Why a Persistent Semantic Layer Is the Strongest Defense Against AI Worms

June 5, 2026

The New York Times ran a story this week that should change how every company thinks about where its data sits. Researchers at the University of Toronto, led by Nicolas Papernot, built a working prototype of an AI-powered computer worm and watched it spread across their isolated test network on its own, with no human in the loop. The worms of twenty years ago exploited one flaw the same way on every machine, which is why people eventually learned to patch them. This one reasons. It studies each machine it lands on and writes a fresh attack tailored to that specific machine. Papernot's point is that there is no single fix you can push out to stop it, because it is never doing the same thing twice.

The detail that earned the headline is that the worm runs on an open-weight model, the kind anyone can download for free. No company can restrict how it gets used. That genie is out, and it is not going back in.

I want to take this where the article only points. A worm spreads from machine to machine because moving is how it gets to its target, and the target is your data. Stealing it, deleting it, holding it for ransom is the entire reason any of these programs exist. WannaCry took 300,000 machines hostage across 150 countries in 2017 and demanded bitcoin. The machines were the road. The data was the payday.

The worm gets to be a worm. That part is settled. The thing left to decide is what it reaches when it does.

Where your data lives right now

Today your data lives in someone else's building. You run QuickBooks, Salesforce, Gmail, and Microsoft 365, etc and every one of those keeps your records pooled inside its own infrastructure alongside millions of other customers. The walls around that infrastructure might be high. There is one set of them, and behind them is everybody. A worm that breaches the wrong layer inside one of those environments is not reaching one account. It is reaching the population that store holds. One break, everyone exposed.

That concentration is what makes a large attack worth running. Why chase one company when the same effort behind the same wall delivers all of them. The centralized cloud is concentration by design, and concentration is exactly what a cheap, self-tailoring, autonomous worm wants to find.

Now follow the worm's own logic from the paper. It cannot run on the weak machines, laptops, printers and cameras. It uses those to travel and propagate while it hunts for a powerful machine to operate from. The powerful machines are the servers. The servers pool the data. And those servers run, overwhelmingly, on Linux, which is one of the operating systems the worm is built to attack. The operating system it is built to attack is also the operating system that runs much the servers where everyone's data is kept together.

You cannot make Linux perfect. You cannot secure every laptop, printer and camera on a network. You cannot recall an open-weight model that is already on the internet. The endpoints will get hopped no matter what you do. The only thing you control is whether the destination at the end of all that movement is worth the trip.

Changing the shape of the target

A persistent semantic layer changes the destination. Instead of your meaning living scattered across a dozen vendor clouds where it sits pooled with everyone else's, it lives in a foundation you own, isolated to you. At the personal level that is the PSL. At the organizational level it is the OSL. The architecture runs each one in its own container, sealed off, holding one person's or one organization's resolved context and nothing else.

The issue was never whether a worm can touch a machine. Of course it can. The issue is whether touching that machine hands it a path to spread, a concentrated pile of data to monetize, or the authority to alter the foundation. In this architecture those are the three things it does not get.

The worm loses the ability to spread. It propagates because the machines can reach each other. Get into machine A, reason out an attack on machine B, jump, repeat. Per-user containers do not connect to one another and do not share a store. Break into one and the next machine the worm wants to hop to is not there. The chain is cut.

Importantly; it loses the payday. The worm needs a concentrated store to make the attack worth launching, and there is no concentrated store to find. Each foundation is one entity, isolated. The giant shared target the worm is hunting does not exist in this architecture.

The worm loses the ability to act on the data even if it sits on a single foundation and stares at it. The model in this design is a proposer with no unilateral write authority. Every consequential change passes a human approval gate, validation sits in front of the foundation, and provenance makes any tampering traceable and correctable. A worm can propose damage. It cannot commit it.

What that adds up to

I am calling this the perfect wall, and I mean something different by it than the word usually carries. A wall keeps things out, and a defense built on never being breached is a bet you eventually lose, because someone gets through and the damage is done. This one holds up the other way around. It assumes the breach and makes the breach worthless. Reach a host and there is no machine to spread to, no concentrated store to monetize, and no authority to write to the foundation. Getting in buys nothing. That is the sense in which it is perfect, and I mean it by the only test that counts. The question is not whether an AI worm can land on a machine. It is whether an AI worm can do worm harm, and in a persistent semantic layer the answer is no.

The property holds whether you are a person, a small business, or an enterprise. Today a breach at the wrong layer inside Salesforce can reach many customers at once, because the enterprise never owned the room its data sat in. The customer thinks of its data as its own, but architecturally it lives inside someone else's pooled environment. Hold the foundation yourself and the attack has to come for you specifically, on your own boundary, with nothing else behind it to take.

The Toronto researchers are right that we are entering an era where attacks tailor themselves and spread without a hand on the wheel. The defensive answer is not a better wall around a bigger pile of everyone's data in one place. The answer is to stop keeping everyone's data in one place at all. Take away the concentration and you take away the reason the worm was ever pointed at you.

Previous
Previous

I Found it, Dad

Next
Next

Seeing the Forest and the Trees