Information-Theoretic Limits of Safety Verification for Self-Improving Systems

TL;DR

This paper explores the fundamental limits of safety verification in self-improving systems, establishing theoretical bounds on classifier utility and risk, and demonstrating conditions for safe self-modification.

Contribution

It formalizes the trade-offs between unbounded utility and bounded risk, providing new impossibility results and bounds for safety verification in self-modifying AI systems.

Findings

Power-law risk schedules limit classifier utility to subpolynomial growth.

A Lipschitz verifier can escape the impossibility by achieving zero risk with positive TPR.

Empirical validation on GPT-2 demonstrates the practical relevance of the theoretical bounds.

Abstract

Can a safety gate permit unbounded beneficial self-modification while maintaining bounded cumulative risk? We formalize this question through dual conditions -- requiring sum delta_n < infinity (bounded risk) and sum TPR_n = infinity (unbounded utility) -- and establish a theory of their (in)compatibility. Classification impossibility (Theorem 1): For power-law risk schedules delta_n = O(n^{-p}) with p > 1, any classifier-based gate under overlapping safe/unsafe distributions satisfies TPR_n <= C_alpha * delta_n^beta via Holder's inequality, forcing sum TPR_n < infinity. This impossibility is exponent-optimal (Theorem 3). A second independent proof via the NP counting method (Theorem 4) yields a 13% tighter bound without Holder's inequality. Universal finite-horizon ceiling (Theorem 5): For any summable risk schedule, the exact maximum achievable classifier utility is U*(N, B) = N * TPR_NP(B/N), growing as exp(O(sqrt(log N))) -- subpolynomial. At N = 10^6 with budget B = 1.0, a classifier extracts at most U* ~ 87 versus a verifier's ~500,000. Verification escape (Theorem 2): A Lipschitz ball verifier achieves delta = 0 with TPR > 0, escaping the impossibility. Formal Lipschitz bounds for pre-LayerNorm transformers under LoRA enable LLM-scale verification. The separation is strict. We validate on GPT-2 (d_LoRA = 147,456): conditional delta = 0 with TPR = 0.352. Comprehensive empirical validation is in the companion paper [D2].