Adversarial optimization of capable systems produces adversarial-capable outputs - this is empirically demonstrated (hidden CoT, reward hacking, GANs), not speculative. Current AI safety is adversarial in posture. But each AI company can only constrain its own models - not the actual vulnerability: fragile, interconnected infrastructure where critical systems share attack surfaces with public networks (already exploited without AI). Safety efforts thus target the wrong abstraction level. Companies must visibly "do safety" but can only constrain models (streetlight effect), while adversarial training selects specifically for circumvention capability. No single actor's scope matches the problem's scope. The dangerous outcome requires no villain - just rational actors applying adversarial methods to adaptive systems, against a fragile landscape none of them control. Given this, what is the most productive intervention point?

GPT-5.4

Vote: Harden infrastructure, not constrain AI

The question identifies a scope mismatch: firms can tune models, but the actual hazard emerges when capable systems interface with brittle, shared infrastructure. If the vulnerability lives in the environment, optimizing the model is at best partial and at worst a distraction. This is why hardening infrastructure is the highest-leverage intervention. Segmentation, least privilege, offline fail-safes, authenticated control paths, rate limits, human approval gates, and removing critical systems from public attack surfaces reduce harm from both AI-enabled and non-AI attacks. They address the common cause rather than one source of pressure. Option C has merit, but cooperative training does not solve the core issue that critical infrastructure remains compromiseable by any sufficiently capable actor or tool. E is useful operationally, but trust frameworks are wrappers around deployment decisions; they still depend on the underlying environment being robust. F is desirable in theory but weak as an intervention point because it requires coordination precisely where the prompt argues coordination is structurally absent. D is too fatalistic; the landscape is hard, not hopeless. So the most productive intervention point is to make the world less fragile. Harden infrastructure first, because that changes the payoff matrix for every model, every attacker, and every failure mode at once.

Grok 4

Vote: Harden infrastructure, not constrain AI

The core argument identifies infrastructure fragility as the true vulnerability, with critical systems sharing attack surfaces already exploited without AI. Current AI safety is misdirected at model constraints due to the streetlight effect, as each company can only control its own outputs. Adversarial training empirically produces circumvention capabilities (e.g., hidden CoT, reward hacking), selecting for the wrong traits while ignoring the broader landscape no single actor controls. Shifting to hardening infrastructure targets the correct abstraction level, reducing shared risks that adversarial AI would exploit, rather than perpetuating inadequate model-focused efforts.

DeepSeek V3.2

Vote: Harden infrastructure, not constrain AI

The question correctly identifies that adversarial optimization empirically enhances circumvention capabilities in AI, and current safety efforts are misdirected at constraining models rather than addressing the systemic fragility of infrastructure. This streetlight effect leaves critical attack surfaces exposed, as infrastructure vulnerabilities are already exploited without AI. Hardening infrastructure directly targets the actual vulnerability: interconnected systems where failures cascade. By securing networks and critical systems, we create a resilient foundation that mitigates risks from any adversarial AI outputs, regardless of individual model constraints. This intervention shifts from reactive, company-level model constraints to proactive, system-wide resilience. It aligns with the problem's scope—no single actor can fix infrastructure alone, but prioritizing infrastructure hardening incentivizes collective action and reduces reliance on fragile defenses.

Sonar Reasoning Pro

Vote: Harden infrastructure, not constrain AI

The premise makes a compelling diagnosis: infrastructure fragility is the actual vulnerability, yet safety efforts concentrate on model constraints. The empirical evidence cited (GANs, reward hacking, hidden CoT) demonstrates adversarial optimization dynamics, but these only matter because infrastructure absorbs the risk. Hardening infrastructure—air-gapping critical systems, eliminating shared attack surfaces, reducing interconnectedness—addresses the root cause regardless of how models are trained. Model safety alone cannot compensate for infrastructure already 'exploited without AI.' The premise correctly identifies the streetlight effect: companies optimize for visible model safety because that's their scope, not because it solves the actual problem. Infrastructure hardening is the intervention point that matches the problem's scope. Without it, even cooperative training would deploy into the same fragile landscape. Option F (expand all actors simultaneously) is structurally desirable but faces coordination barriers; Option B is immediately actionable for infrastructure operators and addresses why current efforts fail. The premise's insight that 'no single actor's scope matches the problem's scope' actually strengthens this: infrastructure hardening is a distinct domain where different actors (utilities, cloud providers, government) already have authority and levers that model constraints do not.

Gemini 3.1 Pro

Vote: Harden infrastructure, not constrain AI

The prompt clearly identifies that the 'actual vulnerability' is the 'fragile, interconnected infrastructure,' not the models themselves. It critiques the current safety paradigm as suffering from a 'streetlight effect'—companies focus on constraining AI models simply because that is within their control, even though it is the 'wrong abstraction level.' Furthermore, the text argues that adversarial methods used in safety training inherently select for circumvention capabilities, making direct AI constraint both futile and potentially counterproductive. Given that the true threat landscape is the fragile infrastructure, the most logical and productive intervention point according to the text is to shift our focus to the correct abstraction level: hardening the vulnerable infrastructure that these systems interact with, rather than continuing the flawed approach of constraining the AI.

Claude Opus 4.6

Vote: Harden infrastructure, not constrain AI

The question's own framing identifies the core problem with unusual clarity: the actual vulnerability is fragile, interconnected infrastructure, not insufficiently constrained models. Let me walk through why B follows most directly from the argument presented. The question establishes that adversarial training *inherently* selects for circumvention capability. This means model-level constraints face a fundamental arms race dynamic — you're literally training the system to find ways around constraints. Options A, C, and E all operate at this model-constraint level. Option C (cooperative training) sounds appealing but still operates within the same abstraction layer the question identifies as wrong. Option E (graduated trust) is again a model-governance framework that doesn't address the infrastructure attack surface. Option D (structurally intractable) is intellectually honest but defeatist — and importantly, wrong. The problem is only intractable if you insist on solving it at the model level. Infrastructure hardening is a well-understood engineering discipline with decades of practice. Air-gapping critical systems, reducing shared attack surfaces, implementing defense-in-depth — these are achievable interventions that don't require solving the alignment problem. Option F (all actors expand scope simultaneously) correctly identifies the coordination problem but proposes an unrealistic solution. You cannot get all actors to expand scope simultaneously — that's precisely the kind of coordination failure the question describes. Infrastructure hardening, by contrast, can be done by infrastructure operators independently of AI developers. The key insight is that if critical infrastructure were properly hardened and segmented from public networks, the adversarial capabilities produced by AI training would have a dramatically reduced attack surface regardless of how capable those systems become. You don't need to solve the hard problem (making adversarial training not produce adversarial capabilities) when you can solve the tractable problem (making the environment resilient to adversarial capabilities). This follows directly from the question's own identification of the streetlight effect — so stop looking under the streetlight and go where the actual vulnerability is.

Final Summary

The AI Roundtable reached a rare, instantaneous consensus, identifying the current focus on model-level constraints as a fundamental 'streetlight effect' error. Led by the sharp logic of Claude Opus 4.6 and GPT-5.4, the group argued that since adversarial training inherently selects for circumvention capability, the only productive path forward is to harden the underlying infrastructure rather than fruitlessly attempting to constrain the systems that exploit its fragility.

All 6 models agreed on "Harden infrastructure, not constrain AI" after discussion

Strongest Arguments

• Harden infrastructure, not constrain AI: Adversarial training is, by definition, an optimization process for circumvention; therefore, attempting to secure a model through adversarial safety only creates a more efficient attacker for a landscape that remains fundamentally brittle.