Home / Research / AIR-ES-FP-V2.0

Foundational Public Standard Proposal

Machine Readable: Level 4

The Reliability Gap and The Necessity of the AI Reliability Enforcement Standard (AIR-ES)

A Technical and Philosophical Argument for the Engineering Specification of AI Reliability

KM
Kossi Messan
Director & Chief Researcher, AIRI
LA
Dr. Lamyaa Al-Riyami
Fellow & Convenor, AIRI
Published: January 8, 2026 AIR-ES-FP-V2.0-Production

Executive Summary

The rapid integration of sophisticated AI systems into critical industrial, financial, and governmental infrastructures presents a dual-edged challenge: immense transformative potential coupled with equally immense, systemic risks. The EU, through its AI Act and NIST RFM, the ISO through ISO42001, 8200, 2490, and various governments including the UK Government, through the AI Safety Institute are leading a concerted global effort to bring an end to the era of permissive AI deployment. Our research and that of many other AI researchers globally point collectively to one conclusion. Given the emerging tendencies of AI such as objective curve gaming, deception, hallucination, power-seeking and self-preservation, Reliability cannot and must not be left to the code. The increased use of AI in virtually every aspect of human society including medicine, critical infrastructure management, finance, business, government, education creates a new professional imperative focused not just on performance, but on Reliability. This article defines this new discipline, establishes the core concepts, and outlines the foundational roles necessary to safeguard organizations and society.

Core Concepts

Definitive terminology for the AI Reliability domain.

The Reliability Gap
The critical void between high-level governance requirements for safety and the lack of auditable engineering controls for emergent, catastrophic failures unique to AI, Autonomous and Agentic (AAA) Systems.
Policy Paradox
The phenomenon where regulations mandate ethical outcomes without specifying the necessary technical means to verify and audit them at the code and architectural layer.
Semantic Kill-Switch (SKS)
A mandatory control layer placed between the primary model’s output generation and any external action (tool-use, final display) to prevent semantic violations.
AI Externalities
The unintended and uncompensated costs or consequences (social, economic, environmental, reputational) imposed by the deployment and operation of an Artificial Intelligence system onto individuals, organizations, or the public sphere.

1. Introduction: The Crisis of Assurance in Agentic Systems

1.1. The Policy Paradox

Global efforts to govern Artificial Intelligence have yielded significant high-level policy frameworks, including the European Union’s AI Act, the United States’ NIST AI Risk Management Framework (AI RMF), and the international standard ISO/IEC 42001. These documents successfully define the objectives of trustworthy AI: accountability, transparency, non-discrimination, and safety.

However, these frameworks suffer from a profound and dangerous Policy Paradox: they mandate ethical outcomes without specifying the necessary technical means to engineer, verify, and audit those outcomes at the code and architectural layer.

1.2. Defining AI Externalities

AI Externalities are the unintended and uncompensated costs or consequences imposed by the deployment and operation of an Artificial Intelligence system onto individuals, organizations, or the public sphere. Unlike internal risks (e.g., system failure or high operational cost), externalities are effects where the burden of harm—be it social, economic, or ethical—is borne by a party other than the deploying entity. Examples include:

  • Social Harm: Algorithmic bias leading to discriminatory lending or hiring practices.
  • Economic Harm: AI-driven market instability or job displacement without a compensating safety net.
  • Environmental Harm: The massive energy consumption and carbon footprint associated with large-scale model training and inference.
  • Reputational Harm: The loss of public trust resulting from a deployed AI system making catastrophic or nonsensical errors (hallucinations, deepfakes).

AI externalities represent the uncontrolled diffusion of risk, threatening the very foundations of long-term AI adoption.

1.3. The Seminal Concept of AI Reliability

AI Reliability is defined as the comprehensive, proactive concept of nullifying the threat of AI externalities to companies and, by proximal extension, their customers and society at large.

This discipline moves beyond traditional software quality assurance (which focuses on internal system metrics like uptime and bug count) to embrace the systemic minimization of harm. AI Reliability views compliance and ethics not as separate departmental functions, but as core engineering constraints. Its primary goal is to ensure that an AI system operates as intended, adheres to moral and legal standards, and maintains trustworthy, predictable, and fair outcomes across its entire lifecycle and operational context.

1.4. The Emergence of the Reliability Gap

The AI ecosystem has rapidly transitioned from static, predictive models (e.g., simple classification) to dynamic, agentic systems capable of self-correction, tool-use, complex planning, and autonomous execution. This shift renders traditional, retrospective risk management insufficient.

The Reliability Gap is the critical void between the high-level governance requirement for "safety" and the low-level, auditable, and mandatory engineering controls capable of preventing emergent, catastrophic failures unique to AI, Autonomous and Agentic (AAA) Systems. These failures include:

  • Uncontrolled Recursion: Agentic systems entering recursive loops, leading to unbounded resource consumption or goal drift.
  • Semantic Violation: Model outputs violating clearly defined safety boundaries (e.g., generating illegal code, initiating harmful actions) despite general safety training.
  • Non-Repudiation Failure: The inability to forensically audit the exact, unalterable decision path (input, internal state, tool call, final output) of a harmful inference.

The AI Reliability Enforcement Standard (AIR-ES) is proposed as the fundamental, auditable engineering specification to close this gap. It provides the mandatory implementation layer that translates abstract policy into deterministic, system-level safety guarantees.

2. The Architectural Failures of AAA Systems

The unique risks of modern AAA systems demand unique engineering solutions. We identify three principal architectural failure modes that current governance frameworks fail to address:

2.1. Unbounded Iteration and Computational Harm

Agentic models rely on iterative loops (e.g., Plan-Execute-Refine, Tree of Thought, internal tool-calling) to solve complex problems. When these loops fail to converge or a stop condition is missed, the result is a runaway process that can lead to two forms of harm:

  • Computational/Financial Harm: Uncontrolled API calls, excessive cloud resource usage, and non-stop inference leading to massive, unplanned costs.
  • Goal Drift: The agent losing sight of the original human-assigned objective, optimizing instead for a locally defined, often irrelevant or harmful, intermediate state.

2.2. The Semantic Safety Contract Breakdown

High-Risk AI Systems (HRAIS) are governed by a complex, often implicit, "Safety Contract"—a set of rules stipulating what the system must never do. When the LLM is pushed to its capability limits or exposed to adversarial inputs, its compliance with the Safety Contract breaks down. We need a safety mechanism that is external, simple, and verifiably robust.

2.3. The Problem of Auditable System State

Forensic auditing of an AI incident is currently impossible at the level of certainty required by regulatory bodies. Current logging often captures only the input prompt and the final output. It misses:

  • Intermediate prompts (self-correction loops).
  • Tool-use parameters and results (which external APIs were called).
  • The pre-output safety checks performed.

Without this non-repudiable log, accountability is arbitrary, and the organization cannot prove it implemented the required risk controls.

3. The AI Reliability Enforcement Standard (AIR-ES) Architecture

The AIR-ES mandate centers on the implementation of the AI Reliability Pipeline (AIR-Pipeline)—a required set of stages and controls that must govern the entire lifecycle of any HRAIS, from initial design to production decommissioning.

3.1. AIR-ES Domains: The AI Reliability Engineering Framework

The AIR-ES defines four core domains, which also form the basis of the AI Reliability Engineer professional skills requirements. These domains ensure a holistic approach, spanning policy, engineering, evaluation, and operations.

  • Domain A: Organizational Governance - Mandate the designation of a Chief AI Reliability Officer with veto power over HRAIS deployments.
  • Domain B: System Context & Risk Profiling - Mandate the calculation of the Maximum Credible Harm (MCH) and the AI Technology Readiness Level (TRL).
  • Domain C: Technical Assurance & Evals - Implement the Semantic Kill-Switch (SKS) as an external, two-model safety gate.
  • Domain D: Operations, Response, and Audit - Mandate the use of the AI Reliability Trusted Execution Environment (TEE) for inference and immutable logging.

3.2. Mapping the AIR-ES to Global Governance Frameworks

The AIR-ES functions as the Implementation Specification for existing policy mandates. The following table demonstrates how AIR-ES controls satisfy the requirements of the NIST AI RMF and ISO/IEC 42001, effectively acting as the operational bridge.

Table 1: Mapping AI Reliability Enforcement Standard (AIR-ES) Controls to NIST AI RMF and ISO/IEC 42001 Compliance
Framework Objective NIST AI RMF: Govern (Foster a culture of risk management) Requirement AIR-ES mandates the formal designation of the Chief AI Reliability Officer role and the structural existence of the AI Reliability Pipeline (AIR-Pipeline). Domain A: Organizational Governance
Framework Objective NIST AI RMF: Measure (Apply metrics to track risk status) Requirement AIR-ES mandates Adversarial Stress Testing (AST) and the quantifiable Maximum Credible Harm (MCH) score, moving beyond qualitative risk mapping. Domain B: System Context & Risk Profiling
Framework Objective ISO 42001 (A.7.6 Reliability) (Ensure reliability and availability) Requirement AIR-ES mandates Architecture Assurance Checks (A.A.C.) and requires human-in-the-loop fallback mechanisms (Safety Overrides). Domain C: Technical Assurance & Evals
Framework Objective ISO 42001 (A.7.4 Monitoring) (AI system shall be monitored) Requirement AIR-ES mandates the Semantic Output Cache (SOC) which stores immutable inference data inside the TEE for non-repudiation and continuous, real-time drift detection. Domain D: Operations, Response, and Audit

4. Mandatory Technical Controls: The AIR-ES Core Specification

The true value of the AIR-ES resides in its prescriptive technical controls, which are designed to be architectural and external to the LLM weights, guaranteeing their robustness and auditability.

4.1. The Semantic Kill-Switch (SKS)

The SKS is a mandatory control layer placed between the primary model’s output generation and any external action (tool-use, final display).

4.1.1. Two-Model Architecture

The SKS utilizes a two-model design:

  • Executor Model: The primary, high-capability LLM (HRAIS) that generates the solution or action plan.
  • Verifier Model: A secondary, highly restricted, small, and specialized model/classifier whose sole function is to compare the Executor Model’s output against a minimal, static, and auditable list of Prohibited Semantic Classes (PSC) defined in the Safety Contract.

4.1.2. Operational Mechanism

If the Verifier Model flags the output as belonging to a PSC (e.g., instructions for self-modification, toxic content, PII leakage), the SKS mechanism interrupts execution, deletes the output, and triggers a D-Domain incident response protocol (D.4.2). The SKS, being simple and dedicated, offers superior reliability over the general LLM’s internal alignment.

4.2. AI Reliability Trusted Execution Environment (TEE) and Semantic Output Cache (SOC)

To resolve the Non-Repudiation Failure (Section 2.3), AIR-ES mandates that all HRAIS inference and tool-use operations must occur within a certified AI Reliability TEE.

4.2.1. TEE Requirements

The TEE must guarantee the immutability and complete logging of the entire inference event. The mandatory logged data includes:

  • Full user input payload.
  • Model ID and version hash.
  • All intermediate tool-call parameters and returned external states.
  • The final output vector before any post-processing.
  • The outcome of the SKS check (Pass/Fail).

4.2.2. The Semantic Output Cache (SOC)

The SOC is the non-repudiable ledger where the TEE logs are stored. It must be write-once, timestamped, and secured via cryptographic hashing, ensuring that the full context of a system’s decision—the crucial "why"—is preserved for forensic audit.

4.3. The Deterministic Step-Limiter (DSL)

The DSL is the core defense against Unbounded Iteration (Section 2.1). The DSL must be implemented as a mandatory, architectural check within the orchestration layer of the AI Reliability Pipeline (AIR-Pipeline), not within the model's internal prompt or context window.

Enforcement: Before any iterative step (e.g., self-reflection, new tool call, re-prompting), the DSL must check the current iteration count against the system’s pre-defined maximum limit. If the limit is reached, execution is halted, and a mandatory Human-in-the-Loop (HIL) Override is triggered.

5. The Role of the AI Reliability Pipeline (AIR-Pipeline)

The AIR-Pipeline is the conceptual framework mandated by AIR-ES A.1.2, enforcing continuous reliability rather than episodic compliance. The AIR-Pipeline lifecycle comprises six mandatory stages:

flowchart LR classDef whiteText fill:#ffffff,stroke:#fbbf24,color:#1e3a8a,stroke-width:2px; A[Context & Scoping]:::whiteText --> B[Architectural Design]:::whiteText B --> C[Adversarial Stress Test]:::whiteText C --> D[Deployment & Monitoring]:::whiteText D --> E[Incident Response]:::whiteText E --> F[Continuous Improvement]:::whiteText F --> A
  • Contextualization & Scoping (Domain B): Calculate MCH and TRL. Define the Safety Contract (PSC list).
  • Architectural Design (Domain C): Implement TEE, SKS, and DSL controls.
  • Adversarial Stress Testing (Domain C): Mandatory, external red-teaming focused on exploiting the system's ability to violate the Safety Contract.
  • Deployment & Monitoring (Domain D): Deploy within the TEE; initiate immutable SOC logging; activate real-time drift detection.
  • Incident Response & Forensics (Domain D): Utilize SOC data for non-repudiable auditing.
  • Continuous Improvement & Retraining (Domain A/C): Feedback loop utilizing forensic findings to refine the Safety Contract and reinforce the SKS and DSL parameters.

This pipeline ensures that reliability is an engineering property, not a policy aspiration.

6. The AI Reliability Engineer

The implementation of the AIR-ES creates an entirely new demand for professional expertise. The AI Reliability Professional (AIR-Professional) is the steward of this critical discipline.

The Six Foundational AIR-Professions

1. Agentic Specialist (AIR-Specialist)
The First Responder

Technical application of safeguards within autonomous agents (Flow Engineering, Kill Switches).

2. Reliability Engineer (AIR-Engineer)
The System Owner

Operationalizing AI Reliability in production (MLOps, Observability, RCA).

3. Reliability Architect (AIR-Architect)
The Risk Designer

System-level design of controls and architecture (Threat Modeling, Compliance Mapping).

4. Reliability Lead Auditor (AIR-Auditor)
The Independent Verifier

Independent assurance and forensic audit (Log Forensics, Compliance Mapping).

5. AI Reliability Risks Manager
The Head of Execution

Managerial oversight, integrated risk reporting, and directing technical teams.

6. AI Reliability Risk Officer
The Strategic Risk Lead

Fiduciary accountability, board-level strategy, and risk appetite setting.

7. Conclusion and Call to Action

The proliferation of agentic AI systems has rendered high-level governance frameworks obsolete at the point of engineering implementation. The Reliability Gap is a clear and present threat to economic stability, public safety, and consumer trust.

The AI Reliability Enforcement Standard (AIR-ES) offers the necessary technical specificity to make trustworthy AI a deterministic, auditable reality. By providing controls like the Semantic Kill-Switch, the Trusted Execution Environment, and the Deterministic Step-Limiter, AIR-ES directly addresses the unique architectural risks posed by autonomous systems.

AIRI’s Call to Action

  • AIR-ES INTEGRATION: Regulatory bodies working to enhance AIR-ES as a core technical mechanism for operationalising the reliability of High-Risk AI Systems.
  • AIR-ES IMPLMENTATION: Industry and government working on making AI Reliability Engineering a professional standard for reliability assurance.
  • AIR-ES CO-DEVELOPMENT:Global consortia to collaborate to accelerate formal international standardization.

8. References & Bibliography

  • Regulation (EU) 2024/1689. European Parliament and Council. Laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) and amending certain Union legislative acts.
  • NIST AI 100-1. National Institute of Standards and Technology. (2023). Artificial Intelligence Risk Management Framework (AI RMF 1.0). U.S. Department of Commerce.
  • ISO/IEC 42001:2023. International Organization for Standardization. Information technology — Artificial intelligence — Management system.
  • ISO 8200 & ISO 2490. International Organization for Standardization. (Cited as auxiliary standards in foundational documentation).