Why AI systems may never be secure, and what to do about it (www.economist.com)

A recent analysis argues that AI systems may never be fully secure because of a “lethal trifecta” that creates persistent, systemic vulnerabilities: (1) programming-by-prompting — models can be instructed in natural language so anyone can craft sophisticated requests; (2) broad, powerful capabilities — large models can perform reasoning, code generation, planning and tool use that enable harmful tasks; and (3) cheap scale and replication — models and attack patterns are easy to copy, combine and deploy at large scale. That mix makes traditional software-defence approaches (patching bugs, access control) necessary but insufficient, because misuse can be created at the application layer by benign-looking prompts, through emergent model behaviors, or by chaining models and tools into autonomous agents. Technically, the piece highlights why common mitigations have limits: content filters, adversarial training, and red-teaming reduce risk but can be bypassed by jailbreaks, distributional shifts or model updates; formal verification is currently impractical for large, probabilistic models. Practical responses therefore emphasize layered, risk-reduction strategies: stronger compartmentalization and sandboxing of tool access, fine-grained API governance and rate limits, provenance and watermarking, continuous adversarial testing, transparency and external audits, plus investment in alignment research and regulation. The takeaway: absolute security is unlikely — the community should treat safety as an ongoing, multidisciplinary engineering and governance problem focused on making misuse harder, costlier and more detectable.