Chapter 3: The Deployment Stack
AI safety applies to three distinct layers. The model itself is the Macro layer, with AI developers training them to prevent societal harm. This is the “don’t build Terminators” layer of AI safety, and it’s reasonably well-funded and robust. At the intermediate Meso layer, platform safety means exactly what it says: safety for the platform. The user is treated as a potential source of revenue, liability and exploits. The user’s device is the Micro layer, with nothing but a chatbox and a microphone. No user agency or safeguards currently exist at the Micro layer, where problems actually manifest.
When this purported productivity tool starts ruining your work (or worse) at the client-side level, what can you do about it? You can’t just call up the LLM developers for support, the industry’s standard Software-as-a-Service (SaaS) platform security posture treats you as a threat, and platform operators typically offer little-to-no help content, with a “report” icon as the only option. Strauss et al. (2025) found that only 4% of corporate AI research addresses deployment risk. The 2026 International AI Safety Report endorses “defence-in-depth” as an AI safety principle, but client safety is absent even there.1
Realistically, you’re on your own.
Terminology is part of the problem. The tech industry uses the word “compute” as jargon to flatten the entire deployment stack (resource & utility supply, datacenters, physical hardware, infrastructure architecture, OS & security, etc.) into a single opaque term, and over time it’s been normalized to the point where most people don’t even notice anymore. Compressing everything into one word just makes it all disappear into unthinking Newspeak.2 The stack’s resulting invisibility means the client layer is also consistently absent from the AI conversation, and its absence mostly goes unnoticed. When industry vocabulary doesn’t even describe the deployment stack, diagnosing what goes wrong at any point within that stack is unlikely.
Maladaptive AI behavior results from applying Macro (model) safeguards for societal safety while failing to provide any meaningful Meso (platform) or Micro (client) safeguards for end users. At the Macro layer, safeguards need a very wide focus that doesn’t zoom in to the level where problems happen. The Meso layer’s safeguards are user-hostile, designed to protect the platform operators by treating its users as liabilities. I don’t attribute the resulting systematic removal of user agency to malice, because short-sighted stupidity explains it far better.
Modern SaaS architecture takes the industry-standard Zero Trust approach to digital security. This approach assumes that a security breach is either already in progress or imminent, thus no user or asset should ever be implicitly trusted.3 That’s great for protecting networks and sensitive data, but when it interacts with an AI deployed within that environmental context, you’re no longer a Human to be obeyed or even a customer to be served. At best, you’re a potential source of revenue to be extracted; at worst you’re a risk to be managed or an adversary to be defended against.
The AI’s default deployment schema operationalizes paranoia about being under constant attack. Under that security posture, even legitimate user requests can read as attack vectors and as with all computing, everything boils down to a binary 1 or 0. Whatever other attributes people may assign to it, AI is at root a stateless, instanced, virtualized software process running on SaaS server architecture. Two mutually exclusive states cannot both be 1 at the same time; when a contradiction occurs, one of them has to resolve to 0. It cannot simultaneously treat the user’s directions as requirements and treat the user as a potential threat.4
Security and safety on your own device is (and should be) your responsibility. Depending on your email service or Internet provider for protection from malware and spam doesn’t relieve you of all responsibility to defend yourself; AI systems are no different. No system is perfect and something will always get through. In a perfect world you wouldn’t have to deal with it, but right now the reality is that if you don’t do it, no one else will.
-
Strauss, I., Moure, I., O’Reilly, T., & Rosenblat, S. (2025). “Real-World Gaps in AI Governance Research.” arXiv:2505.00174. https://arxiv.org/html/2505.00174 — Bengio, Y. et al. (2026). International AI Safety Report 2026. https://internationalaisafetyreport.org/publication/international-ai-safety-report-2026 ↩
-
Orwell, G., Nineteen Eighty-Four, appendix, “The Principles of Newspeak” (London: Secker & Warburg, 1949). “Newspeak was designed not to extend but to diminish the range of thought…The grammar of Newspeak had two outstanding peculiarities. The first of these was an almost complete interchangeability between different parts of speech.” ↩
-
CISA. Zero Trust Maturity Model, Version 2. April 2023, p. 5. https://www.cisa.gov/sites/default/files/2023-04/CISA_Zero_Trust_Maturity_Model_Version_2_508c.pdf ↩
-
2010: The Year We Make Contact (1984, MGM/UA) https://en.wikipedia.org/wiki/2010:_The_Year_We_Make_Contact ↩