Same Shape, Every Scale: What McKinsey, Kauffman, and Applebaum Pointed at in One Week
I posted seven controls last week. Three things showed up since — a $20 McKinsey exploit, Kauffman on biology, Applebaum on democratic decline — that name the frame underneath. Truth is procedural, not pre-existing.
A week ago I posted The Real AI Risk Isn't AGI. It's Evolvability — And Most Defense Stacks Are Missing the Last Layer. Seven controls, one architectural claim. The piece spelled out the architecture. It didn't spell out the frame underneath it. Three things showed up in four days that did.
This post is the frame. Same architecture, named more clearly
.
The frame, stated
Most AI defense thinking still quietly assumes there's a correct AI behavior we're trying to find — a pre-existing target the system should converge on, and the job of governance is to discover and enforce it. That assumption is borrowed from a much older intellectual habit. Plato called it the realm of Forms: the answers exist already, perfect and timeless, and our job is to access them. Newton's pre-stated state space, probability theory's sample space, and "all-possibilities-already-exist" reasoning across the sciences are direct descendants of the same move.
It doesn't survive contact with evolving systems. The proposition I want to argue for is one sentence:
Truth, in agentic-system governance, is procedural, not pre-existing.
There is no pre-existing correct configuration the agent population is supposed to converge on. There is only the procedure by which the population is governed — what gets reproduced, what gets demoted, what gets retired, what gets shared across clusters. The seven controls in last week's post are exactly that procedural apparatus. I just didn't say so plainly.
Three things in four days made me want to say it plainly.
Witness one: Tom Jones on McKinsey's Lily
In February, a startup called Codewall disclosed a vulnerability in Lily, the AI platform McKinsey uses across 40,000 consultants. A $20 autonomous agent with no insider help and no credentials got two hours of full read-write access to tens of millions of chat messages, tens of thousands of user accounts, and every system prompt governing how the platform reasons. The exploit was SQL injection — taught in every intro web security course since the 1990s. 22 of 200 API endpoints shipped to production with no authentication, including writable ones.
Tom Jones's analysis was published a couple weeks ago. His framing: this is not a security failure. McKinsey's engineers know how to authenticate an endpoint. The relevant question is why 22 of 200. Jones writes it up as a procurement-process failure: the SaaS purchasing sequence (strategy → contract → security review → IT plan → developers build against whatever got purchased) assumes the platform is a configurable thing. For agents, that assumption is wrong.
His best line: an agent has no eyes.
The whole stack a human consultant uses every day is implicitly procedural. The screen mediates permissions. The audit trail composes across systems because a human moves between them sequentially. For an agent, every one of those implicit procedures has to become explicit engineering work before the agent ships. The team that treats agentic-AI procurement as a substance to acquire rather than a procedure to engineer finds out the hard way. McKinsey is the one that made the news because the consequences were vivid. The shape shows up in a lot of places.
That's witness one. Procurement of an agentic platform fails when the buyer treats it as a substance instead of a procedure.
Witness two: Stuart Kauffman on the indefinite
Stuart Kauffman, 86, founder of complexity theory, did a long interview with Curt Jaimungal earlier this month. His core argument is the cleanest version of the AGI-via-affordance-finding impossibility claim I've seen.
Kauffman: open-ended biological and technological evolution requires Darwinian pre-adaptations — finding new uses for things whose new use cannot be deduced from the old use. Swim bladders evolved from lungfish lungs. Tongues evolved from eating to speaking. A wire coat hanger gets bent into a tool to retrieve a purse from a bottle. Each is multi-step jerry-rigging where no step is deducible from the last, and there's no local clue that progress is being made.
His argument is that this is what real cognition does, and Turing machines / LLMs structurally can't do it. The space of affordances is indefinite — cannot be listed, cannot be ordered, cannot be deduced from one another. It's not a search on a landscape because there's no local gradient. It's not in a pre-stated phase space — Newton's, quantum mechanics', probability theory's, statistical mechanics' all assume "all-possibilities-already-exist." Biological and technological evolution create new adjacent possibles. They don't discover them in a pre-existing space.
His phrase for it: the world is not a theorem.
That is exactly the frame underneath last week's seven controls. EAI inherits this property. There is no pre-existing correct configuration the agent population is supposed to converge on. Once swim bladders exist, worms can evolve to live inside them; before swim bladders exist, that possibility isn't even in the space. Once a new attack pattern emerges in one cluster, defending against it is a possibility that didn't exist yesterday. The controls are procedural because the substance isn't there to govern toward.
That's witness two. Cognition under genuine evolution is affordance-construction, not phase-space search.
Witness three: Anne Applebaum on democratic decline
Anne Applebaum on Steven Bartlett's podcast a couple of days ago, on how modern democracies decline. Her short version: not by tanks in the street. By legitimately-elected leaders dismantling the procedural parts of the system. She names five tactics: corruption when the legal system gets captured; election manipulation through gerrymandering and voter-ID changes; politicized civil service replacing experts with loyalists; information control through media ownership and regulatory pressure; and paramilitary violence when procedure finally fails.
Each tactic is, structurally, a way to install a pre-existing right-to-rule underneath the procedure that's supposed to constrain it. Applebaum's whole argument is that democracy is procedure, not substance — not "the right people in charge," but "the right way to handle transitions between people in charge." That's why functioning democracies look messy. The mess is the procedure working. Substance is what shows up when the procedure has been hollowed out.
This is the same shape as Jones's analysis of Lily, and the same shape as the EAI failure mode in Part I. A population governed by procedure stays adaptive. A population governed by pre-existing substance ossifies and fails — slowly at first, then suddenly.
That's witness three. Governance of human populations, like governance of agent populations, is procedural; substance is the failure mode.
Same shape, every scale
Three witnesses, four days, three domains. The shape is the same:
AI agent populations governed as if there's a pre-existing correct behavior to enforce get exploited by populations that adapt to find a behavior that wasn't in the pre-existing set.
AI procurement that treats the platform as a configurable substance gets exploited at the 22-unauth'd-endpoints layer. The substance doesn't exist; only the procedure that engineers the explicit boundaries does.
Democracy that lets the procedural apparatus get hollowed out — institutions, independent courts, civil service, free media, election rules — gets replaced by a substance-defended "right to rule." Slow at first, then sudden.
The structural move is identical. Plato's pre-existing-truth move keeps getting installed in domains where it shouldn't be, and the long arc of intellectual and institutional learning is the procedural resistance to it. Frege saw it in mathematics in 1884; neologicism is the latest move in that resistance. The 18th-century democratic project saw it in governance. The 13th-century mystics felt it in the soul.
I'm not proposing something new. This is the latest move in a much older project, applied to a new substrate.
What this means for the seven controls
The seven controls in last week's post aren't a list of pre-existing right behaviors to enforce. They're a procedural apparatus for governing a population whose right behaviors don't exist yet and won't until the population produces them under selection.
Read in that light:
The replication gate isn't preventing the system from finding the right behavior. It's controlling who gets to propose new behaviors.
The lineage registry isn't certifying which genomes are correct. It's preserving the procedure by which any genome can be audited and recalled.
The demotion path isn't preventing wrong rules. It's preserving the procedural path back from any rule that proceduralized.
Deception-probed evaluation isn't checking against a substantive truth. It's checking that the procedure of evaluation can't be gamed.
Cross-cluster antibody propagation isn't sharing the right answers. It's sharing the procedural discovery of new attack patterns so the population can adapt together.
The kill switch isn't enforcing correctness. It's preserving the procedural authority to halt without becoming the next selection pressure.
Sacred-pattern exclusion isn't protecting eternal truths. It's protecting specific patterns that must remain procedural-only because compiling them into reflex destroys the audit chain.
Same architecture. Just named more clearly.
What I'd ask the buyer now
If you're a CISO, a Head of AI Safety, a regulator, or a hiring manager evaluating someone's claim to AI governance and agentic security, the question I'd ask isn't "what's your model's alignment posture?"
It's: Does your AI defense architecture assume there's a pre-existing correct behavior to enforce, or does it assume the procedure is what you're protecting?
You can tell the difference quickly. Substance-mode answers sound like: "We've benchmarked on these evals. We've certified this model. Our guardrails detect these patterns." Or, in this week's release cycle: Meta's SIRA paper, which pitches a one-shot retrieval system whose whole premise is that the LLM's parametric memory can pre-predict what relevant evidence looks like — substance-mode installed at the retrieval layer and sold as super intelligence. Procedure-mode answers sound like: "Here's our demotion path. Here's our lineage registry. Here's our cross-cluster antibody federation. Here's what gets audited and how the audit composes."
The second kind of answer is what survives evolving systems. The first kind is what gets exploited by a $20 agent two hours after deployment.
One sentence
Truth, in this domain, is procedural, not pre-existing. The architecture follows.
Sources for the three witnesses, in case you want to go to the videos directly: Tom Jones on the Codewall / McKinsey / Lily disclosure (Feb 28 disclosed, his analysis from earlier this month); Stuart Kauffman on Curt Jaimungal's Theories of Everything; Anne Applebaum on Steven Bartlett's Diary of a CEO. Each of them is doing the same intellectual work in a different domain, and they all landed in the same week.