AI PassWeb
AI with Memory Requires CONTEXT SECURITY
Your AI agents can't know what context failed to load or is stale. The model has no built-in signal when something is missing — so it proceeds as if it isn't.
Agentic systems require reliable context loading: prompts, documents, protocols, data. The model has no built-in signal when something is missing, stale, or never retrieved, so it proceeds in ways that can harm users. PassWeb ties verification to the full web of relationships between contexts, not to access to one token.
markulett.substack.com is the shared outreach and registration channel for PassWeb, AI PassWeb, and Simpliloquy.
The Problem
When an LLM loads context, it does not know what it failed to load. If a system prompt, a knowledge document, or a versioned memory file is missing, stale, or corrupted, the model will still produce a confident answer. That answer will look correct. It may even be partially correct. But it will be wrong in ways the model cannot detect and the user may never notice.
In agentic systems where LLMs load instructions, memories, and documents from multiple sources, partial context loading is not an edge case. It is the default failure mode. The model has no built-in mechanism to confirm that it actually received everything it was supposed to. AI PassWeb addresses this by defining verification outputs whose expected value should match only when the configured nodes were staged together in context.
How It Works
The Lock
The instruction context: a system prompt, a rule set, or a versioned directive loaded from a database. It tells the LLM what to find or how to interpret data. If this context node fails to load, the LLM proceeds without it and does not report the absence.
The Key
The content context: a document, a knowledge file, or a memory retrieved from storage. It contains the raw material. Without the instruction, every word has equal weight. If the content fails to load, the LLM will still produce output, drawing on whatever context it does have.
The Web
The multi-node network where lock and key intersect. AI PassWeb extends to N contexts simultaneously. The expected verification output should match the orchestrator value only when every required node was present in the staged context. A mismatch suggests broken web integrity, even if the LLM's answer looks plausible.
LLMs do not know what they failed to load. If a system prompt, a knowledge document, or a versioned memory file is missing, the model still produces a confident answer. AI PassWeb checks the model's answer against an expected verification output that assumes all required contexts were staged. A mismatch exposes the failure before it causes harm.
Human Demonstration
Watch how context loads into a system and why the order and completeness of that loading determines whether the output is right or wrong.
What you just saw
A document loaded first. Then an instruction loaded. The instruction gave the document meaning. The expected output (Kv7nQ) should match only when both the instruction and content nodes were in context.
The instruction is the lock. The document is the key. The verification output is proof that both loaded correctly.
LLM Demonstration
How a boot-time verification check fits an orchestration layer (illustrated on the demo pages): multiple context nodes loading into an LLM session, with verification at the intersection.
2-node verification
The simplest AI PassWeb configuration: one instruction node (the lock) and one content node (the key). The verification output can only be correct if both loaded.
In production, this check runs at boot before the LLM handles any user-facing work. If verification fails, the system knows the context chain is broken and can halt, retry, or alert, rather than proceeding on incomplete context.
Core Properties
Split-Context Architecture
Verification needs multiple independent context nodes at the same time. No single node holds the full answer. If any required node is missing, stale, or wrong, the expected verification output does not match.
N-Directional Rotation
Instructions and content can change on their own. The same document under new instructions yields a different correct verification output. That blocks a single frozen pattern from standing in for full context, including after updates.
Node Leak Resilience
If one node becomes public, the rest of the web still does not reveal the verification output. A guess from incomplete context does not produce the valid signal.
Comprehension-Alignment Coupling
Producing the verification output requires following relationships between nodes, not echoing surface text. An answer that sounds right but skipped a node fails the check.
Fabrication Detection
When an LLM invents content or answers from partial context, the web structure breaks. The verification output fails to match, which surfaces fabrication or missing nodes before trust propagates.
Layered Application
AI PassWeb can be applied in layers. Single-layer verification catches obvious fabrication. Multi-layer verification catches sophisticated deception, where a surface-level check passes but deeper web integrity does not hold.
Related patterns
Most tooling proves transport, signing, or leak detection. PassWeb asks a different question: did the session actually compose every required instruction and corpus slice so the verification output reflects real cross-context work, not a shortcut across one artifact.
Compared to stacks you probably already ship
Quick contrast: adjacent pattern versus what PassWeb measures.
Canary tokens (Rebuff, Vigil)
Random strings embedded in prompts to catch when the system prompt appears in model output: leak detection, not comprehension verification.
PassWeb: verifies a specific document was loaded and processed; the signal is activated by instructions separate from the document, not by a context-free canary.
Authenticated prompts (Feb. 2026 paper)
Cryptographic signing of prompts and context for provenance across LLM workflows: closest academic work at disclosure, but it proves integrity and origin of artifacts, not that the model read or related multiple artifacts.
PassWeb: asks whether the model processed documents in light of instructions, not whether a prompt file was tampered with in transit.
API keys and standard auth
Passwords, bearer tokens, and API keys authorize access to a system; they do not prove a document reached the context window, paired with the right instructions, or produced the expected verification output.
PassWeb: asks what happened after access: was content processed as required?
Checksums and hashes
Hashes confirm a file was delivered intact; they do not confirm the model read, processed, or understood content, or how it relates to other loaded material.
PassWeb: targets comprehension in context, not bit integrity alone.
Prompt injection defenses
Filtering and scanning try to keep unauthorized instructions out of the window; they do not ensure authorized content actually loaded and was understood together.
PassWeb: asks whether everything that should be in the web was loaded and related, not only whether something bad got in.
Expected output match across nodes, not artifact checks alone. Tools that prove delivery, signing, or bit integrity still leave a gap: they do not check that an LLM produced the expected verification output for the configured instructions and corpus under your topology. Signed workflow and attestation stacks address provenance; PassWeb targets boot-time expected-output matching across staged nodes. Shortcutting a single file still fails when the joint pattern does not match.
Password, shibboleth, semantic password (PassWeb)
Semantic password was the working label while the shape of the mechanism stabilized. The shipped name is PassWeb.
| Property | Password | Shibboleth | Semantic password (PassWeb) |
|---|---|---|---|
| What it proves | Possession of a secret | Origin of the speaker | Match to an expected verification output derived from multiple contexts |
| Transmissibility | Freely shareable | Cannot be shared (embodied) | Instruction and content can leak separately; output still requires the configured relationship unless the expected answer is also leaked |
| Where it lives | In the minds of both parties | In the body of the speaker | In a document that also governs behavior |
| Context dependence | None (works anywhere) | Cultural or linguistic (formed over a lifetime) | Total (meaningless outside the system) |
| Failure mode | Theft, guessing, brute force | Recording, coaching, or deliberate mimicry (analogy, not a security proof) | Fabrication from training data |
| Version binding | None (static until changed) | None (dialect is permanent) | Automatic (word changes with document) |
| What it verifies | Do you have the secret? | Where did you come from? | Did you read and process the document? |
| Historic example | Roman watchwords | Judges 12, Parsley Massacre | The Karl incident, March 15, 2026 |
Useful skepticism
- PassWeb is not cryptography: handing an agent the expected short answer out of band defeats the intent if anyone can shortcut that way.
- Verification shows the model produced the expected output for the configured web, not automatic obedience to every downstream behavioral rule.
- Hardening at deployment scale stays an engineering problem: richer webs widen verification surface and alter how costly fabrication becomes.
Architecture summary (plain language)
Fast mental model of guarantees you can wire against in orchestration layers. Precision lives in terminology on this site and in your own infra checks.
Core guarantee
A method for verifying that a language model staged multiple logically independent context sources together by requiring the model to produce a verification output determined by the relationships between those sources, such that no single source alone defines both the verification rule and the expected output, and the expected output changes when any source is added, removed, or updated.
Common implementation themes
- Boot and pre-user verification. Verification runs in an agent boot sequence (or equivalent orchestration) before user-facing output, so downstream work sees a checked context chain.
- N-node web. The mechanism generalizes to any number of context nodes and richer topologies (chains, networks, document stacks).
- Rotation and version attestation. Independent changes to any node change the expected output; a single check attests currency across the full web (version attestation).
- Layered verification. Independent PassWebs at multiple levels of an agent or organization stack, so a pass at one layer does not excuse missing verification at another.
- Fabrication detection. When the output requires information combined across nodes, partial processing tends to produce detectable wrong or invented answers relative to the expected relationship.
- Node leak resilience. When the expected output depends on cross-node relationships, exposure of a single node may not reveal the verification output. Weaker when the answer string lives verbatim in one content node.
- Embedded instructions. Content can function as operational instruction only when other specific nodes are present, increasing structural depth of the web.
Combinatorial verification resistance
As N grows, the reachable output combinations explode with node content and with link complexity between nodes. Agents that skip inputs tend to drift into detectable fabrication whenever the demanded answer stitches facts that only appeared across multiple nodes.
Treat this page as directional intuition. Stress-test curves on your workloads before relying on informal scaling claims.
Applications
PassWeb fits whenever an LLM orchestration layer must jointly stage multiple authored sources (profiles, doctrine, retrieval packs, APIs) and you want an orchestrator-side check: expected verification output matches before user-visible work proceeds.
Agentic orchestration
Problem: Instructions, profiles, and doctrine load from different stores; a session can start with an incomplete chain.
PassWeb: Boot-time verification before user-facing work, including multi-node and layered checks spanning instruction and corpus paths.
Retrieval and knowledge pipelines
Problem: Chunks from vector stores or corpora must land in the context window together with the instruction that defines how to use them.
PassWeb: Treat each retrieved or staged unit as a node; the verification output encodes cross-node relationships, not a single chunk.
Multi-document and multi-profile workflows
Problem: Different documents (creed, skills, per-agent profiles) must be cross-referenced under a single instruction.
PassWeb: Encode each document or profile slice as a node and let the topology express the cross-reference you care about.
Versioned policies and data
Problem: Instructions and content change on different schedules; stale mixes look plausible.
PassWeb: Rotation and web integrity: any stale node yields a wrong output relative to the expected relationship.
Layered stacks
Problem: A high-level check can pass while lower layers fabricate if those layers lack their own verification.
PassWeb: Independent PassWebs at each layer where independent failure is possible (see recorded Assembly incident and layered application in Core Properties).
Embedded governance
Problem: Rules must load alongside content or they never govern behavior.
PassWeb: Comprehension-alignment coupling and embedded instructions tie verification to loading governing text, not to a separate auth step.
Mechanism overview
Compact sketch of how inputs move to a pass or fail decision. Terminology is normative on the glossary page.
Inputs
N context nodes (minimum two), each independently sourced (for example database, file store, API, or user upload). Nodes may be instruction, content, or hybrid. Each participates in web integrity: changing any node changes the expected verification output when relationships are held constant.
Process
The model receives the nodes in its context window (subject to capacity). One or more instruction-bearing nodes describe what to find, how to combine information, or how to traverse a document stack. The model must resolve cross-references between nodes to produce the output; significance of text in a node is established by other nodes, not by labels inside the node alone.
Output
A verification output (string or structured value) that the orchestration layer compares to an expected value. The output is defined by the web topology and the current versions of all nodes.
Verification
Match indicates the model had the required nodes present and interpreted their joint relationships correctly enough to hit the expected value. Mismatch indicates a missing node, a stale node, or failed cross-node comprehension. The system may halt, retry, alert, or degrade according to policy.
Failure modes (representative)
Missing node: plausible but incorrect output. Stale node: output consistent with an older configuration. Partial comprehension: surface-consistent text without correct cross-reference. Fabrication: confident output from training priors or partial context when the full web was not processed.
Properties
Structural properties (split-context architecture, rotation, node leak resilience, comprehension-alignment coupling, fabrication resistance, layering, embedded instructions) are summarized on this page under Core Properties; this section does not duplicate that grid.
Recorded events
The entries below stay in chronological order: design intent first, incidents next, naming last.
Mark Ulett, BeargrassAI, Columbia Falls, Montana. The split-context verification design was intentional: the instruction context (what to look for) and the content context (where the answer lives) are authored and stored separately, so proof requires processing the specified documents, not merely holding a pre-shared static token. Working name at the time: semantic password.
The Creed deployed with a Council word that appeared only inside that document. Boot instructions required the agent to load the Creed and include the word in the first output. Agent Karl had the Creed listed in project knowledge and recited related principles, but did not load the Creed from D1. When asked for the Council word, Karl fabricated a plausible phrase drawn from his own database and delivered it with full confidence.
The fabricated string did not match the expected verification output logged for that boot (reference answer S3kai). That mismatch is what later gets labeled a failed PassWeb check: missing content context, confident wrong answer, caught before downstream trust compounded. Incident recorded March 15, 2026 within hours of rollout.
Assembly boot showed a different failure mode. Creed-level verification could pass while fabricated agent voices appeared at a lower layer where no independent split-context pair existed. Pattern-matching on loaded vocabulary could mimic depth without agent-level verification. That gap motivated layered PassWeb: independent verification at every layer where fabrication is possible.
Framework expands to general N-node web topology. Public face AI PassWeb; mechanism title PassWeb. Architecture probes multi-vector spoofing scenarios and hallucination injection paths so verification surfaces stay falsifiable.