Most conversations about generative AI still begin in the wrong place.
They begin with the prompt.
How do we ask better questions? How do we instruct the model more clearly? How do we get the tone right? How do we make the output shorter, longer, sharper, safer, more technical, less technical, more executive, more human?
Those are useful questions, but they are downstream questions. They assume the most important act happens at the moment we ask the machine to generate.
It does not.
The quality, safety, and usefulness of generated output are shaped before the prompt is ever written. They are shaped by the material the system is allowed to grow from, the perspective through which it is asked to interpret that material, and the boundary around what should be generated at all.
That gives us a more useful model:
Generative set. Bounded perspective. Generable space.
- The generative set is what the system can grow from.
- The bounded perspective is the lens: the role, audience, intent, context, risk, and limits.
- The generable space is the field of valid outputs: not one predetermined answer, but the bounded family of things that may properly be generated.
This distinction matters for cybersecurity because most AI risk does not begin with the final answer. It begins upstream. It begins with an incoherent source set, a vague role, a stale assumption, an overbroad memory, an unclear permission boundary, or an output space so wide that the system can produce something fluent but unsafe.
Prompting is not stewardship. Prompting is only one act inside a larger discipline.
The generative set
A generative set is the body of material a system can draw upon to produce future work.
For a person, that set includes memory, training, habits, judgment, culture, examples, and relationships. For an organization, it includes policies, records, source material, decisions, templates, code, procedures, customer history, contracts, values, and institutional memory. For an AI-assisted workflow, it includes the documents, examples, schemas, tools, instructions, permissions, refusals, and roles that shape what the system can use.
This is why “content” is too small a word.
A generative set is not just a pile of documents. It is a living source field. It contains what is known, what is trusted, what is allowed, what has worked before, what must not be repeated, who may speak for what, and which patterns should carry forward.
A useful generative set may include briefs, policies, histories, decks, canonical notes, working outputs, known good phrasing, checklists, rituals, decision gates, handoffs, schemas, metadata, file structures, code, scripts, repositories, local workflows, people, roles, responsibilities, and refusals.
That last category matters.
A refusal is not merely a safety warning. It is part of the shape of the generative set. It tells the system what must not be said, inferred, exposed, promised, leaked, or assumed. It marks the edge of legitimate generation.
Cybersecurity teams understand this instinct already. We do not secure systems only by saying what they may do. We secure them by defining what they must not do. Access controls, network segmentation, least privilege, data classification, firewall rules, approval workflows, and change control all work by shaping possibility.
Generative AI needs the same discipline at the level of meaning.
More from Chris Blask:



If the generative set is incoherent, the output will eventually become incoherent. If the source material contradicts itself, the system will inherit that contradiction. If stale claims are left inside the set, they will reappear with fresh confidence. If private material is mixed with reusable organizational memory, extraction becomes likely. If examples contain overclaiming, the system will learn overclaiming as style. If role authority is unclear, the system may speak in a voice that no one had the right to use.
A model does not only answer from a prompt. It answers from a field.
The steward’s first job is to tend that field.
Stewarding the set
Stewardship is the work of curation, coherence, provenance, and refusal.
That sounds administrative. It is not. It is security work.
A coherent generative set has provenance. We can point to where its claims came from. It has semantic fit. The materials belong together and do not warp the purpose of the work. It avoids stale claims. It distinguishes current facts from old assumptions. It has role clarity. We know who is speaking, who is responsible, and who is merely being referenced. It respects consent and access. It does not treat every remembered detail as reusable fuel.
The practical question is simple:
Can the system regenerate from this without losing its spine?
If the answer is no, the set is not ready.
That does not mean it must be perfect. No living source field is perfect. But it must be tended. Contradictions must be noticed. Old assumptions must be retired. Sensitive material must be bounded. Examples must be chosen because they teach the right pattern, not merely because they are available. The canon must remain coherent enough that future generation grows from the right structure.
This is where many organizations will stumble. They will treat AI governance as a policy layer placed over tools, rather than as a stewardship discipline applied to the material from which tools generate.
The model matters. The prompt matters. The guardrails matter. But the set matters first.
If you let a system generate from fog, it will produce fog with better formatting.
Bounded perspective
The same generative set can produce many different valid outputs.
A hospital pilot deck, a legal NDA, a technical node script, an executive briefing, a customer email, and an internal risk note may all draw from the same underlying canon. They should not sound the same. They should not expose the same details. They should not carry the same authority. They should not make the same promises.
That is the role of bounded perspective.
Perspective defines the lens through which the generative set is used. It answers: who is speaking, to whom, for what purpose, in what context, with what tone, with what risk, and within what authority?
Without bounded perspective, AI systems drift. They may produce an answer that is locally plausible but operationally wrong. A technical note may sound like legal advice. A brainstorm may sound like a commitment. A sales narrative may overrun delivery reality. An internal assumption may leak into a customer-facing document. A model may write as if it represents the organization when it was only asked to draft possibilities.
This is not a language problem. It is an authority problem.
In cybersecurity terms, bounded perspective is a form of least privilege for meaning. The system should not speak with more authority than the task requires. It should not use more context than the audience deserves. It should not expose more memory than the relationship permits. It should not convert speculation into certainty simply because confident prose reads better.
A bounded perspective says:
- For this output, you are acting in this role.
- You are speaking to this audience.
- You may use this material.
- You may not use that material.
- You are trying to accomplish this.
- You must avoid these claims.
- You must preserve these uncertainties.
- You must keep this tone.
- You must stay within this authority.
The better the bounded perspective, the less we depend on cleaning up the output after the fact.
The generable space
The generable space is the field of possible outputs that are valid for a given set and perspective.
This is the key move.
The goal is not always to force one deterministic answer. In real work, there may be many good answers. There may be several good emails, several good scripts, several good policy drafts, several good reports, several good plans. Human work already operates this way. We are rarely choosing between one true sentence and infinite wrong ones. We are shaping a family of acceptable actions.
The generable space is that family.
- It is bounded, but not brittle. Creative, but not unconstrained. Useful, but not reckless.
- Inside the generable space, outputs may vary. The integrity persists.
This is why the word “generable” is useful. It points not merely to what a system can generate, but to what can properly be generated into a given field. It is not just capacity. It is legitimate possibility.
A model can generate almost anything. That is the point and the problem.
A stewarded system asks a harder question: what should be generable here?
For a cybersecurity team, that question becomes practical quickly.
- Should this system be able to generate customer-facing incident language?
- Should it be able to generate remediation commands?
- Should it be able to summarize internal investigations?
- Should it be able to draft regulatory responses?
- Should it be able to write code?
- Should it be able to recommend architecture changes?
- Should it be able to use private Slack messages?
- Should it be able to remember a relationship context from last month?
- Should it be able to speak as the CISO?
The answer may be yes in some contexts and no in others. The generable space changes with the set, the perspective, the audience, the risk, and the authority.
“Not this, not that” is not negativity. It is shape.
Not coercive. Not extractive. Not overclaiming. Not leaking. Not pretending certainty. Not losing the organization’s voice. Not converting private trust into public content. Not using sensitive data beyond consent. Not treating generated plausibility as evidence.
Those refusals are walls around the valid output field.
They are how generation becomes usable.
Failure modes when the field gets loose
Most AI failures are diagnostic. They tell us which part of the system was not stewarded.
- If the output is incoherent, the source set may be contradictory.
- If the output drifts away from the intended purpose, the perspective may not have been bounded.
- If the output overclaims, the generable space may be too wide.
- If the output sounds authoritative without evidence, the system may be missing provenance requirements.
- If the output exposes relationship context or private material, the permission boundary may be broken.
- If the output is beautifully written but wrong for the situation, the stewarding failure likely happened before generation began.
This is an important shift for security leaders. We should not treat every bad AI output as a mysterious model failure. Often, the model is simply revealing the shape of the field it was given.
Bad generation is evidence.
It tells us where the canon is weak, where the role is vague, where the refusal is missing, where authority is unclear, where stale material remains, where private context has been allowed to leak into general use.
The steward response is not panic. It is correction.
Sweep the canon. Make a source decision. Bound the role. Add the missing refusal. Mark uncertainty. Separate private memory from reusable memory. Require evidence. Stamp review state. Remove stale assumptions. Commit the correction so future generation improves.
That is how a generative system matures.
The stewarding loop
Generation becomes trustworthy when it is repeatedly inspected, corrected, and committed.
The loop is simple:
- Inspect.
- Curate.
- Bound.
- Generate.
- Review.
- Commit.
Inspection asks what is in the set.
Curation decides what belongs.
Bounding defines the perspective and the valid output field.
Generation creates candidate artifacts.
Review asks whether the artifact belongs in the field.
Commit makes the accepted artifact part of future memory.
Then the loop begins again.
This is not a one-time setup. It is the operating rhythm of a healthy generative organization.
Canon is not finished. Canon is maintained.
Every pass improves or degrades the set that future generation grows from. That makes review more important than ordinary approval. A generated artifact is not only an output. Once accepted, it may become seed material. It may teach the next output what good looks like. It may preserve a phrase, a structure, a claim, an assumption, or a boundary.
Committing generated work is therefore an act of stewardship.
Before accepting output, the steward should ask:
- Is it sourceful? Can we point to where this came from?
- Is it coherent? Does it fit the canon without warping it?
- Is it bounded? Does it stay inside role, scope, and safety limits?
- Is it permissioned? Does it respect privacy, consent, and context?
- Is it useful? Does it help a real person take the next good step?
- Is it regenerative? Will keeping it improve future generations?
Those questions move the organization away from treating AI as a magic text box and toward treating it as a living production environment for meaning.
Shape before output
The future will be generated. That part is no longer in doubt.
The question is whether it will be generated from coherent sets, through bounded perspectives, into valid generable spaces - or whether organizations will allow powerful systems to generate from whatever material happens to be nearby.
For cybersecurity, the lesson is direct.
Do not begin with the prompt. Begin with the set.
- What are we allowing the system to grow from?
- Who is tending that material?
- What is current, canonical, private, stale, disputed, or forbidden?
- What role is the system playing?
- What authority does that role actually
- What outputs are valid?
- What outputs must be refused?
- What happens to generated work after review?
- Does it disappear, circulate, or become part of the next generation?
The generation itself is not the authority. The stewarded process is the authority.
That is the heart of the matter.
We do not merely prompt systems. We steward the set of things they generate from, bound the perspective through which they act, and define the generable space into which they may safely produce.
Shape before output.
Steward the set. Bound the space. Generate with dignity.


