Vitalik's AI Survival Guide: Local Models Are a Trap, Three-Layer Defense Is the Way Out

The Local AI Dream Is Over

Vitalik Buterin recently published his AI setup, and the conclusion is brutal: local large models are nowhere near sufficient.

Transcription, translation, spell-checking? Sure, your phone handles those. But writing code, complex reasoning, creative work? Qwen3.5:35B falls “far short” of what’s needed.

His benchmark data: 90 tokens/sec on an RTX 5090 is acceptable; below 50 tokens/sec is “too annoying to be worth it”. One-shot a Snake game? Easy. Implement BLS-12-381 hash-to-point? “Eventually gave up and sent it to Claude.”

The irony? DGX Spark—marketed as an “AI supercomputer on your desk”—performs worse than a gaming laptop GPU.

Cloud AI Knows Everything About You

Every GPT-4 call sends your prompts, code, and thought patterns to some data center. Worse is deanonymization—through query patterns, IP addresses, and timestamps, your identity can be reconstructed.

Vitalik’s warning is direct: “De-anonymization is already very easy today, so queries must be made unlinkable.”

The Three-Layer Defense

Layer 1: ZK-API (Zero-Knowledge API)

Let the server know you have permission, but not who you are—or even whether two requests came from the same user.

This isn’t theoretical. Vitalik and Davide’s ZK-API proposal, alongside the OpenAnonymity project, is being built now. Core idea: prove authorization without revealing identity.

If providers worry about abuse, ZK-API includes a “slashing” mechanism—abusers lose collateral, enforced by on-chain smart contracts.

Layer 2: Mixnets

Scramble network paths so servers cannot correlate requests via IP addresses.

Imagine a postal system: your letter gets dropped into random transit stations, mixed with thousands of others, then sent out randomly. The recipient only knows “this came from some post office”—not who sent it, and cannot link it to previous letters.

Layer 3: TEE (Trusted Execution Environment)

Hardware-level protection. TEEs ensure “nothing leaks except the program’s output” and provide cryptographic attestation.

You can verify: this machine is indeed just “decrypting → inferencing → encrypting output”—not secretly logging everything.

Of course, TEEs have been breached before; they’re not absolute security. But Vitalik emphasizes: as long as you locally verify attestation signatures, it “still significantly reduces data breach risk.”

Sandboxing: Putting AI in Chains

Vitalik uses bubblewrap to sandbox AI. Type sbox in any directory to create a restricted environment—AI can only see files in that directory, plus explicitly whitelisted paths.

“AI can make mistakes, but those mistakes must be contained within the sandbox.”

Human-AI Confirmation Firewall

The more critical design is the human confirmation mechanism.

Vitalik wrote a messaging daemon wrapping Signal and email. This daemon can autonomously only do two things:

1. Read messages
2. Send messages ONLY to yourself

Send to others? Must go through a manual confirmation window.

Why? To prevent malicious text from “hacking” the AI. If an email contains a hidden prompt injection, tricking the AI into sending scam messages to your contacts—sandbox and confirmation are the final defense line.

Vitalik’s words: “The new ‘two-factor confirmation’ is this: the human is one factor, the AI is the other.”

Humans sometimes get distracted or fooled; AI can be attacked too. But they fail in different ways. Requiring “human + AI” 2-of-2 confirmation for risky actions is far safer than relying on either alone.

The Future: Privacy and Intelligence Can Coexist

Vitalik sketches an alternative future:

Locally generated code replaces large external libraries, making software minimal and self-contained.

Lean language + formal verification becomes the default, with mathematical proofs guaranteeing correctness.

Eliminate the browser, and entire classes of user fingerprinting attacks disappear overnight.

AI helps identify scams—no longer a corporate attention-extraction tool, but a defense system truly on the user’s side.

ZK-API and mixnets shouldn’t just be for AI—they should become the default internet communication layer. Search queries leak massive information; APIs are shifting from free to paid. What if every interaction went through privacy-preserving channels?

Users Must Be Empowered

Vitalik ends with: “The user should be empowered and kept meaningfully in control as much as possible.”

Local AI is a control illusion—it gives false “data never leaves device” security while leaving you intellectually behind.

Real control isn’t “don’t use the cloud.” It’s “use the cloud, but the cloud doesn’t know who I am.”

Three-layer defense + human confirmation + sandbox isolation—this is how we survive the AI era.

---

📄 Original Article: https://vitalik.eth.limo/general/2026/04/02/secure_llms.html