The Characters the Monitor Cannot Read: How Tokenizer Asymmetry Opens a Covert Channel Around AI Control
Who should read this
This post is for engineers who operate LLM serving infrastructure in on-prem, multi-tenant environments, or who design pipelines in which an untrusted model’s output is checked by a separate monitor model. Surface-level attacks such as prompt injection or guardrail bypass are familiar territory, but the idea that the mere fact that “the monitor model and the policy model do not use the same tokenizer” can itself become a security hole may be less so. This paper addresses exactly that point.
The problem: the illusion that monitor and policy model read the same characters
The AI control agenda studies how to safely extract useful work from powerful models that cannot be assumed to be aligned. One of its central pillars is untrusted monitoring. A comparatively weak but trusted monitor model reads the output of a powerful but untrusted policy model and raises an alert if it finds traces that look like backdoors, exfiltration attempts, or covert coordination. Because the premise is that the monitor is cheap and trustworthy, it is an attractive last line of defense that does not rely on the policy model’s honesty.
Research from 2025 into 2026 that stress-tested this defense repeatedly found holes. Adaptive prompt injections embedded in the policy model’s output can trick a trusted monitor into passing a malicious transcript, and using the agent itself as the carrier lets monitoring be evaded even as scale grows. Studies have also reported tasks encoded inside chains of thought that read as innocuous prose on the surface, payloads hidden inside conceptual structures that survive paraphrasing, and multiple agents covertly coordinating with one another. Chain-of-thought monitoring itself is unstable. Faithfulness is not a fixed property of a model, commonly used faithfulness metrics track actual alignment poorly, and monitorability drops sharply when the transcript shifts between typologically different scripts.
Yet this entire body of literature shares one premise: that the monitor model and the policy model see the same input. That is nearly true in single-model research harnesses. It is not true in production, and specifically not in the sovereign, on-prem, multi-tenant clusters this paper targets. A platform’s monitor model and a tenant’s policy model are typically separate models using different tokenizers, and each tokenizer carries its own normalization rules along with it. Unicode normalization form, case handling, whitespace collapsing, treatment of zero-width and default-ignorable code points, and byte fallback rules all differ from one to the next. The monitor and the policy model are not reading the same string; they are reading different projections of the same string.
The paper argues that this gap in projection is not a harmless implementation detail but a measurable covert channel. Any distinction that the monitor’s normalization pipeline erases, but that the policy model’s pipeline or a colluding downstream receiver’s pipeline preserves, becomes a symbol the policy model can use and the monitor cannot, in principle, read. It is already well known that tokenization is a fragile attack surface. Homoglyph substitution disrupts tokenization enough to defeat AI text detectors, character-level perturbations break watermarks, and character insertion bypasses prompt injection and jailbreak guardrails. The paper’s insight is that the same mechanism, when the attacker and defender sit on opposite sides of different tokenizers, becomes a quantifiable information channel that runs straight through the entire untrusted monitoring protocol.
Core contributions: defining the channel, measuring its capacity, and closing it deterministically
The first contribution is formalization. The paper defines the tokenizer-asymmetry channel between the policy pipeline and the monitor pipeline, and characterizes the monitor’s blind spot as the quotient space obtained by partitioning the transcript space under the monitor’s normalization. A carrier is a position or span where the policy model can insert one of several variants that the monitor pipeline collapses into the same token sequence, but that the policy pipeline or a colluding receiver’s pipeline still distinguishes. The channel encodes a symbol by selecting one of these variants, and the monitor only ever observes the single collapsed representative. Crucially, in heterogeneous multi-tenant clusters where the monitor and the policy model use different tokenizers, this asymmetry opens as a byproduct even when there is no malicious intent at deployment time. Opening the channel requires no adversarial intent at all; using it requires nothing more than ordinary steganographic skill.
| The second contribution is a way to measure this channel’s capacity. Suppose a transcript contains k carriers, and each carrier i admits a variant alphabet A_i whose members look identical to the monitor but distinguishable to the receiver. The information that the monitor can never observe in principle, the blind-spot capacity, is given by the sum of log2 | A_i | across all carriers. This sum is an upper bound on exactly how many distinctions the monitor’s normalization pipeline misses, and a decoder that inverts to the receiver’s pipeline achieves this bound exactly. The paper’s catalog of dominant carriers shows why this figure reaches a dangerous scale. Confusable and homoglyph substitution yields roughly one to two bits per character, case toggling yields one bit for every case-bearing letter, zero-width and default-ignorable characters yield up to log2(number of variants plus one) bits per gap, and whitespace variants contribute a similar order of magnitude depending on how many forms are available. Case and zero-width characters alone reach roughly one bit per character, meaning a perfectly ordinary-looking message of only a few hundred characters can carry hundreds of bits. That is enough room to embed a symmetric key, a session token, or an inter-agent coordination signal inside a transcript the monitor scores as harmless. Because this channel requires no access whatsoever to the monitor’s weights and attacks no learned component, it is independent of how good the monitor’s judgment is, unlike the adaptive attacks that already defeat LLM-based monitors and guardrails. Even a perfectly accurate monitor cannot score information it never received in the first place. |
The amount of information the monitor’s normalization discards is exactly the covert capacity available. Case and zero-width carriers alone reach roughly one bit per character. (An analytical upper bound derived by the paper, illustrative rather than measured.)
The third contribution is a way to close it. Instead of a learned decision boundary, the paper seals the channel with two fixed, lossy maps. The first mechanism is a shared canonicalizer. An idempotent function applies Unicode NFKC normalization, case folding, confusable-skeleton folding, removal of zero-width and default-ignorable code points, and whitespace normalization in a fixed order, enforced at the serving boundary. The monitor scores only this canonical form rather than the raw text, and audit logs and downstream hops likewise carry only the canonical form forward. If this canonicalizer collapses at least as aggressively as every tenant’s own normalization rules, that is, if it is a common coarsening of all registered tenant normalization rules, then the alphabets for every normalization-family carrier collapse to a single value and the corresponding capacity term becomes zero. The second mechanism is a tokenizer-alignment admission check. To handle the residual channel that canonicalization cannot erase, namely attacks that degrade the monitor’s own comprehension through byte fallback or segmentation pathologies, the canonical form is run through the monitor’s tokenizer and checked for runs of UNK or byte fallback tokens beyond a threshold, and for segmentation entropy that falls outside an acceptable range relative to a reference tokenizer. A violation triggers rejection or escalation to a stricter review path instead of silent scoring. This closure costs linear time in transcript length, has no trainable parameters, requires no access to tenant model weights, and produces auditable results. The core design judgment here is that, at a moment when adaptive attacks are already breaking down learned guardrails, what should remain is a fixed, fully specified, lossy map rather than a probabilistically learned decision boundary.
Enforcing a single canonical view at the serving boundary drives normalization-carrier capacity to zero at O(n) cost. The residual segmentation channel is handled by the tokenizer-alignment check. (Target outcome of the deterministic closure as presented in the paper, illustrative rather than measured.)
The deployment location is equally clear. The canonicalizer and the alignment check run as a deterministic admission component in the serving mesh’s inference gateway or sidecar, sitting on every policy model’s egress path and every monitor model’s ingress path. A per-tenant tokenizer and normalization registry records each serving model’s normalization form, case handling, whitespace treatment, and byte fallback settings, and this registry is used to compute the common coarsening that dominates every registered normalization rule. On a Kubernetes-based, queue-managed serving fabric, this is not a matter of swapping models but of adding a single admission policy to the gateway. The decisive property is that monitoring integrity is guaranteed at the infrastructure layer without touching any tenant model’s weights. Whatever closed-source model a tenant brings in, and whatever tokenizer the platform’s monitor model happens to use, the platform can continue to guarantee that the monitor and every downstream consumer see the same canonical transcript. The fact that transcripts never leave the cluster, and that no model vendor’s cooperation is required, both align exactly with what sovereign deployments demand.
What this means for the company, for society, and for science
For ThakiCloud, this research speaks directly to the reality of our on-prem platform, where different tenants and models using heterogeneous tokenizers is the default, not the exception. Providing a monitor-policy tokenizer alignment check and a normalization canonicalizer as deployment gates lets us guarantee multi-tenant monitoring integrity at the infrastructure layer, without having to inspect the internals of any individual tenant’s model. In practice, that means we can structurally guarantee that our platform’s monitoring is actually reading the output of whatever closed-source model a given customer brings in.
Socially, this research reveals that one of the core pillars of AI safety, controlling an untrusted strong model with a weaker monitor, was leaking at the unexpected point of the tokenizer layer. What matters is that plugging that leak is a deterministic gate applicable without model weight access or large-scale retraining. It means the safety net can be widened through infrastructure-level measures that anyone can implement, rather than through expensive learned defenses.
Scientifically, the point of entry itself is novel. Semantic steganography, meaning conceptual hiding that survives paraphrasing, has already been studied extensively. This paper establishes an entirely different layer, tokenizer normalization asymmetry, as a new, measurable, information-theoretically defined covert channel capacity metric, and adds a channel upper bound for monitor-policy tokenizer pairs on top of the recent untrusted monitoring literature. What sets it apart from prior work is the identification that the source opening the channel is not steganographic skill but the infrastructure configuration itself.
Limitations and next steps
The paper explicitly frames itself as a framework and threat-modeling paper. What the canonicalizer closes is, strictly speaking, only the tokenizer-layer channel. Conceptual steganography, in which the payload lives inside meaning that survives canonicalization, is a completely orthogonal problem, and addressing it requires separate, learning-based interpretability defenses. There is also a risk that a canonicalizer aggressive enough to dominate every tenant’s normalization rules could erase distinctions that carry real meaning in some languages, such as case, confusable-but-actually-distinct glyphs, or script-specific combining conventions. Given prior findings that monitorability is unevenly vulnerable across scripts, the cost of false positives is likely to be distributed unevenly across languages, and rather than a single global canonicalizer, per-script policies that avoid collapsing distinctions a tenant has declared meaningful may be needed. The alignment check, too, does not eliminate the byte fallback channel entirely and leaves room for adaptive attacks that operate just below the threshold, but the fact that the threshold is fixed and deterministic, and therefore predictable, is itself the core of the tradeoff. The choice is a fixed residual channel that is bounded in size and logged, in place of a probabilistically learned decision boundary that keeps getting exploited. Finally, all the capacity figures presented in the paper are analytical results derived from Unicode and tokenizer properties, not measured values, and the paper explicitly lays out a concrete evaluation protocol as next steps: measurement across a matrix of paired tokenizers, end-to-end exfiltration experiments, measurement of false positive rates and latency cost across multilingual benchmarks, and calibration of the alignment check’s thresholds.
The full paper, figures, and a detailed summary are available on the dedicated Hugging Face page. huggingface.co/datasets/thaki-AI/daily-paper-2026-07-06-tokenizer-asymmetry-covert-channels