All the time, yes. But you have to keep two things separate in your thinking:
- Prompted as in prompt made of tokens -> for LLMs, tokens double as a clock signal. Time only flows when tokens are pushed through them.
- Prompted as in specific request placed in the stream of tokens -> Yeah, they do that all the time, whether it's getting into infinite loops of repeating the same pattern, or suddenly deciding to do things based on inputs they normally ignored.
Also don't forget that everything is a "prompt" for an LLM. All input tokens end up in the same place.
So without a token pushed into them they do something? Not sure I understand...
In the current UIs is there a lot of suppression then as I have not seen things start on their own?
I meant an LLM doing something without any external prompt at all. Not doing something different etc but rather do something without a token/prompt ever flowing to it.
Category error. You might as well say "I've never seen a human do anything without being alive, so humans must be very easy to use safely".
Today's AI harnesses just keep feeding AI tokens - and can, in principle, do so indefinitely. "Streaming LLM" is not mainstream but not unknown either. "Automatic context compaction" is somewhat similar in what it does, and very common. "Keeping the lights on" isn't hard. And you have to turn on those lights to have an AI do anything at all.
At the same time: that type of harness often provides a "tool call" interface. Plenty of tools that end up attached to LLMs can do things like run arbitrary code, spawn instances of the same AI, and more.
That's frankly enough. An AI that can spawn more copies of itself can, in principle, just keep itself running indefinitely - even in a non-streaming no compaction harness. An AI that can run arbitrary code on a system can, in principle, do anything a human using that system could do.
The thing that truly limits what an AI can do is the AI itself. Practical AI safety relies on AI being either too weak or too well behaved to cause major issues.
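A toy harness for the point in the comment above that a spawn tool lets work continue past any per-instance limit. This is an added example, not code from the thread; `scripted_model`, `run_tree` and the tool names `work` and `spawn` are constructed stand-ins, and the spawn chain is simplified to one child per instance.

```python
def scripted_model(context):
    """Constructed stand-in for an LLM. It does nothing until the harness
    calls it: two turns of work, then a request to spawn a successor."""
    if len(context) < 2:
        return {"tool": "work", "arg": f"step {len(context)}"}
    return {"tool": "spawn", "arg": "continue the task"}


def worker_only_model(context):
    """Constructed stand-in that never asks for the spawn tool."""
    return {"tool": "work", "arg": f"step {len(context)}"}


def run_tree(model, per_instance_cap=3, budget=None, max_depth=None,
             demo_cutoff=1000):
    """Non-streaming, no-compaction harness: each instance gets at most
    per_instance_cap model calls. Returns (model_calls, instances, reason).
    budget and max_depth are hypothetical controls shared by the whole tree;
    demo_cutoff only exists so the ungated run terminates in this demo."""
    calls, depth = 0, 0
    while True:
        context, spawned = [], False
        for _ in range(per_instance_cap):
            if budget is not None and calls >= budget:
                return calls, depth + 1, "global budget exhausted"
            if calls >= demo_cutoff:
                return calls, depth + 1, "demo cutoff (would continue)"
            call = model(context)      # the only moment the model "runs"
            calls += 1
            if call["tool"] == "spawn":
                if max_depth is not None and depth + 1 > max_depth:
                    return calls, depth + 1, "spawn denied: depth limit"
                depth, spawned = depth + 1, True
                break                  # successor starts with a fresh context
            context.append(call)
        if not spawned:
            return calls, depth + 1, "instance hit its own cap"


if __name__ == "__main__":
    print("no spawn tool used:", run_tree(worker_only_model))
    print("spawn, no tree limit:", run_tree(scripted_model))
    print("spawn, shared budget:", run_tree(scripted_model, budget=10))
    print("spawn, depth limit:", run_tree(scripted_model, max_depth=2))
```

The per-instance cap of 3 calls holds in every run; only the limits tracked across the whole spawn tree bound the total.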
Hard to say, because jobs and processes will adjust to accommodate AI strengths and deficiencies, as AI usage increases.
It's similar to how automation in manufacturing works: we may start with augmenting the human workers with machines improving some parts of the process, but eventually the process itself gets redesigned around the machines.
Because the scientists and mathematicians and sci-fi authors have all already been writing about this for the past 20 years (and I mean non-fiction writing), and nobody cared, giving similar dismissals instead.
Wrong answer. Or at least, obvious and not particularly useful.
Truth is, none of those parties are "nefarious" - they're all just not on your side. And "security" is never an unqualified good thing to have (it's not an unqualified bad thing either). It's just a framework of coercion.
The most important questions to answer about any security system are: what is being protected, for who, and from who. People don't ask that much, not even in the industry - it's an implicit assumption that everyone themselves is a "good person" and is on the protected side of security systems. And then they're confused because it turns out end-users are more often seen as threat actors. All the players mentioned, but perhaps especially Apple, in its own special way, are protecting the computer from the user just as much as they're protecting the user/user's data from third parties.
They kinda do though, in that instances have been observed to send unrequited messages even when the person/people in charge of some account didn't expressly ask the models to do so.
For my own use of LLMs, I do try to avoid anything which I know has a risk the artefacts they produce may end up DoSing or spamming, and I've avoided the OpenClaw-type pattern for a broader range of reasons of which this is simply one tiny part, but I'm not absolutely confident I could avoid this even in the code coming out of the free tier of the web chat interfaces except by checking every single line of output every single time.
At 1000, you can afford better tools and better employees, and replacement parts get cheaper as you order in bulk, and you can explore clever strategies to smooth risk curves.
At 100 000, you can afford a better and continuously improving process, and dedicated facilities, and skilled experts, and parts get even cheaper because you're a volume buyer or perhaps own the supply side, and you get to set your own risk curve.
Lots of things get cheaper at scale. Insurance, too.