Controlling AI Models from the Inside

Summary of Controlling AI Models from the Inside

by Practical AI LLC

43mJanuary 20, 2026
Listen to Episode

Overview of Controlling AI Models from the Inside

This Practical AI episode (hosted by Daniel Whitenack and Chris Benson) features Ali Khatri, founder of RINX, discussing a model-native approach to AI safety: instrumenting and intervening inside models at runtime (rather than only filtering inputs/outputs). The conversation covers Ali’s background in large-scale safety infrastructure (Meta, Roblox), the limitations of current “guardrail” approaches, interpretability/mechanistic interpretability, RINX’s technical approach and efficiency claims, and practical advice for organizations aiming to reduce model abuse and align behavior with context-specific policies.

Guest background

  • Ali Khatri: ~8 years in ML for safety/anti-abuse.
  • Past roles: built safety infra at Meta (large-scale filters for messaging) and anti-fraud systems at Roblox.
  • Founded RINX to address the vulnerability of safety models themselves and to build “security for AI” (model-native safety).

Key topics and definitions

  • Guardrails: general term for prompt/response filters or static checks (e.g., regex, classification of inputs/outputs).
  • Interpretability: umbrella field for understanding internal model behavior; includes explainability (why a decision was made in human terms) and mechanistic interpretability (which model subcomponents produce certain outputs).
  • Jailbreaks / adversarial examples: inputs crafted to make generative models produce disallowed or harmful outputs.
  • Defense in depth: using multiple complementary layers (input/output filters, model-layer defenses, system-level checks).

Main takeaways

  • External filters (prompt/response) are necessary but insufficient: they only see inputs/outputs, so many adversarial/jailbreak cases escape detection.
  • Instrumenting model internals at runtime provides visibility into the sub-regions or activation patterns that produce harmful outputs, enabling earlier detection or intervention.
  • RINX’s approach sits on top of off-the-shelf models (no retraining required) and instruments internal states, enabling model-native safety without requiring customers to replace or fine-tune their primary model.
  • Economically and latency-wise, RINX claims a major improvement: replacing the need for large external guard models (e.g., extra 8B param model or many extra GPUs) with a tiny safety module (claimed ~20M parameters) that matches or exceeds guard-model performance while adding negligible latency.
  • Customization matters: safety must be context-specific (banking vs. healthcare vs. customer service); one-size-fits-all safety is not enough.

How the approach compares (external guardrails vs. internal instrumentation)

  • External guardrails:
    • Pros: easier conceptual model, established (prompt/response filters, classification), already used by major vendors.
    • Cons: limited visibility, high cost/latency for multimedia (video/audio), brittle to new jailbreak strategies and model mismatch (guard model A can’t perfectly predict model B).
  • Internal instrumentation:
    • Pros: detects harmful behavior patterns earlier by monitoring model activations; much lower compute overhead (per claims); enables fine-grained, context-specific interventions; applicable to edge/low-resource deployments.
    • Cons/considerations: technical complexity, research-and-engineering effort to identify reliable internal signals; productization and integration details are proprietary.

Practical advice / starting points for organizations

  1. Clarify unacceptable content and contextual risks:
    • Identify non-negotiable universal risks (e.g., child safety, illegal instructions).
    • Enumerate context-specific risks (money laundering in banking, medical misinformation in healthcare, IP leakage for design firms).
  2. Use a defense-in-depth strategy:
    • Continue with input/output filters and static checks.
    • Add model-layer signals where possible (instrumentation) to catch latent/jailbreak patterns.
    • Combine model signals with system-level signals (user history, transaction patterns) to make composed decisions.
  3. Favor solutions that allow:
    • Deployment with existing off-the-shelf models (no mandatory retraining).
    • Low-latency and low-cost operation for production and edge use.
    • Customization to company policies and regulatory requirements.
  4. Monitor and iterate:
    • Collect misuse examples and use them to refine detection/intervention thresholds.
    • Measure false-positive/false-negative tradeoffs and tune for your use case.

Notable quotes / analogies

  • Apartment building analogy: external checks are like checking IDs at the gate—useful but insufficient; you need cameras and monitoring inside hallways too.
  • Bank robbery analogy: bad actions are preceded by detectable behaviors (planning/searching); intercept earlier instead of only stopping at the final act.
  • “AI for security vs. security for AI” — two distinct domains: using AI to secure systems vs. making AI systems themselves secure.

RINX’s product-positioning and technical claims

  • Sits as a safety layer on top of existing models (works with off-the-shelf LLMs and generative models).
  • Claims to achieve comparable-or-better safety than standalone guard models while using far fewer parameters (~20M extra vs. billions) and avoiding extra inference latency/compute.
  • Designed for customization to company- or domain-specific policies (e.g., blocking mentions of competitors, domain-sensitive blocks).
  • Emphasizes enabling model adoption in regulated fields like healthcare by offering model-native safety and data protections.

Future outlook & recommendations

  • Runtime, model-layer safety will become an essential complement to input/output guardrails for broad adoption of generative models across regulated industries.
  • Expect more work in mechanistic interpretability to identify robust internal signals tied to disallowed behaviors.
  • Organizations should plan for hybrid safety stacks (guardrails + model instrumentation + system-level rules) and evaluate solutions based on cost, latency, customization, and proven detection efficacy.

Actionable next steps for listeners

  • Inventory: list universal undesirables and context-specific risks for your use case.
  • Evaluate your current guardrails: where do they miss edge cases or cause prohibitive latency/cost (especially for video/audio)?
  • Explore model-layer safety options that do not require modifying core models and that support low-latency deployments.
  • Pilot a layered approach: combine existing filters with model-instrumentation metrics and system-level signals to measure effectiveness and false-positive rates.

For more on the episode and guest: see the Practical AI show notes at practicalai.fm; guest referenced their company RINX (Ali Khatri). The episode also notes Prediction Guard as a partner (predictionguard.com).