https://gfrm.in/categories/decision-theory/Recent content in Decision-Theory on Guy FreemanHugoenTue, 09 Jun 2026 00:00:00 +0000https://gfrm.in/posts/openclaw-cheaper-and-harder-to-fool/Tue, 09 Jun 2026 00:00:00 +0000https://gfrm.in/posts/openclaw-cheaper-and-harder-to-fool/<p><a href="https://github.com/openclaw/openclaw">OpenClaw</a> makes tool calls all day, and two kinds of them deserve more scrutiny than they get. The first merely costs money: the agent runs a call it has already run — same tool, same arguments, same session — because nothing in its loop is keeping score. The second is worse: a prompt injection in something the agent read persuades it to carry untrusted data into a consequential action, and an address that arrived inside a document it was summarising turns up as the recipient of a forward.</p>https://gfrm.in/posts/credence-pi-pass-2/Mon, 08 Jun 2026 00:00:00 +0000https://gfrm.in/posts/credence-pi-pass-2/<p>In <a href="https://gfrm.in/posts/credence-pi-pass-1/">the last post</a> I built a governance layer for a coding agent&rsquo;s tool calls: a <em>body</em> that hooks the agent&rsquo;s <code>tool_call</code> event, extracts a few features, and dispatches ask, proceed, or block; and a <em>brain</em>, a Julia daemon that holds a belief and maximises expected utility. The commitment that held it together was that the brain is opaque to the body. The wire carries observations and named actions and nothing else, so the brain can change how it reasons without the body ever knowing.</p>https://gfrm.in/posts/credence-pi-pass-1/Tue, 05 May 2026 00:00:00 +0000https://gfrm.in/posts/credence-pi-pass-1/<p>There is a coding agent — <em>pi</em>, the AI tool I use to write code — and it makes tool calls all day. It runs <code>bash</code>, edits files, opens HTTP requests, queries databases. Most of what it wants to do is fine. Some of it isn&rsquo;t. The question I have been circling for months is: who decides which is which, and how, and on what basis?</p> <p>The current answers are unsatisfying. The agent&rsquo;s own RLHF disposition decides — but I have no visibility into the function it&rsquo;s optimising. A static rules file decides — but a static file cannot improve from observation. A human (me) decides — but a human cannot stay in the loop on every tool call without becoming the bottleneck. None of these are <em>learning</em> about the agent&rsquo;s behaviour from the agent&rsquo;s behaviour. None of them treat the question as what it actually is: a sequential decision problem under uncertainty about the agent&rsquo;s intent and its capacity to do harm.</p>