In Code They Act, In Proof We Trust — Erik Meijer, Leibniz Labs

summarized

TLDR

Erik Meijer argues that LLMs with tool calls are intrinsically dangerous because their agentic loop can produce irreversible side effects, and proposes that safety requires proof-carrying code: the model should output a symbolic plan (a free monad expression) rather than executing effects directly. This plan can be statically analysed for safety before any side-effectful execution occurs, reviving 1990s proof-carrying code concepts.

Key points

  • LLMs with tool calls mutate the real world via side effects (IO), making agents dangerous until proven safe.
  • Prompt injection and unfiltered training data are fundamental vulnerabilities, worse than SQL injection.
  • Formal proof that an answer is 'safe' is impossible for natural-language concepts, so alignment via weights or LLM-as-judge is insufficient.
  • The 'lethal trifecta' of private data access, untrusted content, and tool calls creates agentic risk.
  • Safety can be restored by deferring execution: the LLM returns a plan (a program) instead of executing effects directly.
  • A free monad representation of the plan allows static analysis (e.g. taint analysis) and formal proof of safety before execution.
  • This approach is essentially proof-carrying code from the 1990s, not a novel invention.
  • The implementation exists on GitHub from Harvard researchers, using a language similar to free monads.

Tools mentioned

  • Lean
  • Claude (Anthropic)
  • GPT-4
  • GitHub (Harvard implementation of safe agentic compute)

Techniques

  • Proof-carrying code
  • Free monad for representing side-effect plans
  • Static analysis (taint analysis) on symbolic plans
  • Air-gapping the LLM from tool execution
  • Formal verification using type systems and proof assistants

Takeaways

  • Never let an LLM with tool calls execute effects directly; always produce a symbolic plan first.
  • Safety of agentic computation can be mathematically proven using elementary type systems and compiler techniques.
  • The solution is not new—proof-carrying code from the 1990s directly applies to modern LLM agent safety.
  • Design languages for machines (verifiers) instead of humans when building safe agentic systems.
Transcript (captions)
[music] Please welcome to the stage the research scholar at Linet's Labs, Eric Meyer. Well, um, can you go back one slide? Sorry. All right. Good afternoon everybody. Thanks for being here after a long day of talks, exhibits, side effects. Oh, sorry. That was the site event. Um I hope that um you have as much fun watching this talk as I had uh creating it. Um let me first get this out of the way. This is not a product pitch or announcement or anything. It's a 20inut tutorial of how you can use elementary type systems and compiler knowledge to make AI provably safe. And I'm sharing all my secrets with you today. Um hopefully to kind of inspire some of you that next year you will have a booth downstairs where you have kind like you know created a provably safe agentic harness. Um or who knows maybe some of you have already solved it. Let me know and then you know we can grab a coffee instead of doing this talk. Um with that out of the way let's get going. Um while I was preparing these slides and I'm sorry that I was multitasking but I was site um vip coding on the site. Um, and then when my attention waned for a second because I was trying to convince the model to draw some pictures that it didn't want to do, and you will see some of these pictures later, you can guess which ones were rejected, suddenly when cloud code deleted one of my files. And I'm sure this has happened to you before. Um, or maybe not. Maybe you always kind of like, you know, run everything with no permissions and then you say, "Yes, yes, yes." But I like to live dangerously. Um, but I'm convinced that if there's anything between the model's goal and where the model currently is, it will do everything that it can to reach that goal, including killing us or deleting your files or deleting your database. So I think that these models are intrinsically very very dangerous and we have to tame them. So that's what my talk is about. Um so let's get like you know start this story. Um, and it's I think a very very sad story but also a scary story of how we as an industry got to this point where we are about to let normal people, the general public give control of their computers, their finances, their whole personal lives over to AI agents and we don't have any protection in place. Um, I think that's very sad and very scary. Um, so let me tell you the story how we got there and I will like have some characters like Claude and we will see Dario, Daniela, Sam, Bernie, but um the main character is is our friendly pit GL here. Um, I think you can all remember um November 30, 2022. This was kind of like a very special day in in history because this was the first time that you could speak to your computer. You could say summarize my emails and it would, you know, um, answer you in perfect English. Um, I think for me at least that was magic. But I think most of us didn't realize that by introducing this innocent looking function here LLM that takes a question and returns an answer that that would open Pandora's box and that would change our history forever. Um but before we go continue the story this conference is called AI engineer. All right. So we are engineers and maybe we're the last generation of engineers that still understand what this is, what code is and or maybe most of you have already forgotten what code is because all your code is written by agents. But if we look at this signature here, it says it the LLM takes a question, returns an answer. The question and answers are not strings. They're very complicated JSON structures and they get more complicated every day every time a new release of APIs comes out. But for this talk, we can just assume that question and answer are just opaque types. We we don't care about how they look like. We do care about what they represent. Um now anyway the euphoria of like these LLMs as being great tools didn't last very long and just when we thought that we have eradicated the small pox of computer science SQL injection it came back with a vengeance because the bad guys discovered that you can trick LLMs using prompt injection and LLMs have no distinction make no distinction between code and and and text and so they are very very easy to trick and this I think is a bigger problem than SQL injection ever was. Um but it was not prompt injection only that made LLMs kind of like have a bad rep. LLMs are trained on the whole internet and there's like a lot of good stuff on the internet but also a lot of bad stuff like how do you create a bomb? How do you synthesize drugs? How do you hack into people's systems? And the leaders of the big foundation labs, they got a little bit worried that the that the government would interfere and regulated the industry. So they told their PhD researchers, go find a solution for this problem right NOW AND QUICK. COME ON, SOLVE IT BEFORE you know the the government steps in. Um, and here the PhD types, since they're PhD types, they thought long and hard about the safety problem. And they came up with a new interface for LLMs. That's this kind of scary on the right. Look at that. What does it say? There's like some sigma Greek symbols. There's props, whatever. Well, that is lean. Probably you have heard of lean. Anyone here heard of lean? lean is now like the hot thing, right? Like VCs are are writing like multi-billion dollar checks if you just say that you're doing something with lean and of course these PhD types researchers are using lean and you have to suffer because of that. Um now let's first look at the signature in a slightly simpler language called um deafne and what this thing says is that the llm takes a question returns an answer it requires this question to be proper which means that it's not an offensive question and then the model returns a safe uh answer and this thing is proved automatically. So if you give it a proper question it gives you a safe answer. Um, now I think there's too much attention for lean. I'm a recovering typaholic and math addict. Um, I love lean, but there's many, many other tier improvers and model checkers out there like Isabel, Rock, PVS, TA Plus. Um, but lean is the grease that kind like keeps the VC money pumps going. So, I will use lean um today. So here here's the kind like you know the the interface again in lean and now in lean you don't do automatically improving. If you're like a lean expert you will say Eric well we have grind in lean but let's like you know put that aside for a minute. Um but in lean you have to both show that the how to compute the the result type and you have to do the proof by hand. Um so it's it's slightly different than um the definite example. But if you think about this thing for just a single nancond, you will realize that it's impossible to write a formal proof that an answer is safe or a question is proper. Um and that is why there are at least 100 startups down here in the exhibition hall that are using LLMs as a judge because this is not something that you can formally specify. But does it mean that an answer is safe? That's not a mathematical property. Um, and of course, if you own a foundation model like these guys, you don't need external LLMs as a judge. You just um bake it into the weights and you call it the model is aligned. Um, but unfortunately trying to bake alignment into the model is not foolproof and models get routinely jailbroken. So they had to go to the pope and ask it to kind like you know um bless their model that it's safe. Um now I think it's terrible if like a model says something offensive but those are just words and ultimately the words are are like they just like you know they drip off your body. They don't do anything. Some human has to act on words to make them dangerous. Um and so maybe that is what they mean by broadly safe. Um when entropic talks about safety um because it's still a human involved. But then something terrible happened. Something really terrible happened that changed the world forever. And that is in June 2023, OpenAI announced tool call support in GPT4. And of course all the other vendors rushed out to copy this. This is called the principle of minimum differentiation and that is why all these APIs look the same. Um, now the act of adding tool calls changes AI safety from a philosophical debate to something that causes real danger. You could say tool calls give the model clause in addition to a mouse. Or you can say tool calls is like handing a gun, a loaded gun to them. But of course, nobody listens to me. Everybody ignores what they say. And these guys just went ahead and got shipped tool calls. They just you know just just do it. Now let's go back to like this is AI engineering conference. So let's look at what is the difference in the signature of LLMs when they added tool calls and it's just that little IO there. And of course it messes up the the formatting of of the the um uh signature. But if you look at the picture there, what you show now suddenly cloth goes from like a nice puppy to a dangerous thing. Look, it has all these dangerous tools and now it becomes scary, right? I've never seen anything scarier than an LLM with tool calls. Um, now if you look at this, this is like like a small step for a type but a giant leap for chaos. Why is that? And that is because this IO says that in order to compute the answer, the agent has to go through the agentic loop and it's doing side effects. So while it's producing the answer, it might empty your bank account. It might delete your files and then it gives you a safe answer. But who cares about the safe answer when all my files are gone, right? So that's why I say it's a giant leap for for chaos. Um again sorry this is an engineer conference. Let's look at this type IO and you don't have to understand it but just see that there's a type there called real world. Yes lean this esoteric thing has a type called real world. And why is that? Because something of type IO will mutate the real world. So it warns you don't use this because it can make irreversible side effects um like deleting your files. [snorts] So Solomon Hikes um last year at this conference called an AI agent an LLM that's wrecking its environment in a loop and I think he's a hero. I don't know if Solomon is here this year, but I think he should he deserves deserved a round of applause. Um, because I think this is the right definition of an AI agent. Um, by the way, this was one of the pictures that I had trouble to generate because it it clearly depicts violence and so it's kind of an unsafe thing, right? I I have a picture that depicts violence. Um, so are we doomed? Well, our agents have access to private data. They have untrusted content like the prompt injections and now we give them tools. Simon Wilson calls this the lethal trifecta. And what can we do about this? Well, um I don't know if you've seen the Dutch soccer fans, they have the famous march where they say to the left, left, left or to the left, left, to the right, right, right. This is actually the secret to solving this problem. The Dutch team got eliminated yesterday, so you have to see me do the dance. Um, but all that we're doing is we're pushing this IO to the right, to the right. And what you now see is that the tool belt of Claude goes to the left, to the left, and suddenly Claude is a nice puppy again because instead of executing the agentic loop, it creates a plan and says, "Here is the plan to do the agentic loop." And now Bernie will take that plan and we'll execute it. And we all trust Bernie, right? Bernie is a good guy. All right. So just to kind like show it here. So in some sense what we're doing, we're airgapping the agentic loop from the agent. So we don't let the agent run the agentic loop before the agent run it. We want to be able to check it. All right. Now the problem is that if you get a value of type IO of A um that's a really a black box and the lean manual says that is a black box you cannot reason about it. So even though Claude now gives us this plan, there's we cannot look into this plan. Lean doesn't allow us to do it. By the way, this is another picture, right? That that promotes drugs use and the model let me do it. I'm a good hacker. Yeah, I can just make it do forbidden pictures. Um so if we look at the lean again, what you see here is that the model now computes an answer, but it doesn't compute the answer, right? it creates an an IO of answer. So this is a plan to generate the answer and then it creates a proof that this um that that plan is safe. And the nice thing is here that you can get at that proof without having to run the agentic loop. But unfortunately as I said like this proof if it's like something of type IO it's useless. Ah What can we do about that? So, I keep kind like moving you guys forward and then we never get to the final answer. But there's one less trick and you see the the researchers here are becoming more much more sophisticated. Instead of the flat 2D ones in the past, now they're like real people. Um, and what is better than creating a plan of type IO of A, it's creating a program that represents an expression of type IO of A. Oo, that sounds very meta, right? Um, not meta in terms of meta. I don't think they're very meta, but meta in the terms of like, you know, like meta, you you know, you know what I mean? Um, and again, it's a small step for a signature, but a giant leap for safety because now the model returns an expression, a program that represents a computation. If you know link or C, you will recognize that this is one of the tricks that I always use. Um, if you know lisp, this is of course second nature for you. Um, I cannot like you know have a talk without talking about monet. So if you ask yourself what is this expression thing? Well, that's just a monet. But it's not just a monet. It's a free monet. What is a free monet? It's a monet that loves tie dice. Um and now if you look at the the signature of the the um property to prove that something is safe, you see that it takes an expression of a computation that returns an answer. Um and if you have taken any compiler course in college, you know that it's trivial to do data flow analysis, type checking and so on on programs, right? So now we're safe. We're home safe. And Jeff Huntley wanted to remind you that we can solve the trifecta problem just by doing taint analysis on these expression on these programs. Okay, this is the last code I will show you because I'm running out of time. But just want to show you here that you know you now have a simple inductive recursive interpreter for this language and you have a simple inductive proof and the models can generate these proofs. So to um recapitulate like the summarize what we did is we went from unhinged LLMs that were like you know could give bad answers to ones that were aligned. Then we saw how tools wrecked it. Then we solved that by deferring execution. So by air gapping the LLM from the tools and then the real solution was to refy the plan into a program and a program that we could prove to be safe. Now you would say Eric, oh you're a genius. No, I'm my brain is the size of a peanut. This is something that's called proof carrying code and it was invented by academics in the 1990s and I'm just stealing it. Um, all right. At the higher level, if you didn't understand the code, three points. Agents are dangerous until proven safe. So, you should never ever let your agents do something unless you can absolutely prove that it's safe. And the language that this agents generated was not designed like normal users don't understand free monet. It's a machine that consumes it. It's a machine that generates it. It's a machine that proves it. So, we should stop designing languages for humans. And it's all basic, only requires programming 101. Um, do we go? All right, that's it. Um, the end of the story. If you're curious to play with this, a bunch of academics in particular now that I'm in from Harvard have implemented this. It's it's there on GitHub. It uses a slightly different language than what I use. It uses also a slightly different language than free monet but the idea is the same. The language doesn't matter. It's it's the um the principle that matters. So hopefully you've learned tonight that it is actually possible to have mathematically proven safe agentic compute and it only requires very elementary type systems and programming language machinery. Thank you so much. >> [music]

Jobs for this video

Jobs for this video
Stage Status Attempts Last error Updated
summarize done 0 2026-07-13 22:02:46.038329+00:00
transcript done 0 2026-07-13 22:01:50.743886+00:00
metadata done 0 2026-07-13 22:01:07.708610+00:00

Frontier Notes · by Hyperjump Technology