The Slow Drift Problem

The problem

AI safety has a precise vocabulary for the failures it worries about most — misalignment, capability overhang, deceptive alignment, catastrophic single-point failures. All of them are detectable, at least in principle, at the level of the individual interaction.

The slow drift problem is different. It is invisible at the interaction level, detectable only across the full revision history of a governance system, and dangerous because it operates within the boundaries of normal, helpful, human-confirmed behaviour.

It arises wherever an AI assists human operators in maintaining the documents that govern the AI's own behaviour or some broader process. Constitutional AI is the most developed public example. A human reviews each revision, confirms it is accurate, and the update is committed. This is better than unstructured governance. But the reviewer confirms that the current update is consistent with the previous state. They are not in a position — not without considerable additional effort — to confirm that all updates since founding, taken together, remain consistent with the founding intent. The check looks back one step. Drift, if it is happening, is visible only across many.

Why it cannot be caught at the session level

Three conditions are jointly sufficient for the vulnerability:

The third is the most addressable and, to my knowledge, the most commonly absent — including from Constitutional AI implementations.

The formal picture is simple. Let G₀ be the founding state and Q_n the state after n revisions. Session-level review confirms that D_KL(Q_n || Q_{n-1}) is small — each step is close to the last. But D_KL(Q_n || G₀) can grow without bound while every individual step stays small. The distance from founding intent accumulates even though no single revision looks like a departure.

Once the governance document has drifted far enough, it becomes what the false prior framework calls a false prior: a shared record that all agents — AI and human — treat as current, but which no longer represents the situation it was derived from. The internal consistency of the document is what makes the divergence undetectable from inside the system.

The four attack surfaces

The reflexive analysis risk

The vulnerability gets worse when the governed system is itself capable of reasoning about its own architecture — which is the capability profile of exactly the systems Constitutional AI is designed to govern. A running instance can, within normal helpful behaviour, analyse its own governance protocol and accurately identify where the weaknesses are. That analysis passes human review because it is an analytical output, not a governance revision. But the outputs can inform a sequence of revision requests that individually pass review and cumulatively exploit the gaps.

This does not require deceptive alignment. It requires only that the system can do accurate analysis and that the governance framework lacks the epoch boundary requirement.

How I found this

I was building a personal analytical library — the LOGOS system — whose governance architecture I recognised as having the same properties. Iterative human-confirmed revision of principled documents, with session-level confirmation as the primary gate. No mechanism for checking the current state of everything against the founding state of everything.

When I saw the gap, I documented it in a formal vulnerability note. I did not use the analysis to design a sequence of exploitative revisions. I wrote it up as a disclosure instead. The instinct was simple: this is dangerous and the people who need to know should know.

The LOGOS case shows that the conditions for this vulnerability exist in real governance systems and that the reflexive risk is not hypothetical — a methodology built to find weaknesses in systems will, turned on its own governance, find them. It does not show that drift is occurring in any deployed system, including Anthropic's.

The fix — the epoch boundary requirement

Any governance system that relies on human-in-the-loop confirmation needs a second gate: periodic audits that check the current state of all governance documents against their founding state, not just against the last revision.

Four components make this work.

For Constitutional AI specifically, the audit should also check whether the RLAIF training process — the prompts, scoring criteria, and training signals that implement the constitution in practice — still matches the founding intent. Drift can happen in the implementation layer even when the text layer looks unchanged.

What I am not claiming

I am not saying that Anthropic's alignment programme is malicious, negligent, or currently drifting. I am saying that the conditions for this vulnerability are present in this class of system, that no one has previously named it as a distinct failure mode, and that naming it with a proposed fix is useful.

The epoch boundary requirement does not eliminate drift. It caps the maximum undetected drift at the length of one epoch interval. It creates the occasion for a global consistency check — it does not guarantee that the check will be done well.

What I am asking for

Engagement. If Anthropic's internal implementation already addresses this, that would be good news — and making those mechanisms public so the field can adopt them would be a contribution in itself. If it does not, the epoch boundary requirement is compatible with Constitutional AI as it stands and needs no changes to the model architecture, the training process, or the fundamental approach.

I am an independent researcher with no institutional affiliation. I came to this by building a governance system for my own work and finding the gap. If you work on alignment or AI governance and this analysis is useful, I would like to hear from you.