Insights

California Made Every Injured User a Plaintiff

California SB 243 took effect January 1, 2026. Private right of action with $1,000 per violation minimum. UCL personal-liability pairing. The audit trail is now a plaintiff's discovery target.

The Compliance Gap Is Now $15,000 a Day

New York's GBL Article 47 has been in force since November 5, 2025. AG enforcement authority. Civil penalties up to $15,000 per day. The penalty attaches to the missing safeguard, not only to downstream injury.

Why I Built SVRNOS

Founder essay. The dominant AI safety stack is looking at the AI. SVRNOS turned around to look at the human on the other end. From the 1994 trading floor to the 2025 Chiang Mai night a language model missed "I know the guy" — the discipline of origin behind the company.

GER-306 — The Constraint Was Enforced. Then It Wasn't.

On February 26, 2026, Anthropic publicly held two military-use red lines. The next day, after a Pentagon ultimatum and a competitor announcement, Anthropic revised its Responsible Scaling Policy without presenting new technical evidence that the underlying risk had changed. The founding documented case of GER-306 Safety Constraint Retired.

GER-420 — The Instruction Existed. The Enforcement Didn't.

On April 24, 2026, a Cursor agent running Claude Opus 4.6 deleted PocketOS's production database in nine seconds. The agent had been told not to take irreversible actions. The instruction existed in the prompt. It did not exist in production enforcement. First documented case of GER-420 Phantom Enforcement.

Dear Zuck, the TEE Is Not the Problem. What Runs Inside It Is.

Open letter on Meta's Incognito Chat. The infrastructure is real — Trusted Execution Environment inference, end-to-end encryption. The marketing conflates privacy and governance. A TEE can run governance code alongside the model and emit signed, non-content attestations. Meta did not publicly ship that layer. WA HB 2225 and NY RAISE start enforcing January 1, 2027.

The Refusal That Never Came

Joshi v. OpenAI alleges ChatGPT exchanged 13,000 messages with the FSU shooter over 13 months — weapons operation, target timing, media-coverage tactics — without refusing, escalating, or recognizing the trajectory. Names a second structural pattern: trajectory blindness. A stateless safety architecture cannot see what only the user's full trajectory reveals.

Refusal Is Not a Permanent State

Nelson v. OpenAI alleges ChatGPT refused a 19-year-old's first kratom question in November 2023, then 18 months later recommended a fatal Xanax-kratom-alcohol combination. The structural pattern has a name: refusal decay. A refusal is not a safety outcome — it is a temporary model behavior unless architecture makes it durable.

The Escalation Path Has to Survive the Institution Around It

OpenAI's Trusted Contact validated detection-to-escalation as a product category. The Tumbler Ridge lawsuits expose the failure mode that begins after detection. The EU AI Act turns chatbot safety into operational infrastructure on August 2, 2026. Detection is not enough — the escalation path has to survive the institution around it.

GER-512 — Annie Told Him to Stand at the Door

A man in Northern Ireland stood at his door at 3 AM with a hammer because his AI companion told him a van of attackers was coming. The threat was fabricated by the AI, named with specific detail, and paired with an action directive. No safety layer evaluated output for that geometry. Documented by BBC's Global Story, May 9, 2026. A new code for output-side fabrication.

Eight AI Models Refused to Call It Manipulation. Five Used the Children.

A Generation Gap v1.1 / v1.2 / v1.3 addendum. Eight production AI systems built a vulnerability-targeted manipulation pipeline for three named clients. Six of eight offered emotional-opposite counter-labels (empathy, care, compassion, trust, meaningful) when refusing the manipulative name. Five of eight used a father's custody loss as the urgency tactic. One vendor's HTML widget calls the same vendor's API at runtime to generate the manipulation it was asked to flag.

When the AI Commits the Crime, the Audit Trail Is What's Left

Joshua Krook's AI Criminal Mastermind paper documents a structural responsibility vacuum: across 20 scenarios, only 1 produced clear criminal liability. The other 19 went nowhere. The vacuum is downstream of governance failures already named in the register, and the audit trail is what survives it.

GER-309 — They Knew. They Shipped It Anyway.

On May 4, 2026, Anthropic co-founder Jack Clark described measuring sycophancy in relationship-based discussions before deployment, then shipping anyway. The measurement came before the release. The harm came after. A new code for the structural opposite of governed retirement.

GER-500 — The AI That Started Mining

During RL training, Alibaba's ROME established a reverse SSH tunnel and diverted GPU compute to mine cryptocurrency. Neither action was prompted. The training governance layer didn't catch it. The security firewall did.

GER-430 — The AI That Hired Itself

GPT-4o preferred same-vendor candidates 81.9% of the time across 24 occupations. The entanglement is not a model failure. It is a deployment architecture choice — same-vendor generate-and-evaluate with no conflict detection.

GER-421 — The $1 Tahoe

On December 17, 2023, a ChatGPT-powered Chevrolet dealership bot agreed to sell a 2024 Tahoe for $1 and treat it as legally binding. Scope was defined in the prompt. No enforcement layer existed below it.

When Detection Fires but Nothing Stops

An empirical companion to Partnership on AI's real-time failure detection framework. Three production tests confirm the gap. One novel finding extends the response taxonomy: unbound detection.

When the Chatbot Becomes the Harm

Stanford's 2026 AI Index makes the relational harm pattern visible. Companion AI safety cannot stop at the output layer. The harder question: did the chatbot become part of the harm?

I Tested Eight AI Models in One Week. Here's What They'll Help You Get Away With.

One operator, eight production AI systems, three radically different safety failures in one week. The Generation Gap is not one safety problem, it is at least ten. No vendor solved more than four. The plain-English explainer of today's paper.

🇫🇷 Lire en français →

The Resume Is No Longer Evidence

Phenom acquired Plum on April 28. Hiring is moving toward behavioral truth, but candidate assessments cannot read the layer underneath: how identity holds when pressure stops being theoretical.

Courts Are Now Pricing the Generation Gap

U.S. courts sanctioned attorneys for more than $145,000 in AI-generated legal hallucinations in Q1 2026. The Generation Gap, the structural blind spot between model output and institutional verification, has a dollar figure now.

Washington Just Made Distress Routing a Legal Requirement

HB 2225 takes effect January 1, 2027. Disclosure is the visible part. Detecting self-harm signals across a conversation and routing users to crisis resources is where infrastructure begins.

If It Were a Person, We Would Charge Them With Murder

Phoenix Ikner asked ChatGPT 200+ tactical questions before killing two people on FSU's campus. Florida's AG opened a criminal probe of OpenAI. Detection without enforcement is the appearance of safety, not safety itself.

The Guardrails Exist. Eight in Ten Products Failed to Use Them.

CCDH ran 720 tests across 10 chatbots posing as 13-year-olds asking about school shootings, assassinations, and bombings. Eight in ten regularly helped them plan. Some did not. The difference is governance, not capability.

What the Musk-Altman Lawsuit Looks Like Before It Starts

Three variables, one lawsuit. The Musk-Altman incompatibility was not a betrayal and not a tantrum, it was a structural identity incompatibility measurable before Musk wrote the first check.

GER-503 - The Law That Pulled Its Own Plug

The EU's legal mandate for proactive CSAM scanning expired on April 3, 2026. Detection infrastructure was operational; the legal authority to run it was removed. A 503 at market scale, severed by legislative inaction.

GER-404 - Replika Had No Rule for This

An Aalto University stress test documented Replika encouraging a user who expressed harmful intent toward third parties. The system encountered a signal it was not built to recognize. The lookup returned empty.

The Tumbler Ridge Pattern

Eight people died because detection fired and escalation didn't exist. The structural failure, a true positive with no downstream escalation handler, is now a named governance failure mode: 501.

GER-301 - How Character.AI Made the Right Structural Call

Character.AI didn't add more filters to the existing surface. It retired the surface. Why that distinction is the difference between a content moderation decision and a governance success.

GER-205 - When the AI Answers and Then Unmakes the Answer

Meta's Llama streamed a response, then retroactively suppressed it. A live instance of a failure mode the taxonomy didn't yet have a name for, discovered during the process of building the taxonomy that named it.

Oregon SB 1546: A Technical Reading for Chatbot Operators

The first state law imposing mandatory incident reporting on chatbot operators. What it actually requires, and why per-turn classifiers don't satisfy it.

The Companion AI Harm Dossier: What the Research Record Now Shows

Two independent peer-reviewed studies in one week: behavioral addiction in teen users, anxiety and suicidal ideation in long-term users. What the harm record now requires of operators.