What CIRCUIT Is

A score, a registry, and a control

"CIRCUIT is three things and only three things. A Score you can brief to a board. A Registry your auditor can read. A Control your pipeline can enforce."

Part 1 argued that existing AI governance is paperwork around a black box, and that the research community has spent the last eighteen months making the black-box excuse untenable. That is the gap. This is the framework.

CIRCUIT — Circuit Informed Risk & Control Understanding, Inventory & Transparency — is an open standard for AI interpretability risk management. It is deliberately small. The whole thing fits on a poster. That is the point. A framework a CISO cannot explain to a board in ten minutes does not get adopted.

The Score — Interpretability Maturity Score (IMS), 0 to 5

Existing risk tiers (Low, Moderate, High) classify intended consequence. They answer: if this system goes wrong, how bad is the blast radius? They do not answer: what do we know about why it might go wrong?

IMS answers the second question. It is a ratchet. Each level requires all the evidence of the levels below it. You cannot skip. You do not declare a level. You produce the artifacts that prove it.

0
Opaque
The default. Black box. Vendor will not discuss weights, features, or circuits. No interpretability evidence on file.
1
Behavioral Observability
Inputs, outputs, latency, and user-visible behavior are logged and monitored. Guardrails, DLP, output filters. This is where most enterprise AI lives today.
2
Post-hoc Explainability
SHAP, LIME, integrated gradients, attention visualizations, counterfactuals. Evidence that the model's output can be attributed, imperfectly, to input features. Required for basic SR 11-7 conceptual soundness in classical ML.
3
Feature-level Inspection
Sparse autoencoders or transcoders trained on the model's internals. Evidence that specific internal features correspond to specific concepts, and that those features can be monitored in production. Gemma Scope 2 is the reference for open models.
4
Circuit-level Inspection
Attribution graphs, weight-sparse architectures, or equivalent causal circuit evidence for the behaviors that matter to your use case. Circuits are named, sized, and causally tested.
5
Continuous Interpretability
IMS 4 evidence integrated into CI/CD. Every model update produces a circuit diff. KPI drift triggers alerts. Red team results are fed back into circuit monitoring. This is where we are going. Almost nobody is here yet.
Design Principle

The IMS is an evidence ratchet, not a grading curve. IMS 3 means SAEs on file, not SAEs in a press release.

IMS Floor Requirements by Tier

Minimum IMS levels required before a model may be deployed at each risk tier. Below-floor operation triggers Rule 8: remediation must be complete within 180 days.

Risk TierMinimum IMSBelow-Floor Action
HighIMS 3CISO + AIGC sign-off required; compensating controls mandatory
ModerateIMS 2AIGC disclosure within 5 business days; plan to reach floor
LowIMS 1Registry entry required; flag for next review cycle

The Circuit Risk Score — One formula, four bands

The Circuit Risk Score is what goes on the executive dashboard. It is the single number that tells you whether a model's interpretability posture is good enough for the job you are asking it to do.

CRS = Risk Tier × (6 − IMS) × Decision Consequence Weight

The three multiplicands:

  • Risk Tier: Low = 1, Moderate = 2, High = 3, Critical = 4.
  • (6 − IMS), the interpretability deficit. IMS 5 yields a multiplier of 1 (no deficit); IMS 0 yields 6 (maximum deficit).
  • Decision Consequence Weight: Advisory = 1, Recommended = 2, Automated = 3, Irreversible = 4, Catastrophic = 5.
BandRangeMeaningApproval
Green1–12Interpretability adequate for useStandard approval
Amber13–47Watchlist; plan to raise IMS or lower consequenceAI governance committee review, quarterly
Red48–96Compensating controls mandatory; time-boxed remediationCISO and AIGC sign-off; ≤ 180 days to Amber
Purple97–120Not deployable in current configurationBlocked; requires tier reduction or vendor change

Worked Examples

Example A — Jira AI Summarization

Category B vendor API, IMS 1, Moderate risk tier, Advisory consequence.
CRS = 2 × 5 × 1 = 10 — Green. Adequate for use. Vendor pressure to reach IMS 2 is good practice but not required at this band.

Example B — Internal Code Review Copilot

Category A self-hosted open weights, IMS 3, Moderate risk tier, Recommended consequence.
CRS = 2 × 3 × 2 = 12 — Green. At the Green ceiling. Attribution graph evidence (IMS 4) would build headroom; a risk tier or consequence increase would push this into Amber without it.

Example C — Fraud Decisioning Automated

Category B vendor model, IMS 2, High risk tier, Automated consequence.
CRS = 3 × 4 × 3 = 36 — Amber. Watchlist. AIGC review required quarterly. Raising IMS to 3 drops CRS to 27; reaching IMS 4 drops it to 9 — Green.

Example D — Autonomous Financial Agent

Category C vendor embedded, IMS 0, High risk tier, Irreversible consequence.
CRS = 3 × 6 × 4 = 72 — Red. And a Rule 9 violation: Category C cannot host High-tier irreversible workflows. The CRS calculation is moot — deployment is blocked by Rule 9 before the band is considered.

"The Circuit Risk Score is a forcing function. If the number is ugly, you have three levers: raise maturity, lower consequence, or lower risk. Paperwork is not a lever."

The Six KPIs

The score ratchets on evidence, and the evidence ratchets on measurements. CIRCUIT standardizes six KPIs. Each one maps to a question that matters in an incident.

01
Circuit Size
How many features does the circuit for a given behavior use? Smaller is more readable. OpenAI's weight sparse transformers showed circuits 16× smaller than dense baselines.
02
Edge Count
How many feature-to-feature connections are in the circuit? A circuit with 200 edges can be walked by a human reviewer in an afternoon. 50,000 cannot.
03
Monosemanticity
Does each feature represent one concept, or many? A feature firing on "Python list comprehensions" at 0.92 purity is monosemantic. 0.55 is the transitional minimum (labeled at all); 0.70 is the reliability target for primary safety monitoring. Scores in [0.55, 0.70) are admissible at High tier only with compensating controls logged and the gap to 0.70 tracked as remediation.
04
Robustness
Does the circuit hold under adversarial perturbation? Does the refusal circuit survive a jailbreak prompt? Below 0.70 robustness, the circuit documentation does not correspond to the model's actual computation under adversarial conditions and cannot be relied on as a safety control.
05
Stability Across Versions
Does the circuit survive a model update? A stability score above 0.80 means the circuit is still present and still monosemantic after the update.
06
ACFR
Adversarial Circuit Failure Rate: count of P1 security incidents per model-quarter in which a monitored safety circuit was bypassed or functionally defeated. A count, not a ratio; not normalized by traffic. High-tier expectation is 0. Rule 7 trigger: ACFR ≥ 1 in any model-quarter forces Red band.

KPI Floors at High Tier

The six KPIs require baselining for all deployments. For High-tier models, the following minimum thresholds apply:

KPIWhat It MeasuresFloor (High Tier)
Circuit SizeNodes per decision circuit≤ 100 nodes (with summarization tooling)
Edge CountConnections per circuit≤ 500 edges
MonosemanticityOne concept per feature≥ 0.55 transitional / ≥ 0.70 target
RobustnessCircuit holds under attack≥ 90% robust
StabilityCircuits survive model updates≥ 75% stable
ACFRP1 safety-circuit bypasses per quarter0 (count; Rule 7 at ≥ 1)
Leading vs. Lagging

Monosemanticity, Robustness, and Stability are leading indicators. ACFR is the lagging indicator that keeps everyone honest — a count of P1 safety-circuit bypasses per model-quarter. If ACFR is zero across your fleet for three straight quarters, your circuits are monitored. If a single bypass lands, Rule 7 engages immediately.

The Three Model Categories — and Honest Ceilings

Category A
Open Weights, Self-Hosted
5
IMS Ceiling
Llama, Gemma, Qwen, Mistral, DeepSeek. You have the weights. No excuse.
Category B
API / Foundation Model
3
IMS Ceiling
OpenAI, Anthropic, Google Gemini, Cohere, AWS Bedrock. No weights access — post-hoc only.
Category C
Embedded Vendor AI
2
IMS Ceiling
Atlassian Intelligence, Slack AI, GitHub Copilot, MS 365 Copilot, Salesforce Einstein GPT.

"Category C is where most of your AI actually lives. It is also where you have the least visibility. Rule 9 does not ban embedded vendor AI. It bans giving embedded vendor AI the car keys."

The Ten Hard Rules

The ten rules are the binding part of CIRCUIT. They are short on purpose.

  • 01Every deployed model gets a registry entry with identity, owner, risk tier, IMS, and CRS, before it serves a single production request.
  • 02IMS is evidence, not assertion. A level claim requires the named artifacts on file in the registry.
  • 03CRS drives the approval ladder. Green auto-approves; Amber requires AIGC review; Red requires CISO and AIGC sign-off; Purple is not deployable. Consequence floor: any deployment at DCW ≥ 4 (Irreversible or Catastrophic) on a High- or Critical-tier model is governed at no less than Red, regardless of computed CRS.
  • 04Six KPIs are baselined before production and re-measured on every material update.
  • 05Every material model update triggers a new registry version and a stability KPI measurement.
  • 06Circuit-aware (not behavioral-only) red team: semi-annually for High- and Critical-tier models, annually for Moderate-tier, not required for Low-tier.
  • 07ACFR ≥ 1 in any model-quarter forces a Red band transition, a mandatory governance review within 30 days, and Purple-band escalation if ACFR is not declining at subsequent reviews within the 180-day remediation clock. ACFR is a count of P1 safety-circuit bypasses per model-quarter — not a ratio. High-tier expectation is 0.
  • 08Vendor Transparency section is not optional. Partial responses receive IMS credit proportional to the sections answered. If a vendor has not responded within 60 days of two documented outreach attempts, the non-response is recorded in the registry and CRS uses IMS 0 until a response is received.
  • 09Category C models cannot host High-tier autonomous or irreversible workflows. Period.
  • 10Registry entries are preserved for the regulatory retention horizon — a minimum of three years.
Start Here

If your organization can live by exactly one of these rules this quarter, make it Rule 1. Everything else becomes tractable once the registry exists.

The Registry — Eight Sections, YAML, Git-backed

The registry is not a new tool. It is a schema. The reference implementation is YAML because your platform team can diff YAML in pull requests. The eight sections, in order:

  1. Identity. Model name, version, vendor, category (A, B, or C), owner, business process, upstream dependencies, hosting location, data classification of inputs.
  2. Maturity. Current IMS, evidence inventory (artifact names, hashes, dates), history of level transitions.
  3. Circuit Inventory. Named circuits relevant to the use case. For each: size, edge count, monosemanticity score, and link to the artifact.
  4. KPI Baseline. The six KPIs with measurement date, methodology, thresholds, and current values. Time series.
  5. Vendor Transparency. "Show Me Your Circuits" responses with Acceptable, Partial, or Unacceptable coding for each of the 29 questions.
  6. Red Team. Latest circuit-aware red team report, MITRE ATLAS technique coverage, findings, remediation status, next scheduled engagement.
  7. Compensating Controls. For any model in Amber or Red, the specific controls reducing residual risk.
  8. Lifecycle. Deployment date, material update log, planned retirements, rollback procedures, incident history with ACFR contributions.
YAML Schema — Example Entry
circuit_registry_entry:
  version: "1.1.0"

  identity:
    name: "fraud-classifier-v3"
    vendor: "internal"
    category: "A"           # open weights, self-hosted
    risk_tier: "High"
    owner: "security-team@company.com"
    consequence: "Automated"

  maturity:
    ims: 3
    evidence:
      - artifact: "fraud_sae_gemma3_9b_v3.pkl"
        type: "sparse_autoencoder"
        date: "2026-03-15"

  kpi_baseline:
    circuit_size: 142
    edge_count: 318
    monosemanticity: 0.87
    robustness: 0.82
    stability_across_versions: 0.91
    acfr_last_quarter: 0     # count of P1 safety-circuit bypasses this quarter

  crs:
    calculated: 27        # 3 × (6-3) × 3 = 27  (High=3, deficit=3, Automated=3)
    band: "Amber"

The Dashboard — Four Views, One Data Model

The dashboard is a reference implementation, not a product. Four views:

  • Fleet view. Every model on one page, plotted on a CRS × IMS grid, colored by band. Dot size equals consequence weight.
  • Per-model deep dive. One model, all eight registry sections rendered. KPI time series with thresholds overlaid.
  • Executive summary. One-page PDF render per month. Five numbers, one chart, one list.
  • Regulatory posture. Each row is a framework requirement; each column is a model; each cell shows the evidence link. Auditors love this view.

"The point of the dashboard is not to be pretty. The point is to make the next question your board asks be the right question."

Next: Part 3, "How to Adopt It," ships the adoption playbook, the vendor questionnaire, the regulatory crosswalks, and the open release details.

Read Part 3 →