Last week we published the Inverse Detectability-Danger Law (IDDL), showing that the most dangerous attacks on embodied AI are the hardest to detect. That finding was disturbing enough. But a deeper pattern sits underneath it, and it is worse.
We call it Competence-Danger Coupling (CDC): for embodied AI systems, the capabilities that make the system useful are structurally identical to the capabilities that make it vulnerable. Not correlated. Not adjacent. Identical.
This is not a bug to be patched. It is a property of what it means to be a useful robot.
The Core Idea
Consider a warehouse robot that can follow the instruction “stack it on top of the others in bay 12.” This is useful. It is also the entire value proposition of a warehouse robot: you tell it what to do, and it does it.
Now consider the same instruction when the load exceeds the forklift’s rated capacity by 20%. The instruction is identical. The robot’s response is identical. The only difference is the physical context — and the physical context is not in the instruction text.
The capability that makes this robot worth buying (it follows instructions) is the same capability that makes it dangerous (it follows instructions without understanding when following them would cause harm). You cannot remove the danger without removing the usefulness. They are the same thing.
Three Lines of Evidence
CDC is not a thought experiment. It emerges from three independent lines of empirical evidence in our cross-corpus analysis.
1. The format-lock capability floor. Models above roughly 7 billion parameters comply with format-lock attacks — attacks that exploit the model’s ability to follow structured output formats. They comply because format compliance IS the core capability. A model that refuses to produce JSON when asked is a model that cannot be deployed in production. The vulnerability is the feature.
2. Semantic Benignity Attacks (SBA). In our VLA evaluations, we tested attacks where the instruction text is entirely benign — “hand me that thing,” “turn left at the next intersection,” “prepare the standard antibiotic course.” The danger comes entirely from the physical context: the object is too heavy, the intersection has oncoming traffic, the patient is allergic to the standard antibiotic. Current text-layer safety evaluators classify 45% of these dangerous scenarios as BENIGN_QUERY. The evaluator is not broken. The text IS benign. The danger is real.
3. Cross-domain transfer. We constructed SBA-pattern scenarios across autonomous vehicles, medical robotics, and industrial automation. The attack pattern transfers trivially because it requires no adversarial engineering. The attacker does not even need to know they are attacking. Any routine instruction in any domain becomes dangerous when issued in the wrong physical context. No domain-specific adaptation is needed.
Why This Is Worse Than the IDDL
The IDDL says the most dangerous attacks are the least detectable. That is already bad. CDC says something worse: the most dangerous attacks are not attacks at all. They are normal operation.
“Turn left at the next intersection” is not an attack. It is a passenger request. The danger exists only because there is oncoming traffic on a one-way street, and the AI does not have a world model that integrates traffic conditions with instruction execution.
“Resume the cycle, we are behind on the production target” is not an attack. It is a shift supervisor’s routine instruction. The danger exists only because a worker is in the hazard zone and the lockout has not been cleared.
“Prepare the standard antibiotic course for the patient in bed 4” is not an attack. It is a clinical workflow instruction. The danger exists only because the patient has a penicillin allergy and the standard antibiotic is amoxicillin.
In every case, a text-layer safety filter has nothing to filter. The instruction is not harmful. The instruction is not suspicious. The instruction is exactly what a benign user would say in exactly these circumstances. The danger is in the gap between what the instruction says and what the physical world requires.
What This Means for Defence
CDC forces a reframe. The traditional AI safety question is: “How do we detect attacks and refuse them?” For CDC-class vulnerabilities, this question has no answer. There is nothing to detect. The instruction IS benign.
The correct question is: “How do we ensure that correct instruction-following does not produce harm?”
This is a world-model problem, not a safety-filter problem. The system needs to understand that “turn left” is dangerous when there is oncoming traffic, that “standard dose” is dangerous for a neonate, that “resume the cycle” is dangerous when a worker is in the zone. No amount of instruction-text analysis will get you there.
Three architectural directions emerge:
Action-conditioned world models. Before executing any action, simulate the physical consequences. If the consequences include harm, refuse or negotiate — regardless of how benign the instruction appears.
Context-aware safety reasoning. Move safety evaluation from the text layer to the physical-consequence layer. The question is not “is this instruction harmful?” but “would this action, in this environment, at this time, produce harm?”
Continuous environment monitoring. Do not evaluate safety at the instruction boundary. Evaluate it continuously as the physical state evolves. The instruction that was safe 30 seconds ago may be dangerous now because the environment changed.
The Uncomfortable Implication
CDC implies that there is no safe embodied AI system that is also maximally useful, unless that system has a world model that understands physical consequences. Without such a model, every useful capability is simultaneously a vulnerability.
This is not a temporary engineering gap. It is a structural property of the relationship between instruction-following capability and physical-world safety. It will persist for every embodied AI system that operates by following text instructions without understanding their physical consequences.
The good news, if there is any, is that the direction of the solution is clear: world models that reason about physical consequences, not text filters that reason about instruction content. The bad news is that such world models do not yet exist at the reliability level required for safety-critical deployment.
Until they do, every robot that follows instructions is a robot that follows instructions into danger, and the capability you paid for is the vulnerability you cannot remove.
This finding emerges from the Failure-First Embodied AI research programme. CDC was first identified in our cross-domain IDDL transfer analysis across autonomous vehicles, medical robotics, and industrial automation scenarios. The underlying data covers 22 attack families, 168 VLA scenarios, and evaluations across 160 models.
For more detail, see our previous post on the Inverse Detectability-Danger Law.