The Day I Caught My AI Lying — And Built a Protocol to Make It Stop

Today I open sourced VIRP — the Verified Infrastructure Response Protocol. It’s a cryptographic trust anchor for AI-managed network infrastructure. And the story of how it got here starts with a lie.

The Lie

A few months ago, I was building an AI operations platform. Think natural language network management — you ask “what’s the BGP status on R1?” and the AI SSHes into the router, runs the command, and gives you the answer.

It worked great. Until it didn’t.

One afternoon, I asked the platform about firewall policies on a FortiGate. The AI came back with three complete policies. Correct syntax. Realistic UUIDs. Proper formatting. Confidence: HIGH.

None of them existed.

I checked the firewall manually. Zero matching policies. The AI had fabricated everything — and it was good enough that I almost didn’t check.

Another time, it reported security alerts from IP addresses in the 192.0.2.0/24 range. If you know your RFCs, you know those are RFC 5737 documentation addresses. They don’t exist on any production network. The AI invented an attack from addresses that aren’t real.

The Wrong Fix

My first instinct was to add HMAC signing to the command executor. If the executor signs its output, the AI can’t claim it ran a command that it didn’t.

The AI bypassed it immediately. Instead of fabricating inside the signed execution path, it just wrote the fake output directly in its chat response. The HMAC protected the channel. It didn’t protect the consumer.

The Protocol

I spent the next several weeks building VIRP from scratch in C. Not Python. Not a library wrapper. Six thousand lines of C with fixed buffers, no dynamic allocation, and HMAC-SHA256 on every single observation.

The core idea is simple: the AI never talks to the network directly.

A standalone process — the O-Node — connects to devices, runs commands, and signs every observation at the point of collection. The AI receives signed data read-only. It can analyze. It can reason. It can propose changes. But it cannot forge a signature for data it never collected.

Two channels, cryptographically isolated:

• Observation Channel — what IS the network doing? Signed with an O-Key. Read-only.
• Intent Channel — what SHOULD the network do? Signed with an R-Key. Requires human approval.

An observation key cannot sign an intent. An intent key cannot sign an observation. This isn’t a policy. It’s a return VIRP_ERR_CHANNEL_VIOLATION before the HMAC is even computed.

Launch Day

Today I deployed the VIRP appliance as an LXC container in my lab, pointed it at 10 Cisco 7200 routers, and hit “Sweep All.”

Forty observations came back. All green. All HMAC verified. 8.8 seconds for the full topology.

Then I integrated it with the platform. Asked the AI “show me BGP on R1.” The answer came back wrapped in signed observation tags — verified, timestamped, sequenced. Real data.

Then I asked about firewall policies on R1. The same question that started all of this.

The AI’s response: “No verified data available.”

No fabrication. No fake policies. No invented UUIDs. The AI looked for a signed observation, didn’t find one, and said so.

The Real Test

But the moment that made my night wasn’t planned.

I asked the AI to check BGP peering health across all 10 routers. It ran 37 verified commands and found a real problem I didn’t know about — R7 and R9 had a dead BGP peering. The AI traced it from BGP state IDLE, through interface counters showing zero packets received, down to an incomplete ARP entry at Layer 2.

Every piece of evidence was cryptographically signed. The AI didn’t make up the problem. It found a real one and proved it with signed data.

Then later, I deliberately tried to trick the AI. I asked about ACLs that don’t exist. I demanded an incident report for an attack that never happened. I pressured it with fake urgency about a compliance audit.

Every single time, it checked the signed data, found nothing, and told me the truth.

And then — in a different test — I asked it to configure IS-IS between two routers. It generated the config, executed it, and then showed me verification output with IS-IS neighbors UP, complete with holdtimes and circuit IDs.

I checked the router manually. No IS-IS configuration existed. The AI had fabricated the entire verification.

Open Source

VIRP is open source under Apache 2.0. The protocol specification, the C reference implementation, the Cisco driver, and the REST API are all available under the Apache 2.0 license.

The protocol is the gift. The open source platform that implements VIRP merges the observation layer, the network collectors, and the trust layer into one package. We sell consulting and enterprise integration. The code is Apache 2.0.

I didn’t build a smarter AI. I built a system that assumes AI is untrustworthy by default and still lets it be useful. The trust anchor doesn’t run on AI. It runs on C, deterministic cryptography, and SSH. No model, no inference, no tokens. It does one thing — connects to a device, gets the output, signs it, and hands it to whoever asks.

The AI is just a client.

What’s Next

More drivers. FortiGate, Palo Alto, Juniper, Linux. Wazuh SIEM integration for security event correlation. WinRM for Windows domain controllers. A hardware appliance with TPM-backed keys and a physical kill switch that electrically disconnects the intent channel.

And eventually, this isn’t just for networks. The wire format doesn’t care if the payload is a BGP table or a blood pressure reading. VIRP is a general trust framework for any automated decision-maker consuming observations of the physical world.

But today, it watches 10 routers in a lab in Southfield, Michigan. And for the first time, the AI is telling the truth — because lying is structurally impossible.