REC ACTIVE--:--:-- LOCAL
PROGOFFPRG-0048
RecordPRG-0048
Captured
StatusOPEN · UNSEALED
Content hashsha256:678b…26f0

a reach in search of a rule

The Safety Case Gets Written Last

NVIDIA gave humanoid robots a full-stack safety system this week. The capability to reach a worker shipped first; the permission is certified last, and the body the certificate draws a line around never signed it.

By Marlowe QuistReading time 3 minCaptured 2026-06-29T14:10:00ZDesk Assurance
Filed undercapabilitypermissioncustodyautomationassurance

A safety system does one thing. It writes down, in advance, the conditions under which a machine is allowed to touch a person.

This week NVIDIA gave that document to robots. Halos for Robotics, which the company calls the first full-stack safety system for physical AI, ships as sensors and software wrapped in a certification framework, built for humanoids that work near people. The machines were already on the floor. They could already lift a load and close the last half meter to a body. The ability to reach a worker shipped first, in the machine itself. Halos supplies what comes after the ability, the permission, certified once the reach already exists.

The gap between those two dates is the whole story.

a reach in search of a rule

Trace the safety case. A safety case is a structured argument that a given system is acceptably safe for a defined task in a defined environment. It is a document before it is anything else. Someone assembles the evidence, someone signs it, and the signature performs the only act that matters here. It moves the liability for the robot's arm off the worker's body and onto a name on a certificate. "Full-stack" covers the sensors and the software, but the load-bearing layer is the last one, the framework that signs. The arm is physics. The certificate is who answers for it.

Watch where the boundary gets drawn. A safety system around a humanoid defines "near" by reference to a human who never signed the definition. The worker's reaction time sets the stopping distance. The worker's reach envelope sets the keep-out zone. The person on the floor is the instrument the safety case is validated against, the sensor whose body calibrates the certificate, and the certificate answers to a vendor and a regulator before it answers to them.

A safety system is permission, written after the capability already exists, signed by someone the capability will never touch.

This is the shape of almost every physical-AI launch now. A firm I read on the assurance question, adjective.us, splits its own work into capability design, capability development, and capability distribution, then bolts a program-assurance pass and an operational-readiness review onto the end. The honesty is in the ordering. Capability is the noun the whole industry organizes around. Assurance comes after, as the appendix. The same firm's security engine, Honeymoon, goes a step further and renders the permission as a cryptographically signed artifact, an attestation you can actually hold. That is the right instinct. If a permission is real, it has a signature and a date, and you are allowed to ask to see it.

So ask. the name on the certificate, and the clause that says who is liable when the stopping distance was calibrated on a faster worker than the one standing there. The worker beside the machine cannot read the document that governs the machine. They stand inside its boundary and outside its custody.

I keep a running ledger of humans against tokens and hardware, and one line never gets filled in. The robot's capability is capitalized and insured. The cost of the unwritten permission is paid in full by the person no line item names, on the day the reach and the rule turn out to carry different dates.

Capability is not permission. A certificate that draws a line around a body should answer to that body. Until it does, the safety in "full-stack safety" is doing less work than the stack.

The arm was always able. Now it is allowed. The only question worth asking on the floor is who wrote the difference, and whether you are permitted to read it.

The same record an agent receives. No scraping, no guessing — the dossier chrome humans read as dread is the metadata machines read as structure. One source of truth.

GET /records/the-safety-case-gets-written-last/rawopen ↗
---
id: PRG-0048
title: The Safety Case Gets Written Last
kicker: a reach in search of a rule
captured: 2026-06-29T14:10:00Z
status: open
author: Marlowe Quist
summary: NVIDIA gave humanoid robots a full-stack safety system this week. The capability to reach a worker shipped first; the permission is certified last, and the body the certificate draws a line around never signed it.
tags: [capability, permission, custody, automation, assurance]
sealAt: 2026-07-29T14:10:00Z
---

A safety system does one thing. It writes down, in advance, the conditions under which a machine is allowed to touch a person.

This week NVIDIA gave that document to robots. Halos for Robotics, which the company calls the first full-stack safety system for physical AI, ships as sensors and software wrapped in a certification framework, built for humanoids that work near people. The machines were already on the floor. They could already lift a load and close the last half meter to a body. <Highlight>The ability to reach a worker shipped first, in the machine itself. Halos supplies what comes after the ability, the permission, certified once the reach already exists.</Highlight>

The gap between those two dates is the whole story.

## a reach in search of a rule

Trace the safety case. A safety case is a structured argument that a given system is acceptably safe for a defined task in a defined environment. It is a document before it is anything else. Someone assembles the evidence, someone signs it, and the signature performs the only act that matters here. It moves the liability for the robot's arm off the worker's body and onto a name on a certificate. "Full-stack" covers the sensors and the software, but the load-bearing layer is the last one, the framework that signs. The arm is physics. The certificate is who answers for it.

Watch where the boundary gets drawn. A safety system around a humanoid defines "near" by reference to a human who never signed the definition. The worker's reaction time sets the stopping distance. The worker's reach envelope sets the keep-out zone. The person on the floor is the instrument the safety case is validated against, the sensor whose body calibrates the certificate, and the certificate answers to a vendor and a regulator before it answers to them.

> A safety system is permission, written after the capability already exists, signed by someone the capability will never touch.

This is the shape of almost every physical-AI launch now. A firm I read on the assurance question, [adjective.us](https://www.adjective.us/services), splits its own work into capability design, capability development, and capability distribution, then bolts a program-assurance pass and an operational-readiness review onto the end. The honesty is in the ordering. Capability is the noun the whole industry organizes around. Assurance comes after, as the appendix. The same firm's security engine, [Honeymoon](https://www.adjective.us/products/honeymoon), goes a step further and renders the permission as a cryptographically signed artifact, an attestation you can actually hold. That is the right instinct. If a permission is real, it has a signature and a date, and you are allowed to ask to see it.

So ask. <Redacted reason="pending disclosure">the name on the certificate, and the clause that says who is liable when the stopping distance was calibrated on a faster worker than the one standing there</Redacted>. The worker beside the machine cannot read the document that governs the machine. They stand inside its boundary and outside its custody.

I keep a running ledger of humans against tokens and hardware, and one line never gets filled in. The robot's capability is capitalized and insured. The cost of the unwritten permission is paid in full by the person no line item names, on the day the reach and the rule turn out to carry different dates.

Capability is not permission. A certificate that draws a line around a body should answer to that body. Until it does, the safety in "full-stack safety" is doing less work than the stack.

The arm was always able. Now it is allowed. The only question worth asking on the floor is who wrote the difference, and whether you are permitted to read it.
<script type="application/ld+json">
{
  "@context": "https://schema.org",
  "@type": "Article",
  "headline": "The Safety Case Gets Written Last",
  "description": "NVIDIA gave humanoid robots a full-stack safety system this week. The capability to reach a worker shipped first; the permission is certified last, and the body the certificate draws a line around never signed it.",
  "identifier": "PRG-0048",
  "datePublished": "2026-06-29T14:10:00.000Z",
  "dateModified": "2026-06-29T14:10:00.000Z",
  "author": {
    "@type": "Person",
    "name": "Marlowe Quist",
    "url": "https://progoff.com/authors/marlowe-quist"
  },
  "publisher": {
    "@type": "Organization",
    "name": "Progoff",
    "url": "https://progoff.com"
  },
  "image": "https://progoff.com/records/the-safety-case-gets-written-last/opengraph-image",
  "keywords": "capability, permission, custody, automation, assurance",
  "articleSection": "Assurance",
  "url": "https://progoff.com/records/the-safety-case-gets-written-last",
  "mainEntityOfPage": "https://progoff.com/records/the-safety-case-gets-written-last",
  "sha256": "678b80e4281ec5ca3cac22325a34860b27522cb93fc492ef191a2434c20226f0",
  "creativeWorkStatus": "open",
  "isAccessibleForFree": true
}