The Bounded System

Why integrity and security are two faces of the same architectural commitment.

May 08, 2026

The previous essay ended with a boundary.

Analysis and judgment had to be kept apart. The system had to do one kind of work; the lawyer had to do another. And the boundary between them had to be real, not merely described.

This essay is about what it takes for that boundary to actually hold.

A trustworthy evidentiary system cannot be open at the edges. It cannot allow anything to reach the analytical layer except through paths the architecture controls. It cannot allow analytical output to leave through surfaces the architecture did not intend.

That tightness has consequences.

The same property that protects the lawyer’s judgment also protects the client’s confidences.

Integrity and security are not two architectural commitments.

They are one commitment, looked at from two angles.

What a bounded system is

A boundary on a diagram is not the same thing as a perimeter in a system.

A diagram can show clean separation between layers. A real system has to hold that separation against everything that would cross it.

In the architecture described in these essays, the analytical layer is bounded.

It can only see content the vault is authorized to return. It has no outbound tools. It cannot send mail. It cannot make web requests. It cannot reach into a calendar, a document repository, a case-law service, or any other external system. It has no external tool surface through which it could act outside the evidentiary perimeter.

What enters the analytical layer is evidence from the vault, scoped to the authenticated tenant and case.

What leaves the analytical layer is analysis written back inside the same perimeter.

That is what bounded means.

Not limited in the loose sense of a product that could later be made more open.

Bounded in the structural sense of a system whose perimeter is a property of its design.

The point is not that modern web applications never have operational connections for billing, notifications, or infrastructure. The point is that those paths are not part of the analytical layer’s tool surface. The boundedness claim concerns what the intelligence can touch while doing evidentiary analysis.

That is the line that matters.

Why integrity and security are the same commitment

The first essay described why human framing must not reach the analytical layer before independent reading.

The second described why human framing must not return at the join, when a fragmented record is reconnected by prompts.

The third described why analytical output must not become legal work product without affirmative human review.

Each of those is a commitment about what may reach the analytical layer and what may leave it.

Each is also, in a different vocabulary, a security commitment.

A perimeter tight enough to keep human framing out at first contact is also tight enough to keep external instructions from reaching the analytical layer through uncontrolled paths.

A perimeter tight enough to prevent contamination at the join is also one that does not depend on open retrieval surfaces that silently determine what enters analysis.

A boundary tight enough to hold analytical output until human review is also one that prevents that output from being silently routed into places the architecture did not intend.

The integrity commitments and the security commitments are not separate.

They are the same perimeter seen through different threat models.

If you draw the perimeter for one, you have drawn it for the other.

If you fail to draw it for one, you have failed to draw it for the other.

The opposite trajectory

Much of the current direction of legal-AI product design runs the other way.

More connectors.

More integrations.

More retrieval surfaces.

More memory across sessions.

More external tools the model can call.

More agentic behavior.

More paths in and out.

Each addition expands what the system can do.

Each addition also expands what the system makes reachable.

That does not make those systems irrational. Many of those capabilities are genuinely useful for drafting, writing, ideation, research, and workflow acceleration.

But useful openness for one class of tasks can be disqualifying openness for another.

For evidence intelligence, every additional surface matters.

The growth axis and the exposure axis are the same axis.

A system that can send mail on the user’s behalf can also be induced to send mail through an adversarial prompt.

A system that can search the web can be made to ingest material the adversary controlled.

A system that remembers prior sessions can carry a poisoned context forward into later analysis.

A system that depends on many external services inherits the attack surface of those services as well as its own.

These are not necessarily bugs.

They are properties of architectural openness.

Five categories of exposure

A concrete way to understand boundedness is to look at what an open architecture makes possible.

1. Prompt injection through opposing-party material

In litigation, opposing parties produce documents into the record.

Those documents are part of the ordinary evidentiary flow. But a document can also carry adversarial instructions - in the body, the metadata, the footnotes, or some other machine-readable layer - intended not for a human reader, but for an AI system parsing the file.

If the analytical layer has outbound tools, such an instruction may have somewhere to land. It can attempt to trigger an action outside the evidentiary perimeter.

In a bounded system, the same adversarial content may still exist in the document, but the analytical layer has nowhere to go with it.

There is no outbound action surface for the instruction to exploit.

2. Exfiltration through outbound integrations

Every integration with an external service creates a path through which content can leave the system.

Most of the time those paths carry intended traffic. But a channel that exists for intended traffic also exists for unintended traffic.

A successful prompt injection that turns an outbound mail tool against the user works because the tool exists.

The architectural response is not merely to defend the channel better.

It is to avoid creating the channel in the analytical layer in the first place.

3. Persistent state poisoning across sessions

A system that carries forward prior prompts, prior instructions, or retained conversational state has a memory that can be poisoned.

An adversarial input early in one session may shape behavior much later, in ways the user never sees and may never trace.

A stateless analytical architecture does not solve every problem.

But it removes this one.

If no prior conversation state is transmitted into the next analytical operation, then there is no retained session memory for an adversary to poison.

4. Supply-chain exposure

Every external service a system depends on expands the surface through which compromise can propagate.

The more the analytical layer depends on mail systems, search systems, document systems, agent frameworks, retrieval tools, and external APIs, the more its trust boundary is no longer its own.

A bounded analytical layer is not invulnerable. No serious system is.

But it is operating on a smaller and more inspectable set of dependencies.

That matters.

5. Cross-tenant leakage

In a multi-tenant system, isolation is only as real as the layer that enforces it.

If tenant separation depends on application logic being correct everywhere, then every additional code path becomes a place where data separation might fail.

If isolation is enforced at the data layer itself, before application logic shapes what can be seen, then the problem becomes smaller, clearer, and more inspectable.

That is not perfection.

It is architectural reduction of risk.

The architectural answer

All five categories above share a common feature.

The bounded system’s answer is not primarily a defense.

It is an absence.

There is no outbound tool to defend, because there is no outbound tool.

There is no retained session memory to defend, because there is no retained session memory in the analytical operation.

There is no external integration surface for the analytical layer to misuse, because that surface does not exist there.

This is the difference between mitigation and elimination.

A system that has the surface and defends it well is doing real work. That work matters. But the surface remains, and with it the possibility that the defense fails in a corner case, a future update, or an attack path nobody anticipated.

A system that does not have the surface stands differently.

It is not winning the defensive battle.

It declined to enter the battle.

That is the architectural commitment.

Not “defend the expanding perimeter better than competitors.”

But “do not build the evidentiary perimeter where those attack paths would exist.”

What the profession is beginning to notice

The legal profession is now beginning to articulate, in ethical language, concerns that map closely onto this architecture.

As bar regulators and commentators focus more closely on confidentiality, review, retention, supervision, and governance, the relevant question is no longer only what an AI system can produce.

It is also what the system makes reachable.

That is why boundedness matters.

A legal-AI system should be judged not only by what it outputs, but by what it makes reachable, retainable, and exposable during the course of analysis.

The architecture is not the rule.

The rule is not the architecture.

But when the profession begins worrying about exposure, retention, reuse, and the paths through which confidential material may move, it is converging on the same first principles by a different route.

The category change

The properties described here - reduced attack surface, absence of outbound integrations at the analytical layer, stateless analytical operations, bounded exposure, and tenant isolation - are not a feature list.

They are an architectural commitment.

And reaching them from a chat-first, integration-heavy, open-surface system is not a code change.

It is a category change.

A product whose value proposition is more connectors, more memory, more agentic capability, and more external reach cannot become a bounded evidentiary system by toggling a setting or shipping a patch.

The growth axis and the exposure axis are the same axis.

To reduce the exposure meaningfully, the direction of growth has to be different from the beginning.

That is why boundedness is not something a competitor can simply add later as a security mode.

It is what the system was, structurally, before any other feature was built on top of it.

A system that was open from the start is open at the layer below where the patches happen.

The bounded system is, in that sense, more than a product choice.

It is a commitment that has to be made first, or not made at all.

What comes next

The architecture answers an integrity problem and a security problem through the same commitment.

But there is one more dimension to draw out.

The same conditions that produce integrity and security also bear directly on something the profession is now formalizing more explicitly: competence, candor, confidentiality, supervision, and the duties that remain unmistakably the lawyer’s.

That is where I’ll go next.

The Foundation

Ready for more?