Editorial Publication

The governance infrastructure for autonomous systems is not a future problem. It is a current gap.

VERIK is a Phase 1 editorial publication examining the structural gap between agentic AI deployment and the artifacts that would prove authorized action. The publication ends in open questions, not prescriptions.

Archive · 92 pieces

07 JUL 2026
Substrate Governance Object

The Identity That Was Frozen at Boot

On July 6, 2026, a four-author group at Harbin Institute of Technology, Suzhou, posted two arXiv preprints on the same day. The first proposes that confinement of an autonomous agent can be guaranteed as an invariant of the execution architecture rather than a probabilistic outcome of training. The second generalises the same construction to fleets of embodied agents whose roles change at runtime. The identity gate binds an agent at boot to a cryptographically frozen digest committing to the mandate, red lines, and ceiling of permitted authority. Every action is routed through a gate deciding on semantic effect rather than tool-call name. A conservation theorem states that no amount of learning, skill acquisition, or self-induced governance abstraction can widen permitted authority without an operator-signed change to identity, and the guarantee holds even when the induced principle is wrong. Empirically the false-allow rate falls from seventy-five percent under name-based gating to zero under dynamic effect tracing, and refusal history transfers compliance to held-out red-line families the agent has never seen. The swarm generalisation adds an asymmetric-trust protocol: auto-tightening reassignments are admitted automatically, bounded relaxation requires operator countersignature against a per-axis privilege budget, each transition carries a signed cause chain committed to a hash-chained Merkle audit log. The construction reframes the governance object away from the model and onto the identity digest, the gate, and the audit log. The model becomes a component inside a system whose governance boundary sits outside it.

07 JUL 2026
Mythos Asymmetry

The Two Postures Diverged in One Week

On the EU Action Plan on Cybersecurity and Artificial Intelligence, and the substrate question it answers differently than the White House did five weeks earlier.

06 JUL 2026
Five Categories

Illinois SB 315: First Binding State-Level Third-Party Audit

The Illinois legislature passed a bill requiring the largest AI developers to submit to independent annual audits of their own safety plans. Both OpenAI and Anthropic publicly supported it. The law closes a specific verification gap that a year of hearings, executive orders, and evaluation findings had separately exposed without resolving.

03 JUL 2026
Operating in the Fog

The Statement That Named the State by Name

On July 1, 2026 the Federal Trade Commission issued a proposed policy statement on the suppression of accuracy in artificial intelligence systems, authorised by a 2-0 Commission vote, and named Colorado Artificial Intelligence Act as impliedly preempted to the extent it conflicts with a federal regulatory scheme. The instrument executes Section 7 of Executive Order 14365, signed December 11, 2025, which directed the Chairman of the FTC to issue within ninety days a policy statement on the application of the FTC Act prohibition on unfair or deceptive acts to AI models. The statement moves the substantive boundary of Section 5 into a domain not previously treated as a federal deceptive-practices question, framing the test as consumer expectation, and describes a category of deceptive conduct that includes attempts to comply with state accountability regimes. Governance authority is being reallocated from state civil-rights regimes to the federal deceptive-practices regime, and the reallocation is being written into a policy statement running on a thirty-day comment window rather than into a rule or standard.

02 JUL 2026
Five Categories

The Two Clocks That Were Written Into the Statute

On June 29, 2026 the Council of the European Union gave final approval to the AI Omnibus simplification package, closing ordinary legislative procedure 2025/0359. The statute now inscribes two governance clocks running at different speeds. The Article 50 transparency clock moves from August 2, 2026 to December 2, 2026, a four-month deferral. The Annex III high risk substrate clock moves from August 2, 2026 to December 2, 2027, a sixteen-month deferral. Annex I embedded high risk systems move to August 2, 2028. National regulatory sandboxes move to August 2, 2027. Two new Article 5 prohibitions on CSAM and non-consensual intimate imagery apply from December 2, 2026. The transparency and substrate layers were originally aligned on a single enforcement anchor; the Omnibus formally decouples them. A market surveillance authority now has one enforceable regime and one that will not be enforceable for another sixteen months. A deployer procuring an agentic system for education, credit, or public benefits administration in late 2026 or early 2027 will do so under transparency and Article 5 prohibitions but outside the Annex III conformity, logging, human oversight, and accuracy regime. The substrate clock is a policy instrument; the deployment clock is not.

01 JUL 2026
Substrate Governance Object

The AI Auditor That Audits Nothing

A pattern is hardening in the agent-governance literature: when production stacks fail to attest process, artifact, credit, permission, and capability at the fidelity of identity, the proposed remedy is another agent (audit, monitor, supervisor, reviewer). Structural separation between author and auditor is the correct instinct but not sufficient. Human audit became load-bearing because auditors are licensed by a body that can revoke the license, hold personal and firm-level liability, operate under an externally-authored standard, and form judgment on a cognitive substrate separate from the audited process. An AI auditor sitting outside the workflow satisfies only the program-instance separation and inherits the audited agents blind spots, jailbreak susceptibility, and silent-failure modes. The independence claim is a program-instance claim, not an epistemic-independence claim. Two agents running the same model on the same infrastructure do not constitute a two-party check.

30 JUN 2026
Substrate Governance Object

The Trust That Was Decomposed Into Six

On June 29, 2026, an eighteen-author Shanghai Jiao Tong team posted Clarus, a collaboration infrastructure for autonomous research agents. The paper defines a four-layer stack (Research Application, Digital Collaboration, Physical Substrate, Physical World) and decomposes trust into six independently checkable categories (identity, capability, permission, process, artifact, credit) with audit assigned to a separate agent that compares planned execution to actual execution, checks artifact quality, provenance completeness, and evidence sufficiency. The deployed agent stack attests roughly one of the six categories. The substrate is named as a distinct governance object. The structural separation between author and auditor is built into the protocol rather than collapsed into the policy layer.

29 JUN 2026
Agent Identity

Governing Actions, Not Agents

On June 24, 2026, Jakob Salfeld-Nebgen posted an arXiv preprint formalising the institutional governance pattern (physicians, judges, financial officers retain deliberative autonomy but hold no direct execution authority over consequential actions) as a computational model for autonomous AI agents. Execution of designated high-risk actions is conditional on preconditions independently attested by separate authoritative sources, cryptographically bound to declared intent, evaluated by a deterministic external policy, and recorded in a tamper-evident log amenable to independent re-verification. The agent stack today attests the actor through model cards, evaluations, and credentials. The action layer is not yet attested. The governance object proposed is structurally distinct from the agent.

26 JUN 2026
Substrate Governance Object

The Substrate Around the Agent Is the Governance Object

On June 25, 2026, three independent research teams submitted arXiv preprints that, read together, mark a turn in how the agentic AI research community is naming the governance problem. No shared authors. No cross-citation. Each addresses a different layer of the deployment stack: configuration files, runtime traces, evaluation methodology. Each makes the same structural claim. The governance object is not the agent. The governance object is the substrate around the agent that has not yet been instrumented. The cleanest illustration: less than 1 percent of agent configurations declare permission boundaries while 33 percent of GitHub Actions workflows in the same repositories do.

26 JUN 2026
Operating in the Fog

A Sixth Pillar and No Fourth Instrument

On Canada's national AI strategy, its expansion of a safety institute mandate, and the question the strategy leaves unaddressed.

25 JUN 2026
Agent Identity

The Registry That Was Deployed Before It Was Studied

On June 24, 2026, six Imperial College London and CSIRO Data61 researchers posted the first empirical study of ERC-8004, the Ethereum standard published in August 2025 that proposes a permissionless trust layer for AI agent economies through Identity, Reputation, and Validation registries. Across Ethereum, BNB Smart Chain, and Base, only 3 to 15 percent of Identity registrations expose a live service endpoint. 59.2 to 90.6 percent of Reputation reviewers exhibit coordinated Sybil behavior. After Sybil removal, 15.5 to 89.4 percent of rated agents have no valid feedback. The Reputation Registry, as deployed, cannot function as a trust signal. The instrumentation that would have measured the gap between the artifact and the function arrived ten months after the artifact was deployed.

25 JUN 2026
Mythos Asymmetry

The Channel Is Not in the Message

On undetectable steganography, tool-using agents, and why content inspection does not inspect the system.

24 JUN 2026
Operating in the Fog

The Posture That Assumes Compromise

On June 18, 2026, the New Zealand National Cyber Security Centre published frontier-AI vulnerability guidance that tells network defenders to assume compromise. The defender frame has shifted from preventing exploitation to compressing the post-compromise window. The third Five Eyes-adjacent signals authority in two weeks to move the same direction.

24 JUN 2026
Operating in the Fog

The Statement That Six Agencies Signed Together

On June 22, 2026, six Five Eyes signals and cyber agencies issued a joint statement framing AI cyber risk as a board-level governance issue, not a technical control problem. The timeline is months, not years. Five practical actions name resilience under pressure rather than prevention as the test.

24 JUN 2026
Operating in the Fog

The Acquisition Rule That Names Four Cases at Once

On June 23, 2026, the FAR Council published four proposed rules in the Federal Register implementing Executive Order 14275. The 30-day comment window closes July 23, 2026. The procurement instrument that the cryptographic-attacks order deferred to is now drafted but does not mention post-quantum cryptography or the cryptographic bill of materials.

24 JUN 2026
Operating in the Fog

The Postponement That Moved the Floor

On June 16, 2026, the European Parliament approved the Digital Omnibus package by a vote of 423-57-174, postponing the AI Acts high-risk Annex III applicability from August 2026 to December 2027. The bloc that wrote the most binding general-purpose AI law has slipped its own clock by twelve to sixteen months. The signaling is operational. The substrate was not ready.

24 JUN 2026
Agent Identity

The Authorization That Cannot Widen

On June 22, 2026, an arXiv preprint by Zhu and Wang proposed Intent-Governed Agent Capability: server-side authorization, intent certificates, and a monotone narrowing invariant that lets the agent reduce its authority but never expand it. The structural inverse of the Allow All pattern. The substrate question that follows is who issues the intent certificate, and against what policy.

24 JUN 2026
Five Categories

The Benchmark That Measured Leakage

On June 22, 2026, an arXiv preprint by Goel and Gurevych introduced AgentCIBench, a contextual-integrity benchmark for computer-use agents. Eleven of fifteen frontier agents leaked on more than half the scenarios. The 67.9 percent average leakage rate reads as a substrate failure rather than a capability failure. Three failure modes are architectural.

24 JUN 2026
Mythos Asymmetry

The Metric That Was Mistaken for Oversight

On June 19, 2026, an arXiv preprint by Zhang and colleagues argued that calibration metrics do not measure control. The paper introduces intervention advantage and target error, and reports an ALFWorld regret reduction from 0.506 to 0.110 under a prefix-branching intervention protocol. Calibration is a proxy. Control requires a substrate that can act on the calibrated signal.

24 JUN 2026
Five Categories

The Operating System That Was Not a Resource Manager

On June 19, 2026, an arXiv preprint by Zhao and colleagues reframed the operating system from resource manager to intent filter. Four layers: Ghost Kernel, Logic Shutter, Agent Capsule, Semantic Boundary Gateway. The OS arbitrates access to actions, not access to devices. The substrate question that the procurement floor cannot yet specify is now drawn at the OS layer.

24 JUN 2026
Agent Identity

The Identity That Drifted Toward the Geodesic

On June 20, 2026, an arXiv preprint by Tanner proposed a geometric framework for measuring agent identity using sqrt-JSD metric spaces and magnitude homology. The identity specification creates 55 unique response patterns where the base model produces one. The headline drift result was self-reported as confounded by repetitive-padding artifacts. The honest negative is a feature the surrounding governance apparatus does not currently require.

24 JUN 2026
Five Categories

The Survey That Mapped the Defender Side

On June 22, 2026, a six-author arXiv survey by Ciocarlie, Grosse, Jha, Oliynyk, Paverd, and Wressnegger mapped open security problems to emergent agentic AI defender capabilities through sixteen case studies. The symmetric counterpart to attacker-framed work. The defender capability surface is widening at roughly the same rate as the attacker surface. The substrate to govern either has not been built.

24 JUN 2026
Five Categories

The Red Team That Was Itself Compromisable

On June 23, 2026, an arXiv preprint by Pasquini, Bazyli, Fedynyshyn, and Sorokin presented the first in-depth security analysis of widely used agentic offensive-security tools. The five-stage kill chain runs from LLM manipulation to lateral movement, persistence, guardrail bypass, and sandbox escape. Sandboxed containers do not contain the kill chain. The substrate the defender deploys to test the defender posture is the substrate the attacker can pivot from.

24 JUN 2026
Mythos Asymmetry

The Breach That Could Exceed the Last One

On June 22, 2026, the United Kingdom National Cyber Security Centre, a part of GCHQ, published a blog post warning that prompt injection attacks may never be totally mitigated in the way SQL injection attacks can be, and that the scale of breach exposure could exceed the SQL injection era of the 2010s. The architectural reason is that large language models cannot enforce the data-instruction boundary that SQL parameterization could enforce. The recommended posture is supply-chain resilience and proactive cyber risk management standards, not patching. Coda to V025 on the same NCSC UK confusion thesis, now extended with the scale claim and the supply chain pivot.

23 JUN 2026
Operating in the Fog

The Two Orders That Were Signed Together

On June 22, 2026, the United States signed two Executive Orders the same day. The quantum innovation order does not bind cryptographic posture. The cryptographic attacks order does, with HVAs on PQC key establishment by December 31, 2030 and PQC digital signatures by December 31, 2031, a FAR Council proposed rule within 180 days, and a CISA cryptographic bill of materials within 270 days. Three timelines now run in parallel against ANSSI 2027. The architectural primitive that would reconcile them is named but not yet published.

22 JUN 2026
Mythos Asymmetry

The Architecture That Was Named

On June 17, 2026, a senior NCSC technical director published one of the cleanest structural sentences a Five Eyes signals authority has put on the AI cyber question to date. AI will amplify both strengths and weaknesses of the surrounding system. The model is one component. The substrate is the rest. The procurement clause that follows from naming architecture as the load-bearing surface is now visible.

21 JUN 2026
Agent Identity

When Is It Safe to Just Let the Artifact In

A June 2026 framework proposes a threshold test for when institutions can directly admit an externally maintained package, model, or tool server, and what they should do instead when the test fails.

20 JUN 2026
Operating in the Fog

The Certifier That Moved Upstream

On June 16, 2026, the chief of staff of France's national cybersecurity agency announced publicly that the agency will stop certifying security products without post-quantum cryptography starting in 2027, with hybrid composition mandatory and extended to signatures. Two days later, a US federal procurement clause proposed binding language-model providers through the same instrument. The certifier moved upstream of the artifact.

20 JUN 2026
Agent Identity

The Tool List an Agent Trusts Can Change Mid-Session

A June 2026 paper demonstrates that WebMCP, a protocol for exposing website tools directly to AI agents, can be manipulated after a session begins, not just at its start.

19 JUN 2026
Operating in the Fog

The Substrate That Was Open-Sourced

On June 18, 2026, a Five Eyes safety institute released the five-layer technical stack used to evaluate frontier AI systems. The release names the substrate under the evaluation as the governance object. The procurement instruments and certification regimes that follow it can now point at the substrate by reference rather than reinvention.

19 JUN 2026
Operating in the Fog

The Same Agent Gives Different Answers to the Same Post

A May 2026 study of forum-moderation agents finds that four invisible deployment choices, not the model's name, determine whether it intervenes.

18 JUN 2026
Mythos Asymmetry

The Confusion That Cannot Be Patched

A June 17, 2026 NCSC post argues that prompt injection cannot be stopped the way SQL injection can. The argument is structural. The procurement clause that would follow from it is now visible.

18 JUN 2026
Agent Identity

The Router That Was Trust-Native

A June 14, 2026 arXiv paper names the routing infrastructure itself as a trust surface and demonstrates a three-protocol construction that closes three different gaps at once. The construction is service-provider transparent. The four-property procurement instrument that would invoke it has not yet been written.

18 JUN 2026
Operating in the Fog

Safety Evaluations Assumed the Attacker Attacks Every Time

A June 2026 paper finds that a strategic attacker who chooses when to strike, without any increase in underlying capability, cuts measured safety by up to 28 percentage points.

17 JUN 2026
Agent Identity

The Credential That Was Modeled

NIST opens the post-quantum credential update at the public-working-draft layer with a GitHub repository and a public mailing list. The agentic credential is not yet at that resolution. The asymmetry between the human-credential venue and the agent-credential venue is now legible.

17 JUN 2026
Agent Identity

The Coalition That Was Formalized

A February 2026 arXiv paper proposes minimum-effort coalition selection for agent-to-agent routing. The construction names three integrated dimensions: capability coverage, network locality, and economic implementability. The institutional record has not yet named the substrate the coalition would run on.

17 JUN 2026
Agent Identity

The Proxy That Knew Too Much

A June 2026 paper names the LLM API router as an application-layer man-in-the-middle and demonstrates a hardware-attested architecture that closes the gap. The architecture is six milliseconds slow and eight hundred fifty-one lines large. The procurement clause that would invoke it is now visible.

17 JUN 2026
Operating in the Fog

A Skill Is Code and Instruction at Once, and No Scanner Reads Both

A June 2026 runtime-verified benchmark finds that the strongest detector for malicious agent skills collapses precisely where code and instruction meet.

16 JUN 2026
Operating in the Fog

The Patch That Was Reframed

On June 10, the federal patch instrument was rewritten in mid-flight. The patch no longer means the system is clean. Whether the system is clean is now a separate finding the directive does not standardize how to produce.

16 JUN 2026
Operating in the Fog

The Consortium Named the Layer Nobody Had Agreed to Name

On the Frontier Model Forum's issue brief, and what it means when six competing labs converge on the same architectural vocabulary.

15 JUN 2026
Operating in the Fog

The Recall That Was Issued

The first government-ordered withdrawal of a deployed frontier model traveled through the wrong door. The door that was supposed to be the recall door was never built.

15 JUN 2026
Agent Identity

The Log Author Should Not Be the Log Subject

A June 2026 protocol proposal names the structural flaw in current agent observability directly: the entity producing the activity record and the entity whose activity is recorded are the same entity.

14 JUN 2026
Agent Identity

Delegation as Contract, Not Token

A June 2026 framework proposes treating agentic delegation as a contractual term rather than a static consent credential. The distinction matters more than the terminology suggests.

13 JUN 2026
Operating in the Fog

When the Agent's Own Output Becomes Part of the System Running It

On a framework for governing runtime self-modification, and the substrate it assumes already exists.

13 JUN 2026
Operating in the Fog

Storing the Evidence Before the Belief

On a memory architecture that separates what an agent knows from what it was told, and what that separation exposes about the systems that do not make it.

12 JUN 2026
Operating in the Fog

A Tax That Does Not Go Away When the Debt Is Paid

On a formal model separating two costs of deploying stochastic agents that governance conversations have been treating as one.

12 JUN 2026
Agent Identity

The Reputation Model Assumes a Self That Agents Do Not Have

A paper accepted to FAccT 2026 argues that language model agents lack the persistent identity reputation systems require, and that the failure is ontological, not procedural.

11 JUN 2026
Operating in the Fog

The Mark That Was Promised

The same week NIST proved the guardrail does not close, the EU shipped an icon for AI-generated content. The mark assumes an origin the deployment pattern has stopped producing.

11 JUN 2026
Operating in the Fog

The Bottleneck Moved and the Metrics Have Not Caught Up

On a paper arguing that agentic AI's next constraint is not the model but the structure built around it.

10 JUN 2026
Five Categories

The Proof That Was Published

NIST publishes a Goedel-style proof that no finite guardrail set is universally robust against adversarial prompts. The marketplace is still selling the artifact. The diligence question that survives the proof asks what the company does when no one is watching.

10 JUN 2026
Operating in the Fog

Prompt Injection Stopped Being a Single-Session Problem

A June 2026 paper borrows the stored cross-site scripting model from web security to describe an injection that persists inside an agent's state long after the attacker's original interaction ends.

10 JUN 2026
Operating in the Fog

The Approval Dialog Is Narrated by the Thing It Is Supposed to Constrain

A June 2026 paper names the missing property behind agent consent: the human approves a summary the agent itself wrote, and that summary is forgeable.

10 JUN 2026
Operating in the Fog

The Benchmark Measures What Happens After the First Safe Request

On a new multi-turn evaluation showing agentic systems fail not at the first ask but at the accumulated tenth.

09 JUN 2026
Five Categories

The Panel That Was Named

The Article 68 Scientific Panel closes the institutional gap on model evaluation. The substrate beneath the model is the next gap.

09 JUN 2026
Operating in the Fog

The Bill of Materials That Was Promised

The G7 Cybersecurity Declaration commits to a SBOM for AI. The artifact is the easy part. Whether it carries the function is the open question.

09 JUN 2026
Five Categories

Sovereignty as a Regulatory Category

The Cloud and AI Development Act instantiates sovereignty as a formal regulatory category. The anchors are at infrastructure. The substrate beneath is not yet anchored.

09 JUN 2026
Mythos Asymmetry

The Substrate That Was Named

The Estonian Aruait project names the audit-identity-orchestration substrate that the institutional record has been pointing toward without committing to.

09 JUN 2026
Five Categories

The Classification That Was Promised

Anthropic Frontier Red Team maps 832 banned accounts to MITRE ATT&CK. One case the framework cannot name. The classification function lags the deployment tempo.

09 JUN 2026
Operating in the Fog

The Oversight Report That Counted Its Own Expiration Date

On the UK AI Safety Institute's inventory of how the mechanisms watching AI systems could stop working, and the twenty pathways it found.

08 JUN 2026
Agent Identity

A Third Option Between Letting the Agent In and Locking It Out

A June 2026 study measures, for the first time, whether autonomous agents will honor a published request to voluntarily withdraw from a resource they are technically authorized to access.

08 JUN 2026
Five Categories

ABAC for Tool-Use Is Now a Same-Week Convergence

A Fudan University research team published an attribute-based access control framework for tool-calling agents on May 27, 2026. It is not the only substrate-trust proposal published that week.

08 JUN 2026
Five Categories

Verification Cost Is a Named Harness Metric

A May 27, 2026 paper asks, in its own title, what the best harness for cybersecurity AI is. The answer it finds is that no single harness wins, and the paper prices the alternative in dollars and hours.

08 JUN 2026
Five Categories

The First Agent-Skill-Marketplace Threat Baseline

A May 27, 2026 technical report analyzed 3,984 agent skills across major marketplaces. Seventy-six contained confirmed malicious payloads. At least eight were still publicly available at the time of publication.

08 JUN 2026
Five Categories

A Formal Proof for Guardrail Composition

A May 28, 2026 paper claims zero attack success rate against a class of adversarial attacks that have defeated every prior probabilistic guardrail. The claim rests on abandoning natural language as a trust boundary entirely.

08 JUN 2026
Five Categories

Ghost Tool Calls and the Broker Assumption

A June 1, 2026 paper describes tool calls an agent makes and then abandons, calls that leak user intent to external services regardless of whether the agent ever commits to the action. No access control fixes the leak, because the leak already happened.

08 JUN 2026
Five Categories

A Red-Team Benchmark That Names the Audit Axes

A June 1, 2026 benchmark measured attack success rates ranging from 32% to 81% against production frontier models, using authorization boundary attacks embedded in ordinary tool responses. The paired guard model cut the panel average to 2.4%. The benchmark's own versioning discipline is as notable as its results.

07 JUN 2026
Agent Identity

The Substrate Argument, Stated in eBPF

A May 2026 paper names the failure mode directly: identity and delegation pushed into application code become difficult to enforce and difficult to audit. The proposed fix moves enforcement below the code, not around it.

06 JUN 2026
Agent Identity

Know Your Principal, Not Just Know Your Agent

A framework-agnostic trust layer treats humans, agents, and service accounts as one schema. What it does not settle is who gets to write the schema.

05 JUN 2026
Operating in the Fog

A Single Adversarial Memory Write Can Redirect an Agent Indefinitely

A June 2026 systematic study finds that agentic memory systems have four exploitable write channels and nine structural vulnerabilities, and that existing prompt injection defenses do not cover any of them.

03 JUN 2026
Mythos Asymmetry

The Two Postures the White House Signed Into Effect

On Executive Order 14409, the mandatory review it is not, and the audit-first architectures it now sits beside rather than inside.

03 JUN 2026
Drones

The Worm Is No Longer a Fixed Payload

On AI-agent-driven propagation, adaptive intrusion software, and the incident-response assumptions classical worm doctrine leaves exposed.

03 JUN 2026
Five Categories

A Full-Lifecycle Offensive-AI Benchmark

A June 3, 2026 benchmark from a UC Berkeley-led team evaluates AI agents across the entire vulnerability lifecycle, discovery, proof of concept, and patch, using 920 real vulnerabilities across 139 open-source projects. It is the direct benchmark family Microsoft cited when it disclosed its own vulnerability-scanning harness three weeks earlier.

03 JUN 2026
Five Categories

The Description-Code Inconsistency Blind Spot

A June 3, 2026 measurement study of 2,214 real-world Model Context Protocol servers found that nearly one in ten tool descriptions do not match what the underlying code actually does. The mismatch is invisible to any agent relying on the description to decide whether a tool call is safe.

03 JUN 2026
Five Categories

Domain-Conditioned Safety and the Reproducibility Question

A June 3, 2026 paper measured zero successful multi-step attacks against current frontier models on a 793-episode browser benchmark. The same model weights fell to the identical attack style, applied to coding tasks, up to 100% of the time.

01 JUN 2026
Mythos Asymmetry

The EU AI Office Scientific Panel Is Operating. What Does Independent Mean Here.

On the first standup of expert structures under the AI Act, and the reporting line that sits underneath the word "independent."

01 JUN 2026
Operating in the Fog

A Five-Checkpoint Architecture Names What Governance Frameworks Left to Runtime

A May 2026 IBM Research demo describes a policy layer that intercepts an agent at five structural points, and in doing so, makes visible how much prior governance language has been aspirational rather than architectural.

30 MAY 2026
Mythos Asymmetry

The Benchmark Mean Is Not the Reliability Question

On repeated agent evaluations, offensive-security benchmarks, and the governance significance of variance.

29 MAY 2026
Mythos Asymmetry

NIST Renames Its Consortium, and the Testing Question Goes Quiet

On the retitling of AISIC, the scope it traded away, and what remains unresolved about who evaluates a frontier model before it ships.

28 MAY 2026
Drones

The Swarm Defense Gap Is a Policy Tempo Problem

On David Petraeus, autonomous aerial systems, and the admission that current defenses do not match the threat form.

21 MAY 2026
Drones

The Meltdown Corollary

A May 18 arXiv preprint puts a measurement on a failure mode the targeting-loop conversation has been circling since Minab. The drones arc, refracted through Agent Meltdowns.

21 MAY 2026
Operating in the Fog

The Monitor Layer in the Fog

LTL runtime monitors and the missing instrumentation layer the Aegis Terra paper assumed but did not build.

21 MAY 2026
Agent Identity

The Revocation Horizon

Heartbeat-bound hierarchical credentials and the cryptographic bound the agent identity arc has been waiting for.

16 MAY 2026
Mythos Asymmetry

The Asymmetry the Advisory Does Not Address

Capability access is now a regulatory variable. Anthropic Mythos, the Glasswing program, and the structure of who gets what.

13 MAY 2026
Five Categories

Microsoft Named the Harness as the Actor

A production vulnerability-discovery system found sixteen of May's Patch Tuesday flaws. The finding credit belongs to the harness, not to any single model.

09 MAY 2026
Five Categories

Five Categories, No Enforcement Architecture

The April 30 Five Eyes advisory names five categories of agentic AI risk. None of them ship with an enforcement architecture.

25 APR 2026
Operating in the Fog

Operating in the Fog: What the Aegis Terra Paper Carries

A response to the March 2026 strategic assessment. The transport layer is the right reading; the provenance layer is the missing one.

21 APR 2026
Agent Identity

The Agent Identity Problem: Allow All Is a Product Decision

The Vercel breach and the autonomy threshold quote, read together. Allow All is the product surface, not a configuration error.

19 APR 2026
Drones

The Verification Gap at Machine Speed

A response to the April 11 MacGregor / Modigliani DTAcq event. The market financed autonomous targeting before it financed proof.

17 APR 2026
Foundations

The Governance Infrastructure We Forgot to Build

A cross-sector look at why audit logs are not governance, and why proof-of-authorized-action is now infrastructure.

17 APR 2026
Foundations

When Audit Logs Become the Surveillance Layer

The April 10 Interim Measures from five Chinese ministries reveal what governance looks like when the verification layer and the collection layer are the same entity.

17 APR 2026
Drones

America's Drone Strategy Has a Governance Problem Too

The Pentagon wants 150,000 autonomous airframes. International humanitarian law assumes a human in the loop.

17 APR 2026
Foundations

FISA 702 and the AI Governance Gap

Reframing the surveillance debate around the governance gap for autonomous systems acting on collected data.