On Quantum Mechanics, Entropy, and the Only Honest Way to Secure AI

There is a particular kind of intellectual dishonesty that runs through most enterprise AI security discourse. It sounds like this: make the model predictable, constrain its outputs, define its guardrails, control the variables. The implicit promise is that with enough engineering discipline, you can reduce an AI system to something deterministic — something you can reason about the way you reason about a firewall rule.

We named our firm Quantropic because we believe this promise is not just wrong. We believe it is the wrong question entirely.

Quantum and Entropy: Two Words That Mean the Same Uncomfortable Thing

The name Quantropic is a compound. Quantum, from the Latin quantus — how much — the foundational unit of discreteness in physics. Entropy, from the Greek tropē — transformation — the thermodynamic measure of disorder, uncertainty, and the irreversible flow of information.

They are, at their deepest level, two faces of the same epistemic challenge: nature does not permit perfect knowledge, and any system that pretends otherwise accumulates hidden risk.

Quantum mechanics, in its most rigorous formulation, does not describe particles. It describes probability amplitudes — complex-valued functions whose squared moduli yield the likelihood of a measurement outcome. Before measurement, a system exists in superposition: not in an unknown state, but genuinely in multiple states simultaneously. The act of observation collapses the wavefunction into a single outcome, irreversibly. This is not a limitation of our instruments. It is the structure of reality.

Entropy, in the information-theoretic sense Shannon formalized in 1948, is the expected amount of information produced by a probabilistic source. High entropy means high uncertainty, high surprise, high information content. A perfectly predictable system has zero entropy and, paradoxically, carries no information at all. The most information-rich systems are precisely those we cannot fully predict.

Both concepts point toward the same conclusion: uncertainty is not a defect to be engineered away. It is fundamental.

Heisenberg and the AI System You Think You Control

Werner Heisenberg’s uncertainty principle states, in its standard formulation, that the position and momentum of a particle cannot both be known with arbitrary precision simultaneously. More precisely:

$$\sigma_x \cdot \sigma_p \geq \frac{\hbar}{2}$$

The product of the standard deviations of position and momentum measurements is bounded below by a constant. This is not a statement about measurement clumsiness. It is a statement about the mathematics of Fourier conjugate pairs: a wavefunction that is highly localized in position space must, by the mathematics of the transform, be broadly distributed in momentum space. The two cannot simultaneously be sharp.

The parallel to AI systems is not metaphorical. It is structural.

A large language model is, at its core, a probability distribution over token sequences conditioned on context. When you attempt to make its behavior more precisely constrained along one axis — say, by narrowly defining acceptable output formats — you are, in effect, trying to localize it in one dimension of a vast, high-dimensional probability space. The uncertainty does not disappear. It redistributes. The model becomes less predictable in adjacent dimensions: edge cases multiply, emergent behaviors appear in contexts you did not test, adversarial inputs find new attack surfaces along the newly compressed boundaries.

This is not a failure of alignment engineering. It is a consequence of the geometry of the space the model inhabits. You cannot fully localize an LLM’s behavior without destroying the very generalization capability that makes it useful. The uncertainty is load-bearing.

Security engineers who have spent careers thinking about deterministic systems find this deeply uncomfortable. In traditional application security, you can enumerate the attack surface, patch the vulnerability, verify the fix. The system before and after the patch is the same system, modulo one well-defined change. An AI system under adversarial pressure does not behave this way. Fixing one prompt injection vector redistributes the probability mass — the model’s implicit completion space shifts. You have changed the wavefunction. You have not eliminated the uncertainty.

Entropy as Security Primitive

Thermodynamic entropy and information entropy are unified by Ludwig Boltzmann’s relation and later formalized by Edwin Jaynes into a coherent framework: entropy is a measure of missing information, of the degrees of freedom a system possesses that we have not constrained.

In AI security, entropy appears everywhere you look:

In training data. The entropy of a model’s training corpus determines the complexity of the representations it builds. Low-entropy training data — narrow, curated, homogeneous — produces models with low generalization, brittle behaviors, and high sensitivity to distribution shift. But high-entropy training data produces models whose behavior space is correspondingly vast and difficult to audit.

In model weights. The information content of a large model’s parameter space is immense. Mechanistic interpretability research has shown that individual capabilities are distributed across layers and heads in ways that resist clean decomposition. You cannot audit a neural network the way you audit source code, because the functional structure does not map cleanly to the physical structure.

In inference. Temperature parameters, nucleus sampling, and beam search are all explicit entropy controls on the generation process. Security-focused deployments typically reduce temperature toward zero, seeking determinism. But low-temperature generation amplifies certain attack vectors — it makes outputs more predictable to an adversary as well as to the operator. A deterministic model is a model with a discoverable output function. That is not obviously safer.

In adversarial inputs. Prompt injection, jailbreaks, and indirect injection attacks all exploit the same entropic property: the model’s probability distribution can be shifted by carefully chosen inputs that move the probability mass toward attacker-desired outputs. This is, mathematically, an entropy manipulation attack. The attacker is not breaking the model. They are steering its wavefunction.

The Wrong Approach: Commanding Certainty Into Existence

Most enterprise AI governance frameworks share a common architecture. They attempt to reduce AI system behavior to a set of rules, constraints, and guardrails that, if properly engineered, will produce safe and predictable outputs. This is the deterministic paradigm applied to a probabilistic system.

The failure mode is not that the rules are wrong. The failure mode is that rules-based constraint creates an illusion of control that is more dangerous than acknowledged uncertainty. A CISO who believes their AI deployment is fully governed by a 47-page acceptable use policy has not made their organization safer. They have made it confident in a way that is not epistemically warranted.

The Heisenberg analogy extends further here. Attempting to measure the security state of an AI system — to audit it, red-team it, certify it — necessarily interacts with the system. Red-teaming changes the model’s operator context. Fine-tuning for safety changes the weight distribution. Every intervention is simultaneously a measurement and a perturbation. The observer effect is not metaphorical in AI security; it is operational.

Organizations that demand deterministic guarantees from probabilistic systems are asking nature for something nature will not provide. When nature refuses, they typically respond by adding more rules. The rules accumulate. The gap between the rule set and the actual behavior space widens. The system becomes ungovernable not because it is too uncertain but because the governance model is wrong.

The Quantropic Approach: Training for Uncertainty

Our firm’s foundational premise inverts the standard question. We do not ask: how do we make this AI system predictable enough to govern? We ask: how do we build organizations that are competent to operate under irreducible uncertainty?

This is not a philosophical preference. It is an engineering requirement.

The companies that will build durable, secure AI cultures in the next decade are not the ones with the most comprehensive AI policies. They are the ones whose people have internalized a probabilistic mental model of AI system behavior — who understand that a model’s output is always a sample from a distribution, that the distribution shifts with context, that adversarial inputs are attempts to steer that distribution, and that security is therefore a continuous statistical process rather than a binary compliance state.

This means training security teams to think in probability, not in rules. It means teaching product teams that a model that passes 10,000 red-team scenarios still carries unquantified residual risk in the scenarios that were not tested. It means helping executives understand that AI governance is closer to portfolio risk management than to software patching — you manage exposure, you do not eliminate it.

It means, in short, learning to work with entropy rather than against it.

Why This Is the Harder Path, and Why It Is the Only Viable One

There is a reason the deterministic paradigm is dominant. Rules are auditable. Compliance frameworks can be checked. A governance policy can be signed off by a board. Uncertainty cannot be signed off. Probability distributions are not comfortable deliverables for a quarterly risk report.

But the alternative — pretending that a stochastic system has been made deterministic through sufficient constraint — produces organizations that are miscalibrated about their actual risk exposure. They are not safer. They are more surprised when things go wrong, because they had already resolved the uncertainty in their mental model before the system resolved it in reality.

The uncertainty principle does not care about your governance framework. The entropy of a production LLM does not decrease because you wrote a policy. What changes, with the right organizational culture, is the capacity to detect distributional shifts early, respond to them without panic, and make good decisions under conditions of irreducible uncertainty.

That is the capability we build. That is what the name means.

Quanttropic stands for the fundamental discreteness of what we can know. AND the transformation that happens when you stop fighting that fact, and start building with it.

Wulf Schulz is Founder of Quantropic.ai with more then 30 years experience in cybersecurity research. He has specialized in AI security since 2018. He advises organizations on AI governance, pre-deployment security frameworks, and the structural risks of deploying probabilistic systems in enterprise environments.