VERIK
Editorial · Agentic AI Governance
VERIK / V027 / 19 JUN 2026
Operating in the FogGovernance

The Substrate That Was Open-Sourced

On June 18, 2026, the UK AI Security Institute released the AISI Engineering Playbook, open-sourcing the five-layer technical stack a Five Eyes safety institute uses to evaluate frontier AI systems. The release names something that has been missing from the agentic-AI governance conversation. Evaluations are not the governance object. The substrate under the evaluation is.

Two years of infrastructure work, presented as five named layers, each with a specific operational function. The names are not marketing. They are the parts of the system that have to exist before a single evaluation result is interpretable.

What the Playbook Names

The Playbook builds on the Inspect AI evaluation framework, which AISI open-sourced in May 2024 and which has since seen broad adoption across the safety-evaluation community. Inspect is the framework. The Playbook is what surrounds it.

Five layers, in AISI's own description:

Evaluate is the framework for testing frontier models, built so evaluations are reproducible, comparable across providers, and able to handle agentic tasks. The phrase "able to handle agentic tasks" is not a flourish. It is a design constraint. A test harness that can only handle single-turn completions is not the same instrument as one that can hold a multi-step trajectory open long enough to see a tool call cascade or a memory write.

Isolate is how those evaluations run safely, matching containment to the risk of the work. Containment scaled to risk is the operational definition of what a safety institute does that a deployment provider cannot do alone. Running a benchmark on a model that may attempt environment escape requires a sandbox engineered for that possibility.

Connect sits between researchers and the model providers they call, giving an organisation audit ability and cost control without slowing research down. This is the layer that almost no public discussion of model evaluation has named. Between the evaluator and the provider, there is a request-response surface that someone has to log, account for, and reconcile. Without it, the institute cannot tell what was actually tested, who paid for it, or which provider version was on the other end.

Run is the platform a researcher works from. The machine, the data, the compute, and the route to a deployed application. A platform, not a notebook.

Scale brings supercomputer-scale inference within reach for hosting and researching the largest open-weight models. The institute has decided that open-weight models large enough to require supercomputer-scale hosting are within the safety-evaluation perimeter. That is a choice with a budget attached.

By open-sourcing the Inspect toolkit and the surrounding methods and infrastructure, AISI's stated aim is to "help researchers, organisations, and other evaluators stand up rigorous evaluation capability without starting from zero." The argument is operational. Two years of building should not be a one-organisation moat.

What Has Been Treated as the Governance Object Until Now

The visible AI-governance conversation has been organised around three artifacts: the model card, the benchmark score, and the policy commitment. Each one is downstream of the substrate AISI has just named.

A model card describes a system whose evaluation depended on a harness that was usually undocumented. A benchmark score depends on a sandbox whose containment posture was usually undocumented. A policy commitment to evaluate a model before release depends on the existence of a provider-connection layer that could actually route the calls. The artifact has been treated as the governance object. The substrate has been treated as engineering plumbing.

This is the same shape as the gap V020 named for the patching cycle: the policy artifact lagged the function it was supposed to instrument. It is the same shape as the gap V025 named for prompt injection: the model layer was being asked to enforce a property that lives at the substrate.

When a Five Eyes institute releases the substrate as its own artifact, the implicit claim is that the substrate is the level at which independent oversight has to operate. The model is one input. The provider is another input. The evaluation result is the output. The substrate is the thing in the middle that determines whether any of those inputs and outputs are even comparable across runs.

Where the Solution-Layer Shape Now Sits

The release does not propose a procurement clause, a certification regime, or a standards-body track. It releases the substrate as code. The choice is a method, not just an artifact. Each layer is the shape of a control that a future procurement instrument, certification regime, or audit standard would have to point at.

A federal contract that requires "independent evaluation" of a deployed agentic system, of the kind proposed in the GSA GSAR clause 552.239-7001 published in the Federal Register on June 17, names the evaluator and the report. It does not name the substrate the evaluator used. The Playbook makes it possible for a procurement instrument to name the substrate by reference rather than by reinvention. A contract clause can now require that the evaluator's Connect layer logs are available to the contracting officer. That was not previously a sentence anyone could write with operational meaning.

A certification regime that requires "reproducibility of evaluation results" across providers names a property. The Evaluate layer, designed to be "reproducible, comparable across providers," is the shape of the artifact that property would have to bind to. Without the substrate, reproducibility is a claim. With the substrate, it is a configuration.

A safety-case argument that requires "containment matched to risk" names a posture. The Isolate layer is the shape of the operational artifact that posture would bind to. The institute has effectively published the floor for what containment-as-evidence has to include.

None of this is the same as a finished standard. The institute has not claimed it is. The institute has done something earlier in the cycle: it has put the substrate into the public record so that the next standard, the next clause, and the next audit can point at it.

What Composes With This

The structural argument V024 advanced about model routers (a proxy layer that needs attestation) and the structural argument V026 advanced about agent-resource interfaces (a four-property procurement instrument) both depend on a substrate whose properties can be named. The Playbook makes naming possible. Connect is the layer where router-attestation evidence could be collected. Isolate is the layer where the privacy property of an agent-resource exchange could be enforced. Evaluate is the layer where the settlement and attestation properties could be tested before deployment.

The four-property procurement instrument V026 named (identity, privacy, settlement, attestation) is one possible procurement reading of the Playbook's five layers. It is not the only one. The point is that a procurement instrument now has a substrate to point at.

What Remains on the Table

The policy instruments and the deployment tempo are not aligned. A Five Eyes safety institute has open-sourced the substrate under the evaluation. The substrate is now in the public record. Whether the procurement clauses, certification regimes, and audit standards that follow it are written against the substrate, or against the artifact that the substrate produces, is the question that determines whether the next two years close the gap or widen it.