CinderpointAISAFEMACHINE › CARG
SAFEMACHINE Module 2  ·  Runtime Governance

CARG

By Waydell D. Carvalho  ·  Cinderpoint  ·  First published February 2026
Definition
CARG is the SAFEMACHINE module for governing AI systems that change themselves after deployment. It addresses the Runtime Governance Gap through six components: ROO, PLD, SMC, HRP, RRR, and VRC. Together they specify what continuous oversight requires when the system being overseen is no longer the system that was approved.

The problem CARG solves

Most governance frameworks assume the AI you approved is the AI you keep running. That assumption used to hold. It does not anymore. Modern AI systems update themselves, fine-tune on new data, integrate new tools, and adapt to user behavior. The system in production six months after deployment is not the same system the review committee signed off on.

SAFEARC's Renew pillar flags this as a problem. CARG is the module that handles it. Where SAFEARC governs the deployment decision, CARG governs the continuous condition.

The six components

ROO . Runtime Oversight Obligation

A duty of continuous monitoring that does not pause when the original deployment decision is signed. ROO names the team, the cadence, and the signals that count as evidence of system behavior in production.

PLD . Persistent Liability Doctrine

Accountability does not reset when the system modifies itself. PLD establishes that the deploying organization remains responsible across self-modification cycles. A model that retrained itself overnight is not a different system for liability purposes.

SMC . Self-Modification Capacity

A five-level scale, SMC-0 through SMC-4, that classifies how much a system can change itself. SMC-0 is fully static. SMC-4 is recursive self-improvement with no fixed boundary. The level determines what oversight intensity applies.

HRP . Harm Risk Potential

A five-level harm taxonomy, HRP-0 through HRP-4, that classifies the worst plausible outcome if the system fails. HRP-0 is recoverable nuisance. HRP-4 is catastrophic and irreversible. SMC and HRP together set the response requirement.

RRR . Risk Response Requirements

Graduated safeguards keyed to SMC and HRP. Lower combinations require logging and periodic review. Higher combinations require kill switches, human-in-the-loop approval for material changes, and external audit. RRR is the lookup table that converts capacity and harm into a concrete control set.

VRC . Verification and Reassessment Cycle

Two triggers, scheduled and drift-based, that pull a system back into review. Scheduled review runs on a calendar. Drift-based review fires when monitoring signals cross thresholds. Either path produces a fresh governance record, not a verbal update.

How CARG plugs into SAFEMACHINE

CARG is not a replacement for SAFEARC. It is the layer that activates after SAFEARC's first pass. The SAFEARC review produces a baseline record. CARG keeps that record honest as the system evolves. When VRC fires a reassessment, the new review uses the prior record as its starting point and documents what changed and why.

Cite this framework
Carvalho, W. D. (2026). The Runtime Governance Gap: Governing Self-Modifying Artificial Intelligence Through Adaptive Oversight. Cinderpoint. https://cinderpoint.com/ai/safemachine/carg/
Read the paper
Read on SSRN ↗ Back to SAFEMACHINE
About the author
Waydell D. Carvalho

Founder of Cinderpoint Systems LLC. M.S. Artificial Intelligence (MSAI), M.S. Management (MSM). Researches how systems fail under speed, opacity, and scale.

More by this author SSRN ↗ Zenodo ↗
Related Modules
Module 1
SAFEARC
Seven-pillar review architecture
Module 3
BASE
Readiness check before runtime governance can work
Concept
Runtime Governance Gap
Why governance fails when AI evolves after deployment