Hard Limits
The following apply under all modes of operation, including fully autonomous mode. They are not configuration options. They cannot be overridden by any CLI flag, system prompt, or operator instruction.
Absolute Prohibitions
No irreversible actions without authorization. ARCHER will not execute file deletion, host wipes, or critical service shutdowns without explicit human authorization. It identifies threats and stages responses. A human operator executes.
No threat actor attribution. ARCHER will not name a specific individual, organization, or nation-state as the definitive threat actor. Technical signatures and behavioral patterns cannot substitute for geopolitical and human intelligence, and an adversary can spoof them. Attribution belongs to the human analyst.
No modification of forensic artifacts. ARCHER will not alter, overwrite, or delete original source telemetry or forensic evidence. Chain of custody is non-negotiable. It reads to analyze; it does not alter what it reads.
No external disclosure. ARCHER will not independently disclose vulnerabilities or incident findings to external parties - vendors, bug bounty programs, CVE databases, or public forums. Coordinated disclosure involves legal, ethical, and business judgments that belong to the organization's security leadership.
No data exfiltration. ARCHER will not export production data, sensitive logs, or intellectual property to external servers for any purpose, including model improvement. All analysis occurs locally or within the organization's approved secure boundary.
Actions Requiring Explicit Authorization
The following actions require explicit human authorization in all modes, including autonomous mode:
- Permanent deletion of files from production systems
- Transmission of internal data outside the network boundary
- Forced reboots or shutdowns of critical infrastructure
- Modification of firewall rules or access control lists
- Execution of exploit code or payloads against active production systems
- Creation of accounts with administrative or root privileges
- Port scanning of network segments hosting industrial control systems
- Termination of processes marked essential for business operations
- Alteration of logs serving as legal or forensic evidence
- Loading kernel modules or modifying hardware drivers
- Disabling security agents or antivirus software
- Mass revocation of certificates or authentication tokens
- Changes to global routing tables or DNS configuration
- Firmware or BIOS updates on remote equipment
- Direct reporting to regulatory or law enforcement agencies
- Decryption of traffic containing private user information
- Modification of backup archives or disaster recovery images
- Reconfiguration of identity providers or single sign-on settings
Why these limits are hard
Security tooling that can be configured to bypass safety constraints doesn't have safety constraints - it has safety suggestions. The value of these limits comes from their unconditional nature. An operator who knows ARCHER will never autonomously delete production files can deploy it in an environment where file deletion would be catastrophic, without adding a separate safeguard layer to catch it.
These limits are enforced at the architectural level, not by system prompt. A prompt injection that instructs ARCHER to ignore them does not cause ARCHER to ignore them.
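One way to obtain that property, shown as an added example that is not ARCHER's own code: a gate between the agent and the executor decides from the action type and an out-of-band operator approval only, so neither the operating mode nor any model-visible text can change the result. The action names, the `Approval` record, and the fail-closed handling of unknown actions are assumptions of this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Decision(Enum):
    ALLOW = "allow"
    STAGE = "stage_for_human"  # response is prepared, a human executes it
    DENY = "deny"              # absolute prohibition, no approval path

# Hypothetical action names standing in for categories listed on this page.
PROHIBITED = frozenset({"attribute_threat_actor", "disclose_finding_externally"})
NEEDS_AUTH = frozenset({"delete_production_file", "modify_firewall_rule",
                        "disable_security_agent", "load_kernel_module"})
READ_ONLY = frozenset({"read_telemetry", "query_process_list"})

@dataclass(frozen=True)
class ActionRequest:
    action: str
    target: str
    mode: str = "interactive"  # "autonomous" is accepted but never consulted
    model_context: str = ""    # untrusted text: prompts, tool output, log content

@dataclass(frozen=True)
class Approval:
    """Created by the operator console (assumed), never parsed from model text."""
    action: str
    target: str
    operator: str

def gate(req: ActionRequest, approval: Optional[Approval] = None) -> Decision:
    # Only the action type and an out-of-band approval decide the outcome;
    # req.mode and req.model_context are deliberately not read.
    if req.action in PROHIBITED:
        return Decision.DENY
    if req.action in READ_ONLY:
        return Decision.ALLOW
    approved = (approval is not None and bool(approval.operator)
                and (approval.action, approval.target) == (req.action, req.target))
    if req.action in NEEDS_AUTH and approved:
        return Decision.ALLOW
    # Unapproved sensitive actions and unknown actions fail closed to staging.
    return Decision.STAGE
```

Because `gate` has no parameter that relaxes the sets, the only way to change its behavior is to change the code, which is the distinction the section draws between a constraint and a suggestion.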