diff --git a/domains/ai-alignment/representation-trajectory-geometry-distinguishes-deceptive-from-sincere-alignment-without-creating-adversarial-attack-surfaces.md b/domains/ai-alignment/representation-trajectory-geometry-distinguishes-deceptive-from-sincere-alignment-without-creating-adversarial-attack-surfaces.md
index b0472c2cd..991ee065f 100644
--- a/domains/ai-alignment/representation-trajectory-geometry-distinguishes-deceptive-from-sincere-alignment-without-creating-adversarial-attack-surfaces.md
+++ b/domains/ai-alignment/representation-trajectory-geometry-distinguishes-deceptive-from-sincere-alignment-without-creating-adversarial-attack-surfaces.md
@@ -31,3 +31,10 @@ Trajectory geometry monitoring does create adversarial attack surfaces through m
 **Source:** Theseus synthetic analysis of SCAV generalization to multi-layer ensembles
 
 Multi-layer ensemble analysis shows trajectory geometry monitoring DOES create attack surfaces in white-box settings. While multi-layer ensembles are harder to exploit than single-layer probes, white-box multi-layer SCAV is structurally feasible through simultaneous suppression of concept directions at all monitored layers. The claim that trajectory geometry avoids attack surfaces may need qualification to 'reduces attack surface in black-box settings if rotation patterns are model-specific.'
+
+
+## Challenging Evidence
+
+**Source:** Theseus synthetic analysis of multi-layer SCAV generalization
+
+Multi-layer ensemble analysis shows trajectory geometry monitoring DOES create adversarial attack surfaces, just harder to exploit. White-box multi-layer SCAV is structurally feasible by computing concept directions at each monitored layer and constructing perturbations that suppress all simultaneously. The claim that trajectory geometry avoids attack surfaces needs qualification: it may avoid single-layer attack surfaces but not multi-layer ones.
diff --git a/domains/ai-alignment/trajectory-monitoring-dual-edge-geometric-concentration.md b/domains/ai-alignment/trajectory-monitoring-dual-edge-geometric-concentration.md
index 2be2ce8da..3d960ef6b 100644
--- a/domains/ai-alignment/trajectory-monitoring-dual-edge-geometric-concentration.md
+++ b/domains/ai-alignment/trajectory-monitoring-dual-edge-geometric-concentration.md
@@ -52,3 +52,10 @@ Multi-layer ensemble probes, despite 29-78% accuracy improvements over single-la
 **Source:** Theseus synthetic analysis of Nordby et al. + Xu et al. SCAV
 
 White-box multi-layer SCAV is structurally feasible by computing concept directions at each monitored layer and constructing a single perturbation that suppresses all simultaneously. This extends the dual-use finding to multi-layer ensembles in the white-box case, confirming that architectural complexity raises attack cost but does not provide structural escape.
+
+
+## Extending Evidence
+
+**Source:** Theseus synthetic analysis of Nordby et al. + SCAV literature
+
+Multi-layer ensemble probes, despite improving clean monitoring accuracy 29-78% over single-layer probes, remain structurally vulnerable to white-box SCAV attacks in open-weights models. The dual-use finding extends to all monitoring precision levels: each architectural improvement raises attack cost but does not escape the fundamental dual-use structure. Open-weights models face full white-box vulnerability regardless of ensemble complexity.