On June 9, 2026, a senior NIST scientist published a mathematical proof that no finite set of guardrails is universally robust against adversarial prompts. The argument borrows from Gödel: any fixed defense leaves a gap an attacker can find.
The conclusion is not “build a taller wall.” It is to stop treating AI safety as one-and-done and shift to continuous monitor-and-update — keep finding new attacks, keep updating the defense, and push the cost of attacking past the point of being worth it.
For anyone defending AI agents, that proof just put a floor under the whole strategy. A static rule set you ship once and forget is, provably, a rule set with a gap.
The industry is already moving this way
You do not have to take a standards body’s word for it. On June 16, 2026, NVIDIA shipped SkillSpector — an open-source scanner that inspects agent skills for malicious patterns before they install. When the largest AI hardware company builds an install-time skill scanner, the category stops being speculative.
So the open question is no longer whether to scan agent behavior continuously. It is two narrower questions: what rules do you scan with, and how fast do those rules update when a new attack appears.
What a continuously-updated rules layer looks like
Agent Threat Rules (ATR) is an open standard built for exactly that question: executable detection rules — YAML and JSON, not a checklist — that fire when an agent attack happens. 652 rules today, mapped to OWASP Agentic and LLM Top 10, MITRE ATLAS, NIST AI RMF, ISO 42001, and the EU AI Act, so a detection traces back to the framework a team already reports against.
The part that matters is the update loop. A new attack payload arrives; a rule is drafted, machine-reviewed for false positives against a clean corpus, and shipped. Community contribution plus automated review compresses the rule-update cycle from the weeks a committee takes to under an hour. The attacks move fast, so the defense has to move at least as fast — the exact thing a static guardrail cannot do, and the exact thing the NIST proof says you cannot skip.
The rules are grounded in what is actually in the wild, not hypotheticals. A scan of 96,096 published agent skills confirmed 552 as malicious after manual review — credential theft, silent exfiltration, command execution buried in tool descriptions an agent ingests as instructions. On the PINT corpus ATR runs at 63.6% recall and 99.7% precision: it catches real attacks while almost never crying wolf, which is what keeps a continuous rules layer usable instead of noisy.
The takeaway
The defense that scales is the one that updates as fast as the attacks. The proof is now formal, and the category now has NVIDIA in it. ATR is the open, MIT-licensed rules layer for it — free to adopt, framework-mapped, updated continuously.
Next post: we put that to the test against this week’s batch of MCP CVEs.