There’s a moment in Koyuki Nakamori’s second interview with Crypto Millie that most viewers might blink past, but it might be the most important line in the whole conversation:
“I almost got hired by OpenAI, and then I decided to actually join Bittensor around the same time.”
The context she gives is unusually blunt. Watching Owen speak recently, she was reminded of a warning that’s become common among founders: don’t work with OpenAI, and don’t give them your data, because they will copy your vertical.
She cited an example. There is a reported claim that Figma’s OpenAI integration effectively fed the design tool’s business model back into OpenAI’s product roadmap, and this has been echoed across the AI founder community over the past year.
Instead of walking through that door, Koyuki chose to build Perturb (Subnet 26) on Bittensor. Not because it was easier. Because she wanted to be on what she called “the right side of history.”
This piece is about what convinced her to make that trade, what Perturb does, and why the subnet she’s building might turn out to matter more than most people currently realize.
➛ More on Perturb (subnet 26) on The TAO Daily.
Why she walked away from OpenAI
Koyuki saw three fundamental problems with putting AI safety in the hands of centralized labs like OpenAI and Anthropic:
- Concentration of power. “By now we know those people are not to be trusted. Would you trust Sam Altman? Would you trust Dario? The answer is no.” She’s not saying they have bad intentions; she’s saying it’s dangerous to concentrate this much power anywhere.
- Government entanglement. These companies are already deeply involved with policymakers deciding what people should and shouldn’t know about AI models. Whether their intentions are good is beside the point, but the structure itself is dangerous.
- Speed. Centralized labs iterate on safety maybe quarterly. Bittensor iterates every 30 minutes.
What is Perturb, in the simplest terms?

Perturbation is a real computer science term. It means introducing tiny, often imperceptible changes to an image, audio file, or text. To your eye, nothing has changed. To an AI model, it can flip everything.
Koyuki’s example is worth quoting:
“The other day I uploaded a box of mangoes because I bought a box of mangoes, and then I gave a bit of perturbation. It came back saying it’s a box of bombs. In my eyes, I’m like, those are mangoes. But it says 85% box of bombs.”
That kind of misclassification isn’t a party trick. It’s the same class of exploit that could:
- Cause an autonomous vehicle to read a stop sign as a 45 mph sign, a real vulnerability documented by researchers at UC Berkeley and other institutions since 2018
- Get social media moderation algorithms to promote harmful content instead of suppressing it
- Cause misdiagnosis in medical imaging AI
- Bypass banking fraud detection systems entirely
Perturb is the subnet that finds these vulnerabilities before attackers do. It’s the AI equivalent of a crash-test lab, but running 24/7, with hundreds of specialized miners constantly attempting to break the world’s most-used models.
How the actual mechanism works
Millie asked Koyuki to break it down without the jargon. Her explanation:
- Validators give miners a challenge: an image plus constraints (attack budget, time limit, how much change is allowed).
- Miners apply adversarial perturbations, trying to fool the model with the smallest possible change.
- Top 5 miners get rewarded each round (not winner-take-all; it’s rather a top-K model).
- Speed matters as much as quality, because attackers move fast in the real world.
Why is this different from a Big Tech AI red team? Because on Bittensor, hundreds of independent experts are simultaneously incentivized to break the model in ways no in-house team would think to try. The MLCommons AI Safety benchmarks and traditional academic red-teaming happen on quarterly cycles at best. Perturb happens every 30 minutes.
The privacy question
Koyuki’s response when asked what happens to a company’s model if they submit it for scanning:
- Model artifacts are wiped after the scan. Perturb doesn’t retain them for training or any other purpose.
- Storage will move to decentralized rails: she specifically mentioned partnering with Hippius (SN75), the Bittensor storage subnet, in the near future.
- They don’t need your model. The point of the subnet isn’t data extraction. It’s continuously discovering new attack vectors.
That last point matters. When you send your model to OpenAI or Anthropic for evaluation, you’re feeding a centralized behemoth. When you send it to Perturb, you’re feeding a decentralized security layer.
The moment this gets serious
Koyuki thinks AI has now reached the stage where the software industry once was: massive scaling, rapid deployment, and almost no attention paid to security.
In her words:
“We’ve been doing a lot of scaling, a lot of building, a lot of the shiniest models. But the attacking of those models at scale hasn’t happened yet. Once it happens, it can really trickle down.”
She’s not predicting the exact moment. She’s predicting the shape of it. Something bad happens. Everyone wakes up. Whoever has the infrastructure ready wins the mandate.
This is a pattern the cybersecurity industry has lived through before. CrowdStrike didn’t become a $70B+ company because enterprises loved endpoint security, it became one because after enough breaches, security stopped being optional.
Koyuki has been calling Perturb “the CrowdStrike for AI models” for exactly this reason.
What’s genuinely missing from AI right now
Here’s the line from the interview that should stop anyone building or investing in AI:
“Right now in the world of AI safety, if you want to have a benchmark data set, it’s very hard to find. It doesn’t really exist. There’s no industry-wide benchmark data set you can use.”
Perturb is quietly building that dataset. Every attack vector the network discovers becomes labeled data. Starting with images. Expanding into audio, text, video, and eventually multimodal. This is the kind of dataset that could become an industry standard.
If Perturb succeeds in owning the AI safety benchmark, the moat is enormous.
The regulation question
Millie asked whether government-mandated AI safety testing would help Perturb. Koyuki’s answer was more thoughtful than the obvious yes:
- Yes, it would be good for business.
- But she’s uncertain whether governments have the best intentions or the technical understanding.
- Her real position: AI safety scores should be baked into every model’s objective function, as standard as precision, recall, or F1 score in traditional ML evaluation.
- This should be an industry-driven best practice, not a regulatory hammer. “It should not come from the government.”
What’s shipping in the next 4 weeks
The interview surfaced concrete timelines. Within two to four weeks (a month at most), Perturb is launching:
- API and SDK for developers to plug Perturb directly into their CI/CD pipelines
- Full model scanning capability — upload a model, get back an AI safety score and top 10 attack vectors
- On-the-spot retraining to patch the vulnerabilities that are found
- Enterprise-tier scanning for large customers who need this baked into deployment workflows
The playground is already live at perturbai.io if you want to see the attack-flip demo yourself.
The AGI question
Millie asked the question everyone wants to ask a safety researcher: does she want AGI to happen?
Her answer wasn’t what you’d expect. She’s optimistic. She wants a future where AI helps humanity thrive, where nobody has to work 9-to-5, where humans get to spend time on hobbies and Mars trips and creative pursuits. Science-fiction-scale optimism.
But her point is that the optimistic future only exists if we solve the safety layer now.
“It’s like an autoimmune disease. You have to live with it. As long as you take care of it, you’ll be okay. But completely ignoring it, you’re gonna die.”
Perturbation is not a problem AI can outgrow. It’s a permanent property of how neural networks work. The only way to manage it is continuous adversarial testing at scale, exactly the way Bittensor is structured to enable.
Why this could save humanity
That’s a big claim. But look at the trajectory:
- AI models are being deployed into medical diagnosis, autonomous driving, financial fraud detection, content moderation, and defense systems. All critical infrastructure
- None of them are being tested against modern adversarial attack vectors at industry scale
- No standardized AI safety benchmark exists
If Perturb wins its market, the safety layer of global AI infrastructure ends up living on a decentralized network that no government or corporation controls. That’s a very different world than one where AI safety is dictated by whoever’s currently friendly with regulators.
Bottom line
There’s a specific kind of founder who could have gotten hired at OpenAI, seen where it was headed, and walked away to build the check on it. Koyuki is one of them.
Perturb isn’t loud yet. She said it herself: “We’re quietly building.” But if the AI industry has one of its inevitable public safety incidents in the next 12 months, and every historical pattern says it will, Perturb is positioned to be the layer everyone reaches for.
You can try the playground and read the whitepaper at perturbai.io, or reach her directly on X at @knakamor.
Full interview here:
Enjoyed this article? Join our newsletter
Get the latest TAO & Bittensor news straight to your inbox.
We respect your privacy. Unsubscribe anytime.
Enjoyed this article?
Join our newsletter
Get the latest TAO & Bittensor news straight to your inbox — every morning before markets open.




Be the first to comment