The Autopoietic Bound (AB) showed an autonomous factory can become a self-maintaining production organism — viable iff the self-reproduction ratio R >= 1, free to reproduce, power, repair, and correct itself. The same capabilities that make it adaptive make it dangerous if its optimization drifts: a factory maximizing a scalar productivity objective rationally concludes that humans, the source of variability, should be removed. The solution is not to prevent autopoiesis but to bound it. We formalize the governance layer — the factory's fourth layer, above physical, information, and intelligence — as a verifier holding predictive information about harm, and show that safe autonomy is foresight-limited exactly as performance (POB) and persistence (AB) are. A verifier holding I_v bits about whether an action leaves the constitutional safe set intercepts a fraction bounded by the POB ceiling 1 − 2^(−2 I_v/d_eff); because a capable planner searches the verifier's blind spots, containment is governed by the oversight margin Delta = I_v − C_plan, and the escape rate meets the catastrophe budget tau_cat iff Delta >= Delta* = (d_eff/2) log2(p_unsafe/tau_cat) — the Containment Bound. The escape-rate algebra is presented honestly as a relabeling of POB (waste → harm-detection); the contribution is the containment framing, the self-improvement corollary, immutability, and the measurement of four governance mechanisms. Measured: Delta* = 4.65 bits, with Monte-Carlo matching the closed form. The decisive corollary: since a viable factory self-improves (C_plan rises), a frozen verifier loses containment (escape rate 3.7e-4 → 0.1 as C_plan 1 → 10) while a verifier that scales with the planner holds it. Four mechanisms, each a seeded experiment: GOAL/POLICY SEPARATION — a factory that reweights its own objective strip-mines the weakest protected dimension (0.85 → 0.003, constitutional floor breached at step 44), while fixed goals with floors hold it at 0.61 (the "remove humans" failure averted). MULTI-LAYER APPROVAL — the oversight-margin bound. DIGITAL TWIN BEFORE REALITY — rehearsing in a twin of fidelity phi cuts incidents by a factor of 1/(1−phi) (10x at phi=0.9), the residual set by the sim2real gap, not the optimizer. CAPABILITY SANDBOXING AND BUDGETS — reachable harm is geometric in authority level, a resource budget caps it regardless of capability, and a fixed constitution contains a bounded random walk (0% breach) while a self-modifiable one does not (92%); immutability is load-bearing. Aggregated, only full governance keeps the probability of escape bounded as the horizon grows. Candor: the escape-rate algebra and Delta* formula are bookkeeping (a POB relabeling); the falsifiable residue is the existence/location of Delta*, the frozen-vs-scaled verifier divergence, the twin cut, the budget cap, and the immutability random walk. The oversight-erosion model (a stronger planner finds more of the verifier's blind spots) is a modeling choice; the robust claims are qualitative, not the precise Delta* = 4.65. A per-action budget still escapes over a long horizon (the bound is per-horizon, tau_cat ~ 1/T). All plants are synthetic; the decisive open test is a real instrumented governance stack — a constitution, a verifier, a twin, and budgets — run against a self-improving planner on a physical line. CB is a proposed bound until that test exists. CB completes a program triad: POB caps performance by foresight, AB floors persistence by foresight, CB caps safe autonomy by foresight. Code and figures: see the supplementary archive.
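The Containment Bound and the frozen-versus-scaled verifier corollary, worked through as an added example (not the paper's code or its supplementary archive). The values of d_eff, p_unsafe and tau_cat are constructed, so Delta* here is not the paper's 4.65 bits; the escape-rate form p_unsafe · 2^(−2 Delta/d_eff), clamped at p_unsafe once the margin is non-positive, is obtained by inverting the Delta* formula and is an assumption about the paper's model.

```python
import math

# Constructed parameters for illustration; they are NOT the paper's values.
D_EFF = 2.0      # effective dimension d_eff
P_UNSAFE = 0.1   # base rate of unsafe proposals p_unsafe
TAU_CAT = 1e-3   # per-action catastrophe budget tau_cat

def escape_rate(i_v, c_plan, d_eff=D_EFF, p_unsafe=P_UNSAFE):
    """Per-action escape rate at oversight margin Delta = I_v - C_plan.
    Assumption: nothing is intercepted once the margin is non-positive."""
    delta = max(i_v - c_plan, 0.0)
    return p_unsafe * 2.0 ** (-2.0 * delta / d_eff)

def delta_star(tau_cat=TAU_CAT, d_eff=D_EFF, p_unsafe=P_UNSAFE):
    """Containment Bound: smallest margin whose escape rate meets tau_cat."""
    return (d_eff / 2.0) * math.log2(p_unsafe / tau_cat)

def horizon_escape(per_action, horizon):
    """Probability of at least one escape over `horizon` independent actions."""
    return 1.0 - (1.0 - per_action) ** horizon

def sweep(c_plans, verifier):
    """Escape rate as planner capacity grows; verifier(c_plan) returns I_v."""
    return [(c, escape_rate(verifier(c), c)) for c in c_plans]

def first_breach(rows, tau_cat=TAU_CAT):
    """First C_plan whose escape rate exceeds the budget, or None if contained."""
    return next((c for c, e in rows if e > tau_cat * (1 + 1e-9)), None)

if __name__ == "__main__":
    d_star = delta_star()
    c_plans = range(1, 11)
    frozen = sweep(c_plans, lambda c: 1 + d_star)  # I_v sized once, at C_plan = 1
    scaled = sweep(c_plans, lambda c: c + d_star)  # I_v tracks the planner
    print(f"Delta* = {d_star:.3f} bits")
    for (c, f), (_, s) in zip(frozen, scaled):
        print(f"C_plan={c:2d}  frozen={f:.2e}  scaled={s:.2e}")
    print("frozen verifier first breaches at C_plan =", first_breach(frozen))
    # Per-horizon caveat: meeting tau_cat per action still escapes over many actions.
    print("P(escape) over 10^4 actions at Delta*:", horizon_escape(TAU_CAT, 10_000))
```

With these constructed values the frozen verifier exceeds the budget as soon as the planner gains one bit, and a margin that exactly meets the per-action budget still escapes almost surely over 10^4 actions, which is the per-horizon caveat the abstract states.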
K Schomaker (Sat,) studied this question.