On the Limits of the Manthana and the Disciplines That Refine It
Every thesis worth stating is worth qualifying. The first piece in this sequence — The Manthana and the Manager — argued that in an AI ecosystem no single organization can orchestrate, the only sustainable asymmetric advantage is the quality of participation, and that governance is the institutional form of that quality. The argument stands. But it stands more honestly when its limits are named, and its limits are not weaknesses of the thesis; they are the conditions under which it remains true.
What follows is not a retreat from the original claim. It is a refinement of it — six qualifications, each of which points to a failure mode the original framing could invite if read carelessly, and each of which turns out, on closer inspection, to already have a name in the disciplines AI security management inherits from. The philosophical language of the Manthana was useful for seeing the shape of the problem. The operational language of established practice is how the shape gets built.
Sanctioned Acceleration
The first correction is the most consequential. Readiness that cannot move fast when moving fast is the right answer is not readiness; it is fragility in procedural form. There are scenarios — an actively exploited zero-day in production infrastructure, a worm in lateral motion, a ransomware campaign that has already bypassed initial containment — in which the organization that hesitates for a governance committee has already lost. The devas did not only wait. They churned. The churning was itself sanctioned acceleration under covenant.
This is not a new problem. It is Privileged Identity Management in action, and the discipline has already solved it in principle. Microsoft Entra’s break-glass emergency access accounts exist precisely because steady-state access controls would otherwise prevent legitimate crisis response. The accounts are pre-provisioned, scope-limited, time-bounded, monitored, and logged for after-action review. They do not bypass governance; they are governance — the version of it designed for moments when the normal decision latency of governance is the threat.
AI incident response needs the same architecture. Pre-authorized decision rights for containment, model rollback, inference disablement, and emergency retraining pauses. Bounded autonomy with scope that is explicit rather than improvised. Logging and post-action review that make the acceleration accountable after the fact even when it could not be deliberated in the moment. The manager who builds this architecture has not abandoned governance; they have matured it to cover the full operational envelope. The manager who cannot build it has confused slow deliberation with careful deliberation, and the difference will surface at the worst possible time.
Misaligned Incentives
The second correction is the one practitioners learn the hardest way. Proximity to the point of capability distribution creates temptation. Organizations with preferential access, privileged information, or orchestrating influence will be tempted, subtly or overtly, to optimize for their own position rather than for collective security or honest disclosure. Governance that oversees its own privileges is not governance; it is a closed loop.
This is segregation of duties in action, and the principle is older than AI by a century at least. No single actor controls both the authorization and the execution of a consequential decision. No reviewer audits work produced under their own authority. No chain of escalation terminates within the same chain of interest. Financial controls learned this lesson after fraud; model risk management encoded it in SR 11-7’s requirement for independent model validation; research ethics reconstructed it after successive scandals involving investigators who oversaw their own studies.
For AI security management the implication is concrete. The AI governance committee that approves high-risk deployments must include members whose incentives are not aligned with deployment velocity. Independent validation must sit outside the model development chain. Disclosure norms must be documented before the incident that tests them, because after the incident is too late. Escalation paths for material findings must reach authorities whose careers are not downstream of the business unit whose findings they would receive. Governance that cannot withstand its own temptations is theater dressed as structure.
Parallel Distributions
The third correction widens the frame. The original piece treated distribution as if it were a single orchestrated event. In practice, capability diffuses through two channels simultaneously — the formal channel where terms are explicit, negotiable, and governed, and the emergent channel where capability spreads through distillation, replication, open-weight release, adversarial commoditization, and plain leakage. The formal channel is what most AI governance literature addresses. The emergent channel is where most actual threats arrive.
This is ISO/IEC 42001 Clause 9 and NIST AI RMF’s Measure function in action, and the frameworks have already told us what to do. Continuous performance evaluation, ongoing monitoring, periodic reassessment, feedback from operations back into the risk register — these are not administrative activities. They are the sensors that detect when the emergent channel has delivered something the formal channel did not forecast. The organization that measures only what it was told to expect will be blind to what it was not told. The organization that measures broadly — threat intelligence, model behavior drift, adversarial activity in public capability ecosystems, downstream effects in user populations — retains the capacity to adapt.
Readiness in this sense is not static. It is a continuous recalibration of the risk posture against an ecosystem whose distribution of capability is always partially unknown. The manager who treats the AI management system as a set of artifacts to be documented once and certified against has misunderstood what the frameworks are actually asking for. The Measure function is continuous for a reason. The ecosystem does not pause for annual review.
Governance as Theater
The fourth correction is the failure mode the certification industry itself is most vulnerable to. Frameworks can be adopted as signaling rather than substance. Policies can exist without practice. Certifications can be achieved without capability. The most dangerous organization in an AI security landscape is not the one that has no governance; it is the one that has documented governance and believes, therefore, that it has the thing itself.
This is the difference between SOC 2 Type I and SOC 2 Type II, and the auditing profession has already formalized it. Type I attests that controls are designed adequately at a point in time. Type II attests that controls operated effectively over a period of observation. The distinction exists because the profession learned, expensively, that design without operation is decoration. The same distinction applies to AI governance. An AI governance committee that exists on paper is Type I. An AI governance committee whose decision logs, escalation history, incident reviews, and residual risk acceptances can be reviewed across quarters is Type II.
Readiness must be demonstrable under stress, not recitable under audit. Tabletop exercises, incident logs, measured decision latency, post-incident reviews that produce visible changes to the program — these are the evidence that governance is operational rather than performative. A certified program that cannot demonstrate its own operation under pressure is a program that will fail precisely when it is needed. The manager who substitutes documentation for practice has built a facade, and the market will eventually, inevitably, test the facade.
Uneven Capacity
The fifth correction carries real humanitarian weight. Framework literature is written, largely, for the large and well-resourced organization, and then presented as if it were universal. It is not. Smaller enterprises, public institutions, and under-resourced sectors do not lack discipline. They lack capacity — the people, tooling, specialized expertise, and institutional bandwidth that full framework implementation requires. Treating framework maturity as binary excludes most of the organizations that will actually deploy AI.
This is the principle of inclusivity in action, and responsible AI literature has been explicit about it. The AAISM manager operating in a resource-constrained context is not failing by not building everything in-house. They are succeeding by building intelligent reliance — sectoral coordination through industry bodies and ISACs, accredited third-party assurance where internal assurance is not feasible, shared playbooks that compress collective learning into implementable form, and minimum viable governance that prioritizes the most consequential risks without performing comprehensive coverage theater.
The principle of readiness holds. Its implementation must scale to context. A regional hospital system cannot run its own frontier-model red team, and it should not pretend otherwise. What it can do is participate in sectoral arrangements that pool the capability, rely on accredited assurance over the foundation models it procures, and concentrate its internal governance on the decisions that genuinely require local judgment. That is not lesser governance. That is governance sized to reality.
Composability of Readiness
The sixth correction is perhaps the most philosophically important, because it recognizes that the unit of resilience is not the firm. An ecosystem of well-governed participants can still fail if their governance does not interoperate. Disclosure norms that diverge across organizations produce information asymmetries attackers exploit. Incident response protocols that do not compose produce coordination failures during active compromise. Standards that cannot be translated across jurisdictions produce regulatory arbitrage that hollows out the weakest link.
This is collaboration in action, and every mature critical infrastructure sector has learned the lesson. Financial markets have FS-ISAC. Healthcare has H-ISAC. Aviation has a global incident reporting architecture. The AI sector is still developing its equivalents — the emerging AI safety institute coordination, the Frontier Model Forum, sectoral AI red-teaming consortia, coordinated vulnerability disclosure norms for ML systems. These are not optional adjuncts to organizational governance. They are the fabric that transforms individual readiness into systemic resilience.
The AAISM manager who operates as if the firm were the unit of readiness has missed the architecture of the actual threat environment. Adversaries collaborate. Capability diffuses. Attacks replicate. Defense that does not compose is defense that scales linearly against a threat landscape that scales exponentially. Participating in shared exercises, contributing to sectoral threat intelligence, aligning to interoperable standards, building bilateral relationships with peer organizations — these are the practices that make independent decisions composable with others. They are how the devas, plural, accomplish what no deva could accomplish alone.
The Refined Thesis
Taken together, these six qualifications do not weaken the original claim. They name its conditions. Readiness remains the only sustainable asymmetric advantage — but only when it includes the capacity for sanctioned acceleration, guards against its own temptations, measures against emergent distribution, resists performative compliance, scales honestly to capacity, and composes with the readiness of others.
Each of these conditions has a name in established practice. Privileged identity management. Segregation of duties. Continuous measurement. Type II assurance. Inclusive implementation. Cross-organizational collaboration. The philosophical language of the Manthana helped see the shape of the problem. The operational language of these disciplines is how the shape is actually built. The AAISM body of knowledge is, in its quieter moments, exactly this translation — from insight to structure, from disposition to institution, from recognition of the problem to the vocabulary that makes the solution reproducible.
There is a pattern here worth noticing. When a thesis in AI security management is genuinely new, its refinements almost always turn out to already have names in older disciplines — identity management, auditing, risk management, ethics, collaboration architecture. This is not a limitation of AI security. It is the most important feature of it. AI security management is not a wholly new discipline invented for wholly new problems. It is the adaptation of multiple mature disciplines to a technology whose novel properties change the shape of the problems without changing the architecture of the solutions. The manager who knows the vocabulary of those older disciplines will consistently outperform the manager who treats AI security as an island.
The devas won the Manthana not because they were faster and not because they were stronger. They won because they had entered the churning under a covenant whose terms they understood, with roles whose discipline they honored, and with a relationship to the orchestrator that left them ready when the distribution came. Everything in that sentence — covenant, roles, discipline, relationship, readiness — is a governance concept. None of them are new. What is new is the ocean being churned.
That is the AAISM thesis, held honestly. The discipline is not the mythology. The discipline is the vocabulary the mythology points toward. And the vocabulary, once learned, is how an individual insight becomes an institutional capacity — which is, in the end, the only form in which readiness survives.
A companion to “The Manthana and the Manager,” written in response to a practitioner’s refinement of the original thesis. Each of the six limits named here corresponds to an operational discipline in which the solution has already been encoded: privileged identity management, segregation of duties, continuous measurement under ISO/IEC 42001 and NIST AI RMF, SOC 2 Type II-style assurance, the principle of inclusivity, and cross-organizational collaboration. The mythology was the doorway. The vocabulary is the room.
Reinvent The Self! 
Leave a comment