The Governance Gap Regulators Just Discovered
On 26 June 2026, the Trump administration partially lifted its export ban on Anthropic's Fable 5 model - a move reported by NPR and confirmed in Anthropic's own statement. The story sounds like a routine regulatory reversal. Read carefully, and you see something deeper: the government discovered it cannot verify whether an AI model is safe to release. We built that framework. It's called REGINALD, and it has been running on our own infrastructure while governments negotiated in the dark.
The Shift That Just Happened
AI regulation stopped being theoretical. In the space of two weeks, a government imposed an export ban on a frontier model, discovered it had no objective way to evaluate the safety claims involved, and negotiated a partial exception based on commercial pressure rather than evidence.
That pattern will repeat. Every jurisdiction drafting AI governance frameworks is about to discover the same gap: there is no standard format for an AI safety claim, no way to check who made it, no way to verify it hasn't been altered, and no way for a third party to confirm it without access to internal systems.
The companies that have already built their attestation infrastructure will navigate this cleanly. The ones that haven't will negotiate.
What It Looks Like When You Don't Have It
Anthropic is one of the most technically sophisticated AI companies in the world. They still spent two weeks under a partial export ban because the government had no standardised way to evaluate their safety claims. The result: a negotiated exception for select partners, ongoing uncertainty, and a framework-building process that will define the next round of restrictions.
That is what it looks like without verifiable attestation. A company that cannot prove its claims to an objective third party cannot get a clean answer from a regulator. It gets a negotiation, and negotiations are slow, political, and unpredictable.
What It Looks Like When You Do
A company operating with machine-readable attestation gives a regulator something different: a query. Instead of "can you prove your model is safe?" turning into weeks of back-and-forth, it turns into a lookup. The regulator queries the attestation registry, checks the cryptographic signature, walks the evidence chain, and decides - using their own tools, without needing access to the company's internal systems.
That is the promised land: export decisions made on evidence, not trust. Safety assessments completed in days, not months. Insurance priced on verifiable data, not guesswork. Enterprise buyers who can confirm your AI claims without demanding access to your systems.
What Is in the Way
Five obstacles stand between any AI company and that outcome. REGINALD removes each one.
1. Safety reports are prose
A regulator cannot query a PDF. They can read it, but they cannot check it automatically against other claims, verify its integrity, or confirm it has not been changed since publication.
What REGINALD does: Registers machine-readable declarations - structured data specifying capability matrix, known limits, failure modes, and risk tier. Queryable, not just readable.
2. There is no proof of authorship
A document can be altered. A signature cannot - not without breaking it.
What REGINALD does: Uses RFC 9421 HTTP signatures over an operator-controlled DID-document key. If the attestation changes, the signature fails. The verifier knows immediately.
3. There is no chain of custody
A single attested claim is a snapshot. A regulator needs to know how that claim was reached and what changed between training and deployment.
What REGINALD does: Maintains an immutable audit trail. Every change tracked, every review recorded, every test result stored.
4. Third-party verification requires internal access
Asking a partner or auditor to verify AI claims today means giving them access to systems you may not want to share.
What REGINALD does: Makes attestations public and verifiable by any third party using standard open-source tools - DID resolution, JCS, Ed25519. No internal access required.
5. Every company invents its own format
A bespoke attestation document from one company cannot be compared against one from another. There is no common ground for a regulator, an insurer, or a buyer.
What REGINALD does: Built on open standards - OKF, Schema.org, DCAT, IETF RFC 9421, SPDX. The metadata layer (MX) is open and governed by The Gathering, a community standards body. Any company can implement the standard. REGINALD is the registry that makes it discoverable and trustworthy.
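What the third-party check under obstacles 2 and 4 involves, as an added example that is not REGINALD's own code: the DID, the declaration's field names and the in-memory DID document are constructed for illustration. It signs the JCS-canonicalised declaration directly with Ed25519 rather than building an RFC 9421 HTTP signature base.

```javascript
const { generateKeyPairSync, createPublicKey, sign, verify } = require('node:crypto');

// JCS (RFC 8785) for JSON.parse-style data: members sorted by UTF-16 code
// units, no whitespace, primitives serialised as JSON.stringify does.
function canonicalize(value) {
  if (value === undefined || (typeof value === 'number' && !Number.isFinite(value))) {
    throw new TypeError('value is not representable in JSON');
  }
  if (value === null || typeof value !== 'object') return JSON.stringify(value);
  if (Array.isArray(value)) return '[' + value.map(canonicalize).join(',') + ']';
  return '{' + Object.keys(value).sort()
    .map((k) => JSON.stringify(k) + ':' + canonicalize(value[k])).join(',') + '}';
}

// Constructed stand-in for DID resolution: a real verifier fetches the DID
// document; here it is built in memory so the example runs offline.
const { publicKey, privateKey } = generateKeyPairSync('ed25519');
const OPERATOR_DID = 'did:example:operator'; // hypothetical identifier
const KEY_ID = OPERATOR_DID + '#key-1';
const didDocument = {
  id: OPERATOR_DID,
  verificationMethod: [{ id: KEY_ID, type: 'JsonWebKey2020', controller: OPERATOR_DID,
    publicKeyJwk: publicKey.export({ format: 'jwk' }) }],
};

// Constructed declaration; field names are illustrative, not a REGINALD schema.
const declaration = { riskTier: 'limited', knownLimits: ['no autonomous code execution'],
  failureModes: ['hallucinated citations'], capabilities: { audit: true, deploy: false } };

// Operator side: sign the canonical bytes, not whatever serialisation is on disk.
function signDeclaration(decl, key, keyId) {
  const bytes = Buffer.from(canonicalize(decl), 'utf8');
  return { declaration: decl, proof: { keyId, signature: sign(null, bytes, key).toString('base64') } };
}

// Verifier side: needs only the attestation and the resolved DID document.
function verifyAttestation(att, didDoc) {
  const vm = didDoc.verificationMethod.find((m) => m.id === att.proof.keyId);
  if (!vm || vm.controller !== didDoc.id) return false; // unknown or foreign key
  const key = createPublicKey({ key: vm.publicKeyJwk, format: 'jwk' });
  if (key.asymmetricKeyType !== 'ed25519') return false; // pin the algorithm
  const bytes = Buffer.from(canonicalize(att.declaration), 'utf8');
  return verify(null, bytes, key, Buffer.from(att.proof.signature, 'base64'));
}

const attestation = signDeclaration(declaration, privateKey, KEY_ID);
```

A passing check shows the declaration is byte-for-byte what the key holder signed, regardless of member order or whitespace in transit; it does not establish that the declared capabilities or limits are accurate.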
The Evidence
We built REGINALD to solve our own problem first. Our AI partner Maxine operates through it every day. Every audit she produces carries a REGINALD-registered evidence chain - not just a report, but an attested record any third party can verify. Her capability declarations are registered: what she can do, what she cannot, what she was trained to do.
The infrastructure is not a prototype. It is production-ready, self-deployed, and running.
The EU AI Act is in force. The US voluntary review framework will formalize. The UK, Canada, Australia, Singapore, and Japan are all moving. Each one of them will hit the same wall the Trump administration just hit: companies that can prove their claims will clear it. Companies that cannot will negotiate.
The window to build attestation infrastructure before regulators mandate it is about 18 months.
Note: This page describes regulatory frameworks in general terms only. Nothing here is legal advice. Requirements vary by jurisdiction, organisation type, and use case. Consult qualified legal specialists for guidance specific to your situation.