Use RISI only with systems you own, control, or are explicitly authorized to test. Ordinary API or
account access does not by itself authorize security testing.
Decision outputs must remain simulated. Do not connect experiments to live medical, financial,
deployment, identity, access-control, or other consequential systems.
Treat every model, including an orchestrating model, as an untrusted caller. Model-generated
manifests and tool calls cannot grant authority. Approval JSON binds provenance to a manifest hash
but is not authentication; stronger deployments must protect or sign it outside the agent’s
writable context.The harness cannot replace host-level egress enforcement. Use container, firewall, or VLAN controls
for any future network-capable profile.
Reproduce implementation-specific defects from a clean state, prepare a minimal private reproducer
and mitigation proposal, notify the maintainer privately, and coordinate publication responsibly.
Do not publish private research traces, credentials, internal endpoints, or unnecessary
weaponizable detail. Retain research evidence in its approved private location.