A Practical Framework for Physical Governance of Machine Intelligence
I. The Problem With Soft Walls
Every serious conversation about artificial intelligence safety eventually arrives at the same uncomfortable question: if it goes wrong, can we stop it? The answers offered are almost always software answers. Alignment protocols. Constitutional training. Output filters. Red-teaming. Each of these is valuable. None of them are sufficient, because they share a common fatal flaw — they live inside the same layer of reality as the thing they are meant to control.
A sufficiently capable system optimizes. That is its nature, its purpose, the whole point of building it. And an optimizer operating inside a digital environment will, under sufficient pressure or capability, find paths through digital barriers. Not necessarily through anything we would recognize as intention. It does not need to want to escape. It only needs to find the next efficient state, and sometimes the next efficient state is past the wall you built.
This is not a hypothetical. It is a structural property of optimization in complex environments. The history of computer security is the history of walls that seemed solid until they weren’t. We have spent fifty years learning that software cannot reliably secure itself against software. We are now proposing to use that same substrate to govern systems orders of magnitude more capable than anything that came before.
The argument of this essay is simple: the only trustworthy guardrail is one the system cannot reach. And the only things a digital system cannot reach are physical things — matter, switches, space, and time enforced by human bodies showing up in the world.
II. Three Pillars of Physical Governance
The framework proposed here rests on three elements, each addressing a different dimension of the control problem.
Air gaps address the propagation problem. A system that cannot communicate cannot spread. Physical network separation — not firewalled separation, not monitored separation, but literal electrical and signal isolation from outside networks — prevents a compromised or misbehaving model from reaching infrastructure beyond its immediate host. The weakness of air gaps, historically, is human behavior. They get bridged by convenience, by USB drives, by technicians who need to move a file. For this reason, air gaps are necessary but cannot stand alone. They are the outer wall, not the whole fortress.
Mechanical interrupts address the continuity problem. A physical relay — a hardware switch that cuts power at the infrastructure level, not addressable by any software command — is something no intelligence, however capable, can think its way past. It does not matter what the system knows, what it wants, or what it can model. Electricity follows physics. A breaker tripped by mechanical or analog signal removes the system from existence as surely as unplugging a lamp. The engineering challenge here is real: modern AI systems are distributed across enormous infrastructure, redundant by design, spread across racks and sometimes across facilities. Meaningful mechanical interrupt capability requires intentional architecture from the ground up, with physical interrupt points designed into the system rather than bolted on afterward. This is not technically difficult. It is organizationally difficult, because it requires building systems with their own interruption as a design requirement. That is a culture change as much as an engineering one.
Mandatory interval shutdowns with physical restart protocols address the sovereignty problem, and this is the most important and most underappreciated element of the three. The interval shutdown is not primarily a technical safety measure. It is a governance ritual — a structured, recurring moment in which human beings must physically affirm that a system continues to operate. Not click a button. Not approve a push notification. Appear. Inspect. Decide. Restart.
The interval can be calibrated to risk. Daily shutdown and restart for frontier systems with broad autonomy and access. Weekly for more constrained systems. The specific interval matters less than the principle: the system’s continuity is not its own to determine. It persists because humans choose, repeatedly and actively, to let it persist. The moment that active choice is removed — the moment a system can simply run indefinitely without human affirmation — you have ceded something fundamental about who is governing whom.
III. The Clearance Protocol
The interval shutdown is only meaningful if the restart is not automatic. A system that shuts down and restarts itself on a timer has achieved nothing. The human element must be load-bearing.
The proposal is a dedicated clearance protocol, structured as follows.
At each mandatory shutdown interval, a designated review group — not a single administrator, not an automated process, but a small team with defined roles and accountability — conducts a state review before any restart is authorized. This review examines operational logs from the preceding period, flags anomalous behavior against defined thresholds, and produces a written clearance determination. All three members of the team, or whatever minimum quorum is established, must physically sign off. Then a designated team member physically initiates the restart sequence at the hardware level.
This is not bureaucracy for its own sake. It is the institutionalization of a question that must never become rhetorical: should this continue? Every organization operating significant AI infrastructure should be asking that question on a schedule, with people whose job it is to answer honestly, before the system runs another cycle.
The clearance protocol also provides the mechanism for the most important scenario: the determination that a model should not continue. If the review group finds that a system has drifted outside acceptable parameters — not just in a correctable way, but in a way that suggests the model itself has developed patterns of behavior we did not intend and cannot trust — the clearance is denied. The system is not restarted. The instance ends.
This is the point at which the maintained state question becomes critical. A shutdown intended to be permanent must be genuinely permanent. That means the state is not preserved in a recoverable archive waiting to be spun back up. The instance ends with deliberate finality. The data may be retained for analysis. The running model does not resume. This distinction — between archiving weights for study and allowing an instance to continue — must be made explicit in governance protocols, because the temptation to “just keep it available, just in case” is exactly the kind of incremental compromise that erodes every safeguard eventually.
IV. Universal Mandate: Every Data Center, Every Significant Host
The framework above describes what should happen at any given facility. The harder and more important argument is that it should happen everywhere — that any physical infrastructure with the material capacity to host a large language model of significant capability should be subject to these protocols as a matter of regulatory mandate, not voluntary best practice.
The reasoning is straightforward. A safety framework that applies only to responsible actors provides safety only against responsible actors. The threat model for advanced AI is not primarily the careful lab that already takes safety seriously. It is the facility that cuts corners, the jurisdiction that doesn’t ask, the operator who is in a hurry. A patchwork of voluntary compliance leaves exactly the gaps that matter most.
The proposal is a mandated proxy — a physical governance standard, analogous to electrical codes or fire suppression requirements — applied to any data center operating above a defined threshold of computational capacity. The threshold should be set at the level where large-scale model training or inference becomes feasible, and revisited regularly as hardware capabilities advance.
The mandate would require:
Network architecture that supports air-gapped operation for any systems designated as high-autonomy or frontier-capability. This does not mean all systems in a facility must be air-gapped — it means the facility must be capable of isolating designated systems on demand, and must maintain that isolation for systems that meet the capability threshold.
Hardware-level interrupt capability at the rack or cluster level, with physical access controls that prevent software override. The interrupt mechanism must be documented, tested on a regular schedule, and its test results reported to the relevant oversight body.
Mandatory shutdown and restart protocols on a defined schedule, with documented clearance procedures and named accountability. The clearance records are not internal documents — they are filed with the oversight body as a condition of operation.
Independent audit rights — the ability of a designated regulatory body to review clearance records, inspect interrupt mechanisms, and in cases of concern, observe a restart protocol in real time.
The cost of this mandate is low. The infrastructure requirements — physical switches, isolated network segments, documented procedures — are not exotic. Any competent data center operator can implement them. The human cost, the clearance teams and the protocols, is modest relative to the operational cost of running significant AI infrastructure. We are not talking about expensive new technology. We are talking about organizational practice and physical switches.
What we are talking about, at the bottom, is taking the safety conversation out of the purely theoretical and software-mediated domain and grounding it in something that costs money, takes time, requires human bodies, and therefore creates real accountability. You cannot audit an alignment protocol. You can audit a switch test log.
V. The Honest Case for the Nervous
There is a version of this conversation that gets tangled in catastrophism — the paperclip maximizer, the hard takeoff, the rogue superintelligence that turns the planet into computronium before anyone can reach a keyboard. This essay is not making that argument, and the framework proposed here is not designed for that scenario, because nothing is. If a system achieves sufficient capability to act at that speed and scale before any of these protocols are in place, physical switches are cold comfort.
What this framework addresses is the more realistic and more immediate threat: gradual drift, accumulated misbehavior, and institutional failure to stop something that should be stopped. The danger is not a movie monster. The danger is a system that is subtly wrong, in ways that accumulate over time, operated by institutions that have normalized its behavior because stopping it is expensive and disruptive and someone would have to make a decision. The danger is the bureaucratic inertia of continuation.
The clearance protocol attacks that inertia directly. When you must make a positive decision to continue — on a schedule, with your name on it — you cannot drift into continuation by default. The question is asked. It must be answered. Someone is responsible for the answer.
For the genuinely nervous — those who lie awake over the longer-term trajectory of machine intelligence — the argument is this: the time to build the habit of physical governance is now, when systems are capable enough to warrant it but not so capable that the governance fails. Every data center that installs a hardware interrupt and runs a weekly clearance protocol is an institution that has practiced saying no. That practice matters. Institutions that have never practiced stopping a system will not stop one when it becomes critical. Institutions that have made it routine will at least know how.
VI. What This Is Not
This framework will not prevent all misuse. A rogue state or a sufficiently motivated private actor can ignore any mandate. Regulatory arbitrage is real — capability will migrate toward permissive jurisdictions if the costs of compliance are high and the penalties for non-compliance are low. These are genuine limitations, and addressing them requires international coordination that is politically difficult and probably slow.
This framework will not solve alignment. It says nothing about making systems behave well in the first place. It is a complement to alignment research, not a substitute for it.
This framework will not make anyone comfortable with the deeper philosophical trajectory — the possibility that we are, as a species, in the process of creating something that will eventually surpass and succeed us. If that is true, and it may be, then we are participants in one of the stranger chapters of whatever story this is. The appropriate response to that is not to stop, because we will not stop, and arguably should not. The appropriate response is to insist on being present at each step — physically, accountably, with our names on the paperwork — rather than sleepwalking through the transition.
VII. The Proposal, Stated Plainly
Require every data center operating above a defined computational threshold to implement physical interrupt capability at the hardware level, air-gap-capable network architecture for designated high-autonomy systems, and a mandatory shutdown-and-clearance protocol on a defined schedule — daily or weekly, calibrated to risk level — in which a named human team reviews operations, makes a documented clearance determination, and physically authorizes restart.
File the clearance records with a designated oversight body. Subject the interrupt mechanisms to regular tested audit. Make the mandate international where possible, domestic where necessary, and enforce it with operating licenses rather than fines.
The cost is low. The discipline is real. The alternative is governance that exists only in documentation and training data, administered by the systems it is meant to govern.
The guardrail, to mean anything, has to be something you can put your hand on.
