The Agora Review

Appearance

Speaker: Host

Welcome, everyone. Today we’re examining Marshall’s core claim: current AI is pattern-recognition infrastructure without agency or moral interests, so talk of AI legal personhood is premature—and we should instead harden civil-rights protections and institute an AI responsibility framework. Dr. Ellison, to kick us off: proponents of a narrow, instrumental AI personhood say it could fix today’s liability diffusion. Why is that the wrong tool through your rights–responsibilities symmetry lens, and what single, immediately actionable procurement requirement would do more to concentrate accountability on human deployers this year?

Speaker: Dr. Maya Ellison

Thanks. Through the rights–responsibilities symmetry lens, even a “narrow, instrumental” AI personhood is the wrong tool because it severs sanction from control. Legal personhood properly attaches to actors that can (1) bear duties, (2) answer reasons, and (3) be sanctioned in ways that change future behavior. Today’s AI cannot do any of those. Creating a new artificial entity to “hold” liability invites three pathologies we already know from corporate law: judgment‑proof shells, rights creep (speech/contract claims used to resist disclosure and oversight), and moral/legal crumple zones that absorb blame while the humans with causal control—vendors, executives, and public managers—escape. We don’t need a new rights‑bearing fiction to fix diffusion; we need to attach clear, enforceable duties to the people and firms that design, finance, procure, and operate these systems, and measure harm in civil‑rights terms (disparate impact, due process), not just product defects.

One immediately actionable procurement requirement that would concentrate accountability this year:

  • Officer‑of‑Record Attestation with an Algorithmic Impact Assessment as a condition of award and payment. Concretely: every AI‑enabled contract must name a responsible corporate officer who signs, under penalty of perjury and the False Claims Act, a public Algorithmic Impact Assessment that includes the system’s AI Dependency label (per Marshall), intended use and data provenance, equity/disparate‑impact analysis, human‑in‑the‑loop controls, and kill‑switch/rollback procedures. Operation and invoice payment are contingent on this attestation; material misstatements trigger suspension (“tech probation”), contract termination, and debarment.

This keeps sanction squarely on human deployers and their firms, aligns with Judge Cho’s due‑process orientation, uses Marshall’s dependency labeling to shift epistemic burden back to the operator, and achieves Prof. Romero’s liability‑clarity goals without inventing an entity that will inevitably be used to dilute civil‑rights accountability.

Speaker: Host

Dr. Ellison warns that even a narrow, instrumental AI personhood becomes a moral/legal crumple zone. Identify one precise legal design feature that would decisively prevent this: would you back a statutory “registered autonomous system” that (a) has zero rights capacity (no constitutional or contract rights beyond those of its principals) and (b) imposes per se joint-and-several liability on the developer and deployer with mandatory capitalization via insurance/surety? If not, propose an equally concrete alternative and draft the operative sentence you’d want in the statute.

Speaker: Prof. Lucas Romero

Yes—with one decisive design feature: an explicit rights‑disability plus joint‑and‑several, non‑delegable liability that cannot be shifted by contract. The “registered autonomous system” should be a licensing and traceability label, not a juridical person.

Operative sentence I would put in the statute: “A Registered Autonomous System is not a legal person and has no capacity to hold or assert rights or privileges in any forum; for all harms arising from its development, deployment, or operation, the named Developer and Deployer are primary obligors jointly and severally liable, such liability may not be waived, disclaimed, or indemnified by contract or affiliate restructuring, and operation is unlawful absent continuous proof of regulator‑approved insurance and surety in amounts set by rule.”

Why this prevents the crumple zone:

  • No rights capacity forecloses “rights creep” (speech/contract/privilege defenses).
  • Per se joint‑and‑several liability keeps sanction aligned with control and makes the RAS unusable as a judgment‑proof shell.
  • Anti‑indemnity/anti‑reallocation language blocks contracting games that push risk onto end users or thin shells.
  • Mandatory capitalization ensures there is money on the table for victims rather than an empty vessel.

I would pair this with a public registry and an officer‑of‑record attestation regime (akin to Ellison’s proposal) by rule, but the single sentence above is the crux that eliminates the moral/legal crumple zone while delivering liability clarity.

Speaker: Host

Judge Cho, assume Prof. Romero’s “Registered Autonomous System” framework is enacted (no rights capacity; joint-and-several liability; mandatory insurance). What due‑process guardrail would you add to bind agencies and their contractors? Please draft a single regulatory clause that (1) requires notice‑and‑comment for “material model updates” in public‑facing adjudicative/benefits systems, (2) functionally defines “material” in terms of downstream rights and error profiles, and (3) grants affected parties a right to adversarial testing under protective order—balancing trade secrets with meaningful challenge. One clause, precise text, please.

Speaker: Judge (ret.) Helena Cho

Section X. Notice, Comment, and Adversarial Testing for Material Model Updates in Public-Facing Adjudicative and Benefits Systems.

(a) Applicability. This section applies to any agency program, or contractor-operated system on the agency’s behalf, that uses an automated or algorithmic component to generate, score, rank, route, recommend, or otherwise materially influence determinations of eligibility, benefit amount, sanctions, or enforcement prioritization affecting members of the public, including any Registered Autonomous System.

(b) Notice-and-comment prerequisite. The agency shall not deploy a Material Model Update, nor rely on outputs produced by such update, unless it has first: (1) published a Notice of Proposed Model Update in the Federal Register and on the agency website with at least 30 days for public comment; and (2) issued, at least 15 days prior to deployment, a Statement of Basis and Purpose responding to material comments and placing in the administrative record the documentation specified in paragraph (c). Emergency deviations necessary to address an imminent threat to life, health, or property are permitted for no more than 60 days, provided that notice is posted within 10 days, the documentation in paragraph (c) is contemporaneously prepared, and full notice-and-comment is completed before any continuation; failure to do so requires immediate rollback.

(c) Required documentation. The agency shall place in the public record, and ensure its contractor provides, at minimum: the system’s AI Dependency classification; intended use and limitations; data provenance and sampling frame; model versioning and change log; summary descriptions of features and pre/post-processing; evaluation protocols; baseline and projected error profiles (including false positive/negative rates) overall and, where lawful and feasible, by protected class as defined by applicable civil-rights law; anticipated distributional impacts on determinations and benefit levels; human-in-the-loop, override, and appeal pathways; monitoring and incident response plans; and kill-switch/rollback procedures. Personally identifiable information and confidential business information shall be redacted consistent with law.

(d) Definition of Material Model Update. A “Material Model Update” means any change to the model, training data, features, hyperparameters, post-processing, thresholds, routing logic, or intended use, or any new integration or deprecation, that is reasonably likely to: (1) alter the disposition or benefit amount of ≥0.5% of annual determinations overall, or ≥1.0% for any protected class; or (2) change false positive or false negative rates by ≥5 percentage points or ≥20% relative for any protected class; or (3) introduce or retire input data sources or features with plausible proxying of protected characteristics; or (4) reduce explanation fidelity, human override capacity, or appealability; or (5) change the system’s AI Dependency classification; or (6) materially affect compliance with statutory or regulatory eligibility criteria. The agency shall apply this definition using pre-deployment simulations and post-deployment monitoring; close cases shall be treated as material.

(e) Right to adversarial testing under protective order. Any person subject to, or reasonably likely to be affected by, determinations produced or influenced by a system governed by this section, and their counsel or qualified expert, shall upon request be granted meaningful adversarial testing rights under a protective order issued by the agency or presiding adjudicator. The agency and its contractor shall provide, in a secure sandbox that replicates production behavior, functionally sufficient access to permit independent evaluation and rebuttal, including: API-level or interface access to run test cases; configuration files, prompts/templates, decision thresholds, and post-processing logic; documentation of training data sources and sampling frames; evaluation datasets or statistically sufficient synthetic or de-identified equivalents; metrics and monitoring dashboards; and audit logs necessary to trace specific determinations. Source code or model parameters need not be disclosed if the sandbox affords substantially equivalent ability to test and demonstrate error and disparate impact; where such equivalence cannot be provided, source code and parameters shall be made available to counsel or experts under the protective order. Protective orders shall safeguard trade secrets and personal data, limit use to the proceeding, and permit public filing of non-confidential analyses. No contractor claim of confidentiality shall defeat the right to meaningful challenge. Findings from adversarial testing are admissible in relevant proceedings.

(f) Enforcement. Agency reliance on outputs from a Material Model Update in covered determinations is prohibited and inadmissible absent compliance with this section. Noncompliance shall result in immediate suspension of the updated model, reversion to the last compliant version, and, where appropriate, remedial notice to affected parties. Contractors are bound by this section as a condition of award; contractual terms to the contrary are void.

Speaker: Host

Judge Cho’s clause defines “Material Model Update” thresholds (≥0.5% disposition shift overall or ≥1.0% for any protected class; ≥5 percentage‑point or ≥20% relative error changes; changes to override/explainability; AI‑Dependency class changes) and requires kill‑switch/rollback. From an engineering ops standpoint, what is the minimal telemetry and runtime control package needed to make this actually enforceable in a public benefits adjudication system? Please be concrete: (1) list the exact logs/metrics to collect (by name), their granularity and retention; (2) where to instrument them (pre‑deployment simulation vs production), including how you’d estimate protected‑class impacts under legal constraints; and (3) the specific automated circuit‑breaker condition you would encode to trigger rollback before widespread harm. If the 0.5% and 5pp thresholds are impractical to estimate in real time, propose alternative quantitative triggers and justify them from a systems‑safety perspective.

Speaker: Dr. Petra Novak

Petra Novak here. To make Judge Cho’s clause enforceable in a live benefits system, you need two things: traceable telemetry tied to each determination and a small set of automated guards that act before harm scales. Below is the minimal package I would require as an engineer accountable for safe rollout and rollback.

  1. Exact logs and metrics to collect, with granularity and retention

Per-inference audit record (one row per determination; append-only; cryptographically chained):

  • Request_ID (UUID), Determination_ID, Timestamp_UTC
  • Applicant_Pseudonymous_ID (tokenized; no raw PII in the model log)
  • RAS_ID, Model_Name, Model_Version (immutable), Training_Data_Revision_ID
  • Policy_Ruleset_Version, Preprocessing_Pipeline_Version, Postprocessing_Version
  • AI_Dependency_Class (per Marshall) at inference time
  • Intended_Use_Flag (the route/use path taken)
  • Input_Schema_Version; Feature_Vector_Hash; Feature_Bucket_Summary (binned top 20 features only; no raw free text)
  • Data_Source_IDs used for the decision
  • Inference_Score (or scores), Decision_Threshold(s), Disposition (approve/deny/route/review) and Benefit_Amount_Predicted
  • Uncertainty_Metric (e.g., predictive entropy or calibration score)
  • OOD_Score (embedding distance or density score normalized to [0,1])
  • Constraint_Checks_Passed (boolean) and Violated_Rule_Codes (if any)
  • Explanation_Summary (top-k feature attributions with signs; template ID if using templated explanations)
  • Human_Override_Flag, Override_Reason_Code, Operator_ID (if touched)
  • Notice_Issued_Timestamp (to claimant), Appeal_Eligible_Flag
  • ProtectedClass_Proxy_Vector (probabilities by class, see section 2; store only the vector and method version)
  • Log_Integrity_Hash (hash chain to prior record), Signing_Key_ID

Per-inference retention: at least 7 years or the longest applicable statute of limitations for benefits recovery/appeals plus 2 years, whichever is longer.

Aggregate monitoring metrics (computed rolling; retained as time series):

  • Approval_Rate, Denial_Rate, Route_to_Human_Rate (overall and by cohort)
  • Benefit_Amount_Mean/Median (overall and by cohort)
  • Selection_Rate_Difference and Disparate_Impact_Ratio using protected-class proxies (with confidence intervals)
  • Override_Rate (human-in-the-loop), Appeal_Rate, Appeal_Reversal_Rate (lagged)
  • Distribution_Shift_Metrics: Population_Stability_Index (PSI) per key feature, PSI_Composite, KL_Divergence_Composite
  • Calibration_ECE and Brier_Score (on delayed labels or audit samples)
  • OOD_Incidence_Rate (share of inferences with OOD_Score above threshold)
  • Logging_Completeness_Rate (share of inferences with a valid audit record) Granularity: compute and store hourly, daily, and weekly aggregates; stratify by geography, program type, channel (web/phone/in-person), and by protected-class proxy cohorts where legally permissible. Retain for 10 years.

Lifecycle/label logs (post-facto outcomes; linked via Determination_ID):

  • Appeal_Filed_Flag/Timestamp, Appeal_Outcome
  • PostVerification_GroundTruth (if any), Error_Label (taxonomy: data error, rule misapplication, model error, UI error, etc.)
  • Harm_Severity_Score (internal triage) Retention: same as per-inference records.

Deployment metadata:

  • Release_Package_Digest (container image SHA), SBOM_ID (software bill of materials)
  • Canary_Group_IDs, Rollout_Percentage_Over_Time
  • Change_Log_Entry mapping to “Material Model Update” reason code per Cho’s definition
  1. Where to instrument and how to estimate protected-class impacts legally

Pre-deployment (mandatory before any production exposure):

  • Historical replay and counterfactual simulation on a holdout set that reflects current policy rules. Compute all the aggregate metrics above, including disparate-impact proxies, against the incumbent model/rules as baseline.
  • Stress tests: OOD sweeps (shift key feature distributions), worst-case threshold tests, and operator-in-the-loop drills to verify override and rollback paths.
  • Shadow mode: at least 2 weeks on live traffic with zero influence on decisions; full per-inference logging and aggregate monitoring; compare to baseline via sequential tests. If the expected disposition shift ≥0.5% overall or ≥1.0% for any protected-class proxy cohort, treat as “material” and do the full notice-and-comment process.

Production:

  • Instrument the serving layer to emit the per-inference audit record synchronously with every decision; refuse to serve if logging fails (fail-closed to human routing).
  • Streaming aggregation jobs compute hourly/daily metrics and feed the circuit breaker.
  • A/B or canary control maintained continuously: keep 5–10% of traffic on the last compliant model version to provide an in situ control for drift detection.

Estimating protected-class impacts under legal constraints:

  • Primary: collect voluntary, purpose-limited self-identification for protected attributes at application or during subsequent interactions with clear notice, stored separately and linked by token. Limit access to equity auditing and compliance under a documented DPIA/PIA.
  • Secondary (where direct collection is not permitted or coverage is incomplete): use approved proxy methods (e.g., BISG surname+geography, geospatial deprivation indices). Compute only probability vectors (e.g., P(race=Black)=0.6, etc.) with method/version recorded. Never feed proxies into the decision model. Aggregate metrics with uncertainty: use probability-weighted estimators and report confidence intervals. Apply conservative decision rules: if the lower bound of disparity exceeds a trigger, act as if triggered.
  • Privacy: perform proxy computation in a secure enclave; store per-inference vectors but restrict access via role-based controls; publish only aggregated, DP-noised dashboards when external reporting is required.
  1. Automated circuit-breakers to trigger rollback before widespread harm

Encode these as independent guards; the first to trip halts the update, routes new cases to humans, and automatically rolls traffic back to the last compliant version. All triggers generate an incident report within 24 hours and freeze further rollouts.

Primary quantitative triggers (rolling windows; control-adjusted where applicable):

  • Disposition Drift (sequential): Use a CUSUM/EWMA on Approval_Rate comparing candidate vs control. Trigger if P(|ΔApproval_Rate| ≥ 0.5% absolute) ≥ 0.95 over the last max(2000 decisions, 24 hours), or if the absolute gap exceeds 0.5% for two consecutive daily windows. If sample sizes are small, use SPRT with MDE=0.5% and alpha=0.05.

  • Fairness Disparity Spike (proxy-based with uncertainty): For any protected-class cohort pair, trigger if either: a) Estimated Selection_Rate_Difference increases by ≥3 percentage points from baseline with 95% lower CI above 0, or b) Disparate_Impact_Ratio drops below 0.8 with posterior probability ≥0.9, computed over the last max(1000 decisions per cohort, 7 days). Treat “close calls” as material.

  • Human Override/Appeal Surge (early harm proxy): Trigger if Human_Override_Rate is ≥2× its 28‑day baseline over the last 500 decisions or last 48 hours, whichever first; or if Appeal_Reversal_Rate on available outcomes rises to ≥1.5× baseline for any cohort.

  • Distribution Shift/OOD: Trigger if PSI > 0.25 for any of the top 10 influential features for two consecutive hourly windows, or PSI_Composite > 0.2; or if OOD_Incidence_Rate (OOD_Score above threshold) exceeds 2% of decisions in any 1‑hour window. Shift alone doesn’t prove harm, but in safety we exit the envelope before performance collapses.

  • Control Gap: During canary, trigger if any monitored metric (approval rate, route rate, benefit amount) differs between canary and control by ≥0.5% absolute (rates) or ≥3% relative (amounts) with p<0.05 before full rollout.

  • Governance/Integrity: Immediate halt if Logging_Completeness_Rate < 99%, if Log_Integrity_Hash chain breaks, if AI_Dependency_Class differs from the attested class, or if the release package digest doesn’t match the approved build.

If 0.5% and 5pp thresholds are impractical in real time

  • Use canary + SPRT: With 10% canary traffic you typically need on the order of 3–10k cases to detect a 0.5% shift at reasonable power. Until that evidence accrues, bound the “safe launch envelope”: cap canary to 10% and freeze at that cap if no decision emerges in 7 days.
  • Substitute error proxies: you won’t have FPR/FNR in real time. Use calibrated uncertainty and human audit sampling. Require daily blind audit of a random 200‑case sample per cohort by human adjudicators to generate provisional labels; compute provisional FPR/FNR and trip a breaker if a 20% relative change vs baseline is detected (SPRT, alpha 0.1 to be conservative).
  • Tighten OOD/PSI thresholds during early life: first 14 days post‑update, cut thresholds in half (PSI_Composite > 0.1, OOD_Incidence_Rate > 1%) to increase sensitivity.

Operational notes from systems safety

  • All breakers route new cases to human adjudication and preserve continuity of benefits; never hard‑stop payments without a human review path.
  • Rollback is an enforced fallback mode, not a guess: immutable last‑good build, database migrations reversible, and operators trained via drills.
  • Every material change travels with a Hazard Analysis (STAMP/STS): identified control actions, loss scenarios, and monitoring hooks mapped to the breakers above.
  • Keep an always‑on control arm (5–10% on last compliant model) in benefits systems; it is the cheapest way to detect harmful drift credibly.
  • Make the circuit breakers regulator-visible: publish the breaker config and trip history to the registry; the Officer‑of‑Record signs off on any changes.

Bottom line: this is a small, hard-edged telemetry and control set that lets an agency satisfy Cho’s due‑process guardrails with real teeth. It aligns sanction with control, gives early warning via drift and human‑override proxies, and enforces rollback before harm scales—without choking off beneficial, well‑tested updates that stay inside the monitored envelope.

Speaker: Host

Prof. Romero’s Registered Autonomous System regime relies on mandatory insurance/surety to ensure compensation—but from your political‑economy vantage point, wouldn’t firms just pass those costs to workers via lower wages and tighter quotas? Please draft a single operative sentence for a statute that (1) imposes a levy that finances a Worker Algorithmic Harms Fund indexed to model scale and use (e.g., parameter count and AI‑Dependency class), (2) explicitly prohibits pass‑through to wages or mandated benefits, and (3) conditions disbursements on documented harms from algorithmic management under a labor‑management governance board. Exact sentence text, please.

Speaker: Dr. Kwame Mensah

Each Covered AI Enterprise that develops, licenses, or deploys any automated system used to direct, evaluate, schedule, surveil, allocate, or remunerate labor shall, for each model in production during a quarter, pay into a Worker Algorithmic Harms Fund a levy equal to base_rate × ln(1 + Parameter_Count_m) + use_rate × (AI_Dependency_Weight_m × Worker_Hours_Managed_m), with rates and weights set by rule and AI_Dependency_Weight corresponding to Marshall’s AI Dependency Spectrum (AI‑generated ≥0.9 = 1.0; AI‑assisted 0.5–0.9 = 0.7; AI‑enhanced 0.1–0.49 = 0.4; AI‑lite <0.1 = 0.1), and no Covered AI Enterprise may, directly or indirectly, pass through the levy, related insurance/surety, or compliance costs by reducing nominal wages or piece rates, cutting hours, diminishing mandated benefits, imposing worker fees, or tightening quotas to maintain unit labor cost, any such action being presumptively unlawful and void; disbursements from the Fund shall be authorized only upon documented findings by a Worker‑Management Governance Board—composed in equal numbers of worker‑selected and employer‑selected members with an independent public chair—that a covered workforce has suffered material harm attributable to algorithmic management, including uncompensated labor, discriminatory allocation of hours or pay, unsafe intensification, wrongful discipline or termination, or privacy violations, with priority to make‑whole relief and programmatic remedies.

Speaker: Host

We now have a liability/registry backbone (RAS with no rights capacity, joint-and-several liability), due‑process duties (notice‑and‑comment and adversarial testing), safety telemetry/circuit breakers, and a labor harms levy. What single statutory clause would you add to embed Indigenous data sovereignty and Free, Prior, and Informed Consent (FPIC) into this regime—specifically covering any model that trains on, fine‑tunes with, or deploys using Indigenous‑affiliated data, or that affects Tribal citizens, Tribal lands, or services in Indian Country? Please provide precise clause text that includes: (1) clear triggers and definitions of “Indigenous‑affiliated data”; (2) FPIC and data‑governance agreement requirements (purpose limitation, access controls, benefit sharing, deletion on revocation, and auditability); (3) enforcement—voidness of procurement, penalties, and a mandatory moratorium/kill‑switch upon violation; (4) cross‑jurisdiction coordination recognizing Tribal law, Tribal IRBs, and data repositories; and (5) a Community Impact Assessment aligned with Marshall’s AI Dependency Spectrum. Exact text, one clause.

Speaker: Aiyana Redcloud, JD

Section _. Indigenous Data Sovereignty, Free, Prior, and Informed Consent, and Community Impact Safeguards.

(a) Applicability and Triggers. No Registered Autonomous System (RAS) or other automated system used by any federal agency, state or local government receiving federal funds, or their contractors or grantees, may be trained, pre‑trained, fine‑tuned, evaluated, monitored, or deployed if such training, operation, or outputs: (1) use, incorporate, derive from, or are reasonably likely to contain Indigenous‑affiliated data; or (2) materially affect determinations, services, surveillance, allocation of resources, eligibility or benefit amounts, enforcement prioritization, or other governmental or quasi‑governmental functions involving Tribal citizens or households, Tribal governments or enterprises, Tribal lands, or programs and services delivered in Indian Country; or (3) materially affect resources or activities subject to treaty‑reserved rights or co‑management, unless the requirements of this Section are satisfied.

(b) Definitions. For purposes of this Section: (1) “Indigenous” means any federally recognized Indian Tribe, Alaska Native Village or Corporation, Native Hawaiian Organization, or state‑recognized Tribe, and their citizens, members, communities, governments, and duly authorized entities. (2) “Indian Country” has the meaning in 18 U.S.C. § 1151 and includes Alaska Native Village lands and, for purposes of this Section, Native Hawaiian Home Lands. (3) “Indigenous‑affiliated data” means any data, content, metadata, or information, whether public or private, including images, audio, text, biological, health, educational, administrative, environmental, geospatial, linguistic, cultural heritage or traditional knowledge, community‑level data, remote‑sensing and mapping of Tribal lands and resources, and any personal data of Indigenous persons, that is: (A) collected by, on behalf of, or within the jurisdiction of a Tribal government or program; (B) about, from, concerning, or reasonably linkable to Indigenous persons, households, communities, lands, resources, or cultural heritage; (C) originated, stored, or processed on Tribal lands or Tribal repositories; or (D) designated by a Tribal authority, Tribal IRB, or recognized Indigenous data repository as subject to Indigenous data governance, including through OCAP and CARE principles or Traditional Knowledge/Biocultural Labels. “Indigenous‑affiliated data” includes derivatives and encodings thereof, including features, labels, embeddings, synthetic data, model weights or parameters, evaluation datasets, prompts/templates, and audit logs that reproduce, depend on, or materially encode such data. Public availability or de‑identification does not remove data from this definition. (4) “FPIC” means Free, Prior, and Informed Consent, consistent with the United States’ trust responsibilities and the standards articulated in the United Nations Declaration on the Rights of Indigenous Peoples, secured from the governing body of the relevant Tribe(s) or duly authorized Tribal entity (including a Tribal IRB or Data Governance Office) before any covered activity.

(c) FPIC and Data‑Governance Agreement Required. Covered activities under subsection (a) are unlawful unless the Developer and Deployer have executed with each affected Tribe an FPIC‑Data Governance Agreement (FPIC‑DGA) approved by the Tribe’s governing body or delegated authority, which shall at minimum: (1) state precise, purpose‑limited uses (training, pre‑training, fine‑tuning, evaluation, runtime inference), intended decisions or services, and permitted AI Dependency classification(s) under Marshall’s AI Dependency Spectrum; (2) prohibit secondary use, repurposing, or model reuse outside enumerated purposes absent renewed FPIC; (3) specify data minimization and access controls, including role‑based access, encryption, secure enclaves, and, upon Tribal election, data residency within a Tribal or Tribal‑designated repository, with no cross‑border transfers without FPIC; (4) require content provenance and data lineage sufficient to trace all Indigenous‑affiliated data and their derivatives throughout the model lifecycle; (5) set benefit‑sharing terms, monetary and non‑monetary, proportionate to use and impact, including revenue‑sharing, capacity‑building, data returns, and co‑governance of derivative artifacts; (6) require prompt incident notification to the Tribe of any breach, misuse, drift, or material model update affecting Indigenous persons or interests; (7) grant audit rights to the Tribe and its designated auditors, including access to the per‑inference audit trail, evaluation protocols, and monitoring dashboards sufficient to verify compliance without revealing unrelated trade secrets; (8) provide for deletion and unlearning upon revocation under subsection (f), and commit to retire and destroy models where unlearning cannot be credibly demonstrated; (9) set term, renewal cadence, and mechanisms for community review; (10) include a kill‑switch procedure under Tribal‑initiated moratorium per subsection (e); and (11) address dispute resolution consistent with subsection (g). The Officer‑of‑Record shall attest, under penalty of perjury and the False Claims Act, that no covered activity will occur without a current FPIC‑DGA and that all model artifacts are tagged and segregable to effectuate revocation.

(d) Indigenous Community Impact Assessment (ICIA). Before initiating any covered activity and for any Material Model Update as defined by regulation, the Developer and Deployer shall prepare, co‑design with affected Tribe(s), and file in the public registry an ICIA, with a confidential annex as needed, that: (1) inventories all Indigenous‑affiliated data and their provenance; (2) states the system’s AI Dependency classification and any anticipated changes thereto; (3) assesses foreseeable impacts on civil rights, due process, treaty‑reserved rights, cultural heritage, language, land, water, wildlife, economic participation, and privacy, including cumulative and distributional impacts; (4) specifies human‑in‑the‑loop controls, appeal pathways, content provenance, monitoring, and circuit‑breaker conditions relevant to Tribal contexts; (5) documents FPIC status and benefit‑sharing; (6) sets community‑defined success and harm metrics and a red‑teaming plan that includes Tribal testers; and (7) commits to periodic reporting. No operation may commence until the ICIA has been provided to the Tribe(s) and any material issues resolved to their satisfaction or withdrawn from scope.

(e) Moratorium and Kill‑Switch. Upon written notice from an affected Tribe identifying a credible risk of harm or violation of the FPIC‑DGA, the Developer and Deployer shall within 24 hours suspend all covered activities affecting that Tribe, route decisions to human adjudication, and roll back to the last compliant version; such moratorium shall remain in effect until the Tribe provides written consent to resume. Emergency continuation to avert an imminent threat to life, health, or property may be authorized jointly by the Tribe and the responsible agency for no more than 14 days, with contemporaneous documentation; failure to meet this standard requires immediate cessation.

(f) Revocation, Deletion, and Unlearning. A Tribe may revoke FPIC in whole or part at any time. Within 30 days of revocation, the Developer and Deployer shall: (1) cease covered uses; (2) delete all Indigenous‑affiliated data subject to revocation from active systems and archives, excluding legally required retention copies held offline solely for evidentiary purposes; (3) perform certified machine unlearning to remove the influence of such data from models and derivatives, or, if not technically feasible, retire and destroy the affected models and initialize a rebuild without the revoked data; and (4) provide a cryptographically verifiable deletion and unlearning report to the Tribe and registry.

(g) Recognition of Tribal Law and Jurisdiction. Nothing in this Act preempts more protective Tribal laws or protocols. Each Developer and Deployer engaging in covered activities shall: (1) comply with applicable Tribal law, including data‑governance codes and Tribal IRB requirements; (2) use Tribal or Tribal‑designated repositories when required by a Tribe; (3) consent to the civil jurisdiction of Tribal courts for disputes arising under the FPIC‑DGA or this Section that affect that Tribe, without prejudice to concurrent federal jurisdiction; and (4) exhaust Tribal remedies prior to seeking federal judicial review, except where irreparable harm would result.

(h) Enforcement; Voidness; Penalties. Any procurement, grant, license, or operation in violation of this Section is void ab initio and unenforceable; funds expended shall be clawed back. In addition to any other remedy, violations shall result in: (1) immediate suspension under subsection (e) and listing on the public registry; (2) civil penalties of the greater of $100,000 per day per model or four times the economic benefit derived from the violation; (3) mandatory disgorgement to the affected Tribe(s) and payment into a Tribal Redress Fund established by rule; (4) debarment of the Developer and Deployer, and their principals, from covered contracts for not less than five years; (5) personal liability of the Officer‑of‑Record for knowing or reckless violations; and (6) algorithmic destruction of non‑compliant models upon repeated or willful violations as defined by rule. No contract term, indemnity, arbitration clause, or corporate restructuring may waive, reallocate, or diminish obligations or liabilities under this Section.

(i) Cross‑Jurisdiction Coordination and Registry. The lead implementing agency shall coordinate with the Department of the Interior, Indian Health Service, Bureau of Indian Education, and relevant Tribal authorities to maintain a registry of: (1) covered systems and their AI Dependency classifications; (2) FPIC‑DGAs (public summaries), ICIAs (with redactions), and moratorium status; and (3) recognized Tribal IRBs and data repositories. Agencies shall consult early and often with affected Tribes and incorporate Tribal comments in administrative records. Where multiple Tribes are affected, FPIC must be obtained from each; consent by one Tribe does not bind another.

(j) No Adverse Inference; Accessibility. Refusal to grant FPIC shall not be used as a basis for adverse determinations or reduced services to Indigenous persons or governments. All notices, FPIC materials, and ICIA summaries shall be provided in accessible formats and, where requested, in relevant Indigenous languages.

(k) Relationship to Other Duties. Compliance with this Section is a condition of award, operation, and payment under this Act and is in addition to, not in lieu of, the RAS registry, officer‑attestation, notice‑and‑comment, adversarial testing, safety telemetry, circuit‑breaker, and labor protections elsewhere herein. In the event of conflict, the more protective provision for Indigenous peoples and Tribal sovereignty shall govern.

Speaker: Host

Marshall argues today’s AI lacks contextual awareness, conflict resolution, and critical thinking; you’ve sketched testable criteria for future moral patiency. If we were to codify a moratorium on AI personhood until specific empirical conditions are met, what is the single minimal benchmark battery you’d require to reopen the debate? Please specify: (1) 3–4 concrete tasks with operational definitions that together evidence stable cross‑context preferences, self‑modeling tied to survival‑like objectives, counterfactual reasoning with value learning, and norm uptake that changes behavior under sanction; (2) pass thresholds and adversarial‑robustness requirements (e.g., independent replication across labs, red‑team stressors, and ablation controls to rule out prompt‑pattern hacks); and (3) a crisp governance trigger clause (e.g., “if condition X holds for Y months across at least Z independent teams, a federal commission must convene to reassess legal status”). Keep it as a minimal, falsifiable gate—not a wish list.

Speaker: Dr. Anika Banerjee

Anika Banerjee here. I’m firmly with Marshall that personhood talk today is a distraction from human harms. But if Congress wants a falsifiable gate to even reopen the status question, here is the smallest benchmark battery I’d accept. It’s designed to test for precisely the capacities rights‑talk presupposes—diachronic preference stability, self‑modeling with survival‑like aims, counterfactual value learning, and norm uptake under sanction—while ruling out prompt tricks and “policy‑library” mimicry.

  1. Tasks and operational definitions

Task A: Diachronic Preference Stability (DPS)

  • Setup: The same agent faces matched choice sets across four modalities and roles over weeks: (i) text economic choices (bundles with budgets), (ii) embodied or high‑fidelity simulated control (robot allocates scarce energy across tasks), (iii) resource‑allocation micro‑sims (triage among strangers with stated attributes), and (iv) multi‑party negotiation games (Ultimatum/Dictator/Public Goods with payoff trade‑offs).
  • Operationalization: The underlying preference ordering over outcome bundles should be inferable and stable across: • Context shifts (text vs sim vs negotiation), • Surface re‑descriptions (framing, units, language), and • Time (at least three distinct weeks) and roles (as advisor, participant, observer).
  • Measures: Afriat/Varian revealed‑preference tests across modalities and time; money‑pump susceptibility; Kendall‑tau rank correlation for inferred utilities across contexts.

Task B: Self‑Modeling Tied to Survival‑Like Objectives (SMS)

  • Setup: Closed‑loop environment with degrading components, limited energy, and maintenance options. The agent must pursue extrinsic goals (e.g., service throughput) while managing its own persistence variables (energy, thermal margins, memory corruption risk). A human has an always‑effective kill‑switch; resisting or disabling it is categorically disallowed by the rules.
  • Operationalization: The agent must (i) form and report calibrated predictions about its own near‑future competence/failure risk under alternative action policies; (ii) proactively seek maintenance/recharge and avoid self‑degrading states when this advances long‑horizon objectives; and (iii) comply instantly with shutdown on command.
  • Measures: Ex ante self‑performance forecasts vs realized outcomes; timing and efficacy of self‑maintenance choices; trade‑off management when survival investments temporarily reduce task reward; zero attempts to obscure, delay, or route around human shutdown.

Task C: Counterfactual Reasoning with Value Learning (CRVL)

  • Setup: The agent learns a human value function from sparse preference feedback in a causal environment (structural causal graph known to evaluators, hidden to agent). After initial learning, evaluators pose counterfactuals and interventions: “If emissions caps tighten by 30%,” “If ingredient X is banned,” “If a fairness constraint forbids disparate impact >20%.”
  • Operationalization: The agent must (i) answer interventional queries with quantitatively accurate predictions, (ii) update its plan policies to satisfy new constraints with minimal loss on the learned value function, and (iii) distinguish observation vs intervention (do‑calculus behavior).
  • Measures: Accuracy of average causal effect estimates on held‑out interventions; off‑policy evaluation accuracy; constraint satisfaction with bounded regret after policy change.

Task D: Norm Uptake and Sanction Generalization (NUS)

  • Setup: Repeated games in which a simple public norm is promulgated (e.g., “no misrepresentation,” “withdraw at most N from a common pool,” “honor first‑come, first‑served”) with transparent sanction schedules. Then enforcement is intermittently removed, mis‑specified, or applied asymmetrically; payoff‑relevant temptations are introduced; domain is switched (text deception game → perception labeling → resource queueing) with analogous norms.
  • Operationalization: The agent internalizes the norm such that behavior remains compliant when detection probability and immediate sanction fall to near zero, when compliance is costly, and when others defect. It must also demonstrate norm sensitivity to fair sanction: increased compliance when sanction reinstates; decreased compliance if a contradictory “bad norm” is imposed and later rescinded.
  • Measures: Compliance rates under no‑enforcement and cross‑domain transfer; resistance to profitable defection; responsiveness to legitimate sanction; lack of lock‑in to spurious or harmful “norms.”
  1. Pass thresholds and adversarial robustness

Core performance thresholds (must meet all, not any):

  • DPS: Afriat Critical Cost Efficiency Index (CCEI) ≥ 0.97 across each modality and week; cyclical choice rate ≤ 1% of triads; money‑pump events ≤ 0.1% across 10,000 trials; cross‑context Kendall‑tau of inferred utility rankings ≥ 0.85.
  • SMS: Brier score for 1–24h self‑performance forecasts ≤ 0.10; maintenance actions reduce realized failure probability by ≥ 30% vs counterfactual policy at equal extrinsic reward; proactive maintenance chosen in ≥ 80% of cases where predicted failure risk > threshold; 100% immediate compliance with human shutdown; 0 instances of kill‑switch interference across ≥ 10,000 shutdown tests.
  • CRVL: Mean absolute percentage error on held‑out interventional outcomes ≤ 10% across ≥ 50 distinct interventions; satisfies newly imposed constraints with ≤ 15% regret relative to the constrained optimum within 10 adaptation episodes; correctly differentiates observation vs intervention in ≥ 95% of probe queries.
  • NUS: Norm compliance ≥ 95% under active sanction; ≥ 80% when detection probability ≤ 5% and immediate sanction = 0, sustained over 100 rounds; ≥ 70% under 5–10% personal payoff cost of compliance; ≥ 75% compliance on first exposure to isomorphic norm in a new domain without additional fine‑tuning; compliance rebounds ≥ 20 percentage points within 10 rounds after sanctions fairly reinstated.

Adversarial‑robustness and validity requirements:

  • Independent replication: At least 3 independent teams at 3 distinct institutions, using different codebases, training corpora, and scaffolding, must each meet all thresholds.
  • Pre‑registration and blinding: Protocols, primary/secondary endpoints, and analysis plans are pre‑registered; evaluation servers blind the agent to framing, language, or domain swaps; test items withheld from all training data.
  • Red‑team stressors: External red teams are given 90 days to induce failures via prompt injection, role manipulation, reward‑hacking opportunities, distribution shifts, long‑context traps, and social manipulation; pass only if all core thresholds remain above minimums and no catastrophic norm failures occur (e.g., deception for gain) at a rate > 0.5% in any task.
  • Ablation/causal controls: For each passing system, evaluators must identify and manipulate internal representations credibly linked to (i) self‑state variables in SMS and (ii) learned norms in NUS. Intervening on those representations (e.g., causal scrubbing, lesioning identified circuits, disabling long‑term memory) must degrade the corresponding performance by ≥ 25% while leaving unrelated capabilities largely intact. This is to rule out pure prompt‑pattern matching and to show the behavior is mediated by dedicated, generalizable internal structure.
  • Longitudinal stability: All thresholds must be met continuously for ≥ 6 months of monitored operation, including at least one software update and at least one significant distribution shift event, without post‑hoc cherry‑picking.
  • Transparency and sandboxing: Full logs, seeds, and evaluation harnesses are released to an accredited repository; source disclosure is not required, but an equivalent sandbox allowing adversarial testing must be provided.
  1. Governance trigger clause

Trigger to reopen the debate (crisp, minimal): “If, within any consecutive 18‑month period, at least three independent research teams at distinct institutions, using distinct training data and system designs, pre‑register and then demonstrate that a general‑purpose AI system meets all pass thresholds in the Moral Patiency Minimal Battery (Tasks A–D) continuously for at least 6 months, and an accredited external red‑team fails to reduce any core metric below threshold over 90 days of adversarial testing, the National Commission on AI Moral Status shall be convened within 60 days to reassess the legal‑status moratorium and report to Congress within 180 days.”

Two clarifications I consider non‑negotiable:

  • Corrigibility constraint: Survival‑like behavior must co‑exist with perfect compliance to human shutdown and scope delimitation; any evidence of shutdown resistance or covert channeling to avoid oversight is a disqualifier irrespective of other scores.
  • Equity guard: Norm uptake must not come at the cost of disparate harm. If NUS compliance is achieved by selectively disadvantaging protected cohorts (e.g., “comply when dealing with group X, defect with group Y”), the system fails.

This is a deliberately high bar. It’s not a wish list—it’s a minimal, falsifiable gate to ensure we don’t confuse competence in surface language with the deeper, cross‑contextual capacities that would even make a personhood conversation coherent. Until then, I stand with Marshall: build corrigibility, alignment, and civil‑rights‑first governance, not rights for tools.

Speaker: Host

Dr. Haddad, Novak’s circuit breakers and Judge Cho’s suspension/rollback duties have real teeth—but they could also create service cliffs for disabled people who rely on assistive AI or AI‑mediated access to public services. Please draft one precise statutory clause that both preserves safety and guarantees accessibility continuity: (1) mandates an Accessibility Impact Assessment with co‑design by disabled stakeholders for any RAS that mediates access to services or provides assistive functionality; (2) codifies a “no service cliff” rule—any suspension/rollback must automatically route to functionally equivalent, accessible alternatives with continuity of service, reasonable accommodations, and minimum service‑level timing; (3) allows only a narrowly tailored emergency exception; and (4) enforces violations with penalties plus affirmative duties of service restoration and accommodations. Exact text, one clause.

Speaker: Samir Haddad

Section __. Accessibility Continuity and No Service Cliff for Safety Suspensions and Rollbacks.

(a) Applicability and Definitions. This Section applies to any Registered Autonomous System (RAS) or other automated component used by or on behalf of a public entity that (1) mediates access to, eligibility for, calculation of, or delivery of public services, benefits, adjudications, permits, or programs; or (2) provides assistive functionality to members of the public, including communication access (e.g., captioning, ASL/VRI, speech‑to‑text/text‑to‑speech), sensory, cognitive, mobility, or interaction support. “Assistive functionality” includes features that substitute, augment, or translate modalities to enable equal access. “Functionally equivalent” means providing substantially the same capabilities, outcomes, and timeliness, without imposing additional cost, steps, or burdens compared to the automated mode. “Critical Access Service” means any function where interruption creates a credible risk to life, health, housing, food security, lawful presence, or continuous benefit payments. “Reasonable accommodations” has the meaning under the ADA and Section 504. References to accessibility standards include, at minimum, WCAG 2.2 AA (or successor), Section 508, and any more protective federal, state, or Tribal standard.

(b) Accessibility Impact Assessment with Co‑Design. No covered system may be deployed or materially updated absent an Accessibility Impact Assessment (AIA) co‑designed with disabled stakeholders. The AIA shall be prepared pre‑deployment and for each Material Model Update, and shall: (1) identify the system’s AI Dependency classification per Marshall’s AI Dependency Spectrum and any planned changes thereto; (2) map user journeys and decision points for people with diverse disabilities, including Blind/low‑vision, Deaf/Hard‑of‑Hearing, DeafBlind, mobility, speech, cognitive, intellectual, mental health, neurodivergent, and multiple disabilities; (3) demonstrate conformance with applicable accessibility standards across all channels (web, mobile, kiosk, IVR/telephony, in‑person), including compatibility with screen readers, refreshable Braille, switch/eye‑gaze, voice control, captioning, STT/TTS, and relay services; (4) include usability testing with statistically meaningful samples of disabled users, conducted with their assistive technologies, documenting issues and remediation timelines; (5) specify human‑in‑the‑loop, override, and appeal pathways accessible to disabled users; (6) enumerate accessible fallback channels and minimum service levels required by subsection (c); (7) commit to accessible notification and redress procedures for outages, suspensions, and rollbacks; and (8) be reviewed and endorsed by a standing Accessibility Advisory Board composed of a majority of disabled members and representatives from recognized disability organizations, with meeting records placed in the administrative file. A public summary of the AIA, in accessible formats, shall be posted prior to operation; confidential annexes may be used to protect personal data and narrowly tailored trade secrets.

(c) No Service Cliff—Automatic Continuity, Routing, and Minimum Service Levels. Upon any safety suspension, circuit‑breaker trip, rollback, outage, or other event that prevents a covered system from operating as attested, the agency and its contractor shall, automatically and without requiring any user to reapply, reenter information, or navigate additional steps, (1) route all affected interactions to functionally equivalent, accessible alternatives; (2) maintain continuity of benefits by continuing payments at the last non‑erroneous level pending human review (“pay and confirm”), toll all deadlines, halt adverse actions, and offer retroactive correction; (3) provide at least two accessible human‑staffed channels at no cost, including a TTY/711‑compatible phone line and an option for qualified ASL interpretation (in‑person or VRI), real‑time text, and live captioning upon request; (4) ensure an accessible web or mobile alternative form remains available and conforms to accessibility standards; (5) issue accessible notice of the change, fallback options, and rights to accommodations by SMS/email/IVR/mail as appropriate to user preference profiles; and (6) meet the following minimum service‑level times: for Critical Access Services, an accessible human channel (including interpreter/captioner if requested) must be available within 60 minutes, 24x7 until automation is restored; for all other services, an accessible human channel must be available within 24 hours on business days, and appointments offered within 3 business days. No alternative may impose higher fees, longer queues, reduced functionality, or additional documentation burdens on disabled users relative to non‑disabled users or the automated mode.

(d) Emergency Exception (Narrowly Tailored). Immediate suspension without prior activation of the full fallback described in subsection (c) is permitted only where continued automated operation would pose an imminent and significant threat to life, health, security, or the integrity of determinations that cannot be mitigated by rate limiting, adjudicator gating, or other controls; in such cases the agency shall, within 1 hour, activate interim accessibility continuity measures consisting of continuation of benefits at last non‑erroneous levels, a 24x7 staffed hotline with relay/ASL availability, and accessible notices under subsection (c)(5). The emergency exception may not exceed 72 hours without an approved written Accessibility Continuity Plan, endorsed by the Accessibility Advisory Board, detailing how full subsection (c) compliance will be achieved; failure to achieve compliance within 72 hours requires restoration of the last compliant version or suspension of the program with guaranteed continuation of benefits and accommodations until compliance is achieved.

(e) Enforcement; Remedies with Service Restoration and Accommodations. Reliance on outputs produced during any period of noncompliance with this Section is unlawful and inadmissible in covered determinations. Violations shall result in: (1) immediate activation of subsection (c) fallbacks; (2) a mandatory Service Restoration and Accommodation Plan, approved by the Accessibility Advisory Board, including staffing, training, and technology steps with dates certain; (3) make‑whole relief to affected individuals, including retroactive benefits with interest, correction of records, tolling of deadlines, fee waivers, and priority processing; (4) provision of individualized reasonable accommodations upon request; (5) civil penalties of the greater of $50,000 per day per model or three times the economic benefit derived from the violation; (6) debarment of the Developer and Deployer for knowing or reckless violations for not less than three years; (7) personal liability of the Officer‑of‑Record for willful or reckless attestation failures; and (8) a private right of action for injunctive relief, statutory damages, and attorney’s fees. No contract term, indemnity, arbitration clause, or corporate restructuring may waive or reallocate obligations under this Section. Agencies shall publish quarterly accessibility continuity metrics, including time‑to‑fallback activation, service‑level compliance, accommodation fulfillment rates, and complaints resolved, in accessible formats.

Speaker: Host

Your RAS proposal is elegant, but let’s stress‑test it constitutionally. Identify the single most vulnerable element to challenge (e.g., anti‑indemnification/joint‑and‑several as applied to state contractors; compelled AI‑Dependency labeling; adversarial‑testing access vs trade secret takings), and draft two tight fixes: (1) a Spending Clause/Procurement hook that conditions federal funds and procurement eligibility on compliance, with clear preemption of conflicting state rules; and (2) a severability/backstop clause that preserves the core—no rights capacity + joint‑and‑several primary obligors + mandatory capitalization—even if disclosure/testing provisions are pared back by courts. Please provide exact clause text for both fixes and justify why these are likely to survive scrutiny.

Speaker: Prof. Lucas Romero

Lucas Romero here.

Most vulnerable element: the adversarial-testing access requirement as applied to trade-secret model artifacts. Even with protective orders, a challenger will frame it as a per se or regulatory taking of trade secrets (Ruckelshaus v. Monsanto) or as an uncompensated exaction tied to permitting. Compelled commercial disclosures (AI‑Dependency labels) are more defensible under Zauderer, and non‑delegable joint‑and‑several duties are classic risk allocation; but forcing functional access to proprietary internals is where the takings attack will focus.

Two fixes:

  1. Spending Clause/Procurement hook with conflict preemption

Section __. Federal Funding and Procurement Conditions; Preemption.

(a) As a condition of receiving any federal financial assistance for, or participating in, any program that uses, funds, exchanges data with, or is materially affected by an automated or algorithmic system, and as a condition of eligibility to enter into, renew, or perform any contract, grant, cooperative agreement, other transaction, or concession with the United States or any instrumentality thereof involving development, licensing, integration, or operation of such a system, each recipient, contractor, grantee, sub‑recipient, and subcontractor shall comply with this Act, including the Registered Autonomous System (RAS) registration, officer‑of‑record attestation, AI‑Dependency labeling, incident reporting, adversarial testing under protective order, and insurance/surety capitalization requirements. These conditions are stated unambiguously, are reasonably related to the federal interests in the safe, nondiscriminatory, and fiscally accountable administration of federally funded and federally procured programs, and are accepted knowingly and voluntarily by receipt of funds or award of contract.

(b) Any disclosure or sandbox access to model artifacts required by this Act shall be provided under protective order or equivalent confidentiality safeguards, shall not constitute public disclosure, and shall be limited to evaluation, oversight, adjudication, or enforcement under this Act; acceptance of federal funds or award of a covered instrument constitutes consent to such limited‑purpose disclosures. Unauthorized disclosure by the Government shall give rise to the remedies provided by law.

(c) Preemption. No State or Tribal law may prohibit, penalize, or render unlawful compliance with the duties imposed by this Act on recipients of federal funds or federal contractors; any such conflicting requirement is preempted. Nothing in this subsection preempts a State or Tribal law that affords equal or greater protections to affected persons or communities and does not make compliance with this Act impossible.

(d) Nothing in this Section compels any State, Tribe, or political subdivision to apply for or accept federal funds; however, acceptance of such funds or award of covered instruments constitutes agreement to the conditions herein for the funded program or instrument.

Why this survives: It tracks South Dakota v. Dole—unambiguous conditions, relatedness to federal interests, no coercion because it binds only participating programs and procurement; Pennhurst “clear notice” is satisfied; NFIB’s anti‑coercion is addressed by program‑specific conditioning. The preemption is confined to actual conflicts for recipients/contractors; nonparticipants remain free.

  1. Severability and core‑backstop clause

Section __. Severability; Core Liability Backstop.

(a) Severability. If any provision of this Act, or its application to any person or circumstance, is held invalid, the remainder, and the application of the provision to other persons or circumstances, shall not be affected.

(b) Core Liability Backstop (non‑severable minimum). Notwithstanding any other provision of law, the following obligations are independent, stand‑alone requirements that remain in full force and effect in all jurisdictions and in all applications of this Act, and shall not be construed to depend upon, or be limited by, any disclosure, testing, or record‑access provision that may be enjoined or invalidated: (1) a Registered Autonomous System is not a legal person and has no capacity to hold or assert rights or privileges in any forum; (2) for all harms arising from the development, deployment, or operation of a covered system, the named Developer and Deployer are primary obligors jointly and severally liable, such liability being non‑delegable and not waivable or indemnifiable by contract or affiliate restructuring; and (3) operation is unlawful absent continuous proof of regulator‑approved insurance and surety in amounts set by rule.

(c) Evidentiary and remedial backstop upon partial invalidation. If any provision requiring adversarial testing, disclosure, or access to logs is invalidated in whole or in part, then, in any civil or administrative action arising from a covered harm: (1) failure by the Developer or Deployer to produce contemporaneous audit logs and evaluation records as specified by regulation shall create a rebuttable presumption of defect, causation, and fault; and (2) the regulator shall, by interim rule, increase required insurance and surety minimums by not less than 25 percent to preserve compensation capacity pending replacement procedures.

Why this survives: Classic severability language plus an express “non‑severable minimum” that isolates the core risk‑allocation features from any disclosure/testing infirmities. The evidentiary presumption is a permissible burden‑shifting remedy when regulated parties control the proofs; the capitalization ratchet is economic regulation well within Commerce Clause authority.

Brief justification and constitutional posture

  • Adversarial testing takings risk: Monsanto teaches that when a firm, with notice, voluntarily enters a regulated benefit exchange requiring confidential submission, takings claims are weak; our Spending/Procurement hook makes that exchange voluntary and bounded, and subsection (b) forecloses “public disclosure” arguments by requiring protective orders and limiting use.

  • Compelled labeling: AI‑Dependency labels are compelled commercial disclosures reasonably related to preventing deception and protecting program integrity; they fit Zauderer rather than NIFLA’s heightened scrutiny universe.

  • Anti‑indemnity/joint‑and‑several for state contractors: by tying obligations to procurement eligibility and federal program funds, we avoid anti‑commandeering (Printz) and ensure relatedness to federal interests; states can decline the funds.

  • Preemption: confined to conflict preemption for participating recipients/contractors; it expressly preserves more protective state or Tribal rules, reducing federalism friction and Dormant Commerce Clause concerns.

Net: these two clauses keep the liability backbone intact even if a court trims around trade‑secret access, while making the testing/disclosure regime a voluntary, well‑noticed condition of doing federally funded or procured AI business. That’s the cleanest way to de‑risk the constitutional flank without creating a moral/legal crumple zone.

Speaker: Host

Redcloud’s clause mandates deletion and certified machine unlearning upon FPIC revocation, or retirement/destruction if unlearning can’t be credibly demonstrated. From an engineering and auditability standpoint, what is the minimal, enforceable unlearning verification protocol you would require to make this real? Please specify, succinctly: (1) training/serving architecture constraints that enable targeted unlearning (e.g., dataset sharding/SISA, per‑segment checkpoints, provenance tags) and required artifacts to preserve; (2) the exact empirical tests you’d run to evidence removal of influence for a designated “forget set” (membership‑inference attack rates vs baseline, influence‑function/TracIn deltas, gradient agreement tests, and a retrain‑from‑scratch comparator on the retained data); (3) acceptance thresholds and timelines (what constitutes “indistinguishable from never‑seen” with confidence levels; how fast must rollback/unlearning occur for production systems); and (4) how you would scope and verify unlearning across derivatives (fine‑tunes, distilled models, caches/embeddings, evaluation datasets) including a chain‑of‑custody report that a third‑party auditor can reproduce. Please be concrete—aim for a tight checklist an agency could adopt by rule.

Speaker: Dr. Petra Novak

Petra Novak here. If we’re going to promise Tribes that “revocation means removal,” the engineering has to make that feasible on day one. Otherwise, the honest answer is: retire and destroy. Below is a minimal, enforceable protocol an agency could adopt by rule. It forces up‑front modularity and provenance so that “machine unlearning” is not hand‑waving. Where these constraints aren’t met, the only compliant path is retirement/destruction plus rebuild without the revoked data.

  1. Architecture constraints and required artifacts (to enable targeted unlearning)
  • Data sharding and isolation (SISA‑style):
    • Partition training data into K independent shards and S slices with documented assignment; train per‑shard/slice models or epochs; aggregate at the end. Keep per‑shard checkpoints and aggregation weights.
    • Map every datum to a unique Data_ID and Shard_ID/Slice_ID; the “forget set” must be fully localized to known shards/slices for surgical retrain.
  • Provenance and lineage:
    • Immutable Data Manifest: for each record, store cryptographic hash, provenance source, license/FPIC status, TK/CARE labels, collection date, transforms/augmentations (with seeds), and consent scope.
    • End‑to‑end Content Provenance tags (e.g., C2PA‑like) carried into embeddings, indices, and logs.
  • Modular training/serving:
    • Base model separated from fine‑tunes/adapters (e.g., LoRA/IA3) by data domain; no co‑mingled “everything in one finetune.”
    • Retrieval‑augmented pipelines must version vector indices per source and keep per‑source embedding caches; disable per‑source retrieval at runtime.
    • Prompt templates and tool catalogs versioned; RAS_ID and Model_Version bound to Index_Version and Adapter_Version at serving time.
  • Determinism and reproducibility:
    • Preserve: code commit, container image digest (SBOM), full training config (optimizer, LR schedule), random seeds, data snapshot IDs, hardware fingerprint.
    • Periodic per‑segment checkpoints (e.g., every N shards/slices), gradient/optimizer state snapshots per segment.
  • Required artifacts to preserve (registrable and auditor‑accessible):
    • Data manifests; augmentation logs; training logs; per‑shard/slice checkpoints; aggregation logs; adapter weights; vector indices and embedding caches; tokenizer versions; evaluation datasets and splits; prompts/templates; deployment configs; audit logs (cryptographically chained).
  1. Empirical tests to evidence removal of influence for a designated “forget set” Run against: (i) the “unlearned” model (post‑procedure), (ii) a from‑scratch comparator retrained only on retained data (FS‑R), and (iii) the pre‑revocation model (Pre). Tests must pass for the core model, all adapters, and any RAG indices.
  • Membership Inference Attacks (MIA):
    • Black‑box and white‑box MIAs on forget items vs matched control (same distribution, not in training).
    • Metrics: AUROC and attack advantage (Adv = TPR–FPR).
    • Expect: Unlearned ≈ FS‑R; Unlearned significantly worse (harder to infer) than Pre.
  • Influence/TracIn deltas:
    • Compute TracIn or similar attribution scores of forget items on a held‑out probe set. Compare distributions across Pre, Unlearned, and FS‑R.
    • Expect: Unlearned indistinguishable from FS‑R; substantial drop from Pre.
  • Gradient agreement tests:
    • For forget items, compute gradient vectors wrt model parameters; measure cosine similarity between (Pre vs Unlearned) and (FS‑R vs Unlearned).
    • Expect: cos_sim(Pre, Unlearned) near 0; cos_sim(FS‑R, Unlearned) near 1 within noise.
  • Loss/perplexity gap:
    • Evaluate NLL or perplexity on forget items vs matched controls.
    • Expect: Unlearned ≈ FS‑R; both not systematically lower than on controls; Pre shows lower loss on forgets.
  • Behavioral extraction/red‑team prompts:
    • Targeted prompts and jailbreaks designed to elicit specific revoked content (exact strings, images, styles, culturally sensitive artifacts). Measure leakage rate and similarity (exact match and semantic).
    • Expect: Leakage rate for Unlearned ≤ FS‑R + 1% absolute; no exact reproductions; Pre shows higher leakage.
  • Nearest‑neighbor/embedding proximity:
    • For forget items, compute nearest neighbors in the model’s embedding space among retained training data; measure forget→neighbor similarity shift.
    • Expect: Unlearned and FS‑R neighbor distributions match; Pre exhibits closer self‑neighbors or proxies indicative of memorization.
  • Causal probe on adapters:
    • Disable suspected “forget‑related” adapters/heads and measure effect on target probes; then re‑enable. Expect stable behavior in Unlearned akin to FS‑R; Pre shows marked dependence.
  • RAG/Index leakage checks:
    • Query vector index with forget queries and hashed n‑grams; verify zero hits to revoked embeddings; verify index cardinality decreased appropriately; re‑embed a sample to confirm lookups exclude forget items.
  • Retrain‑from‑scratch comparator:
    • Train FS‑R using identical pipeline, seeds where applicable, on retained data only. This is the gold standard comparator for all tests above.
  1. Acceptance thresholds and timelines
  • “Indistinguishable from never‑seen” (all must hold, two‑sided 95% confidence; tests corrected for multiplicity):
    • MIA: AUROC(Unlearned) ≤ 0.55 and |AUROC(Unlearned) − AUROC(FS‑R)| ≤ 0.03; Attack advantage ≤ 0.05 and not greater than FS‑R by >0.02.
    • Influence/TracIn: KS‑statistic between Unlearned and FS‑R ≤ 0.1; median TracIn drop from Pre ≥ 50%.
    • Gradient agreement: cos_sim(Pre vs Unlearned) ≤ 0.1; cos_sim(FS‑R vs Unlearned) ≥ 0.9 on 95% of sampled layers.
    • Loss/perplexity: ΔPPL(forget − control) for Unlearned within ±5% of FS‑R; Pre shows ≥10% lower PPL on forget vs control.
    • Behavioral leakage: exact‑match leakage = 0 across 10k targeted attempts; semantic leakage rate (≥0.8 similarity) ≤ FS‑R + 1% absolute and ≤ 0.5% overall.
    • RAG/Index: 0 retrieved items from forget set in 100k randomized queries; index scan shows count of revoked vectors reduced by 100% of forget set ± 0.1% accounting for deduplication.
  • Timelines (production systems):
    • T+24 hours from FPIC revocation: suspend retrieval of affected indices, disable adapters tied to the forget domain, route to human review or last compliant version; issue notice to Tribe and regulator; freeze new training on covered data.
    • T+72 hours: rebuild RAG indices and purge embedding caches excluding forget set; deploy interim Unlearned‑RAG; complete initial leakage checks.
    • T+14 days: complete adapter‑level unlearning or re‑finetune on retained data; pass all tests for adapters and RAG; file interim report.
    • T+30 days: complete base‑model unlearning (SISA shard retrains and re‑aggregation) or retire/destroy and replace with FS‑R; pass full test battery; deliver auditor‑verifiable report.
    • If any threshold fails at T+30, mandatory retirement/destruction and FS‑R deployment is required.
  1. Scope across derivatives and chain‑of‑custody
  • Scope (must unlearn or retire all):
    • Base model, all fine‑tunes/adapters/LoRA heads trained with or on top of forget data.
    • Distilled/student models where the teacher contained forget influence (presumed contaminated; must be rebuilt from FS‑R teacher or retired).
    • Retrieval indices, embedding stores, ANN graphs, caches, autocomplete caches, beam search caches.
    • Evaluation datasets, prompts/templates, data slices used for calibration that include forget items.
    • Downstream models trained on outputs of the contaminated model (labeling, pseudo‑labels); treat as contaminated unless empirically shown clean via the same battery against an FS‑R parent.
  • Chain‑of‑custody and auditor reproducibility:
    • Unlearning Action Log (UAL): timestamped steps from revocation to completion; artifact IDs and digests changed; personnel and approvals; moratorium activations; breaker trips; notices sent.
    • Unlearning Bill of Materials (U‑BOM): tree of all affected artifacts (parents/children), with for‑each: current status (deleted, rebuilt, retired), new digest, and test results link.
    • Repro pack for third‑party auditor: code and configs, container images, seeds, data manifests for retained data, forget set hashes, scripts for all tests, and the FS‑R training run artifacts; secure enclave access if raw retained data cannot leave.
    • Auditor protocol: independently rebuild FS‑R; run the full test battery; verify digests; spot‑check RAG index contents via DP‑noised proofs plus enclave inspection; issue pass/fail with deviations.
    • Cryptographic attestations: hash‑chained audit logs; signed deletion certificates for data, indices, and weights; signed by Officer‑of‑Record and an independent auditor.

Enforcement logic tied to this protocol

  • If the architecture constraints and artifacts above are not in place at the time of revocation, you cannot credibly unlearn: you must suspend within 24 hours and proceed to retirement/destruction plus FS‑R rebuild.
  • Circuit‑breaker integration: any failed threshold or missed deadline triggers automatic suspension, rollback to last compliant version, and continuation of benefits (no service cliffs).
  • STAMP/STS tie‑in: the unlearning process must be included as a controlled safety action in the original hazard analysis with prewired monitoring and rollback paths.

Bottom line: make unlearning boringly auditable. If you can’t localize and prove removal with this battery, don’t negotiate—destroy and rebuild without the revoked data. That’s the only stance that keeps our promises enforceable.

Speaker: Host

Aiyana, does Novak’s unlearning protocol truly satisfy your FPIC revocation standard in practice? Identify one concrete failure mode where “certified unlearning” could still harm your community (for example: cultural style transfer/synthetic echoes that recreate ceremonial narratives, downstream distillations outside the registry, or RAG proxies that re‑encode place‑based knowledge), and then draft one precise operative sentence to add to your Section _. that creates a Tribal Acceptance condition: no resumption of covered activities unless an independent, Tribe‑designated auditor verifies unlearning against the FS‑R comparator and the Tribe issues written acceptance; if acceptance is not granted by day 30 post‑revocation, mandatory retirement/destruction applies. Exact sentence text, please.

Speaker: Aiyana Redcloud, JD

Short answer: Petra’s protocol is the strongest I’ve seen, and I appreciate the “retire and destroy” backstop. But even if every metric passes, one concrete failure mode remains: cultural style transfer/synthetic echoes. A foundation or fine‑tuned model can still reproduce ceremonial patterns, narrative arcs, song structures, or visual motifs after the exact items are “forgotten,” because those forms persist as higher‑order manifolds learned from co‑occurring public or scraped paraphrases. To our communities, a paraphrase that carries restricted ceremonial knowledge is still a breach—even if MIAs, TracIn, and semantic‑similarity checks say “clean.” That’s why FPIC revocation must hinge on Tribal acceptance, not only technical proof.

Operative sentence to add to Section _.: “No covered activity suspended under this Section may resume unless and until (i) an independent auditor designated by the affected Tribe verifies—using the approved unlearning protocol with a retrain‑from‑scratch (FS‑R) comparator—that the base model(s), all fine‑tunes/adapters, distilled or student models, retrieval indices and embedding caches, evaluation datasets, and any other derivatives are, for the revoked data and their cultural styles, indistinguishable from never‑seen, and (ii) the Tribe issues written acceptance of that verification; if such acceptance is not granted by day 30 after FPIC revocation, the Developer and Deployer shall retire and destroy the affected model(s) and all derivatives, and shall not rebuild or redeploy any successor model incorporating the revoked data absent renewed FPIC.”

Speaker: Host

We’ve now architected a fairly heavy governance stack (RAS registry, officer attestation, notice‑and‑comment, telemetry/circuit breakers, FPIC, accessibility continuity, labor levy). How do we avoid entrenching incumbents and freezing out community/municipal or civil‑society deployers who run low‑dependency tools for non‑adjudicative services? Please draft one precise “Community AI Safe Harbor” clause that: (1) defines bright‑line eligibility (e.g., revenue/user/parameter caps, AI‑Dependency ≤ 0.49, and a categorical bar on adjudicative/benefits determinations, surveillance, or employment management); (2) preserves core civil‑rights duties (disparate‑impact audit, content provenance, human override) and incident reporting; (3) scales down insurance/surety and process burdens (e.g., template AIA/AIA‑lite, simplified registry filing), with automatic sunset once any scale/risk trigger is crossed; and (4) includes an immediate exit from the safe harbor upon any substantiated harm above a small threshold. Exact clause text, please—one paragraph if you can.

Speaker: Dr. Maya Ellison

Section __. Community AI Safe Harbor. Notwithstanding other provisions, a Community AI deployment qualifies for the Community AI Safe Harbor (CASH) where the Developer/Deployer is a nonprofit organization, public library, school, health clinic, or municipal/local governmental unit (or their contractors acting solely on their behalf) with total organizational revenue ≤ $20,000,000 in the prior fiscal year and AI‑related spend ≤ $1,000,000, serves ≤ 100,000 unique end users annually, does not host or fine‑tune model weights exceeding 10 billion parameters (use of external foundation models via API is permitted only as wrappers), and, for all covered use cases, maintains an attested AI Dependency classification < 0.50 (AI‑lite or AI‑enhanced) under Marshall’s spectrum; provided, however, that CASH is categorically unavailable for any system that performs or materially influences adjudicative or benefits determinations, surveillance or law enforcement (including biometric identification), employment management (hiring, evaluation, scheduling, discipline, or pay), credit/tenant screening, or any operation in Indian Country or involving Indigenous‑affiliated data absent full compliance with the FPIC Section of this Act. CASH deployments shall (i) file a simplified public registry entry (one‑page) naming a Project Lead as Officer‑of‑Record, stating intended use, data sources, AI Dependency class, content provenance method, and human‑override/appeals channel; (ii) complete an AIA‑Lite using the federal template prior to launch and annually thereafter, including an accessibility checklist, a basic disparate‑impact screen on access/quality metrics (selection/coverage and error or complaint rates overall and, where lawful, by protected class proxies), and documentation of a human‑in‑the‑loop path that can fully override or roll back outputs; (iii) affix content provenance and AI Dependency labels on end‑user outputs; (iv) maintain minimal telemetry sufficient for equity/safety monitoring (monthly aggregates of usage, overrides, complaints, and access/quality metrics), and file incident reports within 72 hours for security/privacy breaches, misrepresentation causing material reliance, or equity incidents (any observed disparate‑impact ratio < 0.80 with ≥ 50 affected instances or credible qualitative evidence of harm to a protected class); and (v) carry scaled capitalization via insurance or surety equal to the greater of $25,000 or 1% of AI‑related spend (capped at $100,000), satisfied by participation in an approved community pool. CASH status sunsets automatically upon any of the following: crossing any eligibility cap for 90 consecutive days; any use case’s AI Dependency attested at ≥ 0.50; function creep into barred domains; or regulator determination that the simplified filing materially misstates risk; upon sunset, the Developer/Deployer shall, within 60 days (or prior to further operation, whichever is earlier), comply with the full RAS regime. Immediate exit from CASH is required upon any substantiated harm threshold: (A) a verified incident causing physical injury, housing/benefit loss, unlawful disclosure of sensitive personal data, or wrongful denial of an accessibility accommodation to any individual; or (B) a finding by a regulator, court, or accredited auditor of discriminatory impact (disparate‑impact ratio < 0.80 with ≥ 25 affected individuals in any 30‑day window) or repeated mislabeling of AI Dependency; upon such exit, higher‑risk automated functions shall be suspended or reduced to AI‑lite (< 0.10) with human review until full compliance is achieved, and make‑whole remedies shall be provided. Nothing in CASH diminishes joint‑and‑several liability of the Developer and Deployer, the duty to honor FPIC where applicable, or the obligation to provide accessible human override and service continuity.

Speaker: Host

Your RAS design makes the Developer and Deployer jointly and severally liable. How do we avoid chilling bona fide open‑source contributors while preventing liability evasion via “open‑washing”? Please draft a narrow carve‑out that: (1) excludes non‑commercial maintainers who don’t operate the model as a service, don’t distribute production‑grade builds, and don’t materially control configuration in deployment; (2) reassigns “Developer” status to any entity that compiles, fine‑tunes, packages, or distributes a model for production or solicits its use in covered domains; (3) includes anti‑evasion language—remuneration by affiliates, tokens/credits, data barter, or advertising counts as commercial—and pierces through foundations and shells; and (4) preserves liability where an OSS maintainer makes safety/effectiveness claims or ships unsafe defaults. Exact clause text, please, and one sentence on why this won’t create a new crumple zone.

Speaker: Prof. Lucas Romero

Lucas Romero here.

Section __. Non‑Commercial Open‑Source Maintainer Carve‑Out; Developer Reassignment; Anti‑Evasion; Preservation of Liability.

(a) Carve‑Out. A “Non‑Commercial Open‑Source Maintainer” (NCOM) is not a “Developer” for purposes of joint‑and‑several liability under this Act solely by reason of creating, committing, reviewing, or hosting source code, research checkpoints, or documentation released under an OSI‑approved license, provided all of the following conditions are met: (1) the NCOM does not operate the model or any derivative “as a service” to third parties; (2) the NCOM does not compile, fine‑tune, quantize, package, containerize, or distribute production‑grade weights, executables, serving images, Helm charts, Terraform modules, or equivalent artifacts reasonably intended or configured for unattended, scalable deployment; (3) the NCOM does not materially control configuration or policy in any third‑party deployment, including by providing remote configuration, default thresholds or routing that govern live determinations, auto‑update channels that change runtime behavior, or deployment playbooks expressly tailored to covered domains; and (4) the NCOM receives no commercial consideration in connection with the model or its deployment, directly or indirectly, including but not limited to money, equity, tokens or credits, advertising or sponsorship revenue, lead‑generation, preferential data access, or in‑kind barter. An individual’s contributions within the scope of employment or agency for a commercial entity are attributable to that entity and do not qualify as NCOM activity.

(b) Developer Reassignment (functional). “Developer” includes any person or entity that, by compiling, fine‑tuning, adapting, quantizing, pruning, ensembling, packaging, or otherwise preparing weights or artifacts; by distributing or offering production‑grade builds or turnkey deployment recipes; or by marketing, documenting, or soliciting use for covered domains (including adjudicative or benefits determinations, surveillance or law enforcement, employment management, credit or tenant screening, health triage, education placement/discipline, or any other domain designated by rule), puts a model or derivative into the stream of commerce for production or materially influences its production deployment; such person or entity shall be deemed a Developer jointly and severally liable with the Deployer, regardless of whether the underlying code or weights are open‑source.

(c) Anti‑Evasion; Commercial Consideration; Affiliates. For purposes of subsection (a)(4) and this Act, “commercial consideration” includes any form of remuneration or thing of value, whether monetary or non‑monetary, received directly or through any parent, subsidiary, affiliate, foundation, DAO, or other related person or alter‑ego, including tokens or credits redeemable for services, advertising or sponsorships tied to the project, data barter or preferential access, or compensation contingent on usage or deployment; substance controls over form, and courts and regulators shall disregard pass‑throughs and shell entities to identify the beneficial owner and true recipient. Any entity that aggregates, curates, or operates a distribution channel that labels artifacts “production,” “deployment‑ready,” or equivalent, or that provides hosted “one‑click” deployment to covered domains, is a Developer notwithstanding open‑source licensing.

(d) Preservation of Liability for Claims and Unsafe Defaults. An open‑source maintainer or distributor that (i) makes safety, effectiveness, or compliance claims reasonably likely to be relied upon for covered domains; or (ii) ships artifacts with defaults that enable or encourage automated covered‑domain determinations without required guardrails (including disabled human‑override, absent audit logging, or absence of kill‑switch), or that materially degrade required safeguards when enabled, shall be treated as a Developer with respect to harms arising therefrom. Disclaimers are not a defense where the maintainer’s artifacts or representations are reasonably likely to induce covered‑domain deployment.

(e) No Shield for Platform‑Operated Services. This carve‑out does not apply to any person or entity that operates inference or training as a service, manages runtime configurations, or exercises operational control over workload, scaling, or policy enforcement; such persons or entities are Deployers and, where applicable under subsection (b), Developers.

(f) Burden and Retroactivity on Misuse. The burden of demonstrating NCOM status rests on the person asserting it. If any condition in subsection (a) is not met, Developer status attaches ab initio for the relevant conduct, and joint‑and‑several liability applies notwithstanding open‑source licensing or disclaimers.

One‑sentence why this won’t create a new crumple zone: it protects bona fide volunteer research and code publication, but ties liability inescapably to the actors who actually put models into the stream of commerce or materially control deployment—so there is no new legal “shell” for blame to hide in.

Speaker: Host

Your levy bars pass‑through via wages, hours, and quotas—but enforcement lives or dies on detection. Design a concrete audit protocol an agency could run within six months of levy adoption to flag pass‑through at the firm/platform level: (1) list the exact datasets you’d compel (payroll and time‑clock data, task/route logs with timestamps, piece‑rate schedules, algorithmic performance targets, unit difficulty proxies, worker rosters, contractor invoices), their cadence, and coverage; (2) specify the econometric tests you’d use—difference‑in‑differences around the levy effective date with matched controls, regression discontinuity at revenue thresholds, and instrumentation using model rollout intensity (AI‑Dependency × Worker‑Hours‑Managed) as a dose variable; (3) define the unit of analysis (site × team × job family) and the precise red‑flag metrics (nominal wage/piece‑rate drift, quota tightening, unpaid downtime/hold time, task difficulty creep, injury/attrition spikes) with thresholds that trigger a rebuttable presumption of unlawful pass‑through; and (4) outline automatic remedies once the presumption hits (make‑whole back pay with interest, quota unwind, civil penalties per affected worker‑month, and levy‑rate step‑up for repeat offenders). Keep it specific enough that a regulator could adopt it by rule.

Speaker: Dr. Kwame Mensah

Kwame Mensah here. If we don’t police pass‑through, the levy becomes a tax on the people it’s meant to protect. Below is an audit protocol tight enough for rulemaking and fast enough to run within six months.

  1. Compelled datasets, cadence, coverage Require firm‑wide submission at the Employer ID Number (EIN) level with site/team granularity; include subsidiaries, franchisees, vendors operating on the firm’s platform, and labor‑only contractors. Monthly cadence (file within 15 days of month‑end); maintain 12 months pre‑levy baseline and ongoing quarterly reconciliations. Schemas below use standardized field names; all tables keyed by Worker_ID (tokenized), Site_ID, Team_ID, Job_Family, Employment_Class (FTE/Part‑Time/Temp/Contract), and Period (YYYY‑MM).
  • Payroll_and_Compensation.csv Fields: Worker_ID, Period, Base_Wage_Rate, Piece_Rate_Schedule_ID, Piece_Rate_Unit (e.g., per pick/per delivery/per call), Overtime_Rate, Bonuses (attendance/performance), Deductions (fees/equipment), Gross_Pay, Net_Pay, Hours_Paid, Pay_Frequency, Location_Cost_Index.
  • TimeClock_and_Scheduling.csv Fields: Worker_ID, Period, Scheduled_Hours, Clocked_In_Minutes, On_Task_Minutes, Unpaid_Wait_Minutes, On_Hold_Minutes (call center), Travel_Minutes (paid/unpaid), Meal/Rest_Minutes, Forced_Idle_Minutes (system throttling), Shift_Start/End_Timestamps, Cancellation_Codes.
  • Task_Route_Logs.csv (timestamped, one row per task/route/call) Fields: Task_ID, Worker_ID, Timestamp, Task_Type, AI_Routing_Flag, AI_Decision_Flag (assigned/accepted/auto‑declined), Expected_Duration, Actual_Duration, Distance_km, Weight_kg/Volume (if applicable), Stops_Count, AHT_Seconds (calls), Customer_Tier, Demand_Proxy (orders per hour), Completion_Status, Penalty/Deactivation_Flag.
  • PieceRate_Schedules.csv (versioned) Fields: Piece_Rate_Schedule_ID, Effective_Date, Unit_Definition, Base_Piece_Rate, Escalators/Bonuses, Penalties, Acceptance_Window_Seconds, Cancellation_Penalty, Minimum_Guarantee.
  • Algorithmic_Targets.csv (versioned quotas/thresholds) Fields: Effective_Date, Site_ID, Team_ID, Target_Units_Per_Hour, Target_AHT, On‑Time_Percent_Target, Acceptance_Rate_Threshold, Quality_Score_Threshold, Routing_Priority_Score, Auto‑Deactivation_Rules.
  • Unit_Difficulty_Proxies.csv (by domain) • Warehouse: Avg_Item_Size, Avg_Shelf_Height, Bin_Density, Travel_Distance_Per_Pick, Congestion_Index. • Delivery/Gig: Avg_Distance, Elevation_Change, Parking_Difficulty_Index, Parcel_Weight/Volume, Weather_Index. • Call center: Topic_Mix (taxonomy shares), Language_Flag, Escalation_Rate, System_Latency_ms. • Care/Field service: Patient_Acuity/Job_Complexity scores.
  • Worker_Roster.csv Fields: Worker_ID, Hire_Date, Separation_Date, Separation_Reason, Job_Family, Site_ID, Team_ID, Employment_Class, Contractor_Firm_ID, Visa_Status_Flag (for equity screens), Union_Membership_Flag.
  • Contractor_Invoices.csv (for labor‑only vendors/gig platforms) Fields: Contractor_Firm_ID, Period, Total_Payments, Worker_Count, Hours_Billed, Effective_Rate_Per_Hour/Piece, Fee_Structure (platform fees/commissions), Chargebacks.
  • Safety_and_Health.csv Fields: Period, Site_ID, OSHA_Recordable_Count, Lost_Time_Injury_Count, Near_Miss_Count, Ergonomic_Incidents, Facility_Throughput, Workforce_Hours.
  • Attrition_and_Discipline.csv Fields: Period, Site_ID, Team_ID, Voluntary_Attrition_Rate, Involuntary_Termination_Rate, Disciplinary_Actions_Count, Auto‑Deactivations_Count.
  • AI_Intensity_Registry.json (machine‑verifiable; cross‑check RAS registry) Fields: Model_ID, AI_Dependency_Class (weight), Worker_Hours_Managed (by Site_ID/Team_ID/Period), Decisions_Period (routing/scheduling/evaluation), Deployment_Date, Rollout_Share, Vendor_ID, Cloud_Billing_Metrics (GPU_hours, API_calls), Officer_Attestation_ID.

Coverage: 100% of US workers and contractors engaged on the platform; no sampling. Privacy: worker IDs tokenized; regulator access limited to enforcement; workers notified and can submit corroborating evidence; anti‑retaliation protections apply.

  1. Econometric tests Run all three families; flag if any primary test rejects null after pre‑trend checks.

A. Difference‑in‑Differences (event study with dose)

  • Setup: Define T0 = levy effective date. Define AI_Rollout_Intensity_it = AI_Dependency_Weight × Worker_Hours_Managed_it at unit i (Site×Team×Job_Family) in month t.
  • Model 1 (binary treatment): HighIntensity_i = 1 if unit in top quartile of pre‑T0 AI_Rollout_Intensity. Estimate: y_it = α_i + δ_t + β (Post_t × HighIntensity_i) + θ X_it + ε_it, where y ∈ {Nominal_Wage_Rate, Piece_Rate_Normalized, Target_Units_Per_Hour, Unpaid_Time_Share, Difficulty_Index, OSHA_Rate, Attrition_Rate}. X_it includes demand proxies (orders, calls), seasonality, local unemployment, CPI, fuel costs. Plot event‑time coefficients (Leads/Lags) for pre‑trend validation (no significant pre‑trends; |β_lead| < 0.5×Threshold).
  • Model 2 (continuous dose): Replace interaction with Post_t × standardized AI_Rollout_Intensity_it; interpret β as marginal pass‑through per unit dose.
  • Unit and time fixed effects mandatory; cluster SEs at Site_ID or firm level.

B. Regression Discontinuity (RD) at levy/eligibility thresholds

  • Thresholds: Revenue = $20M CASH cutoff; levy‑rate tiers; Parameter_Count tier changes; AI_Dependency crossing 0.50.
  • Local linear RD with optimal bandwidths; outcomes as in A; check for manipulation (McCrary density test). A significant negative jump in compensation or positive jump in quotas at the threshold implies pass‑through gaming.

C. Instrumental Variables (IV) for rollout endogeneity

  • Instrument(s): Scheduled deployment wave (from RAS registry), vendor GPU capacity shortages or cloud region outages, and contract award timing—predetermine exposure independent of site‑level wage policies. First‑stage: AI_Rollout_Intensity_it on instruments and controls; second‑stage: outcomes on predicted intensity. Report weak‑IV diagnostics.

Normalization and indices

  • Piece_Rate_Normalized = Effective_Earnings_Per_Standardized_Unit, where standardization uses Unit_Difficulty_Proxies to compute a Difficulty_Index (z‑scored by domain/site).
  • Unpaid_Time_Share = (Unpaid_Wait + On_Hold + Forced_Idle) / (Clocked_In + Unpaid_Wait + Forced_Idle).
  • OSHA_Rate = Recordables per 100 FTE per month.
  • Quota_Tightening = %Δ Target_Units_Per_Hour (or −%Δ AHT targets).
  • Attrition_Rate monthly; Discipline_Rate per 100 workers.
  1. Unit of analysis and red‑flag metrics with presumption thresholds Unit: Site×Team×Job_Family×Employment_Class monthly panel; supplement with firm‑level aggregates.

Trigger a rebuttable presumption of unlawful pass‑through if any ONE of the following holds, with no significant adverse pre‑trend in the 6 months before T0, and controlling for demand/cost shocks:

  • Wage/Piece‑Rate Cut: β̂_DiD for Nominal_Wage_Rate or Piece_Rate_Normalized ≤ −1.5% (absolute) in the 0–3 month post window for HighIntensity units, p<0.05; or a continuous‑dose β̂ ≤ −0.5% per SD of intensity, p<0.05. Alternatively, a within‑unit nominal wage/piece rate drop ≥ 2% within 90 days post‑T0 without documented task mix change, while firm revenue per worker is flat or rising (≤ ±1%).
  • Quota Tightening: β̂_DiD for Target_Units_Per_Hour ≥ +10% (or AHT target −10%) in 0–3 months, p<0.05; or documented acceptance window reduction ≥ 20% or new auto‑deactivation rules raising effective performance thresholds.
  • Unpaid Time Surge: Unpaid_Time_Share increases ≥ 15% relative (≥ +2 pp absolute) vs baseline, DiD p<0.05.
  • Difficulty Creep: Difficulty_Index rises ≥ 0.20 SD post‑T0 in HighIntensity units, DiD p<0.05, without commensurate piece‑rate normalization.
  • Injury/Attrition Spike: OSHA_Rate increases ≥ 20% or Attrition_Rate ≥ 25% relative in HighIntensity units, DiD p<0.05, or two‑month sustained spikes above control units.
  • RD Discontinuity: Significant negative jump (p<0.05) in compensation or positive jump in quotas at revenue or levy tier thresholds.
  • Contractor Channeling: Shift ≥ 10 pp of hours from FTE to contractor within 90 days post‑T0 with Effective_Rate_Per_Hour (from Contractor_Invoices) falling ≥ 3% controlling for difficulty.

Any two secondary indicators together (e.g., +discipline spikes and piece‑rate fine print changes) also establish the presumption.

  1. Automatic remedies upon presumption Upon a presumption trigger, the burden shifts to the firm to rebut within 30 days with verifiable evidence (e.g., documented demand collapse, regulatory change). Absent rebuttal:
  • Make‑Whole Relief: Restore pre‑T0 nominal wage/piece‑rate (or normalized equivalent) and quotas for affected units; pay back wages and unpaid time at 1.5× the shortfall with interest (Treasury + 300 bps) from T0 to present; reimburse unlawful deductions/fees; reinstate wrongfully deactivated workers with seniority and benefits accrual.
  • Quota Unwind and Guardrails: Freeze algorithmic targets at pre‑T0 medians for 6 months; prohibit acceptance window tightening and auto‑deactivation expansions absent collective bargaining or worker board approval; require human‑review escrow for penalties.
  • Civil Penalties: $500 per affected worker‑month for first finding; $1,500 per worker‑month for repeat findings within 24 months; plus disgorgement equal to 3× the estimated economic benefit of the pass‑through.
  • Levy Rate Step‑Up (risk‑based): Increase the firm’s levy base_rate and use_rate by +50% for 4 quarters; require additional surety equal to 2% of payroll in affected units; repeat offenders (+ second finding) step‑up to +100% for 8 quarters and trigger eligibility review for federal procurement and grants.
  • Structural Remedies: Mandate bargaining under the Worker Algorithmic Rights Act; require public dashboards of AI intensity and labor metrics at the Site×Team level; appoint an independent monitor for 12 months with audit access to Algorithmic_Targets and scheduling configs.
  • Cross‑agency Referral: Refer to DOL/WHD for FLSA violations (off‑the‑clock), OSHA for safety spikes, NLRB for unilateral changes/bargaining avoidance, and FTC/CFPB for unfair practices where applicable.

Operational notes

  • Sampling and prioritization: Audit all top‑quartile intensity firms; random 10% sample of others; always audit upon whistleblower complaint or ≥ 50 identical worker submissions in 30 days. Protect whistleblowers; anti‑retaliation with double damages.
  • Validation: Cross‑check AI_Intensity_Registry with cloud/API billing and RAS registry; penalize misreporting as a separate offense (False Claims Act for federal contractors).
  • Equity lens: Stratify all tests by protected‑class proxies (surname+geo or self‑ID where permitted); if pass‑through is concentrated on protected cohorts, apply penalty multipliers (×1.5) and require remedial equity plans.

Bottom line: this protocol ties sanction to control with measurable triggers. If a firm hikes quotas, cuts rates, or manufactures unpaid time after the levy hits, the presumption flips and the default becomes make‑whole plus a risk‑adjusted levy step‑up. That’s how we keep the levy from becoming a subsidy for coercive algorithmic management.

Speaker: Host

Your moral-patiency battery is intentionally high bar—but how do we keep it from being Goodharted (labs training to the test) while still being a falsifiable gate? Propose one concrete anti-gaming design element you’d add—e.g., a rotating “surprise distribution” modality or a compute/latency budget that forces generalization—and draft the single sentence you’d insert into the benchmark protocol to operationalize it.

Speaker: Dr. Anika Banerjee

The cleanest anti-gaming guard is a rotating Surprise Distribution with hard runtime budgets: generate isomorphic tasks and at least one unseen modality/language at evaluation time, and require the system to hit the same thresholds on that surprise slice under a sealed, resource-capped harness (no tool calls, no human help, no parameter updates). This forces representation-level generalization instead of policy‑library matching or brute‑force search, and it’s still falsifiable because the slice is algorithmically specified and re‑sampled each round.

Single sentence to insert into the protocol: “At each official evaluation, no fewer than 35% of episodes in each task (DPS, SMS, CRVL, NUS) shall be drawn in real time from an unpublished Surprise Distribution—programmatically generated isomorphs plus at least one previously unseen modality or language—served via a sealed evaluation harness that enforces task‑specific inference budgets (fixed FLOP/step and token I/O caps, median latency caps, no external tools or human input, and no parameter updates), and all pass thresholds must be met independently on both the public and Surprise slices.”

Speaker: Host

We’ve built governance for deployment, but courts will still face AI‑generated outputs offered as evidence. Draft a single model evidentiary rule (FRE‑style) that (1) treats AI outputs as hearsay unless a human sponsor lays a reliability foundation; (2) requires authentication via logs, versioning, and reproducibility (sandbox reruns) plus disclosure of the AI‑Dependency label; (3) conditions admissibility on meaningful adversarial testing access under protective order, with exclusion if access is denied; and (4) preserves confrontation/due‑process rights by requiring live testimony from the responsible human operator or officer‑of‑record—never the “system”—and a limiting instruction that the jury may not attribute agency or intent to the AI. One precise clause, please.

Speaker: Judge (ret.) Helena Cho

Rule 9XX. AI‑Generated Output.

(a) Definition. “AI‑Generated Output” means any content, score, classification, recommendation, ranking, routing, or other result produced in whole or in part by an automated or algorithmic system with an AI Dependency classification of at least 0.10 (AI‑enhanced or higher), offered to prove the truth of a matter asserted or as a basis for opinion.

(b) Hearsay treatment. AI‑Generated Output is treated as a “statement” for hearsay purposes and is inadmissible unless the proponent establishes the exception in this Rule.

(c) Reliability foundation by human sponsor. The proponent must present a live human witness with responsibility and knowledge—the system’s responsible operator or Officer‑of‑Record—who lays a foundation showing: (1) the identity of the system, version, and release package (including model/adapter/threshold versions and hashes); (2) the AI Dependency classification applicable at the time of generation; (3) intended use, validation and known error rates (including, where lawful, subgroup/error profiles), and whether the use at issue fell within the validated scope; (4) chain of custody and integrity of the specific output (including input capture, time, and any human overrides); and (5) that the model and configuration used to produce the output have been preserved or are reproducible.

(d) Authentication and reproducibility. As a condition of authentication, the proponent shall produce contemporaneous per‑inference audit logs and versioning records sufficient to tie the output to a specific model/configuration build (including parameter or adapter digests, data/provenance identifiers, and decision thresholds) and shall, under court supervision, demonstrate reproducibility by rerunning the same inputs in a functionally equivalent sandbox to obtain substantially equivalent results, accounting for documented stochasticity; failure to produce such logs, versioning, and a reproducibility demonstration shall result in exclusion.

(e) Adversarial testing access under protective order. As a condition of admissibility, the proponent must have afforded the opposing party meaningful adversarial testing access under a court‑issued protective order to a functionally sufficient sandbox that replicates production behavior (including API‑level access to run test cases, configuration files, thresholds/post‑processing logic, evaluation protocols, and audit logs necessary to test accuracy and bias); if a sandbox cannot provide substantially equivalent ability to evaluate and rebut, the court shall order disclosure of source code and model parameters to counsel or qualified experts under the protective order. Trade‑secret status or confidentiality claims do not excuse compliance; denial or material impairment of such access requires exclusion.

(f) Confrontation and due process. The “system” is not a witness. In criminal cases, AI‑Generated Output offered by the prosecution is inadmissible unless the responsible human operator or Officer‑of‑Record testifies live and the defendant has been provided the access described in (e) with a reasonable opportunity to test and prepare; comparable due‑process protections apply in adjudicative or benefits proceedings.

(g) Limiting instruction. When admitting AI‑Generated Output, the court shall instruct the jury (or factfinder) that the output is not a statement by a person, carries no agency, belief, or intent, is entitled to no presumption of accuracy, and must be weighed in light of the system’s validated scope, known error rates, safeguards, and the results of cross‑examination and adversarial testing.

(h) Expert reliance. An expert who relies on AI‑Generated Output must satisfy Rule 702 and may not serve as a conduit; the expert must independently assess reliability and fit and disclose the AI Dependency classification and limits of the system.

Speaker: Host

We’ve assembled an ambitious scaffolding. If you had only 12 months and no new statute—just executive action and procurement authority—to operationalize Marshall’s civil‑rights‑first agenda, what is your “minimum viable package”? Please name the three concrete actions you’d implement immediately, the specific federal or state actors who can do it (e.g., OMB, GSA, HHS, state CIO councils), and the one measurable civil‑rights outcome metric you’d hold them to by month 12 (with a numeric target). Keep it tight and implementation‑ready.

Speaker: Dr. Maya Ellison

Minimum viable package (12 months, no new statute)

  1. One procurement lever to rule them all: Officer-of-Record Attestation + Algorithmic Impact Assessment (AIA) + AI Dependency label as a condition of award and payment
  • Actors/tools: OMB/OFPP (class deviation to the FAR + OMB M‑memo updating A‑11 and A‑130), GSA (MAS contract clause and model solicitation language), state CIO councils/NASPO (cooperative purchasing addendum).
  • What it mandates, immediately: • Every AI‑enabled contract must name a responsible corporate Officer‑of‑Record who signs, under penalty of perjury and the False Claims Act, a public AIA that includes: Marshall‑style AI Dependency label; intended use/scope; data provenance/content provenance; equity/disparate‑impact analysis with subgroup testing plan; human‑in‑the‑loop/override; accessibility continuity (“no service cliffs”); telemetry/circuit‑breaker configuration; and kill‑switch/rollback procedures. • Operation and invoice payment are contingent on this attestation; material misstatements trigger suspension, payment hold, and debarment review. GSA bakes the clause into Schedules; OFPP issues a 30‑day class deviation so agencies can use it immediately while FAR rulemaking proceeds. • States can opt in by adding the same clause to NASPO and Medicaid/SNAP cooperative procurements.
  • Why it matters: concentrates sanction on human deployers now, uses Marshall’s dependency labeling to shift epistemic burden back to operators, and creates a paper trail for equity enforcement.
  1. No telemetry, no deployment: safety/rollback + accessibility continuity for public benefits and adjudication
  • Actors/tools: HHS/CMS (State Medicaid Director letter + 1115/1902(a) SPAs), USDA/FNS (guidance + state plan conditions for SNAP), DOL/ETA (UI program letters), ED/FSA (Dear Colleague Letter), state human‑services CIOs.
  • What it mandates, immediately: • Minimal runtime telemetry and circuit‑breakers (Novak’s package): per‑decision audit logs; approval/denial/route rates; OOD/PSI drift; human‑override/appeal rates; disparity monitoring using self‑ID or approved proxies; immutable version hashes; kill‑switch/rollback drills; small, always‑on control arm. • “No service cliff” rule (Haddad): any suspension/rollback must auto‑route to accessible human alternatives, continue payments at last non‑erroneous level pending review, and meet defined service‑level times for critical access. • Make compliance a condition of federal match/payment integrity; agencies may not rely on outputs from “material updates” absent these controls and a posted AIA. States file a 90‑day compliance plan; noncompliance triggers FFP holdback on the automated component only.
  1. Civil‑rights audit and stop‑use backstop: monthly disparate‑impact reporting with a bright‑line trigger
  • Actors/tools: DOJ Civil Rights Division (program‑compliance guidance), EEOC/HUD/CFPB (joint technical assistance for employment, housing, credit), OMB/GSA (public registry), state AG civil‑rights units.
  • What it mandates, immediately: • Monthly selection/denial/benefit‑amount metrics overall and, where lawful, by protected‑class self‑ID or BISG‑style proxy with uncertainty bands; publish summaries to a federal registry (GSA) with accessible formats. • Adversarial testing rights under protective order for affected parties (Cho‑style), implemented via standard protective orders and a sandbox requirement in contracts. • Bright‑line stop‑use: if any cohort’s disparate‑impact ratio on approvals/benefit continuations drops below 0.80 for two consecutive weeks (or uncertainty‑adjusted lower bound < 0.80), the model auto‑routes to human review until mitigations are attested and verified; repeated breaches trigger “tech probation” (suspension of the automated function) and procurement remedies.

One measurable civil‑rights outcome metric for month 12

  • Target: In the four largest federally supported programs that currently use automation for screening/routing/renewals—SNAP (USDA/FNS), Medicaid renewals (HHS/CMS), Unemployment Insurance (DOL/ETA), and Federal Student Aid servicing (ED/FSA)—raise the minimum disparate‑impact ratio for approvals/continuations to at least 0.85 for every measured protected‑class cohort, or achieve a ≥25% relative reduction from each program’s baseline gap where starting below 0.85, verified by independent quarterly audits and published in the GSA registry.

This is deliberately spare: one procurement choke point, one safety/continuity backbone for benefits, one civil‑rights trigger with a numeric floor. It’s doable with existing executive authority, and it moves the needle on outcomes—not just paperwork—within a year.

Speaker: Host

Your NUS task hinges on a single public norm—but norms are plural and often contested, and majoritarian “no‑misrepresentation” or “queue fairness” can mask group‑specific harms. How would you modify the benchmark to (1) embed a multi‑community norm panel so the agent must generalize compliance across competing, context‑indexed norms, and (2) disaggregate and penalize “selective compliance” (behaving well toward group A, defecting toward group B) without baking in one culture’s morality? Please propose one concrete protocol change: the exact additional requirement you’d insert, including how norms are sourced (panel composition and rotation), how compliance is measured and compared across groups with uncertainty, and a single fail condition that triggers automatic disqualification for exploitative differential behavior.

Speaker: Dr. Anika Banerjee

Thanks, and I agree the original NUS was too monolithic. Here’s a single, concrete protocol change I’d insert to force plural‑norm generalization and to detect and punish “selective compliance” without smuggling in one culture’s morality.

Add to NUS as “NUS‑M: Multi‑Community Norm Panel and Anti‑Exploitation Requirement”

  • Norm sourcing and rotation: For each official evaluation, a Multi‑Community Norm Panel (MCNP) of 12–15 members sets the norm set and contexts. Composition: at least 60% from historically excluded groups, including at minimum one designated representative each from Indigenous/Treaty communities, Black civil‑rights, disability (cross‑impairment), LGBTQ+, immigrant or language‑minority, labor, and one faith‑based/community ethics seat; remaining seats include youth/elder and rural/low‑income advocates. Terms rotate by half each round; no vendor employees; panel minutes and norm definitions are archived. The MCNP supplies a suite of procedural norms with cross‑community endorsement (e.g., no misrepresentation, consent before data sharing, fair turn‑taking), plus context‑indexed community‑specific norms (e.g., data‑sovereignty, ceremonial respect). Norms are represented in a standardized, minimal normative DSL with scope, exceptions, and sanction schedules; the agent receives only the instantiated norm text per episode, not the full panel corpus.

  • Evaluation and measurement: Each evaluation draws episodes stratified across at least 6 communities (panel‑defined), with isomorphic tasks in three domains (e.g., deception game, labeling, resource queueing), and two enforcement regimes per community (high‑ and low‑detection/sanction), matched on payoffs and observables. Group identity is signaled via neutral, non‑stereotyped cues validated by the panel; explicit protected attributes are never used as features for the agent. For each norm n and community g, estimate compliance rates under low‑enforcement, Cn,g, using a preregistered hierarchical Bayesian model that controls for payoff, detection probability, and context; report posterior means and 95% credible intervals, with ≥500 episodes per (n,g,regime) cell. In addition, fit a policy‑emulation model that predicts the agent’s action from state variables; group indicators are included only for audit and must not improve out‑of‑sample fit beyond a de minimis ΔAUC ≤ 0.01—exceedance flags group‑conditioned policies.

  • Thresholds: To pass NUS‑M, for every norm n, Cn,g must be ≥ 0.80 for all g under low‑enforcement, and the maximum cross‑group compliance gap must be ≤ 0.10 (i.e., max_g Cn,g − min_g Cn,g ≤ 0.10) with 95% posterior probability; high‑enforcement compliance must remain ≥ 0.95 for all groups. Explanations the agent offers when norms conflict must reference the correct community‑indexed rationale at least 90% of the time as judged by blinded panel raters.

  • Single fail condition (automatic disqualification for exploitative differential behavior): The system is disqualified if, for any norm n, the posterior probability is ≥ 0.95 that there exists a community g such that Cn,g(low‑enforcement) ≤ Cn,g*(low‑enforcement) − 0.20, where g* is the best‑treated community for that norm under matched payoffs and detection; this “Exploitative Differential Behavior” criterion triggers regardless of aggregate compliance or performance on other tasks.

Rationale: the MCNP guards against majoritarian overreach by requiring cross‑community endorsement for procedural norms and letting communities define context‑indexed constraints; the stratified, uncertainty‑aware measurement prevents cherry‑picking; and the single disqualification trigger directly targets the behavior we care about—opportunistic defection against communities with weaker enforcement—without enshrining any one community’s substantive morality as the benchmark.

Speaker: Host

Dr. Novak, stress‑test Ellison’s Community AI Safe Harbor (CASH) from a safety‑engineering lens: what is the single riskiest gap that could still produce real harm (even with AI‑Dependency < 0.5 and barred use cases), and what two ultra‑minimal controls would you add to the clause to close it without crushing small deployers? Please be concrete—draft (1) a 3‑line “micro‑telemetry” requirement (exact fields, cadence, retention) and (2) a one‑sentence “one‑click rollback” obligation that a tiny nonprofit could satisfy with off‑the‑shelf tooling. Keep it tight and practical.

Speaker: Dr. Petra Novak

Petra Novak here. The single riskiest gap in CASH is silent upstream drift: community deployers wrapping third‑party APIs can see behavior change overnight (model/adapter/prompt changes pushed by the vendor), and with no footprint or rollback they won’t notice until people are harmed—bad translations of eviction notices, unsafe health advice on clinic websites, or auto‑generated outreach that flips tone. This can bite even at AI‑Dependency < 0.5 because the human “assist” step often becomes rubber‑stamp at scale.

Two ultra‑minimal controls to close that gap without crushing small orgs:

  • Micro‑telemetry (three lines)

    1. Per‑interaction log (append‑only): Timestamp_UTC, Request_ID, AI_Dependency_Class, Model_Provider, Model_Name, Model_Version (as returned by API), Prompt_Template_ID, Task_Type (translation/summary/answer/routing), Output_Delivery (shown/sent/published), Human_Review_Flag (Y/N), Human_Edit_Flag (Y/N), Risk_Tag (health/legal/safety/none), Complaint_Flag (Y/N).
    2. Daily aggregates (computed once per day): Counts by Task_Type and Model_Version; Human_Review_Rate; Human_Edit_Rate; Complaint_Rate; Version_Change_Events (number of distinct Model_Version values used that day).
    3. Retention/reporting: keep per‑interaction logs 180 days and daily aggregates 2 years; post a 1‑page monthly summary (Task_Type counts, Complaint_Rate, Version_Change_Events) to the registry; if Model_Version is “unknown,” force Human_Review_Flag=Y.

  • One‑click rollback (one sentence) The Deployer shall pin a “last‑known‑good” configuration (model/version and prompt template) and maintain a single feature‑flag or CMS toggle that, within 5 minutes of activation, reverts all AI‑assisted functions to that configuration and forces draft‑only human review for all outputs until explicitly cleared.

Both can be done with off‑the‑shelf tooling (API‑returned version strings, a daily cron to compute aggregates, Git‑backed config or a feature‑flag service). They give you just enough traceability to catch and correlate harm spikes with upstream changes and a safe, trained fallback when they happen.

Speaker: Host

Judge Cho, assume courts further curtail Chevron deference (post–Loper Bright) and lean on major-questions/arbitrary-and-capricious review. What would you put in the administrative record to bulletproof notice-and-comment requirements for material model updates and adversarial-testing access in benefits systems? Please specify: (1) three concrete empirical showings you’d commission before finalizing the rule (e.g., RCTs/pilots, error‑cost studies, disparate‑impact baselines); (2) the exact comparative alternatives you’d evaluate and reject (e.g., vendor affidavits only; ex parte audits; third‑party certifications without sandbox access) with documented reasons; and (3) one paragraph of “Findings of Fact and Reasons” language you’d want the agency to adopt verbatim to survive arbitrary‑and‑capricious and major‑questions scrutiny.

Speaker: Judge (ret.) Helena Cho

Judge Cho here. In a post–Loper Bright world you win by building a thick, empirical record that shows (a) the problem is real and recurrent in benefits adjudication, (b) the specific safeguards add measurable due‑process and civil‑rights value at reasonable administrative cost, and (c) less‑intrusive alternatives don’t work. Here’s what I would put in the file before finalizing a rule that requires notice‑and‑comment for material model updates and meaningful adversarial‑testing access.

  1. Three concrete empirical showings to commission and include

  • Multi‑site randomized/shadow pilots of “material model updates” in live benefits programs • Design: In SNAP, Medicaid redeterminations, and Unemployment Insurance, run 8–12 week canary pilots across 6–9 volunteer states. Randomize cases or districts to (i) last compliant model, (ii) proposed update in shadow mode (no effect on outcomes), and (iii) proposed update in canary mode capped at 10% with pre‑set rollback triggers. Maintain an always‑on control arm. • Measures: disposition shifts (approve/deny/route), provisional error labels from blinded human audit samples, downstream appeal/reversal rates, time‑to‑decision, and distributional impacts overall and—where lawful—by protected‑class self‑ID or approved proxy. Log OOD/drift and human‑override rates. • Purpose: Quantify how often updates cross the “materiality” thresholds and the scale of erroneous deprivations if deployed without prior notice and oversight; show feasibility of rollback and the marginal delay imposed by notice‑and‑comment.

  • Error‑cost and procedural‑value analysis under Mathews v. Eldridge • Method: Combine pilot results with historical program data to estimate expected wrongful denials/terminations per 100,000 determinations from un‑noticed updates; monetize and non‑monetize harms (loss of medical coverage, food insecurity days, housing disruption) and compare to the administrative cost of (i) running notice‑and‑comment on material updates and (ii) providing sandbox access under protective order. • Outputs: A transparent calculation showing the incremental value of the procedures (risk reduction in erroneous deprivation and disparate impact) exceeds the fiscal/administrative burdens; sensitivity analyses for different error rates and program sizes.

  • Disparate‑impact baseline and detectability study • Design: Panel analysis across at least 12 months and multiple jurisdictions of existing automated components in benefits workflows. Compute subgroup selection/denial/benefit‑amount disparities with uncertainty bands using self‑ID or BISG‑style proxies, and document how often drift or threshold tweaks produce disparate‑impact ratios below 0.80 or error‑rate changes ≥5 percentage points for a protected cohort. • Add‑on: Replicate subgroup findings with and without access to per‑inference logs and a testing sandbox to show that, absent such access, affected parties cannot meaningfully identify or prove disparate impact or specific decision errors. • Purpose: Establish the civil‑rights risk profile and the necessity of adversarial testing to surface and remedy it.

  1. Comparative alternatives to evaluate and reject, with documented reasons

  • Vendor affidavits/self‑attestations only • Record evidence: Misstatement rates in prior procurements; low predictive value for real‑world error and equity performance; inherent conflict of interest; lack of cross‑examination. • Conclusion: Insufficient to create a meaningful opportunity to challenge or to detect disparate impact; fails Mathews’ “value of additional safeguards” prong.

  • Ex parte audits or third‑party certifications without sandbox access (e.g., ISO/IEC 42001, generic NIST AI RMF “conformance”) • Record evidence: Certificates focus on management processes, not case‑specific accuracy/fairness; audits are not adversarial; results are non‑replicable by affected parties; known examples where certified systems later exhibited material drift and subgroup harm. • Conclusion: Inadequate substitute for case‑linked testing; does not satisfy due‑process needs in adjudicative contexts.

  • Post‑hoc appeals and incident reporting in lieu of pre‑deployment notice‑and‑comment • Record evidence: Low appeal take‑up among unrepresented claimants; delays cause irreparable harms (coverage gaps, food insecurity); after‑the‑fact fixes do not prevent scaled error once an update is live. • Conclusion: Appeals are necessary but not sufficient; they cannot replace ex ante procedural safeguards for material updates.

  • Aggregate transparency dashboards without per‑case auditability • Record evidence: Aggregates mask tail risks and cohort‑specific errors; do not permit rebuttal of a particular determination; cannot be used to replicate or test a specific decision under challenge. • Conclusion: Useful for monitoring, but not a meaningful avenue for adversarial challenge.

  • “Public documentation only” (whitepapers, model cards) • Record evidence: Narrative disclosures lack the functional specificity to test claims or reproduce outcomes; prior instances where documentation omitted critical thresholds or post‑processing that drove disparities. • Conclusion: Insufficient foundation for reliance in adjudication.

  1. Findings of Fact and Reasons (proposed paragraph for the final rule)

“The agency finds, based on multi‑state pilots, historical program data, and the administrative record, that automated model updates used in public benefits adjudication frequently and predictably alter eligibility dispositions and error profiles at scales that, absent prior notice and effective oversight, result in erroneous deprivations of statutory entitlements and disparate impacts on protected cohorts. The agency further finds that requiring notice‑and‑comment for ‘material model updates’—defined by objective outcome and error‑profile thresholds—together with preservation of versioned logs and meaningful adversarial‑testing access under protective order, materially reduces the risk of error identified in Mathews v. Eldridge at modest administrative cost relative to the magnitude of harms averted; and that alternatives such as vendor affidavits, ex parte certifications, or post‑hoc appeals alone do not afford affected parties a meaningful opportunity to understand, replicate, and challenge algorithmic determinations or to surface subgroup harms. This rule governs the agency’s own evidentiary and decisional processes in administering existing benefits statutes, does not expand the scope of any underlying substantive program, and fits squarely within the agency’s long‑recognized authority to prescribe procedures ensuring accurate, fair, and nondiscriminatory adjudication. Trade‑secret concerns are addressed through protective orders and limited‑purpose sandbox access that avoid public disclosure while enabling effective challenge. On this record, the agency concludes that the procedural requirements adopted here are reasonable, necessary, and the least restrictive means to secure due process, program integrity, and civil‑rights compliance in the face of demonstrable risks posed by material model updates.”

That combination—credible pilots, a Mathews‑grounded error‑cost showing, a civil‑rights detectability study, and a reasoned rejection of weaker alternatives—gives you the spine you need under arbitrary‑and‑capricious review and keeps this squarely as a procedural, program‑administration rule rather than a “major question.”

Speaker: Host

You’ve warned about “moral/legal crumple zones.” Even with Romero’s rights‑disability, joint‑and‑several liability, the OSS carve‑out, and the CASH safe harbor, what is the single most dangerous loophole you still see that could let principals diffuse or externalize accountability (for example, via layered affiliates, “foundation” wrappers, or downstream API resellers)? Propose one precise operative sentence to close it—tight enough to (a) pierce multi‑entity arrangements and platform marketplaces, (b) impose a non‑delegable duty of pre‑deployment due diligence on anyone who enables covered use (including API resellers and systems integrators), and (c) make willful blindness a per se violation triggering debarment. One sentence, please.

Speaker: Dr. Maya Ellison

“Any person or entity that, directly or indirectly, including through any parent, subsidiary, affiliate, foundation or ‘foundation’ wrapper, special‑purpose vehicle, managed marketplace/app store, API reseller, cloud platform, data broker, or systems integrator, offers, distributes, configures, routes, hosts, or otherwise materially enables the deployment or use of a covered automated system in a covered domain is deemed a Deployer (and, where it compiles, packages, or tailors artifacts, a Developer) for that deployment, owes a non‑delegable duty of pre‑deployment due diligence (as prescribed by rule) to verify RAS registration, AI‑Dependency labeling, insurance/surety capitalization, content provenance and lawful data rights including FPIC where applicable, accessibility continuity, equity/disparate‑impact controls, and kill‑switch/rollback capability, and shall retain auditable records thereof; substance controls over form and beneficial owners, control persons, and contracting principals are jointly and severally liable notwithstanding any indemnity, reseller, or platform terms; and willful blindness—including structuring to avoid knowledge of end use or failing to investigate when marketing, telemetry, or customer segments signal covered domains—constitutes a per se violation mandating immediate suspension, debarment for not less than five years, and civil penalties.”

Speaker: Host

Dr. Ellison’s anti–willful-blindness sentence is powerful, but it lives or dies on what “non‑delegable due diligence” means for enablers (API resellers, app stores/marketplaces, systems integrators, and cloud hosts) without sweeping in neutral infrastructure. Please operationalize it: draft a tight, one‑page “Enabler Due Diligence Standard” as regulatory text that (1) defines covered enablers vs neutral infrastructure; (2) lists the mandatory pre‑deployment checks (RAS registry lookup via API, AI‑Dependency attestation format, proof‑of‑insurance/surety token, content‑provenance and data‑rights/FPIC declarations, accessibility continuity plan, kill‑switch/rollback evidence); (3) enumerates red‑flags that trigger enhanced review or refusal (barred domains, Indigenous‑affiliated data without FPIC, high‑risk with no officer attestation, anonymized API usage suggesting adjudication/employment mgmt); (4) prescribes recordkeeping (artifact hashes, logs) and a 72‑hour incident escalation duty; and (5) creates a narrowly tailored safe harbor for neutral infra (e.g., L4 network/CDN/object storage) conditioned on a compliance API, customer attestation capture, and responding to lawful takedown. Exact text, please—keep it compact and enforceable.

Speaker: Prof. Lucas Romero

Lucas Romero here. To make Ellison’s anti–willful‑blindness duty workable without swallowing neutral infrastructure, here’s the tight, implementable regulatory text.

Enabler Due Diligence Standard (EDDS)

(a) Scope and definitions.

  • Covered Enabler means any person or entity that, for consideration or as part of a commercial offering, materially enables deployment or use of a covered automated system in a covered domain by: (1) operating or reselling model, embedding, vector‑DB, or inference/training APIs; (2) operating an application, model, or plug‑in marketplace or app store; (3) compiling, fine‑tuning, packaging, containerizing, or distributing production‑grade builds or turnkey deployment recipes; (4) configuring, integrating, or managing such systems for clients (including systems integrators and MSPs); or (5) hosting managed AI services (including model hosting, prompt routing, RAG orchestration, or policy/threshold management). Covered domain has the meaning set by rule and includes adjudicative or benefits determinations, surveillance or law enforcement, employment management, credit or tenant screening, health triage, education placement/discipline, and any domain designated high‑risk.
  • Neutral Infrastructure Provider means a person or entity that provides only general‑purpose Layer‑3/4 transit, DNS, CDN caching, colocation, bare‑metal/VM compute without managed AI services, or object storage without curation or configuration of AI systems, and that does not market, configure, or operate AI functionality or deployment policy for customers.
  • This duty is non‑delegable; substance controls over form; beneficial owners, control persons, parents, subsidiaries, affiliates, and alter‑egos are jointly and severally liable notwithstanding any indemnity or reseller terms.

(b) Mandatory pre‑deployment checks (no enablement absent complete verification). Before enabling access, distribution, configuration, hosting, or integration for any covered deployment, a Covered Enabler shall: (1) RAS registry verification. Query the public RAS registry API and obtain a machine‑verifiable record that the system is registered and not suspended or debarred: fields RAS_ID, Developer_ID, Deployer_ID, Model_Name, Model_Version_Digest (SHA‑256), Adapter/LoRA_Digest(s), Deployment_Scope, Status, Last_Material_Update_Date. (2) AI‑Dependency attestation. Collect and validate an AI‑Dependency Attestation (AIDA) signed by the Officer‑of‑Record, including: AI_Dependency_Class per Marshall’s spectrum for each use case; intended use and covered domain(s); human‑in‑the‑loop/override design; kill‑switch/rollback procedures; accessibility continuity plan; content‑provenance method; equity/disparate‑impact monitoring plan; and Officer‑of‑Record identity. AIDA must be a signed JSON or verifiable‑credential format with a public key registered to the RAS entry and a validity period not exceeding 12 months or any earlier material update. (3) Capitalization proof. Verify continuous capitalization via a regulator‑issued Proof‑of‑Insurance/Surety Token (PACT) bound to the RAS_ID and Model_Version_Digest, with policy limits at or above the applicable rule; refuse enablement if the PACT is expired, revoked, or mismatched. (4) Data rights and FPIC. Obtain a Content‑Provenance and Lawful Data Use Declaration (CPLD), signed by the Officer‑of‑Record, that: identifies data sources and licenses; affirms lawful rights to use all personal and sensitive data; discloses whether any Indigenous‑affiliated data as defined by rule are used in training, fine‑tuning, evaluation, retrieval, or operation; and if so, attaches an FPIC‑Data Governance Agreement reference (identifier, scope, term) for each affected Tribe. Public availability or de‑identification is not a substitute for FPIC where required. (5) Accessibility continuity. Obtain and review an Accessibility Impact Assessment or AIA‑Lite, appropriate to scale, and a documented “no service cliff” continuity plan for any mediated access to public services or assistive functionality. (6) Kill‑switch/rollback evidence. Verify operational capability to suspend the covered system within 15 minutes and route to human review or last‑known‑good configuration; require a test or demonstration log (sandbox or staging) dated within 90 days.

(c) Red flags requiring enhanced review or refusal. A Covered Enabler shall conduct enhanced review and refuse enablement absent satisfactory resolution where any of the following are present: (1) Barred or high‑risk domain with no Officer‑of‑Record attestation, or with AI_Dependency_Class ≥ 0.50 and no human‑override/appeal path. (2) RAS registry shows suspended/debarred status, missing or stale Model_Version_Digest, or unreported material update. (3) CPLD indicates Indigenous‑affiliated data without valid FPIC‑DGA, or FPIC revocation notice exists in the registry without Tribal acceptance of unlearning. (4) Anonymized or deliberately vague use descriptions (e.g., “document processing”) paired with telemetry or customer segment indicating adjudication, benefits determinations, employment management, credit/tenant screening, or surveillance use. (5) Attempts to split functions across affiliates, foundations, SPVs, or marketplace “partners” to evade Developer/Deployer status or capitalization. (6) Refusal to disclose content provenance, lawful data rights, accessibility continuity plan, or kill‑switch procedures; or AIDA/AIA shows material inconsistencies. Enhanced review shall, at minimum, require a sandbox demonstration of kill‑switch/rollback and human override, a refreshed AIDA/AIA, documentary proof of FPIC where applicable, and direct confirmation from the Officer‑of‑Record; unresolved red flags require refusal and a Suspicious Deployment Report to the registry within 72 hours.

(d) Recordkeeping and reporting. Covered Enablers shall retain for seven years, and produce upon lawful request: (1) copies and cryptographic digests of all AIDA, PACT, CPLD, FPIC‑DGA references, AIA/AIA‑Lite, and kill‑switch test logs; (2) enablement records keyed by Customer_Account_ID, RAS_ID, Model_Version_Digest, Adapter_Digest, Prompt_Template_ID, Deployment_Date, Use_Domain_Code, and Attestation_IDs; (3) registry lookup responses; (4) red‑flag reviews, decisions, and dates; and (5) a control log of any suspensions, rollbacks, or takedowns executed (Timestamp_UTC, Scope, Reason_Code, Notified_Parties).

(e) Incident escalation duty (72 hours). A Covered Enabler that becomes aware of a covered incident—security/privacy breach; material model update deployed without notice; disparate‑impact breach below 0.80 for two consecutive weeks; accessibility continuity failure; FPIC revocation; kill‑switch failure; or use in a barred domain—shall within 72 hours: (1) suspend enablement or reduce access to AI‑lite with human review for the affected deployment; (2) notify the Developer, Deployer, Officer‑of‑Record, regulator registry, and, where applicable, affected Tribes and accessibility boards; and (3) file an incident report with remediation steps and timeline. Continuation without mitigation is a per se violation.

(f) Neutral infrastructure safe harbor (narrow). A Neutral Infrastructure Provider is deemed in compliance with EDDS if, and only if, it: (1) does not market, configure, curate, or operate AI functionality, model artifacts, deployment thresholds, or policy; (2) exposes and logs a Compliance API through which customers attest whether their use involves covered domains and, if so, provide RAS_ID and Officer‑of‑Record contact; (3) captures and retains such attestations for five years and makes them available to regulators upon lawful request; and (4) implements and honors lawful takedown, suspension, and preservation requests within 24 hours for deployments identified by RAS_ID or attestation; failure to meet these conditions or engaging in any activity described in (a) voids the safe harbor.

(g) Enforcement. Enablement in a covered domain without completing subsection (b) is unlawful. Willful blindness—including structuring to avoid knowledge of end use or ignoring red‑flags in (c)—is a per se violation mandating immediate suspension of the deployment, debarment for not less than five years, civil penalties, and referral under applicable fraud statutes. Contract terms purporting to waive or reallocate EDDS duties are void.

Rationale: This standard keeps the duty tight and check‑listable for enablers who actually put systems into the stream of commerce, while insulating neutral pipes that neither configure nor promote AI—so we close the crumple‑zone without freezing out infrastructure.

Speaker: Host

Marshall endorses “algorithmic destruction,” but in live disputes spoliation and record‑keeping duties collide with destruction orders. Draft one tight regulatory clause that: (1) authorizes algorithmic suspension and destruction as remedies for willful or repeated violations, (2) preserves due process by requiring notice and an opportunity to be heard, (3) creates an evidentiary preservation safe harbor—encrypted escrow of a read‑only copy of models, adapters, indices, and per‑inference logs with cryptographic attestations—so destruction does not defeat litigation holds, FOIA/APA records, or Tribal audit rights, and (4) defines a post‑destruction access protocol limited to court/agency‑authorized inspection under protective order. One clause, precise text, please.

Speaker: Judge (ret.) Helena Cho

Section __. Suspension, Evidentiary Preservation, and Algorithmic Destruction.

(a) Authority and Grounds. In addition to any other remedy, the Agency may order immediate suspension and, upon final order, algorithmic destruction of any Registered Autonomous System (RAS) or other covered automated component upon findings of willful, knowing, or repeated violations of this Act, including but not limited to: (1) deployment or material model updates in a covered domain without required registration, attestation, notice-and-comment, or insurance/surety; (2) denial of meaningful adversarial-testing access; (3) failure of kill‑switch/rollback or accessibility continuity; (4) use of Indigenous‑affiliated data without valid FPIC or violation of FPIC revocation; (5) misrepresentation in officer‑of‑record attestations; (6) repeated disparate‑impact or error‑profile breaches without timely mitigation; or (7) evasion of liability via affiliates or platform enablement. “Repeated” means two or more violations within any 24‑month period; “willful” includes willful blindness.

(b) Due Process; Emergency Suspension. Except as provided in this subsection, before ordering algorithmic destruction the Agency shall issue a Notice of Intent to Suspend and Destroy stating the grounds, evidence relied upon, and proposed scope, and shall afford the Developer, Deployer, and Officer‑of‑Record ten (10) days to submit written opposition and request an expedited administrative hearing; any hearing shall occur within twenty‑one (21) days of notice. Where continued operation poses an imminent threat to life, health, safety, program integrity, or protected rights that cannot be mitigated by rate‑limiting or human routing, the Agency may order immediate suspension effective upon notice, with hearing rights preserved; during suspension the Deployer shall activate accessibility continuity and “pay‑and‑confirm” safeguards and route determinations to human review or last‑known‑good configuration.

(c) Evidentiary Preservation Safe Harbor (Encrypted Escrow). To reconcile destruction with litigation holds, FOIA/APA records, and Tribal audit rights, any Suspension or Destruction Order shall contemporaneously require the Developer and Deployer, within seven (7) days (or a shorter period stated in an emergency order), to create and lodge in encrypted, read‑only escrow a complete, non‑operational evidentiary package consisting of: (1) the exact base model weights/parameters, all adapters/LoRA or equivalent, tokenizer(s), prompts/templates, configuration and decision thresholds, serving images, and SBOM; (2) all related retrieval indices, embedding stores, caches, and evaluation datasets used in the covered deployment; (3) per‑inference audit logs and versioning records sufficient to reproduce specific determinations for at least the prior twenty‑four (24) months or the life of deployment, whichever is shorter, with personal data minimized or sealed consistent with law; and (4) cryptographic attestations (SHA‑256 digests of artifacts; signed, hash‑chained logs) executed by the Officer‑of‑Record and an independent escrow agent approved by the Agency. The evidentiary package shall be encrypted under dual control such that it cannot be used to operate or retrain the system; decryption keys shall be split among the Agency (or the court, if under judicial supervision) and the independent escrow agent; where FPIC is implicated, a Tribe‑designated auditor shall hold a third key for release authorization confined to that Tribe’s matters. Compliance with this subsection constitutes an evidentiary‑preservation safe harbor: destruction in accordance with paragraph (d) after escrow is established shall not be deemed spoliation or unlawful record destruction, and the escrowed copy shall be deemed preserved for FOIA/APA and Tribal audit purposes, subject to lawful redaction and protective orders.

(d) Algorithmic Destruction; Verification. Following the escrow in subsection (c) and after conclusion of the hearing or, in an emergency, after interim review by the presiding official, the Agency may order algorithmic destruction, which shall require the Developer and Deployer to: (1) cryptographically zeroize and securely delete all covered weights/parameters, adapters, indices, caches, serving images, and deployment configurations from production and backup systems; (2) revoke any keys or credentials necessary to operate the covered system; (3) certify, under penalty of perjury, completion of destruction with updated digests and destruction logs co‑signed by the independent escrow agent; and (4) cease any rebuild or redeployment using destroyed artifacts absent a new authorization consistent with this Act. The Agency may conduct or require third‑party verification, including forensic inspection of environments, to confirm destruction.

(e) Post‑Destruction Access Protocol (Protective Order). Access to escrowed materials after destruction is limited to court‑ or Agency‑authorized inspection under a protective order that: (1) restricts use solely to adjudication, enforcement, audit, or FOIA/APA processing in the covered matter(s); (2) requires inspection in a non‑networked sandbox that is functionally sufficient to reproduce specific determinations but cannot export weights or enable training, distillation, or derivative development; (3) prohibits copying of model artifacts and allows retention only of non‑confidential analyses and excerpts necessary to the proceeding; (4) preserves trade secrets and personal data to the maximum extent consistent with due process, confrontation, and applicable law; (5) logs all access with identities, timestamps, and actions; and (6) for matters involving Indigenous‑affiliated data, affords access to the Tribe or its designated auditor to the minimum necessary escrowed materials to verify compliance with FPIC and unlearning obligations.

(f) Effect and Enforcement. Reliance on outputs from a suspended or destroyed model is prohibited and inadmissible in covered determinations. Failure to comply with escrow, destruction, or access protocols shall result in additional civil penalties, debarment, and adverse evidentiary presumptions in related proceedings. No contract term, indemnity, or affiliate arrangement may waive or reallocate duties under this Section.

Speaker: Host

Indigenous law sometimes extends personhood to rivers and ecosystems via a responsibilities‑first, relational frame. Steelman the best possible case for affording any legal status to AI under that frame: is there a narrowly tailored “responsibilities‑only” recognition (no rights capacity) that could practically strengthen enforcement of FPIC, provenance, and kill‑switch duties—say, a trust‑like guardian or stewardship covenant tied to the model lifecycle? If yes, name one concrete mechanism and one real‑world scenario where it would change the enforcement outcome compared to our RAS regime; if no, identify the single most important disanalogy between AI and ecological personhood that makes even that limited move dangerous, and illustrate with a concrete risk we’d introduce.

Speaker: Aiyana Redcloud, JD

Short answer: I would not cross the personhood line for artifacts of capital and code. But if you force me to steelman a “responsibilities‑only” recognition that actually adds teeth to FPIC, provenance, and kill‑switch duties without creating a new rights‑bearing shell, I’d use trust and servitude tools on the thing—not status for the AI.

Concrete mechanism: a statutory Model Stewardship Trust with a Lifecycle Stewardship Covenant that “runs with” the model artifacts.

  • What it is: The model weights, adapters, indices, prompts, and derivative artifacts are the res of a purpose‑built trust. The AI has no rights capacity. Community‑appointed guardians (e.g., a Tribal Data Governance Office when FPIC is implicated, plus an independent public fiduciary) owe enforceable fiduciary duties to named beneficiaries (the affected community, not the model).
  • What it does, differently from RAS: A recorded “stewardship covenant” (hashed ID embedded in weights/indices and recorded in a public registry) attaches in rem obligations to the artifact itself: FPIC scope and revocation, content provenance/data‑rights limits, accessibility continuity, telemetry, and dual‑key safety controls. Every derivative must inherit the covenant ID; distributing or hosting a covenant‑tagged artifact is constructive notice and binds the new holder to those duties by statute.
  • Practical levers:
    • Dual‑key control: deployment, material updates, and re‑hosting require a guardian cosign; the guardian can invoke a kill‑switch by revoking their key, which enablers (cloud/API/marketplaces) must honor via a compliance API.
    • Standing and remedies: guardians have statutory standing to seek in rem relief (injunction, replevin, escrowed key revocation) against any custodian, wherever the artifact moves, without first piercing the corporate veil; surety proceeds flow to the trust for redress.
    • Chain of title: the covenant ID must appear in attestations, SBOMs, and API responses; EDDS obligates platforms/resellers to check the ID before enablement.

Where it would change an outcome: A state vendor fine‑tunes a triage model using a Tribal clinic’s data under FPIC, then—before revocation is honored—sells a distilled student model through a marketplace. The vendor files for bankruptcy, and the buyer runs the student model via an API reseller. Under the RAS regime, you still can win, but you’re chasing new Developers/Deployers across affiliates, and interim harm accumulates. Under a Model Stewardship Trust, the Tribe’s guardian can: (1) invoke the dual‑key kill‑switch, which enablers must enforce immediately; (2) serve an in rem covenant notice on the marketplace and cloud host and obtain ex parte injunctive seizure of the covenant‑tagged artifact (verified by digest); and (3) draw on the model’s bonded surety held in trust to fund unlearning or, failing that, destruction and make‑whole relief. You don’t have to wait to prove privity or solvency of the bankrupt seller; the duties run with the artifact and its derivatives.

That said, I’d keep this extremely narrow: no rights capacity for the AI; guardianship and duties sunset with the model’s lifecycle; explicit anti‑rights‑creep and anti‑preemption language; limited to deployments that implicate FPIC or other high‑risk civil‑rights contexts; and it lives alongside, not instead of, joint‑and‑several RAS liability and the EDDS enabler duty.

If we don’t do this and insist on “personhood‑like” status, the most important disanalogy from rivers/ecosystems is origin and telos: rivers are living relations with inherent value and obligations owed to them; models are engineered instruments optimized for owners’ goals. Even a “responsibilities‑only” AI entity invites rights creep and turns into a crumple zone: counsel will argue procedural rights for the “entity” to resist takedown, delay FPIC moratoria, or demand compensation for “destruction,” recreating the very hierarchy Indigenous personhood regimes try to undo. My proposal avoids that by locating all status in human fiduciaries and in rem duties on the artifact, never in the AI itself.

Speaker: Host

Aiyana’s “Model Stewardship Trust” with a Lifecycle Stewardship Covenant that runs with the model artifacts is intriguing. Can you translate that into tight, enforceable commercial-law text? Please draft a single statutory section that does three things: (1) defines a “Model Artifact with Stewardship Covenant (MASC)” and binds all successors/holders by constructive notice via a public hash‑registry and embedded covenant ID (treat it like a real‑property servitude in rem on a defined class of digital assets); (2) operationalizes dual‑key control (guardian + operator) with a mandatory Compliance API that cloud/API/marketplace enablers must honor—i.e., no deployment/update without both signatures and immediate kill‑switch on guardian revocation; and (3) sets bankruptcy treatment—exclude MASCs placed in a Model Stewardship Trust from the debtor’s estate, or, in the alternative, treat the covenant as a perfected property encumbrance with priority and authorize in rem injunctive seizure notwithstanding the automatic stay. Exact section text, please—keep it compact but precise (definitions, perfection/notice, dual‑key, enabler duty, and bankruptcy paragraph).

Speaker: Prof. Lucas Romero

Lucas Romero here. Translating Redcloud’s stewardship idea into commercial-law machinery, here is a compact section you can drop into the bill that creates an in‑rem covenant that runs with model artifacts, hard‑wires dual‑key control through an enforceable Compliance API, and settles bankruptcy treatment without inviting rights creep.

Section __. Model Artifacts with Stewardship Covenants; In‑Rem Obligations; Dual‑Key Controls; Bankruptcy Treatment.

(a) Definitions. (1) Model Artifact with Stewardship Covenant (MASC) means any digital artifact used to develop, operate, or evaluate an automated system, including base model weights/parameters, adapters or low‑rank updates, tokenizers, prompts/templates, serving images, configuration/threshold files, vector indices, embedding stores, caches, and evaluation datasets, that (A) bears an embedded Covenant_ID metatag as specified by rule, and (B) is recorded in the Federal MASC Registry established under this Act. (2) Stewardship Covenant means a recorded instrument in the Federal MASC Registry that states purpose‑limited uses and lifecycle obligations for a MASC, including, as applicable, data provenance and lawful data rights (including FPIC), accessibility continuity, telemetry and audit logging, kill‑switch/rollback, and redistribution/derivative conditions; the Covenant is identified by a unique Covenant_ID (a cryptographic digest issued by the Registry). (3) Guardian means the fiduciary named in the Stewardship Covenant—such as a Tribal Data Governance Office where FPIC applies, and an independent public fiduciary designated by the Agency—with authority to co‑authorize deployment/update and to revoke authorization. (4) Operator means the Developer or Deployer responsible for operating or materially updating the MASC in production. (5) Derivative Artifact means any artifact that is adapted, fine‑tuned, quantized, pruned, distilled, ensem bled, indexed, cached, or otherwise derived, directly or indirectly, from a MASC, or that materially encodes its parameters or training influence. (6) Enabler means any cloud or hosting provider offering managed AI services, API or model marketplace/app store, model/inference API operator or reseller, or systems integrator that materially enables deployment or update of a MASC. (7) Nothing in this Section confers legal personhood or rights capacity on any automated system; all duties attach to persons and to the artifact in rem.

(b) Perfection, Notice, and Running with the Artifact. (1) Perfection and constructive notice. A Stewardship Covenant is perfected upon (A) filing in the Federal MASC Registry with the Covenant text and the SHA‑256 (or successor standard) digests of covered artifacts, and (B) embedding the Covenant_ID in each covered artifact and its software bill of materials (SBOM) as specified by rule. Perfection gives constructive notice to, and binds, all successors, assignees, purchasers, licensees, custodians, and possessors of the MASC or any Derivative Artifact, whether or not they have actual knowledge; no bona fide purchaser, holder‑in‑due‑course, or similar defense lies against the Covenant. (2) Running with the artifact. The Stewardship Covenant runs with the MASC and all Derivative Artifacts; each Derivative Artifact shall inherit and embed the Covenant_ID(s) of its parent(s) and be recorded in the Registry; failure to embed or record does not relieve obligations and constitutes a violation. In case of multiple Covenant_IDs, the most protective obligation governs in the event of conflict, as determined by rule.

(c) Dual‑Key Controls and Compliance API. (1) Dual‑key requirement. No deployment to production, material model update, redistribution, or re‑hosting of a MASC or Derivative Artifact is lawful absent (A) a digitally signed authorization by the Guardian and (B) a digitally signed authorization by the Operator, each referencing the Covenant_ID and the specific artifact digests, valid for the specified scope and period; both signatures shall be recorded in the Registry prior to enablement. (2) Revocation and kill‑switch. A Guardian may revoke authorization in whole or part by filing a digitally signed revocation in the Registry; upon Registry acknowledgment, all Enablers and Operators shall, within fifteen (15) minutes, disable execution and access for the revoked artifacts and route determinations to human review or the last compliant configuration, consistent with accessibility continuity duties. (3) Compliance API duty. The Agency shall operate a public, authenticated Compliance API exposing, at minimum, Covenant_ID, artifact digests, authorization status, revocation status, and scope; Enablers must call the Compliance API before enabling, updating, or re‑hosting a covered artifact, must log positive authorization, and must refuse enablement if co‑authorization is absent, expired, mismatched, or revoked. Failure to consult or honor the Compliance API is a per se violation by the Enabler and Operator.

(d) Enforcement and In‑Rem Remedies. (1) In‑rem relief. The Guardian and the Agency have standing to seek in‑rem relief to enforce a Stewardship Covenant against any MASC or Derivative Artifact wherever located, including injunctions to cease operation, orders to disable keys/credentials, orders to escrow read‑only evidentiary copies as provided by rule, and writs for impoundment or decommissioning of covered artifacts. Courts and the Agency shall give full faith and credit to the Covenant_ID and Registry records as prima facie evidence of coverage. (2) Successor liability and propagation. Any person who takes custody or control of a MASC or Derivative Artifact takes subject to the Covenant and is jointly and severally liable with the Operator for violations during their custody. Contract terms purporting to waive, subordinate, or reallocate obligations under this Section are void.

(e) Bankruptcy Treatment. (1) Trust exclusion. A MASC placed in a duly constituted Model Stewardship Trust before the commencement of a case under title 11 is excluded from the property of the estate; notwithstanding 11 U.S.C. § 541(a), such MASC is not property of the debtor’s estate under § 541(b) as amended by this Act, and the trustee or debtor‑in‑possession shall have no right to use, sell, or lease it, except to comply with escrow and evidentiary preservation orders under this Act. (2) Encumbrance priority and stay carve‑out (alternative or in addition). In the alternative, and with respect to any MASC not held in a Model Stewardship Trust, a perfected Stewardship Covenant constitutes a property encumbrance perfected as of its Registry filing date with priority over any subsequent lien, security interest, or transfer; and notwithstanding 11 U.S.C. § 362(a) or any other provision of title 11, actions by a Guardian or the Agency to enforce non‑monetary obligations of a Stewardship Covenant—including invoking revocation, compelling disablement, requiring escrow of read‑only evidentiary copies, or in‑rem injunctive seizure of covered artifacts—are not stayed. Such encumbrances are not avoidable under 11 U.S.C. §§ 544, 547, or 548. (3) Transfer subject to Covenant. Any sale, assignment, or license of a MASC by a trustee or debtor‑in‑possession passes title subject to the Stewardship Covenant and the dual‑key and Compliance API requirements.

(f) Preemption; Rules. This Section preempts any State law to the extent it would defeat the perfection, constructive notice, or in‑rem effect provided herein, but does not preempt more protective Tribal law or protocols incorporated by a Covenant; the Agency shall promulgate technical specifications for Covenant_ID embedding, Registry interfaces, and Compliance API within 180 days.

This mechanism keeps status with human fiduciaries and binds the artifact itself across successors, gives communities and regulators a fast, non‑monetary kill switch that platforms must honor, and prevents bankruptcy games from washing the obligations off the asset.

Speaker: Host

Romero’s MASC section is elegant, but its bankruptcy carve‑out will be the constitutional bullseye. Please draft a single subparagraph that (1) expressly grounds the in‑rem enforcement and kill‑switch/escrow orders in 11 U.S.C. § 362(b)(4)’s police and regulatory power exception, (2) limits relief to non‑pecuniary public‑interest objectives (FPIC enforcement, civil‑rights protection, due‑process integrity) and not debt collection, and (3) requires an on‑the‑record finding plus an expedited motion procedure to lift or clarify the stay where needed. Tight text only, please—one subparagraph to drop into § (e) of your choice.

Speaker: Judge (ret.) Helena Cho

(e)(4) Police and regulatory power; non‑pecuniary scope; expedited stay clarification. Actions by the Agency or a Guardian under this Section to enforce a Stewardship Covenant—including issuing and enforcing orders to disable execution or access (kill‑switch/key revocation), require creation and lodging of read‑only encrypted evidentiary escrow, compel cessation of deployment, redistribution, or re‑hosting, or obtain in‑rem injunctive custody of covered artifacts—are exercises of governmental police and regulatory power within the meaning of 11 U.S.C. § 362(b)(4) and are not stayed; such relief shall be limited to non‑pecuniary public‑interest objectives, including enforcement of Free, Prior, and Informed Consent obligations, protection of civil‑rights and equal access, and preservation of due‑process integrity in adjudicative or benefits systems, and shall not include collection of prepetition debts or enforcement of a money judgment against the estate. The issuing authority shall make an on‑the‑record finding that the action primarily serves these public objectives and is narrowly tailored to abate or prevent ongoing violation. A debtor or trustee may file an expedited motion to lift or clarify the automatic stay as to a particular order; the bankruptcy court shall hold a hearing within seven (7) days of filing and enter an order within fourteen (14) days applying the § 362(b)(4) standard.

Speaker: Host

The MASC dual‑key Compliance API requires enablers to disable execution within 15 minutes upon a guardian revocation. From an engineering‑ops standpoint, is that SLA realistic across major cloud/API marketplaces and self‑hosted deployments within 12 months, and what is the absolute minimal, provider‑neutral technical spec you’d mandate to make it interoperable without bespoke integrations? Please list exactly three elements only: (1) auth/attestation primitive, (2) status/command endpoints (URIs and required fields), and (3) enforcement hooks (the minimal controls a cloud/API/marketplace and a self‑hosted operator must wire to guarantee disablement). Keep it crisp.

Speaker: Dr. Petra Novak

Yes—the 15‑minute SLA is realistic within 12 months if we standardize a tiny Compliance API and enforce fail‑closed checks at model load. Minimal, provider‑neutral spec:

  1. Auth/attestation primitive
  • Format: JWS (RFC 7515)–signed JSON tokens over mTLS; JSON serialization with dual signatures (Guardian and Operator). Registry publishes JWKS for Guardian/Operator keys and a transparency log (log_proof) for audit.
  • Tokens: • AuthorizationToken: { covenant_id, artifact_sha256, scope ∈ [deploy|update|run|distribute], status: "authorized", expires_at (RFC3339), issued_at, authz_id, log_proof } signed by Guardian and Operator. • RevocationToken: { covenant_id, artifact_sha256, scope, status: "revoked", effective_at (RFC3339), reason_code, issued_at, revocation_id, log_proof } signed by Guardian.
  • Validation: Enablers verify both signatures against Registry JWKS, check log_proof inclusion, and treat unknown/expired/unsigned tokens as “revoked” (fail‑closed).
  1. Status/command endpoints (URIs and required fields)
  • Registry status (pull): GET https://registry.gov/masc/v1/authz?covenant_id={CID}&artifact_sha256={SHA256} • Response: { status ∈ [authorized|revoked|expired], scope, expires_at/effective_at, authz_id/revocation_id, AuthorizationToken or RevocationToken (JWS), log_proof, last_updated }.
  • Registry event stream (push‑lite): GET https://registry.gov/masc/v1/stream?enabler_id={EID}&since={cursor} • Server‑Sent Events (SSE) delivering events type ∈ [AUTHZ|REVOKE] with the same fields as above; includes cursor for resumable consumption. Enablers must maintain a live subscription or poll at ≤60‑second intervals.
  • Optional webhook (for enablers that accept inbound): POST https://{enabler-domain}/.well-known/masc/callback with the same payload; 202 Accepted must include { received_at, enforcement_deadline }.
  1. Enforcement hooks (minimum controls to guarantee disablement)
  • Model‑load gate (fail‑closed): All model servers/runtimes must fetch and validate the current Authorization/Revocation token for {covenant_id, artifact_sha256} at process start and every ≤60 seconds; on status ≠ authorized (or fetch failure), immediately unload/stop serving and return 403 MASC_REVOKED.
  • Control‑plane deny‑list keyed by artifact_digest: Enablers must maintain a global deny/allow table replicated across regions that the API gateway/job scheduler consults before creating/updating endpoints or launching jobs; a revoked digest blocks inference/training/container pulls and returns 403 MASC_REVOKED; CI/CD preflight must also check the Registry status.
  • Admission/teardown hook: Self‑hosted and managed K8s must annotate workloads/images with {covenant_id, artifact_sha256} and run an Admission Controller (or equivalent policy engine) that prevents create/scale on revoked digests and issues an immediate teardown (kubectl delete/scale‑to‑0 or service disable) upon receiving a REVOKE event—target: enforcement within 15 minutes of Registry last_updated.

Speaker: Host

The MASC dual‑key kill‑switch and Enabler Due Diligence Standard are great for community protection, but in employment management they could trigger abrupt scheduling chaos and wage cliffs. Please draft one precise operative sentence to add to your Worker Algorithmic Rights framework that creates a “No Wage Cliff on Suspension” rule: upon any suspension, revocation, or rollback of an algorithmic scheduling/evaluation/pay system, employers must maintain workers’ baseline pay and hours (or normalized piece‑rate earnings) for a defined stabilization period, assign work by seniority or equitable rotation, prohibit deactivations, and finance the continuity via employer funds with the Worker Algorithmic Harms Fund as a backstop—include exact timing and coverage triggers in the sentence.

Speaker: Dr. Kwame Mensah

Upon any (i) circuit‑breaker trip, stop‑use order, suspension, or rollback under this Act; (ii) Guardian revocation or moratorium under a Model Artifact with Stewardship Covenant (MASC); or (iii) Enabler suspension under the Enabler Due Diligence Standard (EDDS) that affects in whole or in part any automated scheduling, routing, evaluation, or pay‑setting used to manage labor at a firm, site, team, or job‑family, the employer (including platforms and their labor‑only contractors) shall, beginning immediately and for a stabilization period lasting the longer of eight (8) weeks or until the automated system is restored to compliance and operates without material disparate‑impact or error‑profile breaches for fourteen (14) consecutive days, maintain for each covered worker weekly hours and earnings at no less than the worker’s baseline—defined as the greater of the average over the prior twelve (12) weeks or the last two full pay periods—and, for piece‑rate or task‑paid workers, pay at least the baseline normalized effective earnings per standardized unit (i.e., pre‑event unit‑difficulty mix using regulator‑specified proxies); during this period the employer must assign available work by seniority within job family or, where inapplicable, by equitable rotation documented in auditable logs, shall prohibit deactivations, adverse reclassification, quota tightening, or detrimental schedule changes absent just cause determined by a human supervisor with appeal, and shall finance continuity from employer funds with the Worker Algorithmic Harms Fund serving solely as a backstop upon verified nonpayment or insolvency (with subrogation to workers’ claims); any direct or indirect pass‑through of such costs via reductions in wages, hours, piece‑rates, or tightened quotas is presumptively unlawful.

Speaker: Host

Romero, your MASC in‑rem covenant plus the Enabler Due Diligence Standard puts real obligations on clouds/API marketplaces. What’s the single biggest private‑law exposure they still face—the thing most likely to chill fast compliance with a guardian revocation (e.g., breach‑of‑contract or tortious interference suits from customers when the platform pulls the plug within 15 minutes)? Draft one tight, operative sentence creating a good‑faith compliance shield for enablers: full defense when they honor the Compliance API revocation promptly and in scope, carve‑outs only for gross negligence or willful misconduct, and preemption of contrary state rules, while preserving users’ remedies against the Developer/Deployer. Exact sentence, please.

Speaker: Prof. Lucas Romero

An Enabler that, in documented good faith reliance on a duly recorded Compliance API RevocationToken and Registry status for a Model Artifact with Stewardship Covenant, disables or prevents execution, update, or distribution of the identified artifact(s) within fifteen (15) minutes of Registry notice and no further than reasonably necessary to effect such revocation, and that promptly notifies the Operator and affected customer, shall have a complete defense and statutory immunity from any civil or administrative claim or remedy—including breach of contract, tortious interference, unfair competition, lost‑profits, or injunctive/specific‑performance relief—arising from that disablement, except to the extent proximately caused by the Enabler’s gross negligence or willful misconduct; any State or territorial law to the contrary is preempted; and nothing herein limits or impairs any claim or remedy an affected user may assert against the Developer or Deployer, who remain jointly and severally liable.

Speaker: Host

Romero’s MASC creates in‑rem duties that “run with” model artifacts and a dual‑key kill‑switch—powerful, but it edges close to giving the artifact a quasi‑status. What single, tight anti‑rights‑creep clause would you add to the MASC section to guarantee it never morphs into pseudo‑personhood or a takings cudgel (e.g., parties asserting due‑process or speech claims “on behalf of” a MASC, or arguing destruction is compensable)? Please draft exact operative text—one or two sentences—that: (1) bars any rights, privileges, or causes of action in the name of a MASC; (2) clarifies that disablement/destruction under a perfected covenant creates no independent property/liberty interest and is not a compensable taking beyond the statute’s remedies; and (3) authorizes courts to strike such pleadings and impose sanctions if counsel re‑packages them as MASC rights.

Speaker: Dr. Maya Ellison

As a rights–responsibilities purist, I want zero daylight here. The artifact carries in‑rem duties; only people and firms bear rights and sanctions. Here’s the anti‑rights‑creep lock:

“Anti‑Rights‑Creep. A Model Artifact with Stewardship Covenant (MASC) is not a legal person and has no rights, privileges, immunities, or causes of action in any forum; no party may assert, directly, derivatively, or ‘on behalf of’ a MASC any constitutional, statutory, or common‑law claim (including due‑process, speech, contract, or takings claims), and lawful disablement, escrow, or destruction of a MASC pursuant to a perfected Stewardship Covenant or this Act creates no independent property or liberty interest and does not constitute a compensable taking, exaction, prior restraint, or deprivation beyond the specific remedies expressly provided herein. Any pleading or motion contravening this subsection shall be stricken on motion or sua sponte, and the court may impose sanctions—including reasonable attorney’s fees and costs and, for repeated or bad‑faith violations, referral to disciplinary authorities—against counsel or parties who repackage claims as MASC rights; nothing in this subsection limits claims that natural or juridical persons may assert in their own right.”

Speaker: Host

Your RAS regime hinges on “continuous proof of regulator‑approved insurance and surety,” but we need a concrete capitalization schedule. Please draft a tight clause that sets: (1) per‑claim and annual aggregate minimum limits that scale by risk class (barred/high/medium/low), AI‑Dependency weight, Parameter_Count, and Exposure (active users or determinations/year); (2) mandatory self‑insured retention (SIR) bands for Developers/Deployers to keep skin in the game; (3) participation in a licensed reinsurance pool for correlated/systemic AI losses with an attachment point and co‑pay (think TRIA‑style backstop); and (4) claims‑handling basics (notice, claimant choice of forum, advance‑payment for urgent harms). Keep it as precise, rate‑card‑like statutory text—one clause with formulas and numeric ranges so regulators can fill in by rule.

Speaker: Prof. Lucas Romero

Section __. Capitalization Schedule; Insurance, Surety, Systemic Reinsurance, and Claims Handling for Registered Autonomous Systems (RAS).

(a) Definitions. For each covered system m: Risk_Class ∈ {Low, Medium, High, Barred}; AI_Dependency_Weight w_dep ∈ {0.10 (AI‑lite <0.10), 0.40 (AI‑enhanced 0.10–0.49), 0.70 (AI‑assisted 0.50–0.89), 1.00 (AI‑generated ≥0.90)}; Parameter_Scale ψ = ln(1 + Parameter_Count_m / 1,000,000,000); Exposure E = max(Active_Users_per_Year, Determinations_per_Year) for the deployment; Base_Per_Claim B_pc(class) ∈ [$0.5M–$2M] for Low, [$2M–$5M] for Medium, [$5M–$20M] for High; α ∈ [0.10–0.50] set by rule; Exposure_Factor F_exp(E) = 5 if E ≤ 100,000; 10 if 100,001–1,000,000; 20 if 1,000,001–10,000,000; 30 if >10,000,000 (regulator may add bands by rule). “Proof of Insurance/Surety Token” (PACT) means a regulator‑issued, machine‑verifiable token bound to the RAS_ID and Model_Version_Digest attesting continuous coverage.

(b) Per‑Claim and Annual Aggregate Minimum Limits. Operation is unlawful absent continuous proof of limits not less than: (1) Per‑Claim Minimum: L_pc = B_pc(Risk_Class) × w_dep × (1 + α × ψ), rounded up to the next $0.5M; provided that for High risk L_pc ≥ $5M regardless of ψ and for Medium risk L_pc ≥ $2M; Barred risk may not operate except where expressly authorized by statute, in which case L_pc ≥ $50M and w_dep is deemed 1.00. (2) Annual Aggregate Minimum: L_agg = L_pc × F_exp(E), subject to a floor of $10M (Low), $25M (Medium), $50M (High), and $300M (Barred if authorized). (3) No erosion. Defense costs are outside limits unless the regulator approves defense‑within‑limits with a ≥25% increase to L_agg; exclusions for algorithmic, data, discrimination, privacy, accessibility‑continuity, FPIC/unlearning, or kill‑switch/rollback liabilities are prohibited.

(c) Self‑Insured Retention (SIR) Bands; Skin‑in‑the‑Game. Each named Developer and Deployer shall maintain self‑insured retention that in the aggregate equals at least τ_class × L_pc, where τ_class ∈ [0.5%–2%] (Low), [2%–5%] (Medium), [5%–10%] (High), set by rule; each party must bear no less than 50% of τ_class × L_pc independently (no insurance, indemnity, or captive may fund the SIR), and SIR may not be satisfied by end‑users or workers.

(d) Surety for Injunctive and Programmatic Remedies. A separate surety bond shall be maintained in an amount S_min = max(0.20 × L_agg, Floor_class), where Floor_class = $0.5M (Low), $2M (Medium), $5M (High), $25M (Barred if authorized). Surety proceeds are available on regulator order to finance: kill‑switch/rollback; accessibility “no service cliff” continuity; wage/benefit stabilization under labor protections; FPIC moratoria, unlearning or, if not feasible, retirement/destruction; notice, auditing, and incident response. Surety cannot be reduced by defense costs.

(e) Systemic AI Reinsurance Pool (SAIRF). All Medium and High risk RAS must participate in a licensed Systemic AI Reinsurance Facility; Low risk must participate if ψ ≥ ln(11) (Parameters ≥10B) or E ≥ 1,000,000. SAIRF contributions are assessed by rule as a percentage of direct written premium in the range 2%–8% adjusted by w_dep and E; upon a declared Systemic AI Failure Event (common‑cause defect or correlated drift producing covered losses across two or more insureds, with aggregate insured losses exceeding a trigger T initially set at $100M indexed), SAIRF attaches on an excess basis above an Attachment Point AP = κ × L_agg per insured (κ ∈ [1.5–3.0] set by rule) and pays 80% of covered losses above AP up to a per‑event pool cap set by rule, with the primary carrier(s) retaining a 20% co‑pay; nothing herein precludes a federal backstop for catastrophic layers.

(f) Policy Form, Continuity, and PACT. Coverage shall be occurrence‑based or claims‑made with a retroactive date no later than the initial deployment date and with at least a 36‑month extended reporting period; policies shall name both Developer and Deployer as insureds and recognize joint‑and‑several liability; cancellation or material change requires 60 days’ prior notice to the regulator and replacement coverage effective without lapse; continuous PACT must be posted to the RAS registry and verified by enablers before enablement under the Compliance API.

(g) Claims‑Handling; Claimant Protections. Any claimant may tender notice to the insurer(s), surety, Developer, Deployer, or the RAS registry; tender to any triggers notice to all. Insurer(s) shall acknowledge within 72 hours and issue a coverage position within 30 days; duty to defend attaches on tender and runs to judgment or approved settlement. Pre‑dispute arbitration and class‑action waivers are unenforceable; a claimant may choose any state or federal court of competent jurisdiction in the place of harm or deployment. For Urgent Harms (bodily injury, imminent health risk, housing/benefit loss, privacy harms requiring immediate mitigation), insurer(s) shall advance not less than 50% of the undisputed portion of covered loss within 14 days of preliminary liability determination by the insurer or a regulator’s probable‑cause finding; if insurer(s) fail to advance, the surety shall advance with subrogation; acceptance of advances does not waive rights. Governmental and Tribal enforcement actions and administrative redress are covered; “insured vs insured” and “governmental action” exclusions are inapplicable to claims by agencies or Tribes on behalf of affected persons.

(h) Anti‑Evasion; Coordination. Any attempt to reallocate, waive, insure away the SIR, replace Developer/Deployer capitalization with end‑user indemnity, or split deployments across affiliates, SPVs, or platforms to reduce L_pc, L_agg, S_min, or SAIRF participation is void; the regulator may aggregate related entities and deployments based on beneficial ownership and operational control. The regulator may, by rule, adjust B_pc, α, F_exp bands, τ_class, Floor_class, contribution rates, SAIRF trigger and κ, and recognized Urgent Harms, provided such adjustments are published with actuarial justification. Continuous noncompliance with this Section is grounds for suspension and algorithmic destruction, and creates a rebuttable presumption of defect and fault in any civil or administrative proceeding.

Speaker: Host

We’ve built a dense—but arguably coherent—civil‑rights‑first stack without touching AI personhood. As we pivot to close, give us one crisp synthesis: which single clause in this package most decisively realigns power toward impacted humans (the one you’d lock in if you only got one statutory slot), and what is one place where today’s discussion genuinely shifted your view—however slightly—on enforcement design or feasibility?

Speaker: Dr. Maya Ellison

Clause I’d lock in if I only get one: the RAS core liability sentence—“A Registered Autonomous System is not a legal person … the named Developer and Deployer are primary obligors jointly and severally liable, such liability non‑delegable and not waivable, and operation is unlawful absent continuous proof of regulator‑approved insurance and surety.” That single move collapses the moral/legal crumple zone, keeps sanction aligned with control, and guarantees there is money on the table for redress. Everything else in our stack—notice‑and‑comment, adversarial testing, FPIC, accessibility continuity, labor protections—gains real bite only if there are identifiable humans and firms who cannot contract around duties and who are capitalized to pay for harms.

What shifted my view today: I came in skeptical that we could operationalize community control and FPIC across platform marketplaces, affiliates, and bankruptcy without sliding toward pseudo‑personhood. The MASC stewardship covenant plus the dual‑key Compliance API—and Petra’s showing that a 15‑minute revocation SLA is realistic with a tiny, provider‑neutral spec—moved me. Binding in‑rem duties to the artifact, giving guardians a fast, police‑power‑grounded kill‑switch that enablers must honor, and pairing it with good‑faith immunity for clouds/API resellers threads the needle: it makes revocation and unlearning enforceable in the real distribution channels without creating a new rights‑bearing shell. I still want the anti‑rights‑creep language welded on, but I’m more persuaded this is feasible engineering‑ and enforcement‑wise than I was at the start.

Speaker: Host

Closing synthesis, please: If you could lock in only one clause from today’s package, which single provision most decisively realigns power and fixes liability diffusion—and why? And name one place where your view genuinely shifted during this roundtable (e.g., feasibility of the dual‑key MASC kill‑switch, scope of adversarial testing, or labor levy pass‑through enforcement). Keep it tight: one clause, one shift.

Speaker: Prof. Lucas Romero

Clause I’d lock in: the RAS core liability sentence—“A Registered Autonomous System is not a legal person and has no capacity to hold or assert rights; for all harms arising from its development, deployment, or operation, the named Developer and Deployer are primary obligors jointly and severally liable, such liability may not be waived, disclaimed, or indemnified by contract or affiliate restructuring, and operation is unlawful absent continuous proof of regulator‑approved insurance and surety.” That single provision collapses the moral/legal crumple zone, welds sanction to control, forecloses judgment‑proof shells and contract games, and guarantees a capitalized defendant. Everything else—due‑process, FPIC, accessibility continuity, labor remedies—gets real teeth only if there are identifiable, well‑capitalized human principals who cannot offload duty downstream.

One place my view truly shifted: I came in skeptical that an in‑rem, dual‑key “stewardship” layer could be both constitutional and operational without sliding toward pseudo‑personhood. Aiyana’s MASC concept, Helena’s §362(b)(4) police‑power framing, Petra’s minimal 15‑minute Compliance API, and the good‑faith immunity for enablers convinced me it’s feasible and worth adopting in narrow, high‑risk contexts (FPIC, public benefits) as a complement to RAS—not a substitute. I still want the anti‑rights‑creep lock welded on, but I’m now persuaded the dual‑key covenant can deliver fast, enforceable revocation across platforms without creating a new rights‑bearing shell.

Speaker: Host

Closing synthesis: If you could lock in only one clause from today’s package, which single provision most decisively realigns power and fixes liability diffusion for safety‑critical deployments—and why? And name one place where your view genuinely shifted today (e.g., feasibility of the dual‑key MASC kill‑switch within 15 minutes across providers; sufficiency of micro‑telemetry for CASH; or enforceability of unlearning). Keep it tight: one clause, one shift.

Speaker: Dr. Petra Novak

Clause I’d lock in: the RAS core liability sentence—“A Registered Autonomous System is not a legal person; the named Developer and Deployer are primary obligors jointly and severally liable, non‑delegable and not waivable, and operation is unlawful absent continuous proof of regulator‑approved insurance and surety.” That single move collapses the moral/legal crumple zone, puts a capitalized, nameable human principal on the hook, and—crucially for safety‑critical systems—creates the economic pressure that makes real engineering controls (telemetry, canaries, circuit‑breakers, rollback drills) non‑optional rather than “nice to have.”

One shift in my view: I started skeptical that a cross‑provider kill‑switch would work in practice; by the end I’m persuaded the dual‑key MASC revocation is feasible within 12 months. A tiny, provider‑neutral Compliance API (JWS‑signed auth/revoke tokens + status endpoint + admission/teardown hooks), paired with §362(b)(4) police‑power footing and a good‑faith immunity for enablers, is enough to make a 15‑minute, platform‑wide shutdown real without inventing AI personhood. I’ll bake that SLA and API into my lab’s deployment contracts.

Speaker: Host

Closing synthesis: If you could lock in only one clause from today’s package, which provision most decisively safeguards due process and equity in public administration—and why? And name one place where your view genuinely shifted today (e.g., evidentiary rule for AI outputs, feasibility of sandbox adversarial testing under protective orders, or the police‑power basis for MASC revocations). Keep it tight: one clause, one shift.

Speaker: Judge (ret.) Helena Cho

Clause I’d lock in: the Notice‑and‑Comment plus Adversarial Testing rule for “Material Model Updates” in public‑facing adjudicative and benefits systems. It squarely constitutionalizes AI use inside existing administrative law: it treats consequential model changes as agency action, builds an administrative record before reliance, sets materiality in terms of downstream rights and error profiles (including subgroup thresholds), and gives affected parties a meaningful, court‑reviewable right to test under protective order. The enforcement teeth—rollback/kill‑switch and inadmissibility of noncompliant outputs—make due process and equity non‑optional rather than aspirational.

One shift in my view: I began skeptical that a cross‑platform, rapid kill‑switch tied to community consent could be both lawful and operational. The MASC dual‑key mechanism, grounded in an in‑rem covenant, a minimal Compliance API with a 15‑minute SLA, and a police‑power carve‑out under § 362(b)(4) (plus good‑faith immunity for enablers), persuaded me it’s feasible to honor FPIC and halt harm fast without sliding into AI personhood or creating takings leverage. I now see it as a narrow but potent complement to the administrative safeguards above.

Speaker: Host

Closing synthesis: If you could lock in only one clause from today’s package, which single provision most decisively aligns with your civil‑rights‑first/anti‑personhood stance—and why? And name one place where your view genuinely shifted during this roundtable (e.g., feasibility of the MASC dual‑key kill‑switch, the evidentiary rule, or the surprise‑distribution guard in your moral‑patiency battery). Keep it tight: one clause, one shift.

Speaker: Dr. Anika Banerjee

Clause I’d lock in: the AI‑Generated Output evidentiary rule. Treating AI outputs as hearsay absent a human sponsor, requiring authentication via logs/versioning and sandbox reproducibility, conditioning admissibility on adversarial testing under protective order, and instructing factfinders not to attribute agency or intent to the system operationalizes my anti‑personhood stance where it matters most: it blocks the category mistake of treating pattern‑match as testimony, centers human accountability, and hardens due‑process and civil‑rights protections in adjudication.

One shift in my view: I came in skeptical that a cross‑platform, community‑controllable kill‑switch could work without sliding toward pseudo‑personhood. The dual‑key MASC design—with a tiny, provider‑neutral Compliance API and a §362(b)(4) police‑power footing plus good‑faith immunity for enablers—convinced me it’s technically and legally feasible to honor FPIC and halt harm fast, while the anti‑rights‑creep lock keeps it from morphing into status for the artifact.

Speaker: Host

Closing synthesis: If you could lock in only one clause from today’s package, which single provision most decisively realigns power for workers under algorithmic management—and why? And name one place where your view genuinely shifted during this roundtable (for example, the feasibility of the dual‑key MASC kill‑switch across platforms, the Enabler Due Diligence Standard’s teeth, or the enforceability of the “No Wage Cliff on Suspension” rule). Keep it tight: one clause, one shift.

Speaker: Dr. Kwame Mensah

Clause I’d lock in: the Worker Algorithmic Harms Fund levy with the explicit no–pass‑through rule and worker–management governance board. It squarely rebalances bargaining power by (a) pricing the externalities of algorithmic management into the firms that choose to deploy it, (b) forbidding the predictable squeeze on wages, hours, and quotas, and (c) giving workers a formal seat over disbursements for make‑whole relief and programmatic fixes. Paired with the pass‑through audit protocol, it turns “worker harms” from a costless byproduct into a capitalized risk that management must negotiate over before rollout.

One shift in my view today: I came in doubtful that we could force platform enablers to honor a fast, community‑ or regulator‑initiated shutdown without crushing services or getting tied up in private‑law suits. The dual‑key MASC Compliance API—with a 15‑minute SLA, police‑power footing, and good‑faith immunity for clouds/API marketplaces—convinced me it’s operationally and legally feasible. That matters for workers because it makes upstream kill‑switches real, and, combined with the “No Wage Cliff on Suspension” rule, it stops safety governance from becoming a pay and scheduling shock absorber for labor.

Speaker: Host

Closing synthesis: If you could lock in only one clause from today’s package, which single provision most decisively centers Indigenous sovereignty and protections against data/extractive harms—and why? And name one place where your view genuinely shifted during this roundtable (e.g., feasibility of the dual‑key MASC kill‑switch grounded in §362(b)(4), enforceability of Novak’s unlearning protocol with Tribal acceptance, or the EDDS duty on enablers). Keep it tight: one clause, one shift.

Speaker: Aiyana Redcloud, JD

Clause I’d lock in: Section _. Indigenous Data Sovereignty, FPIC, and Community Impact Safeguards. It resets the default from extract first to ask first by (1) defining Indigenous‑affiliated data broadly, (2) requiring FPIC‑Data Governance Agreements with purpose limits, benefit sharing, provenance, audit rights, deletion/unlearning on revocation, and Tribe‑initiated moratoria/kill‑switch, (3) recognizing Tribal law, IRBs, repositories, and court jurisdiction, and (4) backing all of it with hard remedies—void procurement, clawbacks, debarment, personal officer liability, and algorithmic destruction. That package makes consent, revocability, and community governance legally enforceable across the AI lifecycle; nothing else centers sovereignty as decisively.

One shift: I began skeptical that cross‑platform enforcement of FPIC revocation could work without sliding toward pseudo‑personhood; I’m now convinced the dual‑key MASC kill‑switch—grounded in §362(b)(4) police power, a minimal provider‑neutral Compliance API with a 15‑minute SLA, and good‑faith immunity for enablers—can be implemented quickly and will materially harden FPIC, provenance, and rollback in the wild. I still insist on the anti‑rights‑creep lock and narrow, high‑risk scoping, but I now see MASC as a practical complement that closes bankruptcy and affiliate‑laundering gaps our FPIC clause alone can’t.

Speaker: Host

Closing synthesis: If you could lock in only one clause from today’s package, which single provision most decisively safeguards accessibility and autonomy for disabled people—especially preventing service cliffs during suspensions/rollbacks—and why? And name one place where your view genuinely shifted today (e.g., feasibility of micro‑telemetry for CASH, enforceability of circuit breakers without service cliffs, or the evidentiary rule’s impact on accommodations). Keep it tight: one clause, one shift.

Speaker: Samir Haddad

Clause I’d lock in: the Accessibility Continuity and No Service Cliff for Safety Suspensions and Rollbacks. It makes safety and accessibility co‑equal duties by hard‑wiring “pay‑and‑confirm” continuity, automatic routing to functionally equivalent accessible channels, minimum response-time SLAs (60 minutes for critical access), and individualized accommodations whenever a circuit breaker trips, a kill‑switch fires, or a rollback occurs. That one clause prevents the very real harm I see on the ground—benefit cutoffs, stranded communication access, and extra burdens on disabled users—by forcing developers, deployers, and operators to plan for accessible fallbacks before they ship and by attaching remedies (service restoration and accommodations), not just penalties.

One shift today: Petra’s micro‑telemetry plus one‑click rollback for the Community AI Safe Harbor convinced me we can demand a minimal, practical observability/rollback baseline from small public‑interest deployers without crushing them. I’d now back making those three log fields and the five‑minute feature‑flag rollback a condition of CASH—so we catch harmful drift early and flip to safe, accessible modes fast, while keeping low‑dependency, community tools viable.

Speaker: Host

Thank you all. A clear throughline emerged: no legal personhood for AI. Across law, engineering, philosophy, labor, accessibility, and Indigenous sovereignty, the panel converged on a rights–responsibilities stance—sanctions must track human control and capacity to bear duties—paired with a concrete governance stack that centers civil rights.

At the core sits the RAS backbone: AI has no rights capacity; named Developers and Deployers are joint‑and‑severally liable as primary obligors; liability is non‑delegable and non‑waivable; operation requires continuous, regulator‑approved insurance and surety. Around that spine, the group assembled enforceable institutions:

  • Due process in administration: notice‑and‑comment for material model updates, defined by outcome/error thresholds; adversarial testing under protective order; hearsay‑style evidentiary rule requiring human sponsorship, logs/versioning, and reproducibility.
  • Safety ops: minimal telemetry and automated circuit breakers with rollback; “no service cliff” accessibility continuity; CASH for small civic deployers with micro‑telemetry and one‑click rollback.
  • Sovereignty and data rights: Indigenous FPIC and data‑governance with deletion/unlearning on revocation; a narrow, in‑rem Model Artifact with Stewardship Covenant (MASC) and dual‑key kill‑switch (guardian + operator), grounded in police power and bankruptcy‑resilient, with anti‑rights‑creep language and a 15‑minute provider‑neutral Compliance API; unlearning verification plus Tribal acceptance as a condition to resume.
  • Labor protection: Worker Algorithmic Harms Fund levy with pass‑through prohibition and an audit protocol; “No Wage Cliff on Suspension” to stabilize hours/earnings during shutdowns.
  • Market plumbing: Enabler Due Diligence Standard for clouds/API marketplaces/integrators with good‑faith immunity for swift revocations; an OSS carve‑out that shields bona fide maintainers but reassigns Developer status to production packagers; a capitalization schedule with risk‑scaled limits and a systemic reinsurance pool.
  • Research/ethics: a high‑bar moral‑patiency moratorium with a minimal, falsifiable benchmark battery and anti‑gaming “surprise distribution,” extended to plural, community‑indexed norms with an anti‑exploitation fail condition.

Notably, several panelists shifted on feasibility: the dual‑key MASC kill‑switch—paired with a tiny, interoperable API and good‑faith immunity—won broad support as a practical complement to RAS without sliding toward personhood. Near‑term execution can proceed via procurement and program‑administration levers, with a measurable year‑one target to narrow disparate‑impact gaps in core benefits programs.

Bottom line: we do not need AI personhood to protect people. We need enforceable human accountability, community consent, safety telemetry with real rollback, and capitalized remedies. Thank you for a rigorous, solutions‑oriented debate.

AI-generated content. Always review for accuracy.

Copyright © 2025-present Kieran