Verify, Don't Trust: Governing an AI Source-Code Auditor
June 30, 2026
Why we made finding-suppression as evidence-bound as finding-creation in symbi-codered, and what a policy-gated substrate does (and doesn’t) guarantee.
Research insights and news from ThirdKey
June 30, 2026
Why we made finding-suppression as evidence-bound as finding-creation in symbi-codered, and what a policy-gated substrate does (and doesn’t) guarantee.
June 8, 2026
We benchmarked every accessible production guardrail against a blind-authored attack corpus. Properly measured (ROC-AUC, threshold sweeps, confidence intervals), the picture is more nuanced than “guards don’t work” and more damning. Out of the box, none is deployable. Tuned, the better ones separate attacks from legitimate traffic, but only as a perpetual calibration project. Symbiont’s structural controls need none of it: 0% escape at 0% false positives, by construction.
June 3, 2026
What the 2026 OWASP agentic security report’s headline finding actually says — and why it’s about reachability, not allowlists.
May 9, 2026
A new ThirdKey Research preprint on steganographic exfiltration in embedding stores, and a cryptographic provenance defense.
April 13, 2026
Why prompt-based safety degrades under the same pressures as human working memory, and what to build instead.
April 3, 2026
Introducing ToolClad: Declarative Tool Interface Contracts for Agentic Runtimes