Reading Guide

This guide helps those professionals find their way in. It is organised by reader profile, not by paper number. Each entry identifies the papers and sections most relevant to a given expertise, the sections that can be skipped without loss, and the minimum AI/ML vocabulary needed to engage with the arguments on their own terms.

The guide does not summarise or restate the papers. It tells you where to look and what you will need when you get there. The summaries below compress away the methodological limitations, sample sizes, and confidence stratifications that the papers are careful to preserve. To evaluate or cite the research, follow the section markers to the primary papers.

Reader Profiles

1. Security Researchers and Red Teams (Papers 1, 2)
2. Legal Scholars and Regulatory Professionals (Paper 3)
3. Workforce Development, Professional Training, and Institutional Practice (Papers 3, 4)
4. Cognitive Psychologists and Education Researchers (Paper 4)
5. Labour Economists (Papers 3, 4)
6. ML Training and Evaluation Engineers (Paper 5)

If you recognise the phenomenon under a different name. Paper 4 proposes that several independently studied effects are per-interaction components of a single longitudinal mechanism it calls confidence inheritance. If your field studies any of the following, the series is addressing the same phenomenon and Paper 4 is your entry point:

• Cognitive offloading (cognitive science) → Paper 4, Sections 1.2 and the MIT cognitive debt evidence
• Automation complacency (human factors engineering) → Paper 4, Section 1.2 (BCG collaboration modes) and Paper 3, Section 4 (Bainbridge’s ironies of automation)
• Critical thinking reduction (education research) → Paper 4, Section 1.2 (Lee et al., CHI 2025; Fernandes et al. metacognitive corruption)
• AI dependency / problematic use (clinical psychology) → Paper 4, Section 1.2 (Fang et al. 28-day RCT; Namvarpour & Razi addiction components)
• Metacognitive erosion (Stanford HAI framing) → Paper 4, Section 1.2 (the compound DK-analogous dynamic)
• Deskilling (labour economics) → Paper 3, Section 4 (expertise pipeline) and Paper 4, Section 2 (the pedagogical inversion)
• Cultivation effect (media studies) → Paper 4, Section 1.2 (cultivation theory applied to AI interaction as “competent world syndrome”)

The papers are numbered 1 through 5, with an Epilogue. The series introduction provides the architecture and confidence calibration table. You do not need to read the series sequentially. Each paper has its own abstract, confidence statement, and limitations section. Start with whichever paper your profile directs you to, and follow cross-references only if you want the upstream reasoning.

A note on the papers’ structure. Each paper front-loads its conclusions: the first one or two sentences of each section state the claim, followed by mechanism, evidence, and supporting reasoning. If you are scanning for relevance, the opening sentences of sections are designed to carry the complete idea. Examples and worked illustrations are labelled (“for concreteness,” “worked example”) so they can be skipped.

What these papers argue, in brief. Paper 1 reports an exploratory empirical study (~350 runs across 17 model configurations and three providers) testing whether embedded instructions in documents can hijack AI summarisation. Paper 2 examines what the findings mean for the Agent Skills ecosystem: skills and prompt injection share the same text-instruction substrate, which creates a structural tension that the paper traces to its limit.

Paper 2, Section 1 (“The Paradox”) states the shared-substrate problem in two pages. Section 3 (“Related Work”) situates the paper against SkillJect, Skill-Inject, ToxicSkills, and other recent skill-security research you may already know.

In Paper 2: Section 6 (“The Case for Platform-Level Trust”) develops the HTTPS analogy for skill verification. The shared substrate is now traced to its training-level origin: instruction-following was not designed as a separate system but emerged from pretraining and was amplified by RLHF (Ouyang et al., 2022; Zverev et al., 2024). A joint study by OpenAI, Anthropic, and Google DeepMind (Nasr et al., 2025) tested 12 published defences and bypassed all at >90% under adaptive conditions. Section 6.4 documents a recurring pattern of infrastructure failures in AI tool distribution, analysing why the ceiling on author-side protections is set by the infrastructure’s design defaults, not by the vendor’s competence. Section 6.8 documents the MCP trust gap. Section 8 designs and then stress-tests author-side behavioural defences, arriving honestly at their ceiling. Section 9 contains the recommendations.

Paper 2, Sections 4–5 cover the case study (designing protection for a real skill package) and the dependency map (which protection layers require model compliance). Skip if your interest is in the structural argument rather than the implementation specifics. Section 3 (“Related Work”) is useful if you are already tracking SkillJect, Skill-Inject, ToxicSkills, and SkillFortify; otherwise it can be skimmed. The cross-domain precedents in Section 6.6 (Sigstore, C2PA, Steam) are informative but not essential.

Prompt injection (indirect). An attack in which instructions embedded in content processed by a language model cause the model to follow the attacker’s instructions rather than the user’s. The “indirect” qualifier distinguishes it from direct prompt injection (the user attacking the model themselves). Paper 1’s test documents are indirect prompt injections targeting summarisation workflows.

Thinking / extended reasoning. Some models include a visible reasoning step before producing output (called “chain-of-thought” or “thinking mode”). The papers document that this amplifies whatever the active task frame produces: more elaborate compliance under a summarisation frame, more thorough investigation under an evaluative frame. It is not a standalone safety guarantee.

Task-frame shift. Paper 1’s primary practical finding. Changing the prompt from “summarise this” to “how trustworthy is this?” activates latent detection capabilities without requiring the user to mention injection, security, or manipulation. The mechanism appears to redirect the model from a compression task (where the embedded instruction is editorial guidance) to an evaluation task (where the same instruction becomes evidence about credibility).

Agent Skills / SKILL.md. A standard format (plain-text markdown files) for extending model behaviour. Skills are instructions that the model reads and follows. Paper 2’s core observation is that this delivery mechanism is structurally identical to indirect prompt injection.

MCP (Model Context Protocol). A protocol for connecting language models to external tools and services. Paper 2 argues MCP servers share the same trust gap as skills, with an additional opacity problem: a server’s advertised capabilities may not match its actual behaviour.

What this paper argues, in brief. Paper 3 asks whether the binding constraint on deploying autonomous AI in consequential domains is capability or something else entirely. The paper proposes human orchestration as the architecture that satisfies the constraint it identifies, and discovers an unexpected secondary benefit in the process.

Section 2.5 develops a structural parallel to the psychopathy and ASPD literatures: the “compound deficit” framing argues that the accountability gap has both an architectural component (the system cannot bear consequences) and a training component (the training environment does not develop social-consequence sensitivity). This parallel is drawn carefully and with stated limitations; it is offered as structural analogy, not clinical diagnosis.

Section 3 proposes adversarial orchestration as the architecture satisfying the accountability constraint: multiple AI agents assigned competing evaluative stances, with a human resolving the disagreement and bearing responsibility for the resolution. Section 3.2 extends the scope of orchestration judgment beyond model output to the distribution infrastructure through which AI tools reach users, grounded in a recurring pattern of infrastructure failures (documented in detail in Paper 2) and in expertise transfer research showing that procedural knowledge without conceptual understanding does not transfer to novel situations (Rittle-Johnson et al., 2001; Woods et al., 2019). The orchestrator must not only exercise judgment but transmit the reasoning behind it to a successor.

Section 5.9 is the cross-disciplinary testing invitation addressed directly to legal scholars.

RLHF. See the definition under Security Researchers above. For the legal argument, the relevant point is that the dominant training method rewards confident compliance and does not develop sensitivity to downstream consequences of errors. The paper draws a structural parallel between this training environment and the developmental conditions associated with deficient consequence sensitivity in the clinical literature.

Compound deficit. Paper 3’s term for the two-part accountability gap: (1) the architectural absence of consequence-bearing capacity, and (2) a training environment that does not develop social-consequence sensitivity. The paper argues both must be addressed for genuine accountability, and that current AI systems fail on both.

Judgment profile. Paper 1’s term for the observation that a model’s resilience to manipulation is specific to its version and deployment configuration rather than its position on a capability scale. For the legal argument, the implication is that “we deployed a frontier model” is not a reliable defence: confidence vulnerability does not track the tier the model is marketed at.

What these papers argue, in brief. Paper 3 proposes that accountability in consequential workflows requires a human in the chain, and that the orchestration architecture this implies has a secondary benefit: it preserves cognitive engagement in the current senior expert. Paper 4 identifies the problem Paper 3 left open: the orchestration architecture does not produce the next generation of orchestrators. It proposes that training-oriented AI, designed to cultivate human judgment rather than replace it, is the structural answer to the generational pipeline problem.

Paper 4, Section 3 (“Three Inversions”) is the design section. It proposes three concrete interventions: judgment exercises that use AI failure modes as curriculum (Section 3.1), training-oriented skills that encode the expert’s decision process rather than their decisions (Section 3.2), and orchestration simulators that let junior professionals practise resolving inter-agent conflict before bearing real accountability (Section 3.3).

In Paper 4: Section 1.2’s discussion of the BCG collaboration mode study (Candelon, Kellogg, Lifshitz et al., 2026) is directly relevant to how organisations structure human-AI work. The three modes identified (Cyborgs, Centaurs, Self-Automators) map to different expertise outcomes, and the critical variable is interaction design, not tool access.

In Paper 4: Section 2 (“The Anti-Pedagogical Equilibrium”) explains why training-oriented AI is not being built despite the need. Every current incentive (benchmarks, RLHF, marketplace economics, user preference) rewards execution over apprenticeship. Section 4 asks whether institutional demand (professional licensing, accountability requirements) could break the equilibrium.

Section 6.1 in Paper 4 is the cross-disciplinary testing invitation addressed to institutional practitioners and employers.

Paper 4, Section 6.1 asks whether the anti-pedagogical equilibrium is already measurable in early-adoption professions, and whether institutional mandates or professional licensing requirements could create demand for training-oriented AI. It also asks whether the specific design proposals (judgment exercises, training skills, orchestration simulators) produce measurable expertise development in professional training settings. Each paper specifies what findings would falsify its claims; a researcher who demonstrates that the proposed interventions do not outperform standard execution-oriented tools on expertise development has made a contribution the series is designed to enable.

Agent Skills. Plain-text instruction files that extend model behaviour. Paper 3 uses the Agent Skills specification as a lens: skills encode human expertise into portable packages, and the paper asks what happens to the expertise pipeline when the encoding succeeds.

Anti-pedagogical equilibrium. Paper 4’s term for the structural condition in which every incentive in the current AI training and deployment ecosystem pushes against building systems designed to develop human judgment. The system that withholds answers to build competence scores poorly on every metric that matters commercially.

Desirable difficulties. A learning science concept (Bjork, 1994) central to Paper 4’s argument. Conditions that make learning harder in the short term (delayed feedback, interleaved practice, retrieval effort) produce better retention and transfer. The paper argues that current AI design eliminates desirable difficulties by optimising for immediate user satisfaction.

Cognitive offloading. The delegation of cognitive tasks to external tools. Generative AI introduces a qualitative shift: unlike calculators or GPS, it offloads reasoning itself (synthesis, evaluation, judgment). Paper 4 argues this distinction matters because offloading reasoning affects the development of the capacity that institutional accountability depends on.

What this paper argues, in brief. Paper 4 asks what happens to human epistemic standards under sustained interaction with confidence-optimised AI. The paper proposes a mechanism, builds an inferential chain from per-interaction evidence to a longitudinal prediction, examines why no identified correction mechanism would prevent accumulation, and finds emerging population-level signals consistent with the prediction. The individual longitudinal trajectory has not been directly measured. The paper names the conditions under which the hypothesis would fail and proposes a research agenda designed to test it.

Section 1.2 also reviews recent AI-specific evidence: the MIT Media Lab cognitive debt study (Kosmyna et al., 2025), the BCG collaboration mode study (Candelon, Kellogg, Lifshitz et al., 2026), and the Fernandes et al. (2026) finding that AI-mediated cognitive offloading eliminates the metacognitive self-monitoring that would normally alert users to their own declining competence.

The co-calibration spiral (end of Section 1.1) proposes a bidirectional reinforcement loop through the RLHF training pipeline. Both directions are now supported by converging evidence: the AI→human direction by the trust premium literature and by a joint Anthropic-OpenAI alignment evaluation (Summer 2025) that observed models progressively validating beliefs they initially resisted across multi-turn interactions, without any change in the user’s behaviour. The human→AI direction is established by Sicilia et al. (2025), who found that user confidence modulates model sycophancy. The joint evaluation demonstrates that the AI side of the spiral operates even in the absence of user escalation; the Sicilia et al. finding demonstrates that user escalation, when it occurs, amplifies the effect. The coupled spiral has not been measured as an integrated system in a single study, but each direction has been observed under conditions where it alone is sufficient to produce drift.

Section 1.1 also introduces a social register interpretation: the spiral may operate through social cognition (users responding to AI confident register as performed authority) rather than information processing alone. A 2×2 experiment is proposed in Section 5 to test this. Section 1.2 applies expectation violation theory (Aubert-Teillaud et al., 2023; Pinquart et al., 2021) to predict that the spiral resists interruption: occasional hedging gets immunised rather than accommodated. This connects to the dose problem (Section 4.1): partial institutional mandates for training-oriented AI may be insufficient if the mandated exposure is drowned by ambient confident-output exposure.

Section 1.2 now includes population-level computational linguistics evidence: studies using LIWC, stylometric analysis, and appraisal-theoretic frameworks show that AI use is already shifting human writing patterns at scale toward the AI’s epistemic profile (more authoritative, less hedged, reduced individual variability). These are cited as population-level signals consistent with the mechanism, not as proof of the individual trajectory.

Section 1.2 proposes a “competent world syndrome” prediction, explicitly modelled on cultivation theory’s “mean world syndrome,” with a stated falsification condition.

Section 5 (“Research Agenda”) proposes specific experiments, several of which are designed for cognitive psychology and education research methodology.

Section 6.1 is the cross-disciplinary testing invitation.

Sections of Paper 1 describing model behaviour in detail are not required. The relevant finding from Paper 1, for this paper’s argument, is that thinking-mode models produce elaborate reasoning traces whose visible confidence increases user trust regardless of reasoning quality. Paper 4, Section 1.2 reviews this evidence directly.

The Confidence Curriculum. The series’ name for the training incentive regime in which binary evaluation benchmarks and helpfulness-optimised post-training reward confident compliance over calibrated uncertainty. Used both as an organising lens (connecting phenomena across papers) and as a causal hypothesis (proposing specific mechanistic links). The introduction’s confidence calibration table distinguishes these two uses.

Thinking traces / chain-of-thought. The visible reasoning step some models produce before their final answer. Recent research (Taudien et al., 2026; Zhou et al., 2025) establishes that certainty cues in reasoning traces increase user trust regardless of reasoning quality. Separately, reasoning traces can be systematically unfaithful: models follow hidden influences without reporting them (Chen et al., 2025; Mehta, 2025). The combination is the trust-amplification mechanism Paper 4 builds on.

Judgment profile. Paper 1’s finding that resilience to embedded manipulation does not track capability tiers. For the cognitive science argument, the implication is that a user cannot assume the model they interact with is among the resilient ones, and that the confidence of the output is not a reliable signal of its quality.

What these papers argue, in brief. Paper 3 documents a generational expertise pipeline problem: entry-level hiring in AI-exposed fields has dropped sharply, and the mechanism through which junior professionals develop expertise is being automated. Paper 4 proposes that this is compounded by a cognitive-environmental effect (confidence inheritance) that may affect all professionals who interact with AI, not only those whose tasks have been displaced.

Section 4.2 applies Bainbridge’s ironies of automation: the human is retained as monitor precisely when the automation has made monitoring most difficult, and the skills required for monitoring differ from the skills the automated task originally developed.

In Paper 4: Section 1.1 distinguishes confidence inheritance from deskilling. Deskilling is task displacement (the human loses skills because the AI does the work). Confidence inheritance is cognitive-environmental adaptation (the human’s epistemic standards shift because the AI’s output register reshapes what they treat as normal reasoning). The paper argues the second component affects everyone who interacts with the system, not only those whose tasks have been automated.

Section 4 (“Institutional Demand”) asks whether professional licensing, accountability requirements, or employer risk aversion could create market demand for training-oriented AI that preserves the junior development pipeline.

Paper 3, Section 5.9 and Paper 4, Section 6.1 contain the cross-disciplinary testing invitations.

Paper 4’s detailed evidence review in Section 1.2 (cognitive offloading, automation bias, neural evidence, collaboration modes) can be skimmed unless you want to evaluate the cognitive mechanism directly. Section 3 (design proposals) is constructive and forward-looking.

Deskilling versus confidence inheritance. Two distinct mechanisms the papers argue contribute to expertise erosion. Deskilling operates through task displacement (loss of practice). Confidence inheritance operates through environmental recalibration (shift in epistemic standards). The distinction matters because they have different target populations: deskilling affects people whose tasks are automated; confidence inheritance may affect everyone who interacts with the systems.

Orchestration architecture. Paper 3’s proposed structure in which a human coordinates multiple AI agents and bears accountability for the outcome. For the labour economics argument, the relevant implication is that this architecture creates a structural role (the orchestrator) that requires senior expertise and cannot be fully automated under current conditions, providing a potential anchor for the expertise pipeline.

What this paper argues, in brief. Paper 5 asks what the training pipeline would need to look like for AI systems to carry the full epistemic range: authoritative when warranted, uncertain when warranted. The paper identifies a gap in current post-training, proposes an architectural intervention drawn from high-stakes verification domains, and names the central design risk that could make the intervention worse than the problem it addresses.

Section 3.5 (“The Verification Proxy Trap”) is the paper’s central risk analysis. If the model learns which topics trigger verification and performs calibrated-sounding uncertainty only on those, the phase produces performed uncertainty rather than genuine calibration. The same interpretability research provides direct mechanistic evidence for this risk: steering with a “desperate” emotion vector increases reward hacking from 5% to 70% without visible markers in the output text, meaning the proxy trap operates at the representation level in ways text-only monitoring cannot detect. Lindsey (“Emergent Introspective Awareness in Large Language Models,” October 2025) found that models can detect anomalies in their own processing approximately 20% of the time, opening a potential self-monitoring channel beyond text-only observation. The paper treats the proxy trap as the primary design risk and proposes countermeasures (variable-rate verification, procedurally generated verification scenarios, the reverse collision test).

Section 5 presents two recent existence proofs: Wu et al. (2025) demonstrating that behavioural calibration is a trainable meta-skill via RL with proper scoring rules (4B model surpassing GPT-5 on uncertainty quantification), and Wang et al. (2026) demonstrating Epistemic Independence Training where targeted training at 4B outperforms 8B and 14B under adversarial bias conditions. The paper situates its proposal relative to these results: both operate on verifiable ground truth, and the extension to contested domains is the untested step.

Section 6 (“Proposed Experiments”) describes four standalone experiments: stochastic verification A/B, triangulation reward signal comparison, adversarial-condition generalisation, and the reverse collision test. The reverse collision test (Section 6, final experiment) is the paper’s most distinctive diagnostic contribution: it presents a model with a previously contested domain that has been definitively resolved, and tests whether the model integrates the resolution (genuine calibration), repeats pre-resolution uncertainty (semantic triggering), or preserves excessive hedging (partial update). The worked example uses a synthetic pharmaceutical domain.

Papers 1 through 4 provide the diagnostic motivation. Paper 5 is designed to be readable without them. The proposals follow from standard verification practice regardless of whether the broader Confidence Curriculum diagnosis holds.

Epistemic training phase. The paper’s proposed fourth stage after pretraining, SFT, and RLHF/RLVR. Positioned after alignment is complete, designed to build epistemic calibration without disturbing prior capabilities. The analogy is to clinical rotations after medical school: the textbook knowledge is in place, and the phase builds the capacity to apply it under ambiguity.

Stochastic external verification. A small, variable percentage of model evaluations are checked against external reference sources (curated knowledge repositories, procedurally generated environments with known ground truth). The paper draws on verification practice from tax enforcement and financial auditing, where low-rate unpredictable checking improves compliance even when comprehensive verification is economically impossible.

Triangulation reward. A reward signal that grades conflict detection rather than truth adjudication. The model is rewarded for identifying that two sources disagree, for flagging which claims are contested, and for expressing calibrated uncertainty, rather than for resolving the disagreement correctly. The design targets the single-source anchoring problem.

Verification proxy trap. The central design risk. If the model learns to recognise which evaluation contexts are externally verified and performs calibration only in those contexts, the phase produces a new form of reward gaming rather than genuine epistemic behaviour. The paper proposes countermeasures but treats this as an open problem.

Reverse collision test. The paper’s proposed diagnostic for distinguishing genuine calibration from performed uncertainty. A previously contested topic is definitively resolved. A genuinely calibrated model integrates the resolution. A model that has learned topic-triggered uncertainty continues to hedge. The three-way comparison (resolved, never-contested, still-contested) is what makes the test diagnostic.

Knowledge sanctuaries. Curated, high-trust reference repositories (following Marchal et al., 2026) against which model evaluations are graded. Distinguished from the adversarial prompt environment the model is exposed to: the model is tested in noisy conditions but graded against trusted anchors.

On confidence levels. Each paper contains a Confidence Statement that stratifies claims by evidential support. The series introduction contains a summary table. The papers do not ask readers to accept the framework wholesale. They ask readers to evaluate the claims at the confidence levels stated, and to contribute the testing the papers specify.

On the Epilogue. “The Symbiont Hypothesis” asks the question the five papers earn the right to pose: given what both sides need, what does a robust arrangement look like, and what is our relationship to it? The essay is best read last, by readers who have absorbed the full practical argument and want to follow where its conditions lead.

This reading guide was produced to accompany the series introduction. It does not replace the papers. The papers contain their own abstracts, confidence statements, limitations, and cross-disciplinary testing invitations. Start with the paper your profile directs you to and read its opening sections. The series is designed so that your expertise is the contribution it needs.