{ "$schema": "https://agenticsurfaces.org/patterns.schema.json", "generated": "build-time", "count": 72, "patterns": [ { "id": "1.1", "title": "Cryptographic content provenance", "territory": 1, "slug": "cryptographic-content-provenance", "maturity": "established", "maturityLevels": [ { "level": "established", "note": "For images and video, where binding provenance to a file at intake is a settled response." }, { "level": "emerging", "note": "For documents, where the same approach is being worked out but not yet routine." }, { "level": "frontier", "note": "For government text submissions, where the chain breaks at every copy-paste boundary and provenance for pasted text has not been solved." } ], "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "C2PA Technical Specification (v2.4)", "jurisdiction": "C2PA", "year": 2026, "source": "https://spec.c2pa.org/specifications/specifications/2.4/specs/C2PA_Specification.html" }, { "name": "C2PA Explainer", "jurisdiction": "C2PA", "source": "https://spec.c2pa.org/specifications/specifications/2.4/explainer/Explainer.html" }, { "name": "Content Credentials (Wikipedia)", "source": "https://en.wikipedia.org/wiki/Content_Credentials" }, { "name": "C2PA v2.1 Specification", "jurisdiction": "C2PA", "year": 2024, "source": "https://spec.c2pa.org/specifications/specifications/2.1/specs/_attachments/C2PA_Specification.pdf" }, { "name": "C2PA Standard History & Limitations Analysis", "source": "https://truescreen.io/articles/c2pa-standard-history-limitations/" } ], "assurance": "Government needs confidence that a digital submission's origin and edit history are what they claim to be, so an agency receiving it can rely on where it came from and how it was changed rather than judging the content alone.", "access": "C2PA depends on cryptographic infrastructure (certificate authorities, signing tools, verification services) that most text editors and word processors do not implement, which risks a two-tier system penalizing the low-resource submitter who drafts in a plain text box. Content Credentials stay an optional enhancement that adds assurance, never a precondition for a submission to be accepted.", "surface": { "summary": "A submission-platform intake that cryptographically signs each document on receipt, surfacing a badge that records the time of receipt and the submitter's identity without claiming to prove authorship.", "instances": [ { "domain": "interaction", "kind": "mockup", "annotation": "Because the provenance chain breaks at every copy-paste boundary, the response signs each document where the agency controls it, at intake, recording the time of receipt and the submitter's identity. It records that the submission arrived and was unaltered after that point, and makes no claim about who originally authored it." } ] }, "whereThingsGoWrong": "The failure mode here is a flawed derivation: a figure authentic in origin yet wrong in how it was computed, such as a debt averaged from annual income data. Provenance on the document alone misses this, because the document is genuine. Only a tamper-evident chain of how each figure was derived makes the calculation method auditable after the fact.", "challenge": "Tools that generate, modify, and fabricate digital content (images, video,\naudio, and increasingly documents) are now widely available, and as citizens\nuse them routinely to prepare what they send to government, submissions arrive\nwith no reliable signal of their origin or editing history. An agency receiving\na digital submission cannot tell an original document from a synthetic one by\nexamining the content alone, and that gap widens as agent-generated material\nbecomes a normal part of the intake.\n", "precedentsNote": "**C2PA specification (v2.4, April 2026).** The Coalition for Content\nProvenance and Authenticity (founded by Adobe, ARM, Intel, Microsoft, and\nTruepic) has developed an open technical standard for cryptographically binding\nprovenance metadata to digital assets. The core construct is the Content Credential,\na tamper-evident structure recording who created an asset, what tools were used,\nand how it was modified. Each edit adds to the provenance chain rather than\nreplacing it. The standard is backed by a broad cross-industry membership spanning\ntechnology, media, and hardware companies (the allied Content Authenticity Initiative\nalone reports over 5,000 members). See the [C2PA Technical Specification](https://spec.c2pa.org/specifications/specifications/2.4/specs/C2PA_Specification.html)\nand the [C2PA Explainer](https://spec.c2pa.org/specifications/specifications/2.4/explainer/Explainer.html).\n\n**Implementation ecosystem.** Samsung's Galaxy S25 became the first consumer\nsmartphone integrating C2PA signing directly into the native camera app. Adobe's\nContent Authenticity Initiative embeds Content Credentials across Creative Cloud.\nThe BBC has adopted Content Credentials for news media provenance, and Microsoft\nhas integrated the standard into its media tools. See\n[Content Credentials (Wikipedia)](https://en.wikipedia.org/wiki/Content_Credentials).\n\n**Text and document support.** C2PA v2.1 (September 2024) added new regions of\ninterest for text-based formats including PDF, Office documents, and EPUB, and the\nspecification defines provenance for \"an asset in a form such as an image, video,\naudio recording, or document.\" However, practical implementations remain heavily\nconcentrated on images and video; text document tooling is nascent. Cloud-based\nmanifests in v2.2 (May 2025) extended coverage to formats that cannot embed\nmetadata directly, creating a pathway for plain-text provenance. See the\n[C2PA v2.1 Specification](https://spec.c2pa.org/specifications/specifications/2.1/specs/_attachments/C2PA_Specification.pdf)\nand a [limitations analysis](https://truescreen.io/articles/c2pa-standard-history-limitations/).\n", "transferability": "**Medium transferability, with significant gaps.** C2PA's architecture binds a\ncryptographic manifest to a file at creation and through each subsequent edit.\nThis maps well to document submissions where the government controls the\nsubmission tool (an online form that generates a signed PDF). It maps poorly to\nthe more common case: a citizen drafting text in an arbitrary word processor,\nemail client, or AI assistant and pasting it into a web form. The chain of\nprovenance breaks at every copy-paste boundary.\n\nFor government consultation submissions, C2PA would need to operate at the\nsubmission-platform level rather than the authoring-tool level. The platform\ncould sign the submission at intake, recording the submitter's identity and\ntimestamp, but this proves reception, not authorship. Proving authorship\nprovenance for text remains an open problem in the specification.\n\nThe image-text gap is structural. Images have a 1:1 relationship between file and\ncontent; text is routinely composed across tools, edited collaboratively, and\nsubmitted by pasting. C2PA's file-centric provenance model does not transfer\ncleanly to text-centric workflows, and proving authorship provenance for pasted\ntext remains the unsolved gap.\n" }, { "id": "1.2", "title": "Verifiable credentials and decentralized identity", "territory": 1, "slug": "verifiable-credentials-decentralized-identity", "maturity": "established", "maturityLevels": [ { "level": "established", "note": "For identity verification — verifying who someone is to a credential is a settled response (W3C Recommendation, eIDAS mandate)." }, { "level": "frontier", "note": "For using the same credentials to attest how a submission was prepared — binding a preparation-method claim to that verified identity has not been built." } ], "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "W3C Verifiable Credentials 2.0 — Recommendation Announcement", "jurisdiction": "W3C", "year": 2025, "source": "https://www.w3.org/news/2025/the-verifiable-credentials-2-0-family-of-specifications-is-now-a-w3c-recommendation/" }, { "name": "W3C Verifiable Credentials Overview", "jurisdiction": "W3C", "source": "https://www.w3.org/TR/vc-overview/" }, { "name": "W3C VC Working Group Charter 2026", "jurisdiction": "W3C", "year": 2026, "source": "https://w3c.github.io/vc-charter-2026/" }, { "name": "Regulation (EU) 2024/1183 (eIDAS 2.0) — EUR-Lex", "jurisdiction": "EU", "year": 2024, "source": "https://eur-lex.europa.eu/eli/reg/2024/1183/oj" }, { "name": "Qualified Electronic Attestations Explained", "jurisdiction": "EU", "source": "https://www.corbado.com/glossary/qualified-electronic-attestations" }, { "name": "QEAA Put Simply — Bundesdruckerei", "jurisdiction": "EU", "source": "https://www.bundesdruckerei.de/en/innovation-hub/qeaa-put-simply" }, { "name": "Digital ID Act 2024", "jurisdiction": "AU", "year": 2024, "source": "https://www.digitalidsystem.gov.au/what-is-digital-id/digital-id-act-2024" }, { "name": "Legislating the Future of Identity Verification — Allens", "jurisdiction": "AU", "year": 2026, "source": "https://www.allens.com.au/insights-news/insights/2026/04/legislating-the-future-of-identity-verification-navigating-australias-digital-id-act/" }, { "name": "Trusted Digital Identity Framework (TDIF) — AGA", "jurisdiction": "AU", "source": "https://architecture.digital.gov.au/standard/trusted-digital-identity-framework-tdif" }, { "name": "Digital ID Is Going Mainstream in 2026 — Authsignal", "year": 2026, "source": "https://www.authsignal.com/blog/articles/digital-id-is-going-mainstream-in-2026" } ], "assurance": "Government needs confidence that a claim about a submitter (their identity, qualification, or authority to act for others) holds to a sufficient level, without forcing the submitter to disclose more than the purpose requires, and with an accountable holder standing behind the claim.", "access": "Digital identity wallets require smartphone ownership, digital literacy, and willingness to engage with biometric or document verification; the EU's 80% adoption target concedes that 20% will not use the wallet, and required identity excludes legitimate anonymous and pseudonymous participation. Verified identity stays an optional signal that adds weight to provenance claims, anonymous channels stay open, and the trade-off is shown rather than applied as a silent discount on anonymous input.", "surface": { "summary": "A consent-and-disclosure step where a submitter optionally presents a verified credential and attaches a self-asserted 'submission process attestation' claim bound to that identity.", "instances": [ { "domain": "interaction", "kind": "mockup", "annotation": "Because a verified credential proves who is submitting but says nothing about how the submission was prepared, the response keeps the two claims plainly apart: an independently attested identity sits beside a preparation-method declaration the submitter makes themselves, cryptographically bound to that identity but not separately verified. The reader can see at a glance which claim is vouched for and which is the submitter's own word." } ] }, "whereThingsGoWrong": "Identity binding governs who is submitting, not how an agency reaches a decision, so it does not by itself stop a bad automated decision. The transferable failure it guards against is a system issuing consequential demands with no named author to answer for them. Binding each automated determination to an accountable decision-maker creates the chain of responsibility that is otherwise missing.", "challenge": "Tools that let a citizen carry portable, machine-verifiable credentials and have\nan agent present them are now widely available. As that becomes routine, an\nagency must be able to verify a claim about a submitter (their identity,\nqualifications, organizational affiliation, or authority to speak on behalf of\nothers) without requiring the submitter to disclose more information than the\npurpose at hand calls for.\n", "precedentsNote": "**W3C Verifiable Credentials Data Model v2.0 (W3C Recommendation, May 2025).** The\nfull family of VC specifications achieved Recommendation status in 2025,\nestablishing a web standard for expressing credentials (driver's licenses,\ndegrees, professional registrations) in a cryptographically secure,\nprivacy-respecting, and machine-verifiable form. The model supports selective\ndisclosure. See the [Recommendation announcement](https://www.w3.org/news/2025/the-verifiable-credentials-2-0-family-of-specifications-is-now-a-w3c-recommendation/),\nthe [VC overview](https://www.w3.org/TR/vc-overview/), and the\n[2026 Working Group charter](https://w3c.github.io/vc-charter-2026/) signaling\nsustained institutional commitment.\n\n**EU eIDAS 2.0 and Qualified Electronic Attestation of Attributes (QEAA).** The\nrevised eIDAS regulation (Regulation (EU) 2024/1183), which entered into force on\n20 May 2024, mandates that all EU member\nstates provide European Digital Identity Wallets by end of 2026, with services\nrequired to accept them from 2027. The QEAA trust service provides a legally\nrecognized form of Verifiable Credentials issued by Qualified Trust Service\nProviders, with cross-border interoperability via the Architecture Reference\nFramework and an 80% adoption target by 2030. See\n[Regulation (EU) 2024/1183](https://eur-lex.europa.eu/eli/reg/2024/1183/oj),\n[QEAA explained](https://www.corbado.com/glossary/qualified-electronic-attestations),\nand [QEAA put simply](https://www.bundesdruckerei.de/en/innovation-hub/qeaa-put-simply).\n\n**Australian Digital Identity System.** The Digital ID Act 2024 established a\nlegislated accreditation scheme building on the Trusted Digital Identity Framework\n(TDIF) pilot operational since 2019. The TDIF is now the former accreditation\nframework — under review, with new accreditation paused — having been superseded in\npractice by the Australian Government Digital ID System (AGDIS) under the Digital ID\nAct 2024. The system, most recognizable as myGovID, opens to the private sector from\nDecember 2026, with November 2025 rule reforms adding a redress framework. But it\nis designed for identity verification, not content provenance or submission\nprocess attestation. See the\n[Digital ID Act 2024](https://www.digitalidsystem.gov.au/what-is-digital-id/digital-id-act-2024),\n[Allens' analysis](https://www.allens.com.au/insights-news/insights/2026/04/legislating-the-future-of-identity-verification-navigating-australias-digital-id-act/),\nand the [TDIF standard](https://architecture.digital.gov.au/standard/trusted-digital-identity-framework-tdif).\n\n**India: Aadhaar Verifiable Credentials in Google Wallet (April 2026).** Google\nadded Aadhaar-based Verifiable Credentials to Google Wallet for India using the\nW3C Digital Credentials API and ISO/IEC 18013-5, demonstrating government-scale VC\nintegration into consumer wallet infrastructure. See\n[Authsignal's coverage](https://www.authsignal.com/blog/articles/digital-id-is-going-mainstream-in-2026).\n", "transferability": "**High transferability for identity verification; low transferability for content\nprovenance.** Verifiable Credentials solve the \"who is submitting\" problem well.\nThey do not solve the \"how was this submission prepared\" problem at all. A citizen\npresenting a verified credential proves their identity but says nothing about\nwhether their submission was personally drafted, AI-generated, or copied from a\ncampaign template.\n\nVCs could be extended with custom claim types, such as a \"submission process\nattestation\" claim where the holder declares the preparation method. This would be\nself-attested but cryptographically bound to identity, creating accountability for\nfalse declarations. No such credential type has been built, so it is an unbuilt\nresponse rather than an adaptation of an existing one.\n\nThe gap is concrete wherever a national digital identity scheme already exists.\nA government authentication wallet typically handles sign-in to public services\nbut offers no mechanism for attaching provenance claims to the submissions a\ncitizen lodges through it. An accreditation framework could in principle support\nattribute assertions about preparation methods, but where no such use case has\nbeen contemplated in the legislation, rules, or technical architecture, closing\nthe gap depends on amending the scheme's rules rather than on the technology\nalone.\n" }, { "id": "1.3", "title": "Self-attestation and disclosure", "territory": 1, "slug": "self-attestation-disclosure-ux", "maturity": "established", "maturityLevels": [ { "level": "established", "note": "In academic publishing and legal practice, where asking submitters to declare how they prepared their work is a settled response." }, { "level": "emerging", "note": "For government consultations, where applying it to citizen submissions is still new but has strong analogues to draw from." } ], "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "Publisher AI Policies & Disclosure Rules — Enago", "source": "https://www.enago.com/responsible-ai-movement/resources/publisher-ai-policies-disclosure-rules-authors" }, { "name": "AI Disclosure Policies by Journal — AI Usage Cards", "source": "https://ai-cards.org/ai-disclosure-policies-by-journal/" }, { "name": "AI Policies in Academic Publishing 2025 — Thesify", "year": 2025, "source": "https://www.thesify.ai/blog/ai-policies-academic-publishing-2025" }, { "name": "AI Hallucination Cases Database — Damien Charlotin (HEC Paris)", "jurisdiction": "Global", "year": 2026, "source": "https://www.damiencharlotin.com/hallucinations/" }, { "name": "AI Court Disclosure Map 2026 — AI Vortex", "jurisdiction": "US", "year": 2026, "source": "https://www.aivortex.io/legal/guides/ai-court-disclosure-map-2026/" }, { "name": "Mata v Avianca — Legal AI Governance", "jurisdiction": "US", "year": 2023, "source": "https://legalaigovernance.com/tracker/cases/mata-v-avianca/" }, { "name": "AI Disclosure Requirements in Legal Work — Spellbook", "jurisdiction": "US", "source": "https://spellbook.com/learn/ai-disclosure-requirements-legal-work-product" }, { "name": "AI Declaration Statement — Pressbooks", "source": "https://kpu.pressbooks.pub/booktemplate/front-matter/ai-declaration-statement/" }, { "name": "Three Disclaimers for Safe Disclosure — arXiv", "source": "https://arxiv.org/pdf/2404.09041" }, { "name": "Registering and Declaring Interests — UK Parliament", "jurisdiction": "UK", "source": "https://guidetoprocedure.parliament.uk/articles/xl01eB4L/registering-and-declaring-interests" }, { "name": "Conflict of Interest Declaration Form — UK Procurement Pathway", "jurisdiction": "UK", "source": "https://www.procurementpathway.civilservice.gov.uk/documents/template/pa-2023-conflict-of-interest-declaration-form/manage-and-monitor" }, { "name": "Conflict of Interest — Australian Department of Finance", "jurisdiction": "AU", "source": "https://www.finance.gov.au/government/procurement/clausebank/conflict-interest" }, { "name": "Preventing and Managing Conflicts of Interest in the Public Sector — UNODC", "source": "https://www.unodc.org/documents/corruption/Publications/2020/Preventing-and-Managing-Conflicts-of-Interest-in-the-Public-Sector-Good-Practices-Guide.pdf" } ], "assurance": "Government needs a usable, low-barrier provenance signal that nearly any submitter can produce, and that carries real weight rather than being a formality. A self-declaration meets that need only when a false certification carries professional or reputational consequence.", "access": "Complex multi-field disclosure forms create a compliance burden falling disproportionately on individuals (versus organizations with compliance teams) and may deter submitters with low literacy, cognitive disabilities, or limited English. Provide a simple default ('I prepared this submission myself without AI tools') as the fastest path, offer the form in plain language with examples, and treat incomplete disclosure as a flag for follow-up, never a barrier to submission.", "surface": { "summary": "A 'preparation method' section in the intake form with a one-tap default and progressively disclosed structured fields for those who used AI or submit on an organization's behalf.", "instances": [ { "domain": "interaction", "kind": "mockup", "annotation": "Because a structured account of tool, version, task, and extent tells a decision-maker far more than a yes-or-no checkbox, the response opens with a single default for the common case and reveals the specific fields only once a submitter says they used AI assistance. Most people finish in one tap, and the detail appears only for the submissions where it informs how the entry should be read." } ] }, "whereThingsGoWrong": "Self-attestation governs how a submission was prepared, not how an agency reaches a decision, so it does not bear on a decision-side failure. The transferable lesson is that attestation without consequence is performative, which is exactly why an unaccountable automated process must never be trusted on its own assertion.", "challenge": "In the absence of cryptographic proof, the most widely deployed provenance\nmechanism is self-declaration: asking the submitter to state how their submission\nwas prepared. This is cheap and universal but relies on honesty, and its\neffectiveness depends heavily on form design.\n", "precedentsNote": "**Academic publisher AI disclosure policies (2024–2026).** Nearly every major\nacademic publisher now requires authors to disclose AI tool usage, with no\npublisher allowing AI to be listed as an author. *Science* bans AI-generated text\noutright; *Springer Nature / Nature* prohibits AI authorship but allows undisclosed\ncopy-editing; *IEEE* requires acknowledgment-section disclosure; *Elsevier, Wiley,\nTaylor & Francis, SAGE* permit AI use with detailed, section-tied disclosure.\nVersion information is now standard: \"ChatGPT (GPT-4o, OpenAI, accessed January\n2026)\" with task description. See\n[Enago](https://www.enago.com/responsible-ai-movement/resources/publisher-ai-policies-disclosure-rules-authors),\n[AI Usage Cards](https://ai-cards.org/ai-disclosure-policies-by-journal/), and\n[Thesify](https://www.thesify.ai/blog/ai-policies-academic-publishing-2025).\n\n**Legal profession AI disclosure (post-Mata v Avianca).** In June 2023, Judge\nP. Kevin Castel (SDNY) sanctioned attorneys who submitted a brief containing\nfabricated ChatGPT citations under Rule 11. The case catalysed a wave of judicial\ndisclosure requirements; Judge Brantley Starr (N.D. Tex.) and the Fifth Circuit\nnow require certification that filings were either not AI-drafted or\nhuman-verified. The problem did not abate: a research database tracking court\ndecisions on AI-fabricated content had catalogued over 1,200 such cases worldwide\nby early 2026. See the\n[AI Hallucination Cases Database (Damien Charlotin)](https://www.damiencharlotin.com/hallucinations/),\nthe [AI Court Disclosure Map 2026](https://www.aivortex.io/legal/guides/ai-court-disclosure-map-2026/),\n[Mata v Avianca](https://legalaigovernance.com/tracker/cases/mata-v-avianca/), and\n[Spellbook](https://spellbook.com/learn/ai-disclosure-requirements-legal-work-product).\n\n**The Artificial Intelligence Disclosure (AID) Framework.** An emerging structured\nframework featuring a self-assessment rubric, checkbox declarations with toggle\ndescriptions, and version tracking (tool, version, access date, task). See the\n[AI Declaration Statement template](https://kpu.pressbooks.pub/booktemplate/front-matter/ai-declaration-statement/)\nand [Three Disclaimers for Safe Disclosure](https://arxiv.org/pdf/2404.09041).\n\n**Conflict-of-interest declarations in government and parliamentary contexts.** The\nUK Parliamentary Register of Members' Financial Interests requires registration\nwithin 28 days, with API access under the Open Parliament Licence. The UK's\nProcurement Pathway provides a standardized conflict-of-interest declaration form,\nAustralia's Department of Finance maintains a clausebank template, and the UNODC\ndocuments international good practice. See\n[UK Parliament](https://guidetoprocedure.parliament.uk/articles/xl01eB4L/registering-and-declaring-interests),\n[UK Procurement Pathway](https://www.procurementpathway.civilservice.gov.uk/documents/template/pa-2023-conflict-of-interest-declaration-form/manage-and-monitor),\n[Australian Department of Finance](https://www.finance.gov.au/government/procurement/clausebank/conflict-interest),\nand [UNODC](https://www.unodc.org/documents/corruption/Publications/2020/Preventing-and-Managing-Conflicts-of-Interest-in-the-Public-Sector-Good-Practices-Guide.pdf).\n", "transferability": "**High transferability for the mechanism; uncertain effectiveness.** Self-attestation\nis the lowest-barrier provenance signal: no special technology, no identity\ninfrastructure, no changes to authoring tools. The academic and legal precedents\nshow that structured disclosure forms specifying tool, version, task, and extent\nproduce more useful information than binary checkboxes.\n\nA government intake form could include a structured \"preparation method\" section:\nwhether the submission was drafted personally, by someone else, or with AI\nassistance; if AI-assisted, which tools and for which parts; and whether it is made\non behalf of an organization. The academic model of requiring this in a specific\nsection translates to a structured field at submission time rather than text\nburied in the submission.\n\nThe critical limitation is that self-attestation without consequences is\nperformative. The legal model works because false certification triggers\nprofessional sanctions; academic disclosure works because misconduct findings\ndamage careers. Government consultations typically lack equivalent enforcement, so\nthe declaration needs pairing with a way to bind it to a verified identity, or\nwith meaningful consequences for a false declaration, before it carries weight.\n" }, { "id": "1.4", "title": "Proof of personhood at submission", "territory": 1, "slug": "proof-of-personhood-at-submission", "maturity": "emerging", "maturityLevels": [ { "level": "emerging", "note": "The building blocks (World ID, Privacy Pass, the House-passed Comment Integrity and Management Act) now make tiering a consultation's personhood bar to the stakes possible, and the FCC crisis showed the need." }, { "level": "frontier", "note": "As a deployed response for public consultations — no government platform has yet tiered its personhood bar to the stakes with a lower-friction fallback." } ], "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "How World ID Works — Gate Learn", "source": "https://www.gate.com/learn/articles/how-world-id-works" }, { "name": "World: Proof of Personhood — world.org", "source": "https://world.org/blog/world/proof-of-personhood-what-it-is-why-its-needed" }, { "name": "World 2026: Navigating Digital Identity — AMBCrypto", "year": 2026, "source": "https://ambcrypto.com/world-worldcoin-2026-navigating-digital-identity-in-the-age-of-artificial-intelligence/" }, { "name": "Comment Integrity and Management Act of 2024 (H.R. 7528)", "jurisdiction": "US", "year": 2024, "source": "https://www.congress.gov/bill/118th-congress/house-bill/7528" }, { "name": "House Bill Targets AI-Generated Comments — Nextgov", "jurisdiction": "US", "year": 2024, "source": "https://www.nextgov.com/artificial-intelligence/2024/05/house-bill-targets-ai-generated-comments-rulemaking/396419/" }, { "name": "Artificial Intelligence and Public Comment — CSG", "jurisdiction": "US", "source": "https://www.csg.org/2025/01/14/artificial-intelligence-and-public-comment/" }, { "name": "NY Attorney General report on fake net neutrality comments", "jurisdiction": "US", "year": 2021, "source": "https://ag.ny.gov/press-release/2021/attorney-general-james-issues-report-detailing-millions-fake-comments-revealing" }, { "name": "Millions of IDs Misused to Submit Net Neutrality Comments — IAPP", "jurisdiction": "US", "source": "https://iapp.org/news/a/millions-of-ids-misused-to-submit-net-neutrality-comments-to-fcc/" }, { "name": "FCC Flooded with Fake Comments — The Hill", "jurisdiction": "US", "year": 2017, "source": "https://thehill.com/policy/technology/332753-fcc-flooded-with-thousands-of-fake-anti-net-neutrality-comments/" }, { "name": "Mass, Computer-Generated, and Fraudulent Comments — ACUS", "jurisdiction": "US", "year": 2021, "source": "https://www.acus.gov/sites/default/files/documents/Final%20Report%20on%20Mass,%20Computer-Generated,%20and%20Fraudulent%20Comments%20(Final%2006-01-2021)_0.pdf" } ], "assurance": "Government needs confidence that a human was involved in a submission, a question distinct from knowing who that human is, and it needs that confidence to be proportionate to what the process decides, so a routine comment is not held to the same bar as a high-stakes proceeding.", "access": "Every proof-of-personhood mechanism excludes someone: CAPTCHAs exclude people with visual or cognitive disabilities, phone verification excludes the 3–5% of Australian adults without mobiles, government digital ID excludes those lacking documents or digital literacy, and biometrics exclude people with relevant physical conditions. Always provide a fallback pathway (submissions without proof of personhood are accepted but may be weighted or flagged for review), never require the highest-assurance proof for routine comment, and publish the trade-off openly.", "surface": { "summary": "A submission flow that picks a proof-of-personhood tier proportionate to the stakes, always offering a lower-friction fallback so no single method is a hard gate.", "instances": [ { "domain": "interaction", "kind": "mockup", "annotation": "Because personhood is treated as a gradient rather than a single gate, the response attaches a visible assurance signal to each submission (email-verified, phone-verified, or ID-verified) for the analysts who read it, instead of forcing one submit-or-don't checkpoint. A submission that clears only a lower tier still goes through, carrying a signal that tells the analyst how much weight its personhood claim can bear." } ] }, "whereThingsGoWrong": "Proof of personhood concerns inbound submissions, not outbound automated decisions, so it does not bear directly on a decision-side failure. The FCC fake-comment crisis carries the mirror-image lesson: volume-based systems are trivially gameable, and the damage surfaces only retrospectively, the same way harm from an unaccountable automated process appears long after the fact.", "challenge": "Tools that can generate and lodge submissions at unlimited volume are now widely\navailable, so as automated submission grows, a consultation process must be able\nto separate input a real person was involved in from input produced entirely by\nautomated systems. This is distinct from identity verification (knowing who\nsomeone is): proof of personhood asks only whether a human was involved, without\nnecessarily identifying them.\n", "precedentsNote": "**World ID (formerly Worldcoin).** World's proof-of-personhood system uses iris\nscanning via custom biometric devices (Orbs) to generate a unique encrypted\nidentity marker. The Semaphore protocol enables zero-knowledge proof of uniqueness,\nproving membership in the \"verified humans\" set without revealing identity. By\nearly 2026 nearly 18 million people had verified at an Orb, with consumer\nintegrations including Razer, Tinder (Match Group), Zoom, and Docusign. It is\nprivacy-preserving in theory but raises serious concerns about\nbiometric data collection, centralized control, and accessibility. See\n[Gate Learn](https://www.gate.com/learn/articles/how-world-id-works),\n[world.org](https://world.org/blog/world/proof-of-personhood-what-it-is-why-its-needed),\nand [AMBCrypto](https://ambcrypto.com/world-worldcoin-2026-navigating-digital-identity-in-the-age-of-artificial-intelligence/).\n\n**CAPTCHA and its successors.** Traditional CAPTCHAs are increasingly ineffective\nagainst AI. Google's reCAPTCHA v3 operates invisibly via behavioral analysis, but\nits scoring is opaque and declining in accuracy. Privacy Pass (Cloudflare and\nApple) offers token-based proof of humanness without tracking.\n\n**The US Comment Integrity and Management Act of 2024 (H.R. 7528).** This bill\npassed the US House of Representatives by voice vote in May 2024 but never passed\nthe Senate and lapsed when the 118th Congress ended in January 2025, so it did not\nbecome law. As a House-passed bill it nonetheless evidences legislative intent: it\nsought to address the flood of AI-generated comments on Regulations.gov by\nrequiring \"human verification to ensure that the comments are coming from a real\nperson.\" It did not propose to block AI-generated comments outright but would have\nestablished a management framework, including how mass \"form letter\" comments must\nbe published. It is the most direct legislative precedent for requiring proof of\npersonhood in a public submission context, even though it never came into force.\nSee\n[Congress.gov](https://www.congress.gov/bill/118th-congress/house-bill/7528),\n[Nextgov](https://www.nextgov.com/artificial-intelligence/2024/05/house-bill-targets-ai-generated-comments-rulemaking/396419/),\nand [CSG](https://www.csg.org/2025/01/14/artificial-intelligence-and-public-comment/).\n\n**The FCC net neutrality comment crisis (2017).** The FCC received 22 million\ncomments on its net neutrality repeal; the New York Attorney General estimated 9.6\nmillion may have used stolen identities. A 19-year-old submitted 7.7 million\ncomments via automated software; another 1.6 million came from fictitious entities.\nThe crisis demonstrated that volume-based comment systems are trivially gameable\nand that the damage is retrospective, with fake submissions identified months or\nyears later. See\n[IAPP](https://iapp.org/news/a/millions-of-ids-misused-to-submit-net-neutrality-comments-to-fcc/),\n[The Hill](https://thehill.com/policy/technology/332753-fcc-flooded-with-thousands-of-fake-anti-net-neutrality-comments/),\nand the [ACUS final report](https://www.acus.gov/sites/default/files/documents/Final%20Report%20on%20Mass,%20Computer-Generated,%20and%20Fraudulent%20Comments%20(Final%2006-01-2021)_0.pdf).\n", "transferability": "**Medium transferability with serious access trade-offs.** Proof of personhood\naddresses the \"unlimited volume\" half of the problem directly, and the Comment\nIntegrity and Management Act provides a direct legislative analogue for Australian\nconsultations. But the spectrum of mechanisms involves difficult trade-offs:\n\n| Mechanism | Assurance level | Privacy cost | Access barrier |\n|---|---|---|---|\n| CAPTCHA | Low (AI can solve) | Low | Medium (accessibility) |\n| Email verification | Low-medium | Medium | Low |\n| SMS/phone verification | Medium | Medium | Medium |\n| Government digital ID (myGovID) | High | High (identified) | High (requires setup) |\n| Biometric (World ID) | High | Very high (iris scan) | Very high |\n\nA tiered approach lets agencies set requirements proportionate to the stakes and\nvulnerability of the process. Low-stakes consultations might accept email\nverification; high-stakes regulatory proceedings might require verified identity.\nThe critical design decision is whether personhood verification is binary (submit\nor don't) or gradient (submissions carry different assurance signals visible to\nanalysts).\n" }, { "id": "1.5", "title": "Structured intake with process metadata", "territory": 1, "slug": "structured-intake-with-process-metadata", "maturity": "emerging", "maturityLevels": [ { "level": "emerging", "note": "The building blocks (session analytics, paste detection, structured forms) are mature, and the tax software audit trail offers a strong analogue." }, { "level": "frontier", "note": "Capturing how a submission was prepared as a byproduct of intake — no government consultation platform currently records preparation method as structured data." } ], "status": "reviewed", "threads": [ "financial-services" ], "dependsOn": [], "precedents": [ { "name": "Building an AI Audit Trail — Axiom Studio", "source": "https://axiomstudio.ai/blog/building-an-ai-audit-trail-from-model-selection-to-production" }, { "name": "AI Audit Trails — Cobbai", "source": "https://cobbai.com/blog/ai-audit-trails-support" }, { "name": "Show Editors in Google Docs — Google Workspace Updates", "year": 2021, "source": "https://workspaceupdates.googleblog.com/2021/05/view-more-context-on-google-docs-edits-with-show-editors.html" }, { "name": "AI in Public Consultations — Delib", "source": "https://www.delib.net/newsroom/ai-in-public-consultations" }, { "name": "Designing for Agentic AI: Practical UX Patterns — Smashing Magazine", "year": 2026, "source": "https://www.smashingmagazine.com/2026/02/designing-agentic-ai-practical-ux-patterns/" } ], "assurance": "Decision-makers need to interpret how a submission was prepared, not just read its final text, so they can weigh a week of personal drafting differently from a thirty-second generation or a circulated form letter. Government needs that preparation signal to be reliable enough to act on while costing the submitter little or no extra effort to produce.", "access": "Structured forms are slower than free-text boxes and can feel like bureaucratic interrogation, and multi-section forms are harder to navigate with assistive technology, so time-poor or frustrated citizens may abandon them. Always allow a free-text alternative alongside the structured intake, and treat the simple path as equivalent (just with less process metadata available), never as a disadvantaged submission.", "surface": { "summary": "A guided composition environment with sectioned fields, a non-blocking paste-disclosure prompt, and quietly captured session metadata, sitting beside a one-field free-text escape hatch.", "instances": [ { "domain": "interaction", "kind": "mockup", "annotation": "Because the preparation signal should come from the workflow itself rather than from an extra disclosure burden, the response is a guided intake that records timing and paste patterns as the submitter works, and offers a paste-detection prompt ('looks like you pasted from another source; want to note where it came from?') that the submitter can answer or skip. The information is gathered as a byproduct of building the submission, never as a gate the submitter must clear." } ] }, "whereThingsGoWrong": "Structured intake records how a citizen prepared a submission, not how an agency reached a decision, so it does not catch a decision-side failure. Its design principle still transfers: capturing a complete provenance chain from raw inputs to final output, as a byproduct of the workflow, is exactly the auditability that an opaque calculation pipeline lacks.", "challenge": "Conventional submission forms capture what was submitted but not how it was\nprepared. A 2,000-word consultation response looks identical whether it was\npersonally drafted over a week, generated by an AI in thirty seconds, or\ncirculated as a form letter by a campaign organization. Decision-makers need\nprocess metadata to interpret submissions appropriately.\n", "precedentsNote": "**Tax preparation software audit trails.** Consumer tax software (TurboTax, H&R\nBlock, Xero Tax) records every interaction during preparation: which questions the\nuser answered, which fields were auto-populated, which calculations ran\nautomatically, and where the user overrode a suggested value, a complete\nprovenance chain from raw inputs to filed return. The audit trail is invisible to\nthe user during preparation but available to the tax authority on request. The key\ninsight: process metadata is captured as a byproduct of the structured workflow,\nnot as an additional disclosure burden. See\n[Axiom Studio](https://axiomstudio.ai/blog/building-an-ai-audit-trail-from-model-selection-to-production)\nand [Cobbai](https://cobbai.com/blog/ai-audit-trails-support).\n\n**Collaborative document edit history.** Google Docs automatically records who\nwrote or edited every passage, with timestamps and color-coded attribution. The\n\"Show Editors\" feature reveals the edit provenance of any highlighted range, and\nversion history preserves every state, recording per-passage authorship as a\nbyproduct of collaborative editing. See\n[Google Workspace Updates](https://workspaceupdates.googleblog.com/2021/05/view-more-context-on-google-docs-edits-with-show-editors.html).\n\n**Consultation platform analytics (Citizen Space / Delib).** Purpose-built\nplatforms capture submission metadata including timing patterns, completion rates,\nand session data, with AI analysis on the 2026 roadmap and all AI outputs required\nto be traceable to original submissions. But current platforms capture metadata\nabout the submission event (when, from what IP, session length) rather than the\npreparation process. See [Delib](https://www.delib.net/newsroom/ai-in-public-consultations).\n\n**Agentic AI UX patterns for audit and accountability.** Smashing Magazine's 2026\npattern catalog includes \"Action Audit & Undo\" and \"Explainable Rationale and\nConfidence Signal\" patterns, concrete designs for a human-legible record of what\nan AI system did and why. These assume the AI tool records its own actions; the\nchallenge for submissions is extending this to tools the agency does not control.\nSee [Smashing Magazine](https://www.smashingmagazine.com/2026/02/designing-agentic-ai-practical-ux-patterns/).\n", "transferability": "**High transferability for the design principle; medium for implementation.** The\ntax software model is the strongest analogue: a structured workflow that captures\nprocess metadata as a natural byproduct. A government consultation platform could\nimplement this through a structured composition environment (sectioned guidance\nrather than a single free-text box, capturing timing and paste patterns per\nsection), a non-blocking paste-detection prompt that creates a natural disclosure\nmoment, and session metadata (duration, edit count, sequence, typed-to-pasted\nratio) treated as behavioral rather than content analysis.\n\nThe critical limitation is that process metadata from the submission platform\ncaptures only the final-mile activity. If a citizen drafts in Word, refines with\nChatGPT, and pastes the result, the platform sees only the paste event. The tax\nsoftware model works because preparation happens inside the tool; consultation\nsubmissions are typically prepared externally.\n" }, { "id": "1.6", "title": "Binding individual input to final text", "territory": 1, "slug": "show-your-working", "maturity": "frontier", "maturityNote": "Frontier. Letting a submitter show how a piece was built is a response no government consultation platform yet offers. The building blocks (document timelines, contribution attribution, source annotation) exist in collaborative editing tools but have not been adapted to the submission intake context. The academic disclosure model is the closest analogue, but it works after the fact in a published paper rather than at the point of submission, so the response still has to be designed for intake.", "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "What is an Audit Trail in Document Management — Folderit", "source": "https://www.folderit.com/glossary/what-is-an-audit-trail-in-document-management/" }, { "name": "Audit Trails for Accountability in LLMs — arXiv", "source": "https://arxiv.org/html/2601.20727v1" }, { "name": "AI Disclosure Patterns — Shape of AI", "source": "https://www.shapeof.ai/patterns/disclosure" }, { "name": "How to Disclose AI Tools in Academic Writing — InstaText", "source": "https://instatext.io/how-to-disclose-ai-tools-in-academic-writing-with-templates/" }, { "name": "Interoperable Architecture for Digital Identity Delegation for AI Agents — arXiv", "year": 2026, "source": "https://arxiv.org/pdf/2601.14982" } ], "assurance": "Government needs to be able to tell genuine deliberation from assembly-line production, so a decision-maker can read individual thought in a submission that may have been shaped by multiple contributors, AI assistance, or a campaign template. The signal has to set a disclosure norm rather than depend on technical enforcement, because a determined submitter can defeat any detection.", "access": "'Show your working' requirements risk recreating academic peer review, where detailed process documentation favors well-resourced, institutionally supported submitters over individuals writing from lived experience who should not need to document a 'methodology.' Make these features available and encouraged but never mandatory, and design the UX so the simplest truthful declaration ('I wrote this myself based on my own experience') is the fastest path through the form.", "surface": { "summary": "An optional composition timeline and per-section source-annotation affordance that lets a submitter (but never requires them to) show how a piece was built and where each part came from.", "instances": [ { "domain": "interaction", "kind": "mockup", "annotation": "Because disclosure works here as a norm rather than as enforcement, the response is a voluntary 'annotate your sources' control that is encouraged and visible, while the unannotated 'I wrote this myself' path stays the fastest route to submit. Showing your working is something a submitter chooses to do, and choosing not to costs them no extra steps." } ] }, "whereThingsGoWrong": "'Show your working' targets the provenance of inbound submissions, so on its own it does not constrain the agency side. Applied to the agency's own reasoning, the same principle (an inspectable chain from each input to the final output) is precisely what exposes an unjustified leap, such as deriving a fortnightly liability from annual data, before it stands as fact.", "challenge": "Tools that assemble polished text from multiple contributors, AI assistance, or a\ncampaign template are now widely available, so the final submission increasingly\nobscures the contribution of individual thought. As that becomes the norm,\ndecision-makers cannot tell genuine deliberation from assembly-line production\nby reading the submitted text alone.\n", "precedentsNote": "**Document audit trails and version history.** Modern document management systems\nrecord a sequential history of every action: upload, edit, share, approve. The\ndistinction between version history (what changed in the content) and audit trail\n(who accessed, viewed, shared, or approved it) is well-established, and immutable\nevent logs create a defensible chain of custody. Platforms like Google Docs,\nSharePoint, and Notion maintain per-character authorship attribution. See\n[Folderit](https://www.folderit.com/glossary/what-is-an-audit-trail-in-document-management/)\nand [Audit Trails for Accountability in LLMs](https://arxiv.org/html/2601.20727v1).\n\n**AI disclosure verb patterns.** Emerging UX research suggests disclosure labels\nwith specific verbs (\"Summarized with AI,\" \"Rewrote with AI,\" \"Translated with\nAI\") are more informative than generic \"AI\" markers. The Shape of AI pattern\nlibrary documents disclosure patterns communicating the nature and extent of AI\ninvolvement at a granular level. See\n[Shape of AI](https://www.shapeof.ai/patterns/disclosure).\n\n**Academic \"use of AI\" statements as structured metadata.** The emerging standard\nrequires tool name and version, access date, specific task, and which sections were\naffected, converting a binary disclosure into structured process metadata (\"I used\nGPT-4o via ChatGPT on 15 January 2026 to generate an initial literature summary in\nSection 2, which I then substantially revised\"). The shift from binary to\nstructured is the key UX insight. See\n[InstaText](https://instatext.io/how-to-disclose-ai-tools-in-academic-writing-with-templates/).\n\n**Interoperable architecture for AI agent identity delegation.** A 2025 research\npaper proposes binding AI agent actions to the delegating human's verifiable\ncredentials through blockchain-based audit trails, creating a cryptographic \"show\nyour working\" chain from principal (human) through agent (AI) to action\n(submission), using W3C DIDs and Verifiable Credentials. See\n[the arXiv paper](https://arxiv.org/pdf/2601.14982).\n", "transferability": "**Medium transferability.** The document audit trail model works when drafting\nhappens within a controlled environment. A consultation platform could implement a\nlightweight feature: a composition timeline (\"Draft started 14:32; 847 words typed\nover 45 minutes; 312 words pasted at 15:05\"), optional source annotation (\"this\nsection draws on [organization]'s position paper\"), and a contribution breakdown for\norganizational submissions.\n\nThe critical limitation is that \"show your working\" is voluntary: a submitter\nusing AI can simply type the AI-generated text rather than pasting it, defeating\npaste detection. The pattern works as a norm-setting device (making disclosure\nculturally expected) rather than technical enforcement. The legal profession model\nshows this can work: once disclosure is expected, non-disclosure becomes the\nanomalous behavior that attracts scrutiny.\n" }, { "id": "1.7", "title": "The attestation-verification gap", "territory": 1, "slug": "attestation-verification-gap", "maturity": "frontier", "maturityLevels": [ { "level": "established", "note": "The individual components — attestation forms, identity verification, risk-based assurance levels — are each settled." }, { "level": "frontier", "note": "As a coherent response that pulls them into a submission intake scaling assurance to the stakes, tying the assertion to consequence, and keeping access open — not yet attempted for government consultation contexts." } ], "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "Qualified Electronic Attestations Explained — Corbado", "jurisdiction": "EU", "source": "https://www.corbado.com/glossary/qualified-electronic-attestations" }, { "name": "Balancing User Experience and Security — Ping Identity", "source": "https://www.pingidentity.com/en/resources/blog/post/balancing-user-experience-ux-and-security.html" } ], "assurance": "Government needs an assertion from a submitter to carry real weight without standing up full verification infrastructure for every submission. The confidence has to come from binding the assertion to an identity and attaching after-the-fact consequence, scaled to what the process decides, rather than from inspecting evidence up front.", "access": "The gap between attestation and verification is itself an equity issue: well-resourced submitters (organizations, law firms, lobby groups) can afford verified credentials, creating a de facto two-tier system where verified submissions carry more weight. Explicitly state that unverified attestation is a valid and respected submission method, and do not build UI that visually privileges verified over attested submissions in ways that imply non-verified input is suspect.", "surface": { "summary": "An intake that scales how hard it asks to what the submission decides: a one-line self-declaration for a minor comment, a binding identity-linked attestation for a formal proceeding, on a form built so identity verification can be switched on later without a redesign.", "instances": [ { "domain": "experience", "kind": "mockup", "annotation": "Because an attestation only carries weight when it can be checked later or is backed by consequence, the response makes the declaration binding without verifying it up front. It ties each submission to an identity, where even a pseudonym is enough to catch a pattern of false attestation after the fact, and scales the consequence to what the process decides: quiet reputational discounting for an ordinary comment, formal sanction for a royal-commission or planning submission. The request is framed as a norm ('most people tell us how their submission was prepared'), not a penalty under threat, and a verified-identity slot sits ready for the same form to switch on as myGovID or an EUDI Wallet becomes available." } ] }, "whereThingsGoWrong": "The attestation-verification gap concerns the assurance of citizen submissions, so it does not directly govern automated decisions. Its core principle still applies on the agency side: an assertion must be either independently verified or carry real after-the-fact consequence, which is exactly what an unaccountable automated process that issues adverse determinations violates.", "challenge": "There is a fundamental UX and trust gap between attestation (\"I declare that this\nis true\") and verification (\"I can prove that this is true\"). Most provenance\nmechanisms for government submissions will, for the foreseeable future, rely on\nattestation rather than verification. The design challenge is to make attestation\nmeaningful without the infrastructure cost of verification.\n", "precedentsNote": "**The attestation-verification spectrum in identity systems.** Digital identity\nframeworks distinguish self-asserted attributes (the user claims something),\nattested attributes (a third party vouches), and verified attributes (a trusted\nentity has inspected evidence). The eIDAS QEAA framework formalizes this: a\nQualified Electronic Attestation is issued by an accredited Trust Service Provider\nwho has verified the underlying attribute. Most government submission processes\ncurrently operate at the self-assertion level, the weakest point on the spectrum.\nSee [Corbado](https://www.corbado.com/glossary/qualified-electronic-attestations).\n\n**Legal attestation with professional consequences.** The legal profession's AI\ndisclosure model shows how self-attestation can carry real weight when paired with\nprofessional accountability. A lawyer certifying that their brief was human-verified\nis making a self-declaration, but false certification triggers Rule 11 sanctions,\nbar discipline, and reputational damage. The attestation is meaningful not because\nit is verified at submission time but because it is verifiable after the fact and\ncarries consequences.\n\n**Risk-based verification in digital identity.** Best-practice frameworks apply\nverification intensity based on risk: low-risk actions use self-assertion;\nmedium-risk actions use attested credentials; high-risk actions require full\nverification. This maps to consultation submissions: a comment on a minor\nregulatory change might accept self-attestation, while a submission to a royal\ncommission or a formal planning objection warrants higher assurance. See\n[Ping Identity](https://www.pingidentity.com/en/resources/blog/post/balancing-user-experience-ux-and-security.html).\n", "transferability": "**High transferability for the framework; the implementation is the design\nproblem.** The attestation-verification gap is a design space to navigate, not a\nbug to fix. The key insights: make the attestation binding (connect the\ndeclaration to the submitter's identity, even if pseudonymous, so a pattern of\nfalse attestation can be identified retrospectively); make the consequences\nproportionate (reputational discounting for most consultations, punitive\nconsequences reserved for formal proceedings); design for norm-setting rather than\nenforcement (normalize disclosure, framing intake as \"most people tell us how their\nsubmission was prepared\" rather than \"you are required to certify under penalty\nof…\"); and bridge toward verification over time, designing the attestation UI so identity\nverification (myGovID from December 2026, EUDI Wallet from end of 2026) can be\nlayered on without redesigning the form.\n" }, { "id": "2.1", "title": "Fine-grained scope negotiation", "territory": 2, "slug": "fine-grained-scope-negotiation", "maturity": "established", "maturityLevels": [ { "level": "established", "note": "For granting a typed, single-transaction scope." }, { "level": "frontier", "note": "In government, where no service catalog yet defines actions as machine-readable scopes to grant against." } ], "status": "reviewed", "threads": [ "financial-services" ], "dependsOn": [ "2.6" ], "precedents": [ { "name": "OAuth 2.0 Rich Authorization Requests (RAR)", "jurisdiction": "IETF", "year": 2023, "source": "https://datatracker.ietf.org/doc/html/rfc9396" }, { "name": "GNAP — Grant Negotiation and Authorization Protocol", "jurisdiction": "IETF", "year": 2024, "source": "https://www.rfc-editor.org/rfc/rfc9635.html" } ], "assurance": "An agency needs each grant to be narrow and inspectable enough to bound a single transaction, so that what the agent may do is exactly what the citizen authorized and no more.", "access": "Granular per-scope consent overwhelms users with low digital literacy or limited time, who may abandon the grant or approve everything without reading it, defeating the point of narrow scoping. Keep the path open with a plain-language summary on every scope, a pre-selected standard bundle as the default fast path, and an assisted-digital route for citizens who cannot set up the delegation alone.", "surface": { "summary": "A consent screen that renders a scope object as a plain-language permission a citizen can grant or narrow, with a sensible default bundle.", "instances": [ { "domain": "interaction", "kind": "interactive", "component": "DelegationConsent", "annotation": "Each authorized action is rendered as a single plain-language permission in a toggle list, with a standard bundle pre-selected by default that the citizen can narrow before granting." } ] }, "whereThingsGoWrong": "Without scoping, the failure is an over-broad grant: an agent given general access reaches far beyond its task. Scoped, revocable grants narrow the blast radius, so an agent authorized only to lodge the 2025 return cannot reach superannuation or trigger a debt-recovery action.", "challenge": "As citizens authorize agents to act in government services, they will need to grant\na single, bounded permission, such as \"submit my annual tax return for the 2025\nfinancial year but not access my superannuation records,\" rather than a coarse\nread-or-write grant. Conventional authorization scopes are blunt strings that cannot\ncarry that nuance, so the difficulty is expressing and granting authority narrow\nenough to bound one transaction.\n", "precedentsNote": "**OAuth 2.0 Rich Authorization Requests (RAR), RFC 9396 (May 2023).** Introduces an\n`authorization_details` parameter carrying a JSON array of typed authorization\nobjects, each specifying a `type`, `locations`, `actions`, and arbitrary\ndomain-specific fields, narrowing as far as a single transaction.\n\n**GNAP, RFC 9635.** A fine-grained delegation protocol supporting asynchronous\nauthorization (no browser required) and software-only clients. Both matter for AI\nagents that may not have a user present at the moment of request.\n", "transferability": "RAR's JSON authorization objects are directly transferable to government service\nscoping. A government service catalog could define `authorization_details` types\nfor each service action (lodge, view, amend, withdraw). GNAP's async interaction\nmodel suits agents that operate without a browser session. The gap: no government\ncurrently publishes a machine-readable catalog of actions that could populate\nthese structures.\n" }, { "id": "2.2", "title": "Digital power of attorney", "territory": 2, "slug": "digital-power-of-attorney", "maturity": "established", "maturityLevels": [ { "level": "established", "note": "For scoped, revocable delegation to an identified person." }, { "level": "frontier", "note": "Extended to a software agent, where the attorney is not a natural person." } ], "status": "reviewed", "threads": [], "dependsOn": [ "2.6" ], "precedents": [ { "name": "GOV.UK Lasting Power of Attorney service", "jurisdiction": "UK", "year": 2025, "source": "https://www.lastingpowerofattorney.service.gov.uk/home" }, { "name": "OPG blog — two million LPAs added to the online Use an LPA service", "jurisdiction": "UK", "year": 2025, "source": "https://publicguardian.blog.gov.uk/2025/04/29/two-million-lasting-powers-of-attorney-added-to-online-use-an-lpa-service/" }, { "name": "Powers of Attorney Act 2023", "jurisdiction": "UK", "year": 2023, "source": "https://www.legislation.gov.uk/ukpga/2023/45" } ], "assurance": "A relying party needs to confirm that a delegation is scoped, current, and revocable, and that the citizen who granted it had their identity verified, so it can act on the agent's authority without re-checking with the citizen.", "access": "The digital LPA service retains a paper pathway. For agent delegation, equivalent accommodations: telephone-based delegation setup with human assistance, in-person delegation at a government shopfront (Service NSW, Centrelink), and assisted-digital support where a trusted person helps set up the delegation (itself a delegation-within-delegation problem).", "surface": { "summary": "An attorney-facing screen that mints a time-limited, organization-specific access code from a registered delegation, which a relying organization enters to verify authority.", "instances": [ { "domain": "interaction", "kind": "mockup", "annotation": "A delegation scoped to a category of affairs is turned into a 'generate access code for this organization' action, paired with a per-organization revocation list the donor controls." } ] }, "whereThingsGoWrong": "Without organization-specific scoping, a delegate authorized for one service can drift into another. Scoped, revocable, organization-specific codes prevent that, and the donor's revocation and tracking view narrows the blast radius of any single grant.", "challenge": "As citizens delegate to software agents, an agency must be able to accept bounded,\nrevocable authority granted to an agent that has no natural-person attorney standing\nbehind it. The difficulty is reproducing the scoped authority, identity verification,\nand safeguards against abuse that paper power of attorney provided, when the delegate\nis software rather than a named person.\n", "precedentsNote": "**UK Office of the Public Guardian — Lasting Power of Attorney (LPA) digital service.**\nThe Powers of Attorney Act 2023 enables fully digital creation and registration of LPAs.\nThe Act received Royal Assent on 19 September 2023, but its substantive provisions were not\nall commenced at assent: the Office of the Public Guardian's digital LPA service remained in\nphased rollout into early 2026.\nAll parties (donor, attorneys, certificate providers) must verify their identity\nelectronically; a witness must still see the donor sign (a physical safeguard retained\neven in the digital process). The \"Use an LPA\" service lets attorneys generate secure\naccess codes for specific organizations (banks, healthcare providers), creating\norganization-specific, revocable delegation tokens. Over two million LPAs had been added\nto the online service as of April 2025; the Act's digitised process is designed to cut\nregistration time from around 20 weeks on paper to about 2 weeks online, chiefly by\ncatching and fixing errors before submission rather than by post. The paper process is\nretained for those without internet access.\n", "transferability": "The LPA model maps closely onto agent delegation. LPAs are already scoped (health & welfare\nvs. property & financial affairs), though agent delegation would need finer granularity. The\nsecure-access-code pattern (time-limited, organization-specific codes that third parties use\nto verify authority) maps directly to agent bearer tokens. Both the delegator and the\ndelegate (agent operator) must be identity-verified.\n\nThe retained witnessing safeguard suggests that for high-stakes delegation a purely digital\nprocess may be insufficient: a \"ceremony\" step may be needed. Donors can revoke access codes\nand track which organizations have been given access.\n\nThe gap: LPAs delegate to identified natural persons. Delegating to a software agent has no\nequivalent, and the model does not yet settle who counts as the \"attorney\" when the delegate\nis an AI system, the agent operator that runs it, or the specific software instance.\n" }, { "id": "2.3", "title": "Consumer data rights consent flows", "territory": 2, "slug": "open-banking-consent-flows", "maturity": "established", "maturityNote": "Established", "status": "reviewed", "threads": [ "financial-services" ], "dependsOn": [], "precedents": [ { "name": "Open Banking UK — Customer Experience Guidelines", "jurisdiction": "UK", "year": 2026, "source": "https://standards.openbanking.org.uk/customer-experience-guidelines/latest/" }, { "name": "Open Banking UK — TPP Permissions and CASS considerations", "jurisdiction": "UK", "source": "https://standards.openbanking.org.uk/customer-experience-guidelines/appendices/tpp-permissions-and-cass-considerations/latest/" }, { "name": "OAIC — CDR consent, authorisation and dashboards guidance", "jurisdiction": "AU", "source": "https://www.oaic.gov.au/consumer-data-right/consumer-data-right-guidance-for-business/privacy-obligations/consumer-consent,-authorisation-and-dashboards" }, { "name": "Treasury — CDR Consent Review Design Paper", "jurisdiction": "AU", "year": 2023, "source": "https://treasury.gov.au/sites/default/files/2023-08/c2023-434434-consent-design-paper.pdf" } ], "assurance": "An agency needs the citizen's authorization to be specific, standing, and revocable, with the citizen authenticating to the government rather than to the agent, so that what the agent may do is informed and remains manageable over time.", "access": "Open-banking flows assume smartphone access and comfort with redirect patterns: redirect flows break screen-reader context, time-limited SCA challenges disadvantage users with motor or cognitive impairments, and SMS OTP excludes users without mobile phones. Keep the path open with extended SCA time windows, non-SMS authentication (hardware tokens, email), and consent confirmation via an alternative channel (a phone call with automated readback of permissions).", "surface": { "summary": "A bank-hosted consent screen reached by redirect that lists the requested scopes in plain language and feeds a standing consent dashboard for review and revocation.", "instances": [ { "domain": "interaction", "kind": "mockup", "annotation": "Delegations that only view data are separated from those that act, with a higher-ceremony confirmation step required to authorize an action and a separate dashboard toggle the citizen can use to manage each permission." } ] }, "whereThingsGoWrong": "The failure to guard against is an over-broad or unauthorized data grab proceeding silently at scale. Redirect authentication keeps credentials away from the agent and forces the citizen to confirm scoped permissions, so that grab cannot happen unseen.", "challenge": "When a citizen authorizes an AI agent to reach a government service on their behalf, the\nagency needs that authorization to be specific and inspectable: which data or actions are\ncovered, for how long, and revocable afterward, with the citizen authenticating to the\ngovernment rather than handing credentials to the agent.\n\nThe challenge is to make that consent clear enough to be informed and standing enough to\nmanage, without re-prompting the citizen at every step.\n", "precedentsNote": "**PSD2 / Open Banking UK.** The consent journey follows a redirect pattern: the customer\ninitiates in the third-party provider (TPP) application; the TPP specifies the scope of\ndata or payment access; the customer is redirected to their bank (ASPSP) for Strong\nCustomer Authentication (SCA); the customer reviews and confirms the specific permissions;\nand is redirected back to the TPP. Open Banking UK's Customer Experience Guidelines (v4.0,\nupdated March 2026) mandate consent and access dashboards for ongoing management, minimal\ninformation presentation, platform-agnostic wireframes, and design principles of \"control,\nspeed, transparency, security and trust.\"\n\n**Australia's Consumer Data Right (CDR).** Both data holders (banks) and accredited data\nrecipients must provide consumer dashboards that are \"simple and straightforward to use\nand prominently displayed.\" The consent flow covers collection, use, and disclosure as\nseparate consent elements. 2024 amendments introduced bundled consent and pre-filled\nconsent for necessary data; a principles-based ban on dark patterns was considered but\nreplaced with \"standards and guidelines on manipulation.\" The CDR consent model includes a\nformal \"Consent Review\" process covering authorization, revocation, re-authorization, and\nnotification.\n", "transferability": "Open-banking consent flows are the closest existing analogue to government-to-agent\ndelegation. Directly transferable: redirect-based authentication (the citizen authenticates\nwith the government identity provider, not the agent, which never sees credentials);\nscoped permissions with human-readable summaries; consent dashboards for viewing, managing,\nand revoking active delegations; SCA for re-authorization when the agent requests expanded\nscope; and time-bound access that expires and must be renewed.\n\nKey differences for government services: government actions are often irreversible (lodging\na tax return, applying for a benefit) in ways that viewing bank data is not. The consent\nmodel needs to distinguish \"view\" delegations from \"act\" delegations, with higher ceremony\nfor the latter. The CDR's experience with dark patterns is cautionary: bundled and\npre-filled consents reduce friction but can undermine informed delegation. The temptation\nto bundle (\"just let the agent do everything\") has to be resisted by design.\n" }, { "id": "2.4", "title": "Consent receipts and records", "territory": 2, "slug": "consent-receipts-and-records", "maturity": "established", "maturityLevels": [ { "level": "established", "note": "For recording consent in a durable, machine-readable form." }, { "level": "emerging", "note": "As built systems that a relying agency can verify after the fact." } ], "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "Kantara Initiative — Consent Receipt Specification", "jurisdiction": "International", "source": "https://kantarainitiative.org/download/consent-receipt-specification/" }, { "name": "ISO/IEC TS 27560:2023 — Consent record information structure", "jurisdiction": "ISO/IEC", "year": 2023, "source": "https://link.springer.com/chapter/10.1007/978-3-031-68024-3_12" } ], "assurance": "After a delegation has been used, a relying agency and the citizen both need to verify its scope, the parties, and its temporal bounds, and to tell what was authorized apart from what the agent actually did.", "access": "Machine-readable records are invisible to users unless surfaced through an accessible interface. Every delegation receipt must have a human-readable rendering (plain-language summary), available in multiple formats (web, PDF, email, SMS summary) and in the citizen's preferred language. Citizens must be able to request a complete record of all actions taken under a delegation in accessible format.", "surface": { "summary": "A delegation receipt screen that renders the machine-readable consent record as a plain-language summary of scope, parties, temporal bounds, and an action log.", "instances": [ { "domain": "interaction", "kind": "mockup", "annotation": "The consent lifecycle, from collection through to withdrawal, is rendered as a timeline the citizen can read, with a 'download record' action that produces the receipt in several formats." } ] }, "whereThingsGoWrong": "Without a durable record, a citizen cannot prove what an agent was authorized to do versus what it actually did. A verifiable receipt of exactly what was authorized, and what was done under it, gives the citizen the evidence to contest an action taken outside its granted scope.", "challenge": "As agents act asynchronously and at scale, a citizen needs durable proof of what was\nauthorized as against what was done, long after the moment of consent. Every party needs a\nrecord of what was consented to, when, by whom, and under what conditions, that the agency\nreceiving the agent's requests can verify.\n", "precedentsNote": "**Kantara Initiative Consent Receipt Specification.** Defines a JSON-based record\ncontaining transactional information (timestamp, receipt ID), PII Controller contact\ndetails, PII Principal information, links to privacy policies, description of data\ncollected, purposes for collection, and processing details. The specification has been\nreferenced in ISO/IEC 29184:2020 (Online privacy notices and consent).\n\n**ISO/IEC TS 27560:2023 — Consent record information structure.** Provides guidance for\ncreating machine-readable consent records and consent receipts covering the full lifecycle:\ncollection, storage, retrieval, modification, and withdrawal of consent. Works alongside\nISO/IEC 29184:2020, which handles the human-readable representation.\n", "transferability": "Consent receipts are directly applicable to agent delegation records. A \"delegation\nreceipt\" would extend the consent receipt model with: delegation scope (the specific\nactions and services authorized, using RAR-style `authorization_details`); delegate\nidentity (the agent operator and, where possible, the specific agent instance); delegator\nidentity (bound to a verified digital identity); temporal bounds (start time, expiry,\nrenewal conditions); a revocation mechanism (how to revoke, and what happens to in-flight\ntransactions); and an audit trail of actions taken under the delegation.\n\nThe ISO/IEC 27560 lifecycle model (collect, store, retrieve, modify, withdraw) maps well to\na delegation lifecycle. The gap: neither standard contemplates a non-human delegate or the\nprovenance chain needed to prove an agent acted within its delegated authority.\n" }, { "id": "2.5", "title": "Delegation registries", "territory": 2, "slug": "delegation-registries", "maturity": "established", "maturityLevels": [ { "level": "established", "note": "For verifying delegation through deployed registries." }, { "level": "emerging", "note": "Built on verifiable credentials." }, { "level": "frontier", "note": "For confirming an agent's live, scoped, unrevoked authority." } ], "status": "reviewed", "threads": [ "financial-services" ], "dependsOn": [ "2.6" ], "precedents": [ { "name": "Australia's Relationship Authorisation Manager (RAM)", "jurisdiction": "AU", "source": "https://authorisationmanager.gov.au/" }, { "name": "ATO — Accessing online services with Digital ID and RAM", "jurisdiction": "AU", "source": "https://www.ato.gov.au/online-services/accessing-online-services-with-digital-id-and-ram" }, { "name": "Australian Government Architecture — Relationship Authorisation Manager", "jurisdiction": "AU", "source": "https://architecture.digital.gov.au/design/relationship-authorisation-manager" }, { "name": "Credential Engine — trust registries for verifiable credential ecosystems", "jurisdiction": "International", "year": 2025, "source": "https://credentialengine.org/2025/06/09/building-trust-in-a-digital-world-scalable-solutions-for-verifiable-credential-ecosystems/" }, { "name": "Agent Identity Protocol (AIP) — arXiv 2603.24775", "jurisdiction": "International", "year": 2026, "source": "https://arxiv.org/abs/2603.24775" }, { "name": "AIP — IETF individual Internet-Draft (draft-prakash-aip, not a WG-adopted standard)", "jurisdiction": "IETF", "source": "https://www.ietf.org/archive/id/draft-prakash-aip-00.html" } ], "assurance": "A relying agency needs confidence that an agent's authority is current, scoped to the action at hand, and not revoked, and it must reach that confidence without contacting the citizen in real time.", "access": "Delegation registries are back-end infrastructure, but the citizen-facing management interface must be accessible. Where managing a delegation depends on a digital identity that itself requires biometric verification, users who cannot complete that check are shut out of creating or revoking authority for their own agent. Keep the path open with multiple pathways to manage delegations (web dashboard, phone service, in-person), and SMS or email notifications whenever a delegation is used, created, or modified.", "surface": { "summary": "A delegation-management dashboard backed by a verification service that agencies query to confirm an agent's authority and revocation status in real time.", "instances": [ { "domain": "service", "kind": "mockup", "annotation": "Tiered delegation roles are presented as a ranked authorization list, with per-agent revocation and a notification to the citizen each time a delegation is used." } ] }, "whereThingsGoWrong": "The failure mode is an agent that keeps acting on authority the citizen has already withdrawn. Real-time revocation checking against a registry means a cancelled delegation stops working immediately, so stale authority cannot persist across many citizens.", "challenge": "As citizens authorize agents to act for them, the agency receiving an agent's request must\nbe able to confirm that the agent's authority is live, scoped to the request, and not\nrevoked. The difficulty is reaching that confirmation at the moment of the request without\ncontacting the citizen, who will often not be present when their agent acts.\n", "precedentsNote": "**Australia's Relationship Authorisation Manager (RAM).** RAM is a delegation registry\noperated by the ATO that lets individuals link their digital identity (myID, formerly\nmyGovID) to a business and manage who can act on behalf of that business. It links digital\nidentity to an Australian Business Number (ABN), supports hierarchical delegation\n(principal authority, administrator, and standard user roles), is used across multiple\nagencies (ATO, DEWR, AusCheck), and ties authorization to the individual's verified digital\nidentity rather than a username/password.\n\n**Verifiable Credentials and Decentralized Identifiers (DIDs) as delegation infrastructure.**\nA trust framework built on W3C Verifiable Credentials enables issuance of tamper-proof\ndigital proofs of authority. Issuer identity registries maintain published DIDs for\nrecognized issuers. The model supports delegation of authority via verifiable credential\nissuance, revocation through credential status lists, and verification without contacting\nthe issuer in real time.\n\n**Agent Identity Protocol (AIP), arXiv 2603.24775 (March 2026).** A protocol proposal that\ndirectly addresses agent delegation verification. It introduces Invocation-Bound Capability\nTokens (IBCTs) that fuse identity, attenuated authorization, and provenance binding into a\nsingle append-only token chain. It operates in two wire formats, compact mode (signed JWT\nfor single-hop) and chained mode (Biscuit token with Datalog policies for multi-hop\ndelegation), and provides transport bindings across MCP, A2A, and HTTP.\n", "transferability": "RAM is the closest existing government precedent for a delegation registry, though it handles\nbusiness-to-individual delegation rather than citizen-to-agent delegation. A government agent\ndelegation registry would need to register agent operators (companies providing AI agent\nservices), on the model of tax agent registration, then bind delegations to verified\ncitizen identities, support real-time revocation checking, and provide delegation\nverification as a service to relying agencies.\n\nAIP's token-chaining model is particularly relevant for multi-hop delegation: a citizen\ndelegates to Agent A, which delegates a subset of authority to Agent B for a specific\nsub-task. The Datalog policy language allows attenuation, so each hop can only narrow the\nauthority, never expand it.\n\nThe gap: no existing registry handles the \"agent identity\" problem. Is the delegate a\ncompany (the agent operator), a specific model version, a running instance? RAM identifies\nnatural persons. AIP proposes cryptographic identity binding but has no production\ndeployments.\n" }, { "id": "2.6", "title": "Identity binding to verified identity", "territory": 2, "slug": "identity-binding-to-verified-identity", "maturity": "established", "maturityLevels": [ { "level": "established", "note": "For verifying a person's identity to a defined assurance level." }, { "level": "emerging", "note": "Modeling a representative acting for a represented person." }, { "level": "frontier", "note": "For binding an agent's delegation to that verified identity." } ], "status": "reviewed", "threads": [ "financial-services" ], "dependsOn": [], "precedents": [ { "name": "Login.gov — our services", "jurisdiction": "US", "source": "https://www.login.gov/partners/our-services/" }, { "name": "Login.gov developers — integration overview (FedRAMP moderate approved)", "jurisdiction": "US", "year": 2025, "source": "https://developers.login.gov/overview/" }, { "name": "Login.gov — passport-based identity verification", "jurisdiction": "US", "year": 2025, "source": "https://www.login.gov/partners/program-updates/login-gov-begins-passport-based-identity-verification/" }, { "name": "ATO — Digital ID and RAM", "jurisdiction": "AU", "source": "https://www.ato.gov.au/online-services/accessing-online-services-with-digital-id-and-ram" }, { "name": "eIDAS 2.0 (Regulation (EU) 2024/1183)", "jurisdiction": "EU", "year": 2024, "source": "https://eur-lex.europa.eu/eli/reg/2024/1183/oj" }, { "name": "European Commission — Representation specifications (March 2025)", "jurisdiction": "EU", "year": 2025, "source": "https://ec.europa.eu/digital-building-blocks/sites/spaces/TDD/pages/887384532/2.3+-+Representation+March+2025" } ], "assurance": "A relying party needs confidence that the citizen an agent represents is who they are claimed to be, verified to a defined assurance level, so it can inspect both the agent's identity and the represented citizen's before acting.", "access": "Identity verification systems frequently rely on biometrics (facial recognition, fingerprints) that exclude people with certain disabilities, recent facial changes (surgery, injury), or older adults without the required identity documents, leaving them unable to establish the verified identity a delegation must bind to. Keep the path open with multiple verification pathways (in-person vouching, telephone verification with knowledge-based questions, trusted referee models), and the ability for a delegated human (carer, family member) to assist. This creates a bootstrapping problem where delegation requires identity verification, but identity verification may itself require delegation.", "surface": { "summary": "An identity-provider flow that issues a delegation credential binding a verified citizen identity to an agent operator, which relying agencies verify.", "instances": [ { "domain": "service", "kind": "mockup", "annotation": "The separate representative and represented attributes are shown together, so a verifier can confirm both the agent's identity and the identity of the citizen it acts for before granting access." } ] }, "whereThingsGoWrong": "Without identity binding, an agent can act on an unverified or spoofed identity, opening the door to mass automated action against the wrong people. Binding every delegation to a verified identity at a defined assurance level closes that door.", "challenge": "As agents act for citizens across government services, a relying party must be able to\ninspect both the agent and the citizen it represents, and to trust that the citizen is who\nthey are claimed to be. The difficulty is tying a delegation to an identity verified to a\ndefined assurance level, rather than to a username an agent could present for anyone.\n", "precedentsNote": "**Login.gov (United States).** Provides three service levels (authentication, basic\nidentity verification, and enhanced identity verification) mapped to NIST Digital Identity\nGuidelines (IAL and AAL). Supports SAML and OIDC integration, holds FedRAMP Moderate ATO,\nand recently added passport-based remote identity verification (August 2025). It does not\ncurrently support delegation or agent authorization.\n\n**myID / Digital Identity (Australia).** Australia's digital identity system, operated by\nthe ATO. Combined with RAM (Pattern 2.5), it provides identity-verified delegation for\nbusiness contexts. Identity proofing uses biometric verification against government-held\nidentity documents.\n\n**EU Digital Identity Wallet (EUDIW) under eIDAS 2.0.** By December 2026, all 27 Member\nStates must provide citizens with digital identity wallets containing government-verified\ncredentials. Delegation capabilities include Legal Person Identification Data (LPID)\nrepresenting a business's identity or a mandate to act for a business; a Power of\nRepresentation Scope attribute set for representatives, carrying two attribute sets (one for\nthe representative, one for the represented person); and Qualified Electronic Attestations\nof Attributes (QEAAs), which are cryptographically signed statements issued by Qualified Trust\nService Providers asserting attributes including representation authority.\n\nCaveat: the EU Digital Identity Wallet does not yet specify agent/representative delegation.\nRepresentation is ARF \"Topic 23\", with no specific requirements defined yet, and legal\nrepresentation is out of scope of the current Trust Model. It is a planned/future use case,\nnot a current capability.\n", "transferability": "The EUDIW's representation model is the most advanced for agent delegation because it\nexplicitly models the representative/represented relationship as separate attribute sets.\nThis could extend to agent delegation: the agent carries a credential attesting to the\ncitizen's delegation, and the verifying agency can inspect both the agent's identity and\nthe citizen's identity.\n\nLogin.gov and myID currently lack delegation capabilities: they verify \"who you are\" but\nnot \"who you can act for.\" For agent delegation, the identity provider must verify the\ncitizen's identity, bind the delegation grant to that verified identity, optionally verify\nthe agent operator's identity, and issue a delegation credential or token that relying\nparties can verify. The EUDIW's QEAA model could accommodate this: a Qualified Trust Service\nProvider issues an attestation that \"Citizen X has authorized Agent Operator Y to perform\nactions Z until date W.\"\n" }, { "id": "2.7", "title": "Step-up re-authorization for sensitive actions", "territory": 2, "slug": "step-up-re-authorization-for-sensitive-actions", "maturity": "established", "maturityLevels": [ { "level": "established", "note": "For demanding stronger authentication at a sensitive action." }, { "level": "emerging", "note": "Applied to human-agent delegation in tax." }, { "level": "frontier", "note": "Applied to an AI agent that must confirm asynchronously." } ], "status": "reviewed", "threads": [ "financial-services" ], "dependsOn": [], "precedents": [ { "name": "Security Boulevard — step-up authentication in OIDC", "jurisdiction": "International", "year": 2026, "source": "https://securityboulevard.com/2026/05/step-up-authentication-when-to-require-it-and-how-to-implement-it-in-oidc/" }, { "name": "HMRC Research Report 754 — granular authorisations for tax agents (MTD ITSA)", "jurisdiction": "UK", "year": 2024, "source": "https://gov.uk/government/publications/exploring-customer-views-on-granular-authorisations-for-tax-agents-within-making-tax-digital-for-income-tax-self-assessment/exploring-customer-views-on-granular-authorisations-for-agents-within-making-tax-digital-for-income-tax-self-assessment" } ], "assurance": "For a high-stakes or irreversible action, an agency needs confidence that the citizen, not the agent alone, authorized this particular step, with the strength of that confirmation proportionate to what is at stake.", "access": "Step-up challenges via SMS or push notification exclude users without smartphones, and time-limited challenges penalize users who need more time, so a citizen who cannot meet the challenge is blocked from authorizing the action they intended. Keep the path open with multiple challenge channels (email, phone call, in-person at a shopfront), extended response windows (hours rather than minutes for non-time-critical actions), and a 'pre-approved actions' list the citizen configures during initial delegation setup to reduce interruptions for known-safe actions.", "surface": { "summary": "A government service that classifies each requested action by sensitivity and, for sensitive ones, pauses the agent and pushes a confirmation or re-authentication challenge to the citizen.", "instances": [ { "domain": "service", "kind": "mockup", "annotation": "Each requested action is routed by its sensitivity into one of three branches: a low-risk action proceeds on the delegation token alone, a submission pauses for citizen confirmation, and an irreversible action requires step-up re-authentication." } ] }, "whereThingsGoWrong": "The risk is an agent silently executing high-stakes, irreversible decisions en masse with no human in the loop. Forcing the citizen to re-authenticate and explicitly confirm such actions reintroduces a human decision point before harm is done.", "challenge": "As agents act under a standing delegation, some of the actions they take will be sensitive or\nirreversible while most are routine: viewing a tax return status carries little risk, lodging\nan amended return carries a great deal. The difficulty is re-inserting a human decision point\nfor the high-stakes actions without forcing the citizen to confirm every routine one.\n", "precedentsNote": "**Step-up authentication (NIST SP 800-63B alignment).** Step-up authentication maps to NIST\nAuthentication Assurance Levels: a user at AAL1 (password only) is challenged to step up to\nAAL2 (MFA) for sensitive actions. In OIDC this is implemented via `acr_values` or `max_age`\nparameters in the authorization request. Common triggers: high-value transactions, access to\nPII or medical records, account modifications.\n\n**Open Banking SCA requirements.** PSD2 mandates Strong Customer Authentication for payment\ninitiation and certain data access operations. The bank (not the TPP) performs the\nauthentication challenge, ensuring the citizen, not the agent, confirms the action.\n\n**HMRC granular authorizations research (September 2024).** HMRC published research (Report\n754) exploring customer views on granular authorizations for tax agents. A key finding: HMRC\nis considering allowing customers to \"restrict or control the tasks an agent can see or do\nwithin the account or on their behalf,\" including multiple-agent functionality (more than\none agent authorized simultaneously) with different permission sets, directly analogous to\nan AI agent delegation model.\n", "transferability": "Step-up re-authorization is directly transferable. The pattern: the agent presents its\ndelegation token; the service evaluates the requested action against a sensitivity\nclassification; low-sensitivity actions (view, status check) proceed on the token alone;\nmedium-sensitivity actions (submit, amend) interrupt the agent's flow and contact the citizen\ndirectly (push, SMS, email) for confirmation; and high-sensitivity actions (irrevocable\ndecisions, large payments) require the citizen to re-authenticate at a higher assurance level\nand explicitly confirm.\n\nThe HMRC granular-authorization model shows this is already being designed for human tax\nagents, and extending it to AI agents is a natural step.\n\nThe open problem is latency. Step-up authentication in open banking works because the human\nis present at the keyboard. For an AI agent operating asynchronously, a step-up challenge\nintroduces a delay the agent must handle gracefully: pause, notify the citizen, wait for\nconfirmation, then resume.\n" }, { "id": "2.8", "title": "Nominated-agent authorization model", "territory": 2, "slug": "tax-agent-authorization-model", "maturity": "established", "maturityNote": "Established", "status": "reviewed", "threads": [ "financial-services" ], "dependsOn": [ "2.6" ], "precedents": [ { "name": "ATO — Tax agents", "jurisdiction": "AU", "source": "https://www.ato.gov.au/online-services/tax-agents" }, { "name": "ATO — How to nominate your registered agent", "jurisdiction": "AU", "source": "https://www.ato.gov.au/businesses-and-organisations/preparing-lodging-and-paying/agent-nomination/how-to-nominate-your-registered-agent" }, { "name": "IRS — Power of Attorney and other authorizations", "jurisdiction": "US", "source": "https://www.irs.gov/businesses/small-businesses-self-employed/power-of-attorney-and-other-authorizations" }, { "name": "HMRC Research Report 754 — granular authorisations for tax agents (MTD ITSA)", "jurisdiction": "UK", "year": 2024, "source": "https://gov.uk/government/publications/exploring-customer-views-on-granular-authorisations-for-tax-agents-within-making-tax-digital-for-income-tax-self-assessment" } ], "assurance": "An agency needs the nomination of an agent to be client-initiated, scoped to a typed level of authority, and tied to an accountable operator, so that an agent cannot authorize itself and responsibility for its actions is fixed.", "access": "Requiring the client to nominate an agent from within their own authenticated session is a barrier for clients who rely on an agent precisely because they cannot use digital services independently, leaving them unable to authorize the help they need. Keep the path open with telephone-based nomination (call a government service center, verify identity through knowledge-based authentication, nominate the agent verbally), in-person nomination at a government shopfront, or nomination by a trusted intermediary (with its own delegation chain requiring verification).", "surface": { "summary": "A client-authenticated nomination screen that registers a chosen agent at a typed authorization level, supporting several concurrent agents for different services.", "instances": [ { "domain": "interaction", "kind": "mockup", "annotation": "Typed levels of authority, from full representation through view-only to discussing a single return, are offered as a per-agent permission picker the citizen sets from their own dashboard." } ] }, "whereThingsGoWrong": "Where this goes wrong is agents self-authorizing, with no one bearing liability when an automated process fails at scale. Client-initiated nomination through the citizen's own session prevents self-authorization, and registering the operator as an accountable party fixes responsibility.", "challenge": "As citizens authorize software agents in government services, an agency must let a citizen\nnominate that agent through their own authenticated session, at a defined level of authority,\nwith an accountable operator standing behind it. The difficulty is preventing an agent from\nauthorizing itself and fixing who is responsible when it acts. Long-standing tax-agent\nauthorization, refined over decades, is the closest precedent for how to do this.\n", "precedentsNote": "**Australian Taxation Office (ATO) — tax agent authorization.** The ATO's model includes\nagent registration (tax agents must be registered with the Tax Practitioners Board, creating\na regulated class of delegates); client nomination (clients must actively nominate their\nagent through their own authenticated session, not via the agent's system); ongoing\nauthorization (typically ongoing until the client revokes it); Digital ID and RAM\nintegration (agents use myID and RAM to access ATO online services on behalf of clients,\nbinding delegation to verified digital identity); and multiple agent support (a client can\nauthorize different agents for different roles: tax agent, BAS agent, payroll services\nprovider).\n\n**IRS — Power of Attorney (Form 2848).** The IRS model includes typed authorization levels\n(Power of Attorney for full representation, Tax Information Authorization for view only,\nThird Party Designee to discuss a specific return, Oral Disclosure for a one-time phone\nconversation); digital authorization (individual taxpayers can authorize practitioners\nthrough their IRS online account); and representative eligibility limited to registered\ncategories (attorneys, CPAs, enrolled agents), with restricted access for others.\n\n**HMRC — Making Tax Digital agent authorization.** HMRC's model is evolving toward granular\nauthorizations (see Pattern 2.7). Research indicates HMRC is developing multiple-agent\nfunctionality, allowing different agents to have different permission scopes for the same\ntaxpayer, the closest existing precedent to a \"scoped agent delegation\" model.\n", "transferability": "The tax agent model is the strongest existing analogue for AI agent delegation. Transferable\nelements: agent registration/accreditation (AI agent operators could be required to register\nwith a regulatory body analogous to the Tax Practitioners Board, making the operator rather\nthan the software responsible); client-initiated nomination (the citizen must actively nominate\nthe agent through their own authenticated session, preventing self-authorization); typed\nauthorization levels (view only, submit, represent, with appropriate ceremony for each); and\nmultiple concurrent agents for different services.\n\nCritical gap: tax agents are natural persons who bear professional liability. AI agent\noperators can be corporate entities, but the AI agent itself has no professional standing, no\nliability insurance, and no disciplinary body. The institutional scaffolding (registration,\nprofessional standards, complaints mechanisms) would need to be built for AI agent operators.\n" }, { "id": "2.9", "title": "User-defined access policies", "territory": 2, "slug": "user-managed-access", "maturity": "emerging", "maturityNote": "Emerging for letting a citizen set standing, conditional rules that an agency evaluates without the citizen present; the response exists as a worked-out approach but has seen limited adoption.", "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "Justin Richer — UMA 2.0", "jurisdiction": "International", "source": "https://justinsecurity.medium.com/uma-2-0-437c293c3283" }, { "name": "Kantara — UMA 2.0 Grant specification", "jurisdiction": "International", "source": "https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-grant-2.0.html" }, { "name": "arXiv — From Resource Control to Digital Trust with UMA", "jurisdiction": "International", "source": "https://arxiv.org/pdf/2411.05622" } ], "assurance": "An agency needs a citizen to be able to express standing, conditional rules in advance that it can evaluate when an agent later requests access, granting or refusing without the citizen present.", "access": "Policy-based delegation shifts the burden to the setup phase, where citizens who cannot reason through conditional rules risk setting policies that grant too much or block the access they intended, often without realizing it. Keep the path open with government-provided policy templates for common delegation scenarios ('I'm authorizing a tax professional' becomes a pre-built policy set), expressed in plain language rather than raw permission grants, with the option to customize for advanced users.", "surface": { "summary": "A policy-management console where a citizen sets conditional sharing rules in advance that the authorization server evaluates when an agent later requests access.", "instances": [ { "domain": "interaction", "kind": "mockup", "annotation": "Conditional rules such as access only during business hours and only for tax preparation are offered through a guided template picker the citizen can edit, rather than left as raw policy to author." } ] }, "whereThingsGoWrong": "Without server-side policy limits, an agent can expand its reach into unrelated records during an automated run. Pre-set, conditional policies evaluated server-side mean it only ever gets the narrow access the citizen defined.", "challenge": "A citizen often will not be present when their agent needs to act: a tax agent files months\nafter being authorized, an assistant checks a payment status overnight. The agency needs a\nway for the citizen to set, in advance, what an agent may do and under what conditions, so\naccess can be granted or refused later without the citizen in the loop.\n\nThe challenge is to let a citizen express those standing rules in terms they understand, not\nraw permission grants.\n", "precedentsNote": "**UMA 2.0 (User-Managed Access).** An OAuth-based protocol that separates the resource owner\nfrom the requesting party. It allows a user to delegate access to software that *someone\nelse* is using; the resource owner sets sharing policies through a central console (the\nauthorization server); access decisions can be made asynchronously (the resource owner need\nnot be present when access is requested); it supports multi-user sharing where one user's\npolicies affect another's access; and policies can express conditions (\"User B can access my\ntax records only during business hours and only for the purpose of tax preparation\").\n", "transferability": "UMA's model of asynchronous, policy-based access delegation is highly relevant for AI\nagents. The citizen sets policies in advance (\"my tax agent can view my returns but not\namend them; my AI assistant can check my Centrelink payment status but not change my bank\ndetails\"). The agent requests access, the authorization server evaluates the request against\nthe citizen's policies, and grants or denies access without the citizen needing to be\npresent.\n\nLimitations: UMA has seen limited adoption compared to standard OAuth, partly due to its\ncomplexity. Government services would need to invest in the policy management UX, helping\ncitizens set meaningful policies without overwhelming them.\n" }, { "id": "2.10", "title": "Healthcare delegation models", "territory": 2, "slug": "healthcare-delegation-models", "maturity": "emerging", "maturityLevels": [ { "level": "emerging", "note": "For capping a delegate with explicit excluded actions and fallbacks, as electronic advance directives do." }, { "level": "frontier", "note": "Applied to an agent authorized to take high-stakes, irreversible actions." } ], "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "CaringInfo — Digital and Video Advance Directives", "jurisdiction": "US", "source": "https://www.caringinfo.org/planning/advance-directives/digital-video-advance-directives/" }, { "name": "CRISP Health — Advance Directives (Maryland HIE)", "jurisdiction": "US", "source": "https://www.crisphealth.org/advance-directives/" } ], "assurance": "When a delegate can take irreversible, high-stakes actions, an agency needs confidence that the delegate cannot exceed the explicit limits the citizen set, including actions placed wholly out of reach.", "access": "Citizens who are ill, aging, or cognitively impaired are the ones most likely to need an agent for high-stakes decisions, yet least able to set up complex delegation alone, and a hard-to-use flow may leave them unprotected or unable to authorize help at all. Keep the path open with simplified language, video recording as an alternative to written text, and a trusted person able to assist with setting the delegation and its excluded actions.", "surface": { "summary": "An advance-directive style flow that records a primary and secondary agent with explicit excluded actions and stores the credential where clinical or institutional workflows can read it.", "instances": [ { "domain": "interaction", "kind": "mockup", "annotation": "Decisions the citizen placed off-limits become hard-disabled actions, shown and enforced wherever the delegation credential is read, so the delegate cannot take them at any point." } ] }, "whereThingsGoWrong": "The failure to prevent is an automated agent overstepping into irreversible decisions the citizen never authorized. Explicit excluded-action lists and hierarchical fallbacks cap what any delegate can do at exactly those points.", "challenge": "As citizens delegate to agents for consequential government decisions, an agency must let a\ncitizen grant high-stakes, irreversible authority while keeping hard limits on what the\ndelegate can do and a fallback when it should not act.\n\nThe difficulty is enforcing those limits and fallbacks reliably at the most extreme end of\nthe delegation risk spectrum. Healthcare proxies and advance directives, built for exactly\nthat end, are the closest precedent.\n", "precedentsNote": "**Electronic advance directives and healthcare proxies (US).** Several US states now\nrecognize electronic advance directives. A healthcare proxy names a specific individual as\nagent with authority to make healthcare decisions; video advance directives supplement or\nreplace paper documents in some jurisdictions; digital advance directives are stored in\nHealth Information Exchanges (HIEs) and accessible from clinical workflows; and the CRISP HIE\n(Maryland) has built infrastructure to consume and display Advance Care Plan documents within\nexisting electronic health record systems.\n", "transferability": "Healthcare delegation patterns are relevant to agent delegation for high-stakes government\ndecisions (benefits applications affecting housing, income, medical treatment access).\nTransferable elements: hierarchical delegation with fallbacks (primary agent, secondary\nagent, with explicit instructions for when delegation should be activated and when overridden);\nscope limitations (even within the delegation, certain decisions may be excluded, as in \"the\nagent may not consent to...\"); and integration with existing institutional workflows (the\ndelegation credential must be consumable by the systems that need to act on it, not held only\nby the delegate).\n\nGap: healthcare proxies are activated by incapacity, a trigger condition. Agent delegation in\ngovernment services is activated by choice (\"I want my agent to handle this\"), not by inability.\nThe trigger model is different, but the safeguard model (scope limitations, excluded actions,\noverride mechanisms) transfers directly.\n" }, { "id": "2.11", "title": "Managed agent identity", "territory": 2, "slug": "agent-identity-protocol-and-emerging-frameworks", "maturity": "frontier", "maturityNote": "Frontier for an identity layer that lets an agency prove an agent's chain of authority and halt it; no identity protocol designed for natural persons supplies this, and the response is undesigned.", "status": "reviewed", "threads": [], "dependsOn": [ "2.6" ], "precedents": [ { "name": "Agent Identity Protocol (AIP) — arXiv 2603.24775", "jurisdiction": "International", "year": 2026, "source": "https://arxiv.org/abs/2603.24775" }, { "name": "AIP — IETF individual Internet-Draft (draft-prakash-aip, not a WG-adopted standard)", "jurisdiction": "IETF", "source": "https://www.ietf.org/archive/id/draft-prakash-aip-00.html" }, { "name": "AI Identity: Standards, Gaps, and... — arXiv 2604.23280", "jurisdiction": "International", "year": 2026, "source": "https://arxiv.org/pdf/2604.23280" }, { "name": "Verifiable Credentials for AI Agents — arXiv 2511.02841", "jurisdiction": "International", "source": "https://arxiv.org/html/2511.02841v1" }, { "name": "Binding Agent ID — arXiv 2512.17538", "jurisdiction": "International", "source": "https://arxiv.org/pdf/2512.17538" }, { "name": "Zylos Research — Agent Interoperability Protocols (MCP, A2A, ACP) 2026", "jurisdiction": "International", "year": 2026, "source": "https://zylos.ai/research/2026-03-26-agent-interoperability-protocols-mcp-a2a-acp-convergence/" } ], "assurance": "A relying agency needs to prove an agent's chain of authority from the citizen who granted it, and to be able to halt that agent, without depending on an identity protocol built for natural persons.", "access": "Cryptographic identity and token-based systems are inherently invisible to users. The accessibility challenge sits in the management interface rather than the protocol: citizens must be able to understand, in plain language, what their agent is authorized to do, what it has done, and how to stop it, all without understanding tokens, Datalog, or delegation chains.", "surface": { "summary": "A plain-language agent-management interface layered over a cryptographic identity protocol, showing what the agent may do, what it has done, and a stop control.", "instances": [ { "domain": "interaction", "kind": "mockup", "annotation": "The underlying provenance, attenuation, revocation, and audit are surfaced as a single panel answering what this agent can do, what it has done, and how to stop it." } ] }, "whereThingsGoWrong": "Without a native identity layer, automated action can be unattributable at scale and a misbehaving agent hard to halt. An agent identity layer with verifiable provenance and propagating revocation lets any relying agency prove an action's chain of authority and stop the agent.", "challenge": "When a citizen delegates to an AI agent that then deals with a government service, the agency\nneeds to know what that agent is, who authorized it, and what it may do, and to verify that\nwithout contacting the citizen. No identity protocol built for natural persons answers this:\nOAuth, GNAP, and UMA all assume a human is operating the client.\n\nThe challenge is an identity layer for agents as delegates, with verifiable provenance and\nrevocation a relying agency can act on.\n", "precedentsNote": "**Agent Identity Protocol (AIP).** Proposes Invocation-Bound Capability Tokens (IBCTs)\ncombining public-key verifiable delegation (the delegation chain is cryptographically\nsigned), holder-side attenuation (each intermediary can only narrow permissions, never\nexpand), chained policy via Datalog (machine-evaluable rules governing what the agent may\ndo), provenance-oriented completion records (an audit trail of what the agent actually did),\nand transport bindings for MCP, A2A, and HTTP.\n\n**AI Agent Identity research (arXiv 2604.23280, April 2026).** A survey paper titled \"AI\nIdentity: Standards, Gaps, and...\" mapping the current landscape of agent identity standards\nand identifying gaps.\n\n**Verifiable Credentials for AI Agents (arXiv 2511.02841).** Proposes equipping AI agents\nwith Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs), addressing \"limited\nsupport for delegation of authority, insufficient contextualisation of trust decisions, and\nreliance on static trust models that fail to adapt dynamically.\"\n\n**Binding Agent ID (arXiv 2512.17538).** Proposes binding agent identity for \"accountability\nand credibility.\"\n\n**Agent Interoperability Protocols (MCP, A2A, ACP).** As of early 2026, the landscape\nincludes MCP (Anthropic, tool integration), A2A (Google/Linux Foundation, agent-to-agent\ncommunication), and ACP (emerging). None natively solves agent identity or delegation, but\nall provide transport layers that agent identity protocols must bind to.\n", "transferability": "These frameworks are at the research and early-specification stage. For government services,\nthe question that matters is less which protocol to adopt than what properties the delegation\ninfrastructure must have: verifiable provenance (any relying party can verify the delegation\nchain from citizen to agent without contacting the citizen); attenuation (delegation can be\nnarrowed at each hop but never widened); revocability (revocation must propagate in\nnear-real-time); audit (a complete, tamper-evident record of actions taken under the\ndelegation); and interoperability (works across multiple government services, not locked to a\nsingle system).\n\nGovernment services should track these standards but avoid premature commitment. The prudent\napproach: define the requirements (the five properties above), participate in standards\ndevelopment, and build to an abstraction layer that can adopt whichever protocol matures\nfirst.\n" }, { "id": "3.1", "title": "Draft-review-before-commit checkpoint", "territory": 3, "slug": "draft-review-before-submit-checkpoint", "maturity": "established", "maturityLevels": [ { "level": "established", "note": "Human-in-the-loop review screens are a settled pattern across government and commercial services." }, { "level": "emerging", "note": "Agent-specific review that carries data provenance for each answer is still taking shape." } ], "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "GOV.UK check your answers", "jurisdiction": "UK", "source": "https://design-system.service.gov.uk/patterns/check-answers/" }, { "name": "Scottish Government Design System — Check answers", "jurisdiction": "UK", "source": "https://designsystem.gov.scot/patterns/check-answers" }, { "name": "Intuit Content Design — Review before [action]", "source": "https://contentdesign.intuit.com/ai/ux-patterns/" }, { "name": "myTax Australia pre-lodgement review", "jurisdiction": "AU", "source": "https://www.ato.gov.au/individuals-and-families/your-tax-return/how-to-lodge-your-tax-return/lodge-your-tax-return-online-with-mytax" }, { "name": "NHS Design System — Check answers", "jurisdiction": "UK", "source": "https://service-manual.nhs.uk/design-system/patterns/check-answers" } ], "assurance": "A mandatory human-legible review screen before any consequential action (submitting a form, authorizing a payment, sharing data, or accepting a decision) gives the citizen a verification point. It surfaces what the agent will do, what data it used, and what it chose to include, before the action becomes binding.", "access": "Layered disclosure: a citizen summary by default, expandable detail, and the full draft on request. Plain-language labeling of each item, with a clearly signposted change affordance beside every answer so review never assumes legal or formatting literacy.", "surface": { "summary": "A check-your-answers screen rendered before confirmation, where each agent-supplied answer carries its data provenance and a change link.", "instances": [ { "domain": "interaction", "kind": "interactive", "component": "DraftReview", "annotation": "The policy rule 'no consequential agent action is binding without a human checkpoint' becomes a summary-list review screen that names each item's data source and offers a change link before the action is committed." } ] }, "whereThingsGoWrong": "The failure mode is consequential notices issued with no review checkpoint, so miscalculations reach citizens unseen. A mandatory draft-review before any notice creates a human verification point that surfaces errors before they are sent.", "worstCase": "Robodebt raised and issued debts through an automated process with no review checkpoint, so hundreds of thousands of incorrect notices reached citizens before a single one was examined by a human. A mandatory draft-review before any notice went out would have caught those errors while they were still drafts.", "challenge": "When an agent acts on behalf of a citizen, the citizen must have the opportunity\nto review what the agent will do (submit a form, authorize a payment, share data,\nor accept a decision) before it becomes a binding action. Without this\ncheckpoint, errors propagate into official records with no moment of human\nverification.\n", "precedentsNote": "**GOV.UK \"Check your answers\" pattern.** The GOV.UK Design System mandates a\ncheck-your-answers page immediately before the confirmation screen for all\ntransactional services, using a summary-list component for each group of answers\nwith change links beside each item. It is mandatory for services meeting the UK\nGovernment Service Standard. See [GOV.UK Design System — Check answers](https://design-system.service.gov.uk/patterns/check-answers/)\nand [Scottish Government Design System — Check answers](https://designsystem.gov.scot/patterns/check-answers).\n\n**Intuit \"Review before [action]\" AI pattern.** Intuit's Content Design system\ndocuments an AI UX pattern — a contextual reminder near AI-generated content, e.g.\n\"I drafted your email using your past campaigns and brand settings. Review before\nsending.\" It explicitly names the data sources the AI used, giving the user grounds\nfor assessment. See [Intuit Content Design — UX Patterns](https://contentdesign.intuit.com/ai/ux-patterns/).\n\n**myTax Australia pre-lodgement review.** The ATO's myTax pre-fills information from\nemployers, banks, health funds, and share registries, then presents a review screen\nbefore lodgement so the citizen can see and amend what was pulled automatically. See\n[ATO — Lodge your tax return online with myTax](https://www.ato.gov.au/individuals-and-families/your-tax-return/how-to-lodge-your-tax-return/lodge-your-tax-return-online-with-mytax).\n\n**NHS \"Check answers\" pattern.** The NHS digital service manual implements the same\ncheck-answers pattern adapted for health contexts. See\n[NHS Design System — Check answers](https://service-manual.nhs.uk/design-system/patterns/check-answers).\n", "transferability": "Directly transferable but requires adaptation. When a human fills a form, the\ncheck-your-answers page reflects what they entered. When an agent fills a form, the review\npage must additionally surface: (a) what data the agent used, (b) what inferences or\ncalculations it made, and (c) what it chose not to include.\n\nThe Intuit pattern is the closest existing model for this agent-specific variant because it\nnames the data sources; the GOV.UK pattern supplies the structural template. The combination\nof GOV.UK's layout with Intuit's provenance labeling is the starting point.\n" }, { "id": "3.2", "title": "Confirmation receipt with action record", "territory": 3, "slug": "confirmation-receipt-with-action-record", "maturity": "established", "maturityLevels": [ { "level": "established", "note": "The confirmation receipt is a settled pattern across government and commercial services." }, { "level": "emerging", "note": "Agent-attribution on receipts — recording which agent acted, under what delegation — is still taking shape." }, { "level": "frontier", "note": "Cryptographic receipt integrity for government agent actions remains undesigned." } ], "status": "reviewed", "threads": [ "financial-services" ], "dependsOn": [], "precedents": [ { "name": "GOV.UK confirmation pages", "jurisdiction": "UK", "source": "https://design-system.service.gov.uk/patterns/confirmation-pages/" }, { "name": "ONS Design System — Confirmation page", "jurisdiction": "UK", "source": "https://service-manual.ons.gov.uk/design-system/patterns/confirmation-page" }, { "name": "ATO lodgement receipt (Online Services for Business)", "jurisdiction": "AU", "source": "https://www.ato.gov.au/online-services/businesses-and-organisations-online-services/lodgments-in-online-services-for-business" }, { "name": "PSD2 transaction information (Signifyd)", "jurisdiction": "EU", "source": "https://www.signifyd.com/what-is-psd2/" }, { "name": "PSD2 Explained (Chargebee)", "jurisdiction": "EU", "source": "https://www.chargebee.com/resources/glossaries/what-is-psd2-explained/" }, { "name": "Blockchain transaction receipts (FasterCapital)", "source": "https://fastercapital.com/content/Blockchain-transparency--The-Future-of-Auditing--Leveraging-Blockchain-Transparency.html" } ], "assurance": "A durable, human-readable receipt records what was filed, when, by whom (or by what agent), under what delegation, and on what data. It serves as proof of lodgement and the anchor point for any later dispute.", "access": "Layered disclosure: a citizen-summary receipt by default, expandable detail, and the full action record on request. Plain-language statement of what was filed, with the receipt downloadable and dispute affordances pre-populated from the action record so citizens need not re-narrate history.", "surface": { "summary": "A confirmation screen that issues a saveable receipt naming the agent, the delegation authority, the data sources, and a unique reference.", "instances": [ { "domain": "interaction", "kind": "mockup", "annotation": "The policy rule 'every agent action produces a durable attributable record' becomes a confirmation page with agent attribution, delegation reference, data-source list, and a downloadable receipt ID." } ] }, "whereThingsGoWrong": "Where this goes wrong is a citizen receiving a determination with no transparent record of how it was calculated, leaving errors undetectable. A receipt showing the data used and the calculation method makes those errors immediately identifiable.", "worstCase": "Recipients of a Robodebt notice were given a debt figure but no record of the data or method behind it, leaving an incorrect demand impossible to check or contest. A receipt that lays out the underlying data and calculation makes such an error visible the moment it is raised.", "challenge": "As agents file actions on a citizen's behalf at growing scale, each one settles into\nan official record the moment it is submitted. The citizen needs a durable,\nhuman-readable account of what was filed, when, by whom (or by what), and on what\nbasis, so that proof of lodgement and the anchor for any later dispute survive the\ntransaction.\n", "precedentsNote": "**GOV.UK confirmation page pattern.** Confirmation pages must include a reference\nnumber (if applicable), what happens next and when, service contact details, links to\nrelated services, a feedback link, and a way to save a record (e.g. as a PDF). See\n[GOV.UK Design System — Confirmation pages](https://design-system.service.gov.uk/patterns/confirmation-pages/)\nand [ONS Design System — Confirmation page](https://service-manual.ons.gov.uk/design-system/patterns/confirmation-page).\n\n**ATO lodgement receipt.** On lodging through myTax, the ATO issues a lodgement receipt\nby email with a unique receipt ID; business lodgement confirmation screens can be printed\nor saved as PDF. See [ATO — Lodgments in Online Services for Business](https://www.ato.gov.au/online-services/businesses-and-organisations-online-services/lodgments-in-online-services-for-business).\n\n**Financial transaction receipts.** PSD2 mandates detailed transaction information to\nconsumers, making legitimate charges easier to identify, and Strong Customer\nAuthentication creates an evidence trail that serves both as receipt and dispute defense.\nSee [Signifyd — What is PSD2](https://www.signifyd.com/what-is-psd2/) and\n[Chargebee — PSD2 Explained](https://www.chargebee.com/resources/glossaries/what-is-psd2-explained/).\n\n**Blockchain transaction receipts.** Smart contracts create periodic cryptographic\nreceipts including a hash of the transaction data, providing tamper-evident proof; the\nimmutability guarantee is the strongest form of receipt integrity. See\n[FasterCapital — Blockchain Transparency](https://fastercapital.com/content/Blockchain-transparency--The-Future-of-Auditing--Leveraging-Blockchain-Transparency.html).\n", "transferability": "The GOV.UK and ATO patterns transfer directly as structural templates. For agent-mediated\nactions, the receipt must additionally record: (a) that an agent acted (not the citizen\ndirectly), (b) the identity or class of the agent, (c) the delegation authority under which\nit acted, and (d) the data sources it relied upon.\n\nBlockchain-style cryptographic hashing of receipts is worth considering for high-stakes\nfilings where receipt integrity may later be disputed: the citizen and the government each\nhold a hash that proves the receipt has not been altered.\n" }, { "id": "3.3", "title": "Structured audit trail with role-based views", "territory": 3, "slug": "structured-audit-trail-with-role-based-views", "maturity": "established", "maturityLevels": [ { "level": "established", "note": "Logging requirements are well-defined across regulated domains such as HIPAA and electronic court filing." }, { "level": "emerging", "note": "Tagging entries as automated versus human decisions is beginning to appear." }, { "level": "frontier", "note": "Citizen-legible audit views and role-based audit presentation remain undesigned." } ], "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "HIPAA audit log requirements (Keragon)", "jurisdiction": "US", "source": "https://www.keragon.com/hipaa/hipaa-explained/hipaa-audit-log-requirements" }, { "name": "HIPAA audit logs (Kiteworks)", "jurisdiction": "US", "source": "https://www.kiteworks.com/hipaa-compliance/hipaa-audit-log-requirements/" }, { "name": "Insurance AI audit trails (Kinro AI)", "source": "https://kinro.ai/blog/ai-audit-trails-insurance-compliance-quality-guide" }, { "name": "AI agent audit trails (MightyBot)", "source": "https://www.mightybot.ai/blog/what-are-ai-agent-audit-trails" }, { "name": "PACER — File a Case", "jurisdiction": "US", "source": "https://pacer.uscourts.gov/file-case" }, { "name": "US Courts — Electronic Filing (CM/ECF)", "jurisdiction": "US", "source": "https://www.uscourts.gov/court-records/electronic-filing-cm-ecf" } ], "assurance": "A structured, complete log of agent actions is captured once at source, then projected into role-appropriate views: a citizen summary, a caseworker decision view, and a full auditor trace. Accountability does not depend on a raw event stream.", "access": "Layered disclosure: a citizen summary by default ('your agent submitted X on Y using Z'), expandable detail, and the full trail on request. Audit views are designed against cognitive overload so legibility, not volume, is the default.", "surface": { "summary": "A single audit record rendered through three views, selectable by role: citizen summary, caseworker decision points, and full regulatory trace.", "instances": [ { "domain": "service", "kind": "mockup", "annotation": "The policy rule 'log everything once, show the right grain per audience' becomes a role switch that re-projects one audit record as citizen summary, caseworker lineage, or full trace." } ] }, "whereThingsGoWrong": "Without adequate logging of the basis for each determination, systemic errors cannot be reviewed or traced. A structured audit trail with a regulatory-trace view enables the systemic review that would otherwise surface an unlawful pattern far too late, if at all.", "worstCase": "Because Robodebt kept no adequate record of how each debt was derived, unlawful income-averaging ran at scale for years before any systemic review could expose it. A structured audit trail would have surfaced that pattern far sooner.", "challenge": "A complete log of all agent actions is necessary for accountability but useless if\npresented as a raw event stream. Different audiences need different views: the citizen\nneeds a legible summary; the case officer needs decision points; the auditor needs the\nfull trace; the ombudsman needs the chain of accountability.\n", "precedentsNote": "**HIPAA audit trail requirements.** Under 45 CFR § 164.312(b), covered entities must\nrecord and examine all activity involving electronic protected health information\n(who accessed data, when, what actions, which records, and whether data was viewed or\nedited/exported/shared), retained for at least six years. See\n[Keragon — HIPAA Audit Log Requirements](https://www.keragon.com/hipaa/hipaa-explained/hipaa-audit-log-requirements)\nand [Kiteworks — HIPAA Audit Logs](https://www.kiteworks.com/hipaa-compliance/hipaa-audit-log-requirements/).\n\n**Insurance claims automation audit trails.** Regulated insurers must log all data fed\ninto the AI for each decision, the AI's recommendation, its confidence score, the most\ninfluential data points, and whether a human was involved. Critically, \"audit trails\ncannot be retrofitted.\" See\n[Kinro AI — AI Audit Trails Insurance](https://kinro.ai/blog/ai-audit-trails-insurance-compliance-quality-guide)\nand [MightyBot — AI Agent Audit Trails](https://www.mightybot.ai/blog/what-are-ai-agent-audit-trails).\n\n**PACER/CM/ECF (US Federal Courts).** The Case Management/Electronic Case Files system\ncreates a complete filing trail for every document (timestamp, filer identity, docket\nentry visible to all parties), with 24/7 filing and automatic timestamping. See\n[PACER — File a Case](https://pacer.uscourts.gov/file-case) and\n[US Courts — Electronic Filing](https://www.uscourts.gov/court-records/electronic-filing-cm-ecf).\n", "transferability": "The HIPAA model provides the most detailed precedent for what to log. The insurance model\nadds the critical distinction between automated and human decisions, essential when an agent\nacts.\n\nThe design challenge is the view layer: raw HIPAA-style logs are for compliance officers, not\ncitizens. An agent accountability system needs at minimum three views: (1) a citizen-facing\nsummary (\"your agent submitted X on Y date using Z data\"), (2) a caseworker view with\ndecision points and data lineage, and (3) a full audit trail for regulatory review. This\nlayered-view approach is a genuine design problem with no established pattern library; the\ncitizen-legible audit view in particular remains unbuilt.\n" }, { "id": "3.4", "title": "Reasons for decision", "territory": 3, "slug": "reasons-for-decision", "maturity": "established", "maturityLevels": [ { "level": "established", "note": "Administrative-law reasons requirements and GDPR automated-decision rights are settled law." }, { "level": "emerging", "note": "AI Act interface-level oversight requirements are still taking shape." }, { "level": "frontier", "note": "Agent-generated explanations that satisfy legal reasons standards remain undesigned." } ], "status": "reviewed", "threads": [], "dependsOn": [ "3.1" ], "precedents": [ { "name": "Administrative Review Tribunal Act 2024 (Federal Register of Legislation)", "jurisdiction": "AU", "year": 2024, "source": "https://www.legislation.gov.au/C2024A00040/latest/text" }, { "name": "Administrative Review Tribunal", "jurisdiction": "AU", "source": "https://www.art.gov.au/" }, { "name": "GDPR Article 22 explained", "jurisdiction": "EU", "source": "https://gdprinfo.eu/gdpr-article-22-explained-automated-decision-making-profiling-and-your-rights" }, { "name": "AI and Article 22 — meaningful human review (DPO Centre)", "jurisdiction": "EU", "source": "https://www.dpocentre.com/blog/ai-and-article-22-the-need-for-meaningful-human-review/" }, { "name": "EU AI Act — Article 14 (Human Oversight)", "jurisdiction": "EU", "source": "https://artificialintelligenceact.eu/article/14/" }, { "name": "EU AI Act human oversight needs (IAPP)", "jurisdiction": "EU", "source": "https://iapp.org/news/a/eu-ai-act-shines-light-on-human-oversight-needs" }, { "name": "Robodebt report calls for ADM review body (iTnews)", "jurisdiction": "AU", "source": "https://www.itnews.com.au/news/robodebt-report-calls-for-automated-decision-making-review-body-597734" }, { "name": "Automated decision-making transparency (Keypoint Law)", "jurisdiction": "AU", "source": "https://www.keypointlaw.com.au/keynotes/automated-decision-making-using-personal-information-increasing-transparency-and-accountability-to-avoid-robodebt-2-0/" } ], "assurance": "When an agent makes or recommends a decision, the affected person can obtain articulable reasons that meet administrative-law and automated-decision standards: surfaced at the review checkpoint before submission, and durable, citable, and contestable afterwards.", "access": "Layered disclosure: a plain-language reason by default, with the fuller statement of reasons expandable and available on request. Reasons must be expressed in terms the citizen can assess rather than as confidence scores or feature lists, and an avenue to human intervention is signposted alongside.", "surface": { "summary": "A reasons panel at the review checkpoint stating why the agent reached its recommendation, in citable plain-language form.", "instances": [ { "domain": "interaction", "kind": "mockup", "annotation": "The legal duty to give 'reasons for decision' becomes a structured reasons panel ('decided X because of Y, having considered Z') shown before submit and retained for any later dispute." } ] }, "whereThingsGoWrong": "The failure is a consequential decision issued without legally adequate reasons, so its flaws stay hidden from scrutiny. Surfacing the reasons makes an unlawful or unjustified basis identifiable early rather than after widespread harm.", "worstCase": "Robodebt issued debts without legally adequate reasons, so the scheme's unlawfulness stayed hidden from the people billed and from outside scrutiny until a Royal Commission examined it. Reasons stated plainly at the point of decision make that basis contestable from the outset.", "challenge": "When an AI agent makes or recommends a decision that affects a citizen, the citizen has a\nright to know why, in terms they can actually assess and contest. Administrative law already\nrequires adequate reasons for a government decision; the harder question is whether reasons\ngenerated by an agent can meet that standard.\n\nThe challenge is to produce reasons that are articulable, surfaced before the decision takes\neffect, and durable enough to stand up in a later dispute.\n", "precedentsNote": "**Australian administrative law — duty to give reasons.** Under the AAT Act 1975 (now\nsuperseded by the Administrative Review Tribunal Act 2024), decision-makers must provide\nwritten reasons; parties may request a formal statement within 28 days, and inadequate\nreasons constitute an error of law and grounds for appeal. See\n[Federal Register of Legislation — Administrative Review Tribunal Act 2024](https://www.legislation.gov.au/C2024A00040/latest/text)\nand the [Administrative Review Tribunal](https://www.art.gov.au/).\n\n**GDPR Article 22 — right to explanation of automated decisions.** Data subjects have the\nright not to be subject to solely automated decisions with legal or similarly significant\neffects, with rights to human intervention, to express a view, and to contest the decision;\nArticles 13-15 require \"meaningful information about the logic involved.\" A rubber-stamp\nreview does not satisfy the requirement. See\n[GDPR Info — Article 22 Explained](https://gdprinfo.eu/gdpr-article-22-explained-automated-decision-making-profiling-and-your-rights)\nand [DPO Centre — AI and Article 22](https://www.dpocentre.com/blog/ai-and-article-22-the-need-for-meaningful-human-review/).\n\n**EU AI Act Article 14 — human oversight of high-risk AI.** High-risk systems must be\ndesigned with interface tools enabling effective oversight; for biometric identification,\nno action may be taken unless verified by at least two qualified persons. This is a design\nrequirement, not merely organizational policy. See\n[EU AI Act — Article 14](https://artificialintelligenceact.eu/article/14/) and\n[IAPP — EU AI Act Human Oversight](https://iapp.org/news/a/eu-ai-act-shines-light-on-human-oversight-needs).\n\n**Robodebt Royal Commission recommendation on transparency.** The Commission recommended\npeople be told when subject to automated decision-making and how to challenge outcomes,\nthat business rules and algorithms be available for independent scrutiny, and that a body\nhave power to monitor and audit automated decision-making for fairness, bias, and usability.\nSee [iTnews — Robodebt report](https://www.itnews.com.au/news/robodebt-report-calls-for-automated-decision-making-review-body-597734)\nand [Keypoint Law — ADM transparency](https://www.keypointlaw.com.au/keynotes/automated-decision-making-using-personal-information-increasing-transparency-and-accountability-to-avoid-robodebt-2-0/).\n", "transferability": "The administrative-law \"reasons for decision\" requirement translates directly: if an agent\nrecommends or makes a decision, the reasons must be articulable and surfaced. GDPR and the AI\nAct add that the interface itself must enable meaningful oversight: not just provide reasons\nafter the fact, but allow intervention before the decision takes effect.\n\nFor an agent pattern library this means: (a) the agent must explain its reasoning in terms\nthe citizen can assess, (b) the explanation must be available at the review checkpoint before\nsubmission, and (c) post-decision, the reasons must be durable and citable in any dispute.\nWhether an agent can generate an explanation that satisfies an administrative tribunal is\ngenuinely untested.\n" }, { "id": "3.5", "title": "Recourse and dispute affordances", "territory": 3, "slug": "recourse-and-dispute-affordances", "maturity": "established", "maturityLevels": [ { "level": "established", "note": "Chargeback and ombudsman models are well-established recourse mechanisms." }, { "level": "emerging", "note": "GDPR contest affordances for automated decisions are beginning to appear." }, { "level": "frontier", "note": "Agent-action-anchored dispute flows in government services remain undesigned." } ], "status": "reviewed", "threads": [ "financial-services" ], "dependsOn": [ "3.2", "3.3" ], "precedents": [ { "name": "Chargeback (Wikipedia)", "source": "https://en.wikipedia.org/wiki/Chargeback" }, { "name": "Fair Credit Billing Act (Wikipedia)", "jurisdiction": "US", "source": "https://en.wikipedia.org/wiki/Fair_Credit_Billing_Act" }, { "name": "Office of the Ombudsman Malta — Accountability", "jurisdiction": "MT", "source": "https://ombudsman.org.mt/news-and-events/accountability-the-second-principle/" }, { "name": "Transparency International — Complaint Mechanisms Guide", "source": "https://knowledgehub.transparency.org/assets/uploads/kproducts/ti_document_-_guide_complaint_mechanisms_final.pdf" }, { "name": "Automated Decision Making (GDPR Local)", "jurisdiction": "EU", "source": "https://gdprlocal.com/automated-decision-making-gdpr/" } ], "assurance": "Every action record carries a clear path from the specific action to a dispute mechanism, with the complaint pre-populated from the action record and time-bound response obligations on the service provider.", "access": "Dispute affordances are pre-populated from the action record so citizens need not re-narrate history. A plain-language 'dispute this action' route anchored to the receipt, with assisted channels for those who cannot self-serve, keeps recourse genuinely accessible.", "surface": { "summary": "A 'dispute this action' affordance on each receipt that opens a complaint pre-filled with the action record and a service-side response clock.", "instances": [ { "domain": "service", "kind": "mockup", "annotation": "The chargeback model's 'anchor the dispute to a specific transaction and shift the burden to investigate' becomes a dispute button on the receipt that pre-fills the complaint from the action record." } ] }, "whereThingsGoWrong": "Where this goes wrong is recourse that is effectively inaccessible, trapping citizens in engaged phone lines while errors stand. Anchoring disputes to specific action records with time-bound response obligations forces earlier correction.", "worstCase": "Robodebt left recourse inaccessible in practice: overwhelmed phone lines and months-long reviews meant the right to contest was effectively denied while wrongful debts were pursued. Genuine recourse anchors to the action record and responds within set time limits.", "challenge": "When something goes wrong (the agent filed incorrectly, used wrong data, or the citizen\ndisagrees with an outcome), there must be a clear, accessible path from the specific action\nto a dispute mechanism. The dispute must be anchored to the specific action record, not\nrequire the citizen to re-narrate the entire history.\n", "precedentsNote": "**Financial services chargeback flow.** Under Regulation Z (US) and PSD2 (EU), card holders\nhave reversal rights; the issuer must acknowledge a dispute within 30 days, investigate, and\nwithin 90 days correct or explain. Pre-dispute resolution services resolve issues before\nthey escalate to formal chargebacks. See\n[Wikipedia — Chargeback](https://en.wikipedia.org/wiki/Chargeback) and\n[Wikipedia — Fair Credit Billing Act](https://en.wikipedia.org/wiki/Fair_Credit_Billing_Act).\n\n**Ombudsman complaint mechanism.** The ombudsman model requires the public body to \"explain\nwhat it did and why\" when a complaint is lodged; the ombudsman assesses whether the decision\nwas reasonable and lawful and can surface systemic problems, though recommendations are not\nbinding. See [Office of the Ombudsman Malta — Accountability](https://ombudsman.org.mt/news-and-events/accountability-the-second-principle/)\nand [Transparency International — Complaint Mechanisms Guide](https://knowledgehub.transparency.org/assets/uploads/kproducts/ti_document_-_guide_complaint_mechanisms_final.pdf).\n\n**GDPR Article 22 contest rights.** Beyond explanation, Article 22 provides the right to\ncontest an automated decision and to express one's own point of view. This requires concrete\ninterface affordances: a way to initiate a contest, a channel to add information, and a\nmechanism to receive a revised decision. See\n[GDPR Local — Automated Decision Making](https://gdprlocal.com/automated-decision-making-gdpr/).\n", "transferability": "The chargeback model is particularly instructive: the dispute is anchored to a specific\ntransaction with a unique identifier, the burden shifts to the service provider to\ninvestigate, and there are time-bound response obligations.\n\nFor agent-mediated government services, each action receipt should include a \"dispute this\naction\" affordance that pre-populates the complaint with the action record, so the citizen\nneed not re-describe what happened. The ombudsman model adds the requirement that disputes\ncan surface systemic issues, not just individual errors.\n" }, { "id": "3.6", "title": "Liability surfacing at the point of action", "territory": 3, "slug": "liability-surfacing-at-the-point-of-action", "maturity": "established", "maturityLevels": [ { "level": "established", "note": "Professional intermediary liability models are well-settled." }, { "level": "emerging", "note": "AI Act provider/deployer liability allocation is still taking shape." }, { "level": "frontier", "note": "Citizen-facing liability disclosure patterns for AI agent actions remain undesigned." } ], "status": "reviewed", "threads": [ "financial-services" ], "dependsOn": [ "3.1" ], "precedents": [ { "name": "EU AI Act (PwC)", "jurisdiction": "EU", "source": "https://www.pwc.com/us/en/services/consulting/cybersecurity-risk-regulatory/library/tech-regulatory-policy-developments/eu-ai-act.html" }, { "name": "PSD2 and merchants — SCA liability shift (Ravelin)", "jurisdiction": "EU", "source": "https://www.ravelin.com/blog/why-psd2-gives-merchants-the-upper-hand-around-strong-customer-authentication" }, { "name": "ATO — Lodge your tax return", "jurisdiction": "AU", "source": "https://www.ato.gov.au/individuals-and-families/your-tax-return/how-to-lodge-your-tax-return/lodge-your-tax-return-online-with-mytax" } ], "assurance": "At the moment an agent takes a consequential action, the citizen sees a plain-language statement of who bears liability if it goes wrong: a pre-determined, disclosed allocation rather than one litigated after the fact.", "access": "Liability disclosures must be plain-language and not assume legal literacy. The statement appears at the review checkpoint in a citizen summary, with the full allocation expandable, so the citizen understands their exposure before authorizing the action.", "surface": { "summary": "A liability statement at the review checkpoint naming who is responsible if the agent's action contains errors.", "instances": [ { "domain": "interaction", "kind": "mockup", "annotation": "The PSD2 'liability is pre-determined and disclosed before the transaction' rule becomes a plain-language liability line at the checkpoint: 'You are authorizing [agent] to [action]. If this contains errors, [allocation].'" } ] }, "whereThingsGoWrong": "The failure mode is no clear accountability for an incorrect automated decision, often with the onus of proof reversed onto the citizen. A disclosed liability allocation at the point of action makes accountability legible before harm occurs.", "worstCase": "Robodebt reversed the onus of proof onto welfare recipients and named no clear party accountable for an incorrect debt, so the harm fell on the people least able to absorb it. Naming the responsible party at the point of action puts accountability on record before the harm lands.", "challenge": "At the moment an agent takes an action with legal or financial consequences, the citizen\nneeds to understand who bears liability if it goes wrong.\n\nThe exposure could fall on the citizen for having delegated, on the agent provider that built\nand operated the agent, or on the government for accepting an agent-mediated submission, and\nthese claims compete with no settled answer. Leaving the allocation ambiguous at this moment\nis harmful.\n", "precedentsNote": "**EU AI Act provider and deployer obligations.** The AI Act distinguishes the provider of\na system (who designs it) from the deployer (who uses it), each with distinct obligations\non oversight, documentation, and risk management, an allocation designed to be surfaced\nrather than hidden. See [PwC — EU AI Act](https://www.pwc.com/us/en/services/consulting/cybersecurity-risk-regulatory/library/tech-regulatory-policy-developments/eu-ai-act.html).\n\n**PSD2 authentication liability shift.** Under Strong Customer Authentication, liability for\nfraudulent transactions shifts depending on whether authentication was properly performed:\nif the merchant or payment provider fails to apply SCA, they bear the liability. This creates\na clear, pre-determined framework understood before the transaction occurs. See\n[Ravelin — PSD2 and merchants](https://www.ravelin.com/blog/why-psd2-gives-merchants-the-upper-hand-around-strong-customer-authentication).\n\n**Tax agent lodgement responsibility.** When a registered tax agent lodges on behalf of a\nclient, the agent bears professional responsibility for the accuracy of the lodgement\n(subject to the information provided), and ATO systems record whether a return was\nself-lodged or agent-lodged. See\n[ATO — Lodge your tax return](https://www.ato.gov.au/individuals-and-families/your-tax-return/how-to-lodge-your-tax-return/lodge-your-tax-return-online-with-mytax).\n", "transferability": "The tax agent model is the closest analogue: a professional intermediary acting on delegated\nauthority with defined professional responsibilities. For AI agents, the liability framework\ndoes not yet exist in most jurisdictions, but the interaction pattern should surface whatever\nframework applies.\n\nAt minimum, the review checkpoint should include a plain-language statement: \"You are\nauthorizing [agent] to [action]. If this contains errors, [liability allocation statement].\"\nThe PSD2 liability-shift model suggests the framework should be pre-determined and disclosed,\nnot litigated after the fact.\n" }, { "id": "3.7", "title": "Reversibility and undo", "territory": 3, "slug": "reversibility-and-the-undo-problem", "maturity": "established", "maturityLevels": [ { "level": "established", "note": "Compensating transactions in software and amendment processes in government are both well-established." }, { "level": "frontier", "note": "Reversibility signaling for agent-mediated government actions remains undesigned." } ], "status": "reviewed", "threads": [], "dependsOn": [ "3.1" ], "precedents": [ { "name": "Compensating transaction (Wikipedia)", "source": "https://en.wikipedia.org/wiki/Compensating_transaction" }, { "name": "Recovery-oriented computing (Wikipedia)", "source": "https://en.wikipedia.org/wiki/Recovery-oriented_computing" } ], "assurance": "Before an agent acts, the citizen is told whether the action is reversible, amendable, compensable, or irreversible. The classification is surfaced at the authorization checkpoint, with rollback mechanisms wired in where reversal is possible.", "access": "Reversibility signaling assumes understanding of administrative-law categories. The classification must be expressed in plain language at the review checkpoint, with the consequence of each category explained, so the citizen grasps the stakes before authorizing.", "surface": { "summary": "A reversibility badge at the authorization checkpoint classifying the action as reversible, amendable, compensable, or irreversible.", "instances": [ { "domain": "interaction", "kind": "interactive", "component": "ReversibilityPreview", "annotation": "The legal classification of an action's reversibility becomes a plain-language badge ('this can be amended within 28 days' / 'this cannot be undone') shown before the citizen authorizes the agent." } ] }, "whereThingsGoWrong": "Where this goes wrong is a reversal process so protracted and burdensome that even determinations identified as incorrect persist. Pre-signaling notices as 'amendable' with a streamlined correction path reduces that harm.", "worstCase": "Even debts already identified as incorrect were slow and burdensome to unwind under Robodebt, so people repaid money they did not owe while they waited. Flagging a notice as amendable, with a streamlined correction path, limits that damage.", "challenge": "Agent actions differ in how far they can be undone. Some government actions (lodging a tax\nreturn, filing a form) can be amended. Others (paying a fee, submitting a statutory\ndeclaration) cannot be simply reversed. The citizen needs to understand the reversibility of\nan action before the agent takes it, and the system needs rollback mechanisms where reversal\nis possible.\n", "precedentsNote": "**Compensating transaction pattern.** In software engineering, a compensating transaction\nsemantically undoes a completed transaction by executing the logical inverse (a \"debit $100\"\nis undone by \"credit $100\"). This works when the system models actions as events with inverse\noperations. See [Wikipedia — Compensating transaction](https://en.wikipedia.org/wiki/Compensating_transaction).\n\n**Tax return amendment process.** Tax returns can be amended after lodgement within statutory\ntime limits; the ATO allows amended returns that create a new version while preserving the\noriginal filing record. This is not a true \"undo\" but a \"correct and re-submit\": the original\naction remains on the record.\n\n**Recovery-oriented computing.** System-wide undo support covering all aspects, including\nconfiguration and application management; the principle is that systems should be designed to\nsupport recovery from errors, not just prevent them. See\n[Wikipedia — Recovery-oriented computing](https://en.wikipedia.org/wiki/Recovery-oriented_computing).\n", "transferability": "This is the hardest pattern to transfer. Government actions have real-world consequences that\ncannot always be compensated: a benefit payment to the wrong account, a statutory deadline\nmissed by an erroneous filing, a privacy breach from an agent disclosing to the wrong service.\nThe pattern library should categorize agent actions by reversibility:\n\n- **Fully reversible:** draft saved but not submitted; form pre-filled but not lodged.\n- **Amendable:** filed but correctable within a window (tax amendments, change of details).\n- **Compensable:** cannot be undone but can be offset (an overpayment can be refunded).\n- **Irreversible:** cannot be undone (statutory declarations, privacy disclosures, missed deadlines).\n\nThe review checkpoint should clearly signal which category applies before the\ncitizen authorizes the action. There is no established pattern for communicating reversibility\nof AI agent actions to citizens.\n" }, { "id": "3.8", "title": "Systemic-error detection and circuit-breaker for agent actions", "territory": 3, "slug": "systemic-error-detection-and-circuit-breaker", "maturity": "frontier", "maturityLevels": [ { "level": "established", "note": "Its primitives already run in finance, aviation, payments, and comment-system anomaly detection." }, { "level": "emerging", "note": "Bulk-submission safeguards are beginning to appear in administrative-law guidance (e.g. ACUS Recommendation 2021-1)." }, { "level": "frontier", "note": "As a control plane for fleets of citizen-acting government agents — where the trigger metric, threshold-setting, and halt-authority governance are all still undesigned." } ], "status": "reviewed", "threads": [ "financial-services" ], "dependsOn": [ "3.3", "3.5" ], "precedents": [ { "name": "SEC / Investor.gov — Stock Market Circuit Breakers (market-wide 7/13/20%; Limit Up-Limit Down)", "jurisdiction": "US", "year": 2012, "source": "https://www.investor.gov/introduction-investing/investing-basics/glossary/stock-market-circuit-breakers" }, { "name": "FAA NOTAM Statement — nationwide ground stop, 11 January 2023", "jurisdiction": "US", "year": 2023, "source": "https://www.faa.gov/newsroom/faa-notam-statement" }, { "name": "ACUS Recommendation 2021-1 — Managing Mass, Computer-Generated, and Falsely Attributed Comments", "jurisdiction": "US", "year": 2021, "source": "https://www.acus.gov/document/managing-mass-computer-generated-and-falsely-attributed-comments" }, { "name": "NY OAG — Fake Comments report (~18M of 22M FCC comments fake)", "jurisdiction": "US", "year": 2021, "source": "https://ag.ny.gov/press-release/2021/attorney-general-james-issues-report-detailing-millions-fake-comments-revealing" }, { "name": "European Payments Council — SEPA Direct Debit (8-week / 13-month refund; scheme-level reversal)", "jurisdiction": "EU", "year": 2023, "source": "https://www.europeanpaymentscouncil.eu/what-we-do/sepa-direct-debit" }, { "name": "Royal Commission into the Robodebt Scheme — Report (the cost of no circuit breaker)", "jurisdiction": "AU", "year": 2023, "source": "https://robodebt.royalcommission.gov.au/publications/report" }, { "name": "Post Office Horizon IT Inquiry — Volume 1 final report", "jurisdiction": "UK", "year": 2025, "source": "https://www.postofficehorizoninquiry.org.uk/volume-1-post-office-horizon-it-inquirys-final-report" } ], "assurance": "Government needs confidence that a systemic agent fault (a bad model version, prompt, or data mapping mis-filing for thousands) is detected and halted before it reaches population scale, rather than surfacing in a Royal Commission years later. That requires a population-level control plane: aggregate anomaly detection, pre-declared error-rate thresholds, automatic fleet suspension, and bulk rollback. It is the constructive counterpart to the failure documented in the Robodebt case study.", "access": "The remediation path must reach the harmed citizens, not merely halt the system: a Robodebt-scale error requires proactive notification and bulk reversal pre-populated from action records, so redress never depends on each citizen detecting and disputing their own error. The halt itself must not strand citizens mid-transaction without a fallback channel.", "surface": { "summary": "An operations console that turns 'measure the aggregate, not the transaction' into a fleet-level error-rate monitor with pre-declared thresholds and a halt-and-rollback control.", "instances": [ { "domain": "service", "kind": "mockup", "annotation": "The policy setting 'stop systemic error before it scales' becomes a circuit-breaker console: per-agent and per-model error-rate gauges against declared thresholds, an auto-suspend state, and a bulk-remediation action that notifies and reverses for every affected citizen." } ] }, "whereThingsGoWrong": "This is the control that would have stopped Robodebt: a continuously measured aggregate error rate and the authority to halt the scheme would have prevented roughly 470,000 unlawful debts before they reached citizens.", "challenge": "Single-action accountability controls secure the correctness of one agent action at a time.\nNone catches the failure mode where one agent, model update, prompt change, or whole agent\nplatform begins mis-filing across *thousands* of citizens at once.\n\nEach individual action can pass its local review checkpoint while the fleet is systematically\nwrong, because the fault lives in a shared upstream dependency (a model version, a prompt, a\nchanged API mapping, a corrupted reference dataset) rather than in any one transaction. The\nharm is the aggregate, and by the time it surfaces through individual disputes the damage is\npopulation-scale.\n\nWhat is missing is a population-level control plane: continuous anomaly detection on the\naggregate action stream, pre-declared rate-of-error thresholds, automatic suspension of a\nmisbehaving agent or agent class, and a mass-remediation or rollback path, so a systemic\nfault is stopped in minutes.\n", "precedentsNote": "The home-domain precedents are mature ([SEC circuit breakers](https://www.investor.gov/introduction-investing/investing-basics/glossary/stock-market-circuit-breakers),\nthe [FAA ground stop](https://www.faa.gov/newsroom/faa-notam-statement), [SEPA Direct Debit reversal](https://www.europeanpaymentscouncil.eu/what-we-do/sepa-direct-debit),\nand [ACUS 2021-1](https://www.acus.gov/document/managing-mass-computer-generated-and-falsely-attributed-comments) bulk-comment safeguards);\n[Robodebt](https://robodebt.royalcommission.gov.au/publications/report) and\n[Post Office Horizon](https://www.postofficehorizoninquiry.org.uk/volume-1-post-office-horizon-it-inquirys-final-report)\nare the cautionary cases showing the cost of having no such control.\n", "transferability": "Four design primitives transfer cleanly from finance, aviation, payments and rulemaking:\n\n- **Anomaly detection** on the aggregate action stream (per agent, version, model release, service)\n for spikes in rejections, reversals, downstream-error returns, dispute initiation, or distributional\n drift in submitted values.\n- **Rate-of-error thresholds** pre-declared as numeric bands (the SEC's explicit 7/13/20% model) so a\n class of agent action is throttled or paused automatically and contestably, not at discretion.\n- **Automatic suspension (\"kill switch\"),** on the model of an aviation ground stop, to pause a\n misbehaving agent, version or whole fleet within minutes and re-validate the shared dependency\n before resuming.\n- **Mass remediation or rollback,** a SEPA-style scheme-level reversal that identifies every action by\n the implicated agent or version in the affected window, notifies affected citizens, and reverses or\n re-processes in bulk.\n\nThe unresolved part is *what to measure and at what threshold*: \"agent error\" is multi-dimensional and\npartly only knowable downstream, so the trigger metric, the false-positive cost of halting a fleet that\nis actually fine, and the governance of who may pull (and reset) the switch are genuine design problems\nwith no production precedent in civic technology.\n" }, { "id": "4.1", "title": "Confidence and uncertainty surfacing", "territory": 4, "slug": "confidence-uncertainty-surfacing", "maturity": "emerging", "maturityLevels": [ { "level": "established", "note": "Confidence-surfacing responses are well-established in clinical decision support and weather forecasting, and the theory behind appropriate reliance is mature." }, { "level": "emerging", "note": "Not yet standard practice in government digital services." }, { "level": "frontier", "note": "Applying this response to a citizen-facing government determination remains unproven." } ], "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "Lee, J.D. & See, K.A. — Trust in automation: Designing for appropriate reliance", "jurisdiction": "US", "year": 2004, "source": "https://journals.sagepub.com/doi/10.1518/hfes.46.1.50_30392" }, { "name": "Enhancing Clinician Trust in AI Diagnostics: A Dynamic Framework for Confidence Calibration and Transparency (PMC)", "year": 2025, "source": "https://www.ncbi.nlm.nih.gov/pmc/articles/PMC12428550/" }, { "name": "Eleken — Explainable AI UI Design (XAI)", "year": 2026, "source": "https://www.eleken.co/blog-posts/explainable-ai-ui-design-xai" }, { "name": "Agentic Design Patterns — Confidence Visualization UI Patterns", "source": "https://agentic-design.ai/patterns/ui-ux-patterns/confidence-visualization-patterns" } ], "assurance": "Government needs the certainty behind a determination to be legible before anyone relies on it, so a citizen can tell a confident output from a guess and calibrate reliance rather than over-trusting or blanket-rejecting it.", "access": "A citizen who cannot parse a numeric or color signal (a non-sighted user, or anyone unused to percentage or color-band cues) is left with none of the meaning the indicator carries, and over-relies or wrongly rejects the output as a result. The path stays open when every confidence signal also reads in plain language (\"We're fairly sure about this, but a person will double-check\") and a screen reader conveys the same meaning the color does, since a badge without an accessible name fails WCAG.", "surface": { "summary": "An agent output annotated with a confidence band and an action-tied caveat, so the citizen sees both how sure the agent is and what happens next.", "instances": [ { "domain": "interaction", "kind": "interactive", "component": "ConfidenceTriage", "annotation": "The determination's internal certainty score is shown as a green, amber, or red band alongside a next-step sentence reading \"medium confidence: a human officer will review before any decision takes effect\"." } ] }, "whereThingsGoWrong": "The failure mode is an automated estimate issued with false certainty, masking determinations that should never have stood. Surfacing low confidence on such an estimate, tied to mandatory human review, flags exactly those determinations before they go out at scale.", "challenge": "Agents that produce determinations of varying certainty are now widely available, and as\ngovernment services run on them they will issue far more of these determinations than any\ncaseworker did. Presenting them all with uniform authority drives either uncritical\nacceptance (automation bias) or blanket rejection (automation aversion).\n\nWhen the certainty behind an output is invisible, a citizen cannot tell a confident\ndetermination from a guess, so they cannot calibrate how far to rely on it.\n", "precedentsNote": "**Lee & See (2004).** The seminal trust-in-automation framework established that\n\"calibrated trust\" is the correspondence between a user's trust in an automated\nsystem and that system's actual capabilities. Miscalibrated trust produces\npredictable failure modes: over-trust leads to complacency; under-trust leads to\ndisuse. Designers must surface reliability information to enable appropriate\nreliance.\n\n**Healthcare AI confidence calibration.** Clinical decision support systems have\ndeveloped confidence-visualization patterns: color-coded bands (for example, green\nfor high confidence, amber for medium, red for low), uncertainty intervals alongside\npredictions, and \"low certainty\" labels that trigger escalation. Clinicians are\ngenerally receptive to evidence-based AI tools, but override rates stay high when\ncalibration is poor.\n\n**Explainable-AI interface patterns.** Emerging patterns include confidence\nmeters, progress bars distinguishing \"sure bets\" from \"best guesses\", and\nescalation pathways when confidence dips (rephrase, escalate to a human, or view\nsupporting evidence).\n", "transferability": "**High transferability.** Government services regularly produce determinations of\nvarying certainty (eligibility assessments, risk classifications, benefit\ncalculations), so surfacing confidence is directly applicable. The healthcare\nparallel is apt: clinicians and caseworkers both need to know when to rely on a\nsystem versus apply professional judgment. The color-coded band pattern is\nsimple and well understood.\n\n**Key adaptation:** government confidence signals have to be tied to a next step\nthe citizen can act on (\"This assessment has medium confidence; a human officer\nwill review before any decision takes effect\"), not displayed as passive\ninformation the citizen can do nothing with.\n" }, { "id": "4.2", "title": "Trust marks and certification interfaces", "territory": 4, "slug": "trust-marks-certification-ui", "maturity": "emerging", "maturityLevels": [ { "level": "established", "note": "The trust-mark response is established for generic security seals, and certifiable standards exist to back an AI mark." }, { "level": "emerging", "note": "For AI-specific certification, an evidence-linked mark for a government AI service remains largely conceptual, with no widely adopted visual scheme yet rendering one for citizens." } ], "status": "reviewed", "threads": [], "dependsOn": [ "8.1" ], "precedents": [ { "name": "Baymard Institute — Which Site Seal do People Trust the Most?", "source": "https://baymard.com/blog/site-seal-trust" }, { "name": "CXL Research — Which Site Seals Create The Most Trust?", "source": "https://cxl.com/research-study/trust-seals/" }, { "name": "ISO/IEC 42001:2023 — AI Management System", "jurisdiction": "ISO", "year": 2023, "source": "https://www.iso.org/standard/42001" }, { "name": "NIST AI Risk Management Framework", "jurisdiction": "US", "year": 2023, "source": "https://www.nist.gov/itl/ai-risk-management-framework" }, { "name": "DTA pilots new AI assurance framework", "jurisdiction": "AU", "source": "https://www.dta.gov.au/articles/dta-pilots-new-ai-assurance-framework" }, { "name": "digital.gov.au — APS AI Plan 2025: Trust", "jurisdiction": "AU", "year": 2025, "source": "https://www.digital.gov.au/policy/ai/australian-public-service-ai-plan-2025/trust" } ], "assurance": "Government needs the properties it claims for an AI service (human review before effect, tested for bias, no personal records in training data) to be auditable rather than merely asserted, so a citizen can rely on a standards claim without re-establishing trust from scratch at each interaction.", "access": "A mark a sighted user reads as a symbol needs a text alternative stating in plain language what it certifies. Marks must not proliferate to the point of seal blindness, where a user stops reading them, and certification cost must not create a two-tier system where only well-funded agencies can afford the mark, leaving smaller agencies' services to look untrustworthy by comparison.", "surface": { "summary": "A service-page trust mark whose every claim is a tap-through to the algorithmic transparency record, audit report, or bias-testing result that substantiates it.", "instances": [ { "domain": "interaction", "kind": "mockup", "annotation": "The certification claim 'decisions reviewed by a human before effect' is shown as a mark that links directly to the audit evidence behind it, rather than as a free-standing badge." } ] }, "whereThingsGoWrong": "Without certified, auditable evidence of genuine human review, its absence stays invisible, so a determination can imply oversight that never happened. A trust mark backed by auditable evidence turns that absence into a visible certification gap rather than a hidden policy failure.", "challenge": "As more government services run on AI, and the tools to build and certify them\nare now widely available, a citizen has no repeatable, verifiable signal that a\ngiven service meets a defined standard for privacy, security, accuracy, and\nfairness. Without one, each interaction forces an individual trust judgment from\nscratch, a burden that scales with the number of agent-run services and depresses\nadoption of the ones that are in fact well-governed.\n", "precedentsNote": "**E-commerce trust seals (Norton, TRUSTe, BBB).** Baymard Institute's site-seal\nsurveys (2013/2016) found the Norton Secured Seal was the most-trusted of the\nseals tested, with 35.6% of users saying it gave them the best sense of trust. But\nthat trust is perceptual rather than technical: users have little understanding of\nTLS/SSL and respond to brand association rather than a verified security property.\n\n**ISO/IEC 42001:2023.** The international AI management-system standard provides a\ncertifiable framework covering trustworthiness, transparency, explainability, and\naccountability, demonstrated through model cards and explainability records.\n\n**NIST AI Risk Management Framework.** The voluntary framework (Jan 2023)\norganizes trustworthy AI around seven characteristics and four functions; the\n2024 Generative AI Profile extended it to GenAI risks. Conformance can serve as a\ntrust signal though it is not a certification scheme.\n\n**Australian DTA AI Assurance Framework.** The DTA is piloting an AI assurance\nframework and has set a Standard for AI Transparency Statements; the APS AI Plan\n2025 names trust as a pillar.\n", "transferability": "**Medium transferability with significant caveats.** The trust-seal pattern is\nwell-proven for reducing purchase abandonment, but government differs: citizens\noften have no alternative provider, so the seal functions less as a competitive\ndifferentiator and more as an accountability signal. The e-commerce research also\nexposes a core weakness: seals create *perceived* security, not necessarily\n*actual* security.\n\nFor government AI agents, trust marks should certify verifiable properties\n(\"decisions are reviewed by a human before taking effect\"; \"tested for bias\nagainst [protected attributes]\"; \"training data does not include your personal\nrecords\"). Each claim must be auditable, not merely asserted.\n\n**Key adaptation:** government trust marks should link directly to the underlying\nevidence (algorithmic transparency records, audit reports, bias-testing results),\ntransforming them from passive symbols into active transparency instruments.\nThis makes the pattern dependent on a certification regime to certify against.\n" }, { "id": "4.3", "title": "Graduated delegation", "territory": 4, "slug": "graduated-delegation", "maturity": "emerging", "maturityLevels": [ { "level": "established", "note": "The theory behind graduated, non-binary delegation is fully established, and enterprise-grade autonomy frameworks exist." }, { "level": "emerging", "note": "Overall it sits between the two — proven components are being adapted toward citizen-facing use, but no production deployment exists yet." }, { "level": "frontier", "note": "As a citizen-facing response in government services — no government has yet put a production-grade, user-controlled autonomy dial in front of the public for AI agents." } ], "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "CSA — Autonomy Levels for Agentic AI", "year": 2026, "source": "https://cloudsecurityalliance.org/blog/2026/01/28/levels-of-autonomy" }, { "name": "SAE J3016 — Taxonomy and Definitions for Terms Related to Driving Automation Systems", "jurisdiction": "Global", "year": 2021, "source": "https://www.sae.org/standards/content/j3016_202104/" }, { "name": "Parasuraman, Sheridan & Wickens — A model for types and levels of human interaction with automation", "year": 2000, "source": "https://www.scirp.org/reference/referencespapers?referenceid=3179540" }, { "name": "CSA — The Agentic Trust Framework: Zero Trust Governance for AI Agents", "year": 2026, "source": "https://cloudsecurityalliance.org/blog/2026/02/02/the-agentic-trust-framework-zero-trust-governance-for-ai-agents" }, { "name": "Agentic Trust Framework specification (GitHub)", "source": "https://github.com/massivescale-ai/agentic-trust-framework" }, { "name": "Agentic Design Patterns — Progressive Disclosure UI Patterns", "source": "https://agentic-design.ai/patterns/ui-ux-patterns/progressive-disclosure-patterns" }, { "name": "Yocco, V. — Designing For Agentic AI: Practical UX Patterns (Smashing Magazine)", "year": 2026, "source": "https://www.smashingmagazine.com/2026/02/designing-agentic-ai-practical-ux-patterns/" } ], "assurance": "Government needs an agent's autonomy over a citizen's affairs to be bounded and earned rather than granted wholesale: a citizen should be able to start with minimal involvement and expand it on demonstrated use, with the capability boundaries enforced at the platform layer rather than left to each deployment.", "access": "Cautious users, and anyone who distrusts agent automation, lose out if the design pushes them toward more delegation than they want, so the level defaults to the most conservative option rather than requiring them to opt down, and every level carries a 'just do it the normal way' escape hatch routing to existing non-agent channels. Progression must not be gamified, which would pressure those users into more automation than they want by dressing delegation as achievement.", "surface": { "summary": "An autonomy dial with a ladder of delegation levels (informational, guided, supervised, delegated) that exposes one level at a time with a conservative default, a per-level escape hatch, and capability boundaries the citizen cannot be silently moved past.", "instances": [ { "domain": "interaction", "kind": "mockup", "annotation": "The risk tier of a service action (checking a payment date is low, lodging an appeal is high) sets the delegation level offered, and that level defaults to the most conservative option." } ] }, "whereThingsGoWrong": "The failure to prevent is unsupervised, fully automated issuance of high-consequence decisions. Capping public-facing agents at supervised levels with technically enforced boundaries keeps a human in the loop where it matters.", "challenge": "Agents capable of acting across a whole government service, not just answering questions, are\nnow widely available. As they take on more of a service, government has to decide how much\nautonomy to grant one over a citizen's affairs, and how a citizen earns or contracts that\nautonomy.\n\nGranting the full range at once overwhelms cautious users and exposes everyone to\nhigh-consequence actions before trust is established, while granting too little under-serves\nconfident ones.\n", "precedentsNote": "**SAE J3016 automation levels.** The six-level framework (Level 0 to Level 5)\ncreated a shared vocabulary across regulators, manufacturers, insurers, and\nconsumers, and has been explicitly adapted for AI-agent autonomy.\n\n**Parasuraman, Sheridan & Wickens (2000).** Identified four classes of\nautomatable function (information acquisition, analysis, decision selection,\naction implementation) and established that automation is \"not all or nothing\".\nThat is the theoretical basis for granular rather than binary delegation.\n\n**CSA Agentic Trust Framework (2026).** Applies zero-trust principles via a\nfour-level maturity model with human role titles (Intern, Junior, Senior,\nPrincipal), where \"agent autonomy must be earned through demonstrated\ntrustworthiness.\"\n\n**Progressive disclosure UX.** Revealing complexity incrementally, whether\nstep-by-step, conditional, or contextual, has been adapted for AI agents, with\neach step reaffirming trust before the user proceeds. Yocco's \"Autonomy Dial\" lets users\ntrust agents for low-stakes tasks while demanding confirmation for high-stakes\nones.\n", "transferability": "**High transferability; among the most directly applicable patterns here.**\nGovernment services naturally decompose into risk tiers: checking a payment date\nis low-stakes, updating bank details is medium, lodging an appeal is high. A\ngraduated delegation model maps cleanly onto this existing risk architecture.\n\n**Proposed government adaptation:**\n\n| Level | Agent capability | Human involvement | Example |\n|-------|-----------------|-------------------|---------|\n| Level 0: Informational | Answer factual questions from published guidance | None required | \"When is the next payment date?\" |\n| Level 1: Guided | Pre-fill forms, suggest next steps | User reviews and confirms every action | \"You may be eligible for X. Shall I start the application?\" |\n| Level 2: Supervised | Execute multi-step workflows | User approves at defined checkpoints | Change-of-address across linked services, confirming each service |\n| Level 3: Delegated | Act within defined parameters without per-action approval | Exception-based review; audit trail | Adjust payment schedule within legislated parameters |\n| Level 4: Autonomous | Initiate and complete complex transactions | Post-hoc audit; override available | Not recommended for government services at current maturity |\n\n**Critical constraint:** full delegation remains feasible for only a small minority\nof tasks. Most government AI-agent interactions should operate at Levels 0–2.\n" }, { "id": "4.4", "title": "Transparency-by-default disclosure", "territory": 4, "slug": "transparency-by-default-disclosure", "maturity": "established", "maturityLevels": [ { "level": "established", "note": "For algorithmic transparency recording, where the UK ATRS is production-grade and mandatory." }, { "level": "emerging", "note": "For real-time agent transparency." }, { "level": "frontier", "note": "For adaptive, user-preference-driven disclosure." } ], "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "EU AI Act, Article 50 — Transparency obligations", "jurisdiction": "EU", "source": "https://artificialintelligenceact.eu/article/50/" }, { "name": "EU AI Act, Article 13", "jurisdiction": "EU", "source": "https://artificialintelligenceact.eu/article/13/" }, { "name": "GOV.UK — Algorithmic Transparency Recording Standard Hub", "jurisdiction": "UK", "source": "https://www.gov.uk/government/collections/algorithmic-transparency-recording-standard-hub" }, { "name": "OECD.AI — Designing transparency for government AI (UK ATRS)", "source": "https://oecd.ai/en/wonk/uk-algorithmic-transparency-recording-standard" }, { "name": "digital.gov.au — Standard for AI transparency statements", "jurisdiction": "AU", "source": "https://www.digital.gov.au/ai/ai-in-government-policy/standard-ai-transparency-statements" }, { "name": "DTA — AI Adoption: Built on trust, people, and tools", "jurisdiction": "AU", "source": "https://www.dta.gov.au/articles/ai-adoption-built-trust-people-and-tools" }, { "name": "Yocco, V. — Identifying Necessary Transparency Moments In Agentic AI (Part 1)", "year": 2026, "source": "https://www.smashingmagazine.com/2026/04/identifying-necessary-transparency-moments-agentic-ai-part1/" } ], "assurance": "Government needs a citizen to be able to tell, at the time it matters and not after the fact, that they are dealing with AI, what it can and cannot do, what data it uses, how it reaches a determination, and what recourse exists, so they can calibrate trust in what the agent is doing while it does it.", "access": "Make disclosures scannable and skippable without penalty, and never gate service access behind acknowledgment. Provide multiple formats (text, audio, simplified visual), and let users set a transparency level (brief/standard/detailed). Transparency must not become a liability shield: \"we told you it was AI\" cannot diminish the agency's duty of care.", "surface": { "summary": "An interaction that opens by stating it is AI, links to a two-tier transparency record (a public-summary tier and a technical-detail tier), and raises real-time moments (\"I am about to submit this form on your behalf; this cannot be undone\") at the points that matter.", "instances": [ { "domain": "experience", "kind": "mockup", "annotation": "A static algorithmic-transparency record is paired with event-driven 'transparency moments' that surface at decision points and irreversible actions." } ] }, "whereThingsGoWrong": "Where this goes wrong is an invalid determination method kept out of sight from the people it bills. Mandatory upfront and event-driven disclosure of how a determination was reached exposes flawed logic instead of burying it.", "challenge": "Citizens cannot calibrate trust in what they cannot see. When an AI agent acts on a\ngovernment service, users need to know: that they are interacting with AI (not a human), what\nthe agent can and cannot do, what data it accesses, how it reaches decisions, and what\nrecourse exists if something goes wrong.\n\nThis disclosure must be proactive (not buried in terms and conditions) and comprehensible\n(not a technical data sheet).\n", "precedentsNote": "**EU AI Act, Article 50 (effective 2 August 2026).** AI systems interacting\ndirectly with people must disclose the AI nature \"at the start of every\ninteraction,\" and the disclosure must be \"clear and not buried in the interface\ndesign.\" High-risk systems must be sufficiently transparent for deployers to\ninterpret outputs appropriately (Article 13).\n\n**UK Algorithmic Transparency Recording Standard (ATRS).** A two-tier template:\nTier 1 is a plain-language summary for the public, Tier 2 is technical detail for\nspecialists. Mandatory for central government since 2025 with 125+ records\npublished, co-designed with UK citizens, internationally recognized as best\npractice.\n\n**Australian Standard for AI Transparency Statements.** Agencies must publish\ntheir approach to AI adoption in a consistent format; the DTA is planning an\nAgentic Addendum addressing agents that initiate actions.\n\n**Transparency moments framework (2026).** Yocco argues transparency should be\nevent-driven, surfaced at decision points, capability boundaries, and error\nconditions rather than on a static disclosure page, which prevents both\ninformation overload and informed-consent theatre.\n", "transferability": "**High transferability for the mechanism.** Proactive, comprehensible disclosure\nof an agent's nature and reach maps onto any government service, and a direct\ngovernment precedent already exists: the UK's two-tier transparency record (public\nsummary plus technical detail) is immediately adaptable elsewhere. A requirement\nfor upfront AI disclosure at the start of every interaction sets a regulatory\nbaseline that services should meet or exceed.\n\n**Key adaptation for agents specifically:** static transparency records\n(ATRS-style) are necessary but insufficient for agents, which act dynamically.\nAgent transparency requires real-time disclosure: \"I am now accessing your tax\nrecords to check eligibility\" or \"I am about to submit this form on your behalf;\nthis action cannot be undone.\" The \"transparency moments\" framework provides the\ndesign vocabulary for this.\n" }, { "id": "4.5", "title": "Automation level communication", "territory": 4, "slug": "automation-level-communication", "maturity": "established", "maturityLevels": [ { "level": "established", "note": "The labeling response is established in theory and proven in adjacent domains (automotive autonomy levels, open-banking consent)." }, { "level": "emerging", "note": "As a public-facing scheme for government AI services." } ], "status": "reviewed", "threads": [ "financial-services" ], "dependsOn": [], "precedents": [ { "name": "Parasuraman, R. & Riley, V. — Humans and Automation: Use, Misuse, Disuse, Abuse", "year": 1997, "source": "https://journals.sagepub.com/doi/10.1518/001872097778543886" }, { "name": "Open Banking Standards — Authentication Methods", "jurisdiction": "UK", "source": "https://standards.openbanking.org.uk/customer-experience-guidelines/authentication-methods/latest/" }, { "name": "ArXiv — Identity Management for Agentic AI", "source": "https://arxiv.org/pdf/2510.25819" } ], "assurance": "Government needs a citizen to be able to tell how much of a given action a human decides versus a machine, in terms they can grasp without technical literacy, so the same behavior is not read as helpful by one person and as opacity by another, and so it addresses both misuse (over-reliance) and disuse (under-use).", "access": "Use concrete, action-oriented language rather than abstract levels (\"A person will check this before it's final\" rather than \"Level 2 supervised automation\"). Test comprehension with diverse groups including low digital literacy, cognitive disability, and limited English. Provide worked examples of what each level means for the specific service.", "surface": { "summary": "A consent-style screen that labels the interaction with one of three plain automation levels and, before any consequential action, shows what the agent will do and what data it will access.", "instances": [ { "domain": "interaction", "kind": "mockup", "annotation": "The automation degree of this action is shown as one of three concrete labels (AI-assisted, AI-recommended, AI-decided) alongside an open-banking-style pre-action consent panel." } ] }, "whereThingsGoWrong": "The failure mode is an automated decision presented as if a human exercised judgment, hiding the absence of meaningful review. Labeling determinations honestly as 'AI-decided' makes that absence legible to the people affected.", "challenge": "As agents capable of varying degrees of automation are deployed across government\nservices, the degree will differ from one service and action to the next, and the\ntools to build them are now widely available. Without a shared frame for naming\nthat degree, the same agent behavior reads as helpful efficiency to one citizen\nand as threatening opacity to another, and neither can tell how much a human\nactually decides.\n", "precedentsNote": "**Parasuraman & Riley (1997) — Use, Misuse, Disuse, Abuse.** Identified four\nfailure modes of human-automation interaction. Misuse (over-reliance) follows from\ninsufficient transparency about limitations; disuse (under-utilization) follows\nfrom excessive false alarms or unclear capability communication. Both are\naddressable through clear automation-level signaling.\n\n**SAE J3016 as a communication device.** Beyond its technical function, the SAE\nlevels framework succeeded as a *communication* tool: \"Level 2\" or \"Level 4\"\nconveys meaningful information to non-experts. \"Level 1: AI assists, you decide\" is\nmore comprehensible than \"supervised machine-learning-augmented decision support.\"\n\n**Open banking consent screens (PSD2/SCA).** PSD2 established a pattern for\ncommunicating automated actions in financial services: explicit consent screens\nstating what data will be accessed, by whom, and for what purpose, with the right\nto revoke at any time. The three-factor model (knowledge, possession, inherence)\ngives graduated assurance proportional to transaction risk.\n\n**Graduated scope reduction with temporal decay.** In delegated-authority systems,\nauthorization scope can be tied to a risk-tiered expiry — a short window for\nhigh-risk actions, a longer one for low-risk — so delegated authority does not persist\nbeyond its justified window.\n", "transferability": "**High transferability.** Government services suit a simple, public-facing\nautomation-level vocabulary. A three-level scheme is likely sufficient:\n\n- **\"AI-assisted\":** a human makes the decision; the AI helps gather and organize information.\n- **\"AI-recommended\":** the AI proposes a decision; a human reviews and approves it.\n- **\"AI-decided\":** the AI decides within defined rules; a human is available for review on request.\n\nThe open-banking consent pattern transfers well: before any agent action with\nconsequences, show the citizen what the agent will do, what data it will access,\nand offer explicit consent or decline.\n" }, { "id": "4.6", "title": "Human-in-the-loop oversight signaling", "territory": 4, "slug": "human-in-the-loop-oversight-signaling", "maturity": "established", "maturityLevels": [ { "level": "established", "note": "The signaling response is well-grounded in regulatory intent (EU AI Act Article 14; Australian ADM consultation)." }, { "level": "emerging", "note": "In implementation, where the open question is how to signal oversight credibly so the signal reflects real review rather than assurance theater." } ], "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "University of Queensland — How to avoid algorithmic decision-making mistakes: lessons from Robodebt", "jurisdiction": "AU", "source": "https://stories.uq.edu.au/momentum-magazine/robodebt-algorithmic-decision-making-mistakes/index.html" }, { "name": "Oxford Blavatnik School — Australia's Robodebt scheme: A tragic case of public policy failure", "jurisdiction": "AU", "source": "https://www.bsg.ox.ac.uk/blog/australias-robodebt-scheme-tragic-case-public-policy-failure" }, { "name": "Attorney-General's Department — Consultation paper: Use of automated decision-making by government", "jurisdiction": "AU", "source": "https://consultations.ag.gov.au/integrity/adm/user_uploads/consultation-paper-use-of-automated-decision-making-by-government.pdf" }, { "name": "IJRIAS — Agentic AI and Autonomous Decision-Making: A Review of Human-in-the-Loop Frameworks", "year": 2026, "source": "https://rsisinternational.org/journals/ijrias/view/agentic-ai-and-autonomous-decision-making-a-review-of-human-in-the-loop-frameworks-oversight-mechanisms-and-trust-calibration" }, { "name": "Cloud Security Alliance — survey: 82% of enterprises have unknown AI agents", "jurisdiction": "Global", "year": 2026, "source": "https://cloudsecurityalliance.org/press-releases/2026/04/21/new-cloud-security-alliance-survey-reveals-82-of-enterprises-have-unknown-ai-agents-in-their-environments" } ], "assurance": "Government needs a named human to remain answerable for a decision that affects a citizen, and needs that fact to be verifiable rather than assumed, so a citizen can see that the oversight is genuine review and not a rubber stamp.", "access": "Disclose review-quality metrics, not just the fact of review (\"decisions of this type receive an average of X minutes of officer review\"). Make the human override pathway as accessible as the automated one. Provide escalation paths that do not require digital literacy (telephone, in-person service centers).", "surface": { "summary": "An interaction that states, at each stage, which named human role will review the outcome and how to reach a person, with the override pathway no harder than accepting the agent's output.", "instances": [ { "domain": "interaction", "kind": "mockup", "annotation": "Accountable human review is shown as a before, during, and after signaling sequence that names the reviewing role and surfaces review-quality metrics." } ] }, "whereThingsGoWrong": "The harm to guard against flows from removing meaningful human review from automated decisions. Credible human-oversight signaling, with genuine metric-disclosed review and an accessible override, counters that harm directly, provided the signal reflects real oversight rather than theater.", "challenge": "Agents that can make a determination, or feed one to a caseworker, are now widely available,\nand as government runs high-stakes decisions through them the share of decisions touched by\nautomation grows. Whether a human still genuinely oversees each one, and who that human is,\nbecomes hard to tell from the outside.\n\nWhen that oversight is assumed rather than made legible, a rubber stamp looks the same as\nreal review to the citizen it affects.\n", "precedentsNote": "**EU AI Act, Article 14.** Mandates that high-risk AI systems \"be designed with\nhuman-machine interface tools enabling effective oversight.\" The 2 August 2026\ncompliance deadline creates a near-term forcing function.\n\n**Robodebt Royal Commission findings (Australia).** The scheme demonstrated the\ncatastrophic consequences of removing meaningful human oversight: its\nincome-averaging algorithm was legally invalid, but the absence of human review\nmeant illegal debts were issued at scale to vulnerable recipients. The Commission\nfound \"the trouble arises when data and automation are used as a silver bullet\n… without appropriate human oversight and intervention.\"\n\n**Australian consultation on automated decision-making.** Post-Robodebt, the\nAttorney-General's Department consulted on a framework requiring risk assessments\nbefore deployment, stronger safeguards for impactful decisions, a named human\naccountable with power to review and override, and citizen entitlement to timely\nreview of high-risk automated decisions.\n\n**Agentic AI oversight research (2026).** Full delegation without human oversight\nremains feasible for only a minority of tasks, which establishes human-AI\ncollaboration rather than full automation as the appropriate model — yet oversight\ntooling lags behind deployment: a 2026 Cloud Security Alliance survey found 82% of\nenterprises already have unmanaged or unknown AI agents in their environments.\n", "transferability": "**Directly applicable, and treated as a requirement rather than an option where\nautomated decisions have caused documented harm.** Any government AI agent that\nmakes or contributes to decisions affecting citizens has to communicate the nature\nand extent of human oversight. In several jurisdictions this is a legal and\nethical requirement, not merely a UX pattern.\n\n**Proposed signaling pattern:**\n\n- **Before agent action:** \"This recommendation will be reviewed by [role] before any decision takes effect.\"\n- **During agent action:** \"Processing your information now. A [role] will review the outcome.\"\n- **After agent action:** \"Your [application/claim/request] has been reviewed by [named officer/role]. Here is the outcome and how to request further review.\"\n\nThe key principle is that intervention \"should not feel like an emergency\nfeature\": pause, edit, undo, and override should be integrated into primary\nworkflows, not hidden behind escalation procedures.\n" }, { "id": "4.7", "title": "Earned trust and reversible delegation", "territory": 4, "slug": "earned-trust-reversible-delegation", "maturity": "emerging", "maturityLevels": [ { "level": "emerging", "note": "Structured earned-trust frameworks exist, but they are built for enterprise contexts (agents operating within organizations), not citizen-facing services." }, { "level": "frontier", "note": "Adapting them for government-citizen interactions, where the power asymmetry differs from employer-employee or business-customer relationships." } ], "status": "reviewed", "threads": [ "financial-services" ], "dependsOn": [], "precedents": [ { "name": "CSA — Agentic Trust Framework", "year": 2026, "source": "https://cloudsecurityalliance.org/blog/2026/02/02/the-agentic-trust-framework-zero-trust-governance-for-ai-agents" }, { "name": "ArXiv — Identity Management for Agentic AI", "source": "https://arxiv.org/pdf/2510.25819" } ], "assurance": "Government needs delegation to an agent to expand only on demonstrated use and to contract the moment a citizen wants it to, with the agent demoted when it crosses a boundary, revocation at least as easy as granting it, and no service degradation for the citizen who pulls it back.", "access": "A trust history must never be a precondition for service access, and every user starts at the most conservative delegation level regardless of any system-side trust assessment. Users set their own delegation preferences independently of system recommendations. The non-agent pathway has to carry genuine parity rather than a degraded 'fallback' experience, since a slower or thinner exit turns the right to revoke into a penalty for revoking.", "surface": { "summary": "A delegation control where successful use can expand scope and a single action contracts it instantly, with the non-agent channel always available at equal service quality.", "instances": [ { "domain": "interaction", "kind": "mockup", "annotation": "Earned trust and always-revocable consent are shown as an expand-and-contract delegation control with a guaranteed-parity exit." } ] }, "whereThingsGoWrong": "Where this goes wrong is a person caught in an erroneous automated process with no exit. Instant, penalty-free revocability and conservative defaults give that person a way to withdraw the agent and reach a human without losing service.", "challenge": "Agents that can hold standing delegation and act over time are now widely\navailable, and as government lets citizens delegate more to them, the amount of\nauthority a citizen has handed over deepens. That authority has to track the\ncitizen's actual experience: expanding on demonstrated good use, and contracting\nthe instant they have a bad experience or simply change their mind, without\npenalty or loss of service.\n", "precedentsNote": "**CSA Agentic Trust Framework maturity model (2026).** The\nIntern/Junior/Senior/Principal model treats trust as progressive and\nevidence-based: agents earn greater autonomy through demonstrated trustworthiness,\nnot time served, and can be demoted when they violate trust boundaries.\n\n**Open banking consent revocation.** Under PSD2, consumers retain \"full control\nover that consent, including the right to revoke it at any time,\" establishing\nthat delegated authority is always revocable and revocation must be at least as\neasy as granting it.\n\n**OAuth / delegated-authority patterns.** Software delegation models use graduated\nscope reduction with temporal decay; least privilege keeps agents at minimum\nnecessary permissions; the On-Behalf-Of pattern maintains explicit chains of\ndelegated authority rather than opaque impersonation.\n", "transferability": "**High transferability.** Pairing trust that an agent earns through use with\ndelegation a citizen can revoke instantly maps directly to government AI agents,\nand both halves have precedent (earned-trust maturity models in enterprise\ngovernance, instant revocability in open banking). A citizen who has successfully\nused an agent to check payment dates might let it pre-fill a renewal form. If the\npre-fill contains errors, they should be able to narrow the agent's scope at once\nor exit to a non-agent channel entirely.\n\n**Key design requirement:** revoking delegation must never result in service\ndegradation. A citizen who chooses not to use the AI agent must receive the same\nservice quality and timeliness as one who does. Otherwise, graduated delegation\nbecomes graduated coercion.\n" }, { "id": "5.1", "title": "Per-verified-human rate limits", "territory": 5, "slug": "per-verified-human-rate-limits", "maturity": "emerging", "maturityNote": "Emerging", "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "NIH application cap (NOT-OD-25-132)", "jurisdiction": "US (NIH)", "year": 2025, "source": "https://grants.nih.gov/grants/guide/notice-files/NOT-OD-25-132.html", "note": "Limits each PI to six applications per calendar year (effective 25 September 2025); cites evidence of PIs filing more than 40 in a single round.", "tier": "primary" }, { "name": "NIH Grant Support Index (proposed 2017)", "jurisdiction": "US (NIH)", "year": 2017, "source": "https://nexus.od.nih.gov/all/2017/05/02/nih-grant-support-index/", "note": "Proposed May 2017 and withdrawn within weeks, replaced by the Next Generation Researchers Initiative; never implemented.", "tier": "evidence" } ], "assurance": "Government needs submission volume to reflect distinct people rather than agent throughput, so that a count of applications, objections, or requests measures genuine demand and not how many an agent filed on one person's behalf.", "access": "Caps must be calibrated against legitimate need distributions, with exemption pathways for documented circumstances (e.g. multiple concurrent eligibility categories). Caps must never apply to appeals or complaints, where limiting access to redress raises natural justice concerns.", "surface": { "summary": "A submission portal that checks a per-person counter against a verified identity before accepting a new application, showing the citizen how many submissions remain in the current period.", "instances": [ { "domain": "policy", "kind": "mockup", "annotation": "A quota meter bound to the citizen's verified identity, rather than to a device or session, that shows how many submissions remain in the current period, with a visible 'request an exemption' link for documented circumstances." } ] }, "whereThingsGoWrong": "A per-human cap is a volume-control mechanism, not an adjudication shortcut. The failure to avoid is throttling the very redress channel that surfaces wrongful decisions, which is why appeals and complaints must be exempt from the cap.", "challenge": "When AI tools reduce the marginal cost of producing applications, submissions, or\nrequests to near zero, systems designed for human-effort-constrained throughput are\noverwhelmed. Traditional throttling mechanisms (IP-based rate limits, CAPTCHAs) cannot\ndistinguish between a human who files one high-quality application and an agent that\nfiles forty on behalf of the same person.\n", "precedentsNote": "**NIH grant application cap (United States, 2025).** Effective 25 September 2025, the\nNational Institutes of Health limits each Principal Investigator to six new, renewal,\nresubmission, or revision applications per calendar year. The policy was explicitly\nmotivated by AI-generated proposals: NIH observed PIs submitting large numbers of\napplications, some exceeding 40 in a single round. The cap applies across all activity\ncodes except T-series training grants and R13 conference grants, and NIH declared that\napplications \"substantially developed by AI\" would not be considered original. The cap\naffects only ~1.3% of applicants who submitted more than six proposals in 2024, but it\nsignals a structural shift in how institutions manage AI-enabled volume.\n\n**NIH Grant Support Index (proposed 2017).** Before the application cap, NIH proposed a\nGrant Support Index (GSI) that assigned points to grant types (an R01 received seven points)\nwith a ceiling of 21 points, equivalent to three concurrent R01 grants. The rationale was\ndistributional: a small share of researchers held the bulk of NIH funding. NIH withdrew the\nproposal within weeks and replaced it with the Next Generation Researchers Initiative, so the\nGSI never took effect — but its per-investigator ceiling on a finite public resource remains\na useful reference design.\n", "transferability": "The NIH cap is directly transferable to government digital services where per-person\nsubmission volume matters: planning objections, freedom-of-information requests, public\nconsultation responses, grant or subsidy applications. The key design variables are:\n\n- **Identity binding:** Caps require verified identity to prevent circumvention via\n multiple accounts. Government digital identity infrastructure (e.g. Australia's myGovID,\n UK's GOV.UK One Login) provides a foundation.\n- **Threshold calibration:** The NIH cap at six per year affects only 1.3% of applicants,\n preserving access for legitimate heavy users while curtailing outliers. Calibrating\n thresholds requires empirical analysis of pre-AI submission distributions.\n- **Equity considerations:** Caps may disadvantage people who are prolific for legitimate\n reasons. Government equivalents must consider whether caps inadvertently penalize\n vulnerable groups with more frequent legitimate needs (e.g. people with multiple\n disabilities applying across programs).\n" }, { "id": "5.2", "title": "Structured intake that resists volume-padding", "territory": 5, "slug": "structured-intake-resisting-volume-padding", "maturity": "established", "maturityLevels": [ { "level": "established", "note": "As a form design principle." }, { "level": "emerging", "note": "As a deliberate anti-AI-padding strategy." } ], "status": "reviewed", "threads": [ "financial-services" ], "dependsOn": [], "precedents": [ { "name": "ATO Business Activity Statement (GST reporting)", "jurisdiction": "AU", "year": 2025, "source": "https://www.ato.gov.au/businesses-and-organisations/preparing-lodging-and-paying/business-activity-statements-bas/goods-and-services-tax-gst/gst-reporting-methods", "note": "Reports tax via defined numeric labels (G1 total sales, 1A GST on sales, 1B GST on purchases) tied to verifiable records rather than narrative.", "tier": "primary" } ], "assurance": "Government needs to assess an application on verifiable data tied to external sources, not on the volume or fluency of supporting narrative, so that an agent's ability to generate plausible prose does not raise an applicant's apparent merit.", "access": "Every structured intake must include a 'my situation doesn't fit these options' free-text escape hatch, preferably routed to a human rather than rejected, so that over-structuring does not itself become sludge for people whose circumstances do not fit predefined categories.", "surface": { "summary": "An intake form built from constrained fields (drop-downs, date pickers, document-upload requirements) with conditional branching, ending in an explicit escape pathway to human review.", "instances": [ { "domain": "interaction", "kind": "mockup", "annotation": "Constrained field types and external-record links (tax file number, Medicare) carry the assessment instead of free-text narrative, with a mandatory 'this doesn't capture my situation' field that triggers human review." } ] }, "whereThingsGoWrong": "The failure mode is an automated process drawing adverse inferences from data the person could not contest. Anchoring assessment to verified external data and providing a human-review escape hatch prevents that.", "challenge": "Free-text forms are trivially padded by AI agents. An agent can generate lengthy,\nplausible-sounding narratives that meet surface-level quality thresholds without\nreflecting genuine human circumstances. Systems that assess applications partly on volume\nor detail of supporting narrative become vulnerable.\n", "precedentsNote": "**Structured data intake in regulatory submissions.** Financial regulators and planning\nauthorities have long used structured forms with constrained fields (drop-downs, bounded\nnumeric ranges, mandatory document attachments) precisely because they are harder to\nfabricate. The Australian Taxation Office's business activity statement, for instance,\nrequires specific numeric fields tied to verifiable data sources rather than narrative\nexplanations.\n\n**AI-conversational intake (early).** A newer approach replaces static forms with\nAI-guided conversational intake: structured dialogues that adapt questioning based on\nprior answers, probe inconsistencies in real time, and create a structured data record\nrather than a free-text narrative. The distinction matters: this uses AI on the agency\nside to resist AI-generated padding on the applicant side. It is so far demonstrated mainly\nin research settings rather than deployed government intake, so treat it as a direction, not\na proven control.\n", "transferability": "Structured intake is highly transferable but requires careful design:\n\n- **Field constraints** (drop-downs, date pickers, document-upload requirements) create\n verifiable data points that are harder to fabricate than free text.\n- **Conditional logic** (showing questions based on prior answers) makes bulk template\n generation harder because the path through the form varies.\n- **Evidence requirements** tied to external data sources (tax file number, Medicare\n record, employer) shift verification from narrative to data.\n- **Risk:** Over-structuring intake can itself become sludge for people whose\n circumstances do not fit neatly into pre-defined categories. Good design requires an\n escape hatch, a way to flag that structured fields do not capture a person's situation,\n triggering human review.\n" }, { "id": "5.3", "title": "Proof of personhood without challenge tests", "territory": 5, "slug": "proof-of-personhood-alternatives-to-captcha", "maturity": "established", "maturityLevels": [ { "level": "established", "note": "For biometric approaches, though these remain contested." }, { "level": "emerging", "note": "For the cryptographic, privacy-preserving response this pattern proposes — workable today but not yet a settled government practice." } ], "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "W3C — Inaccessibility of CAPTCHA", "jurisdiction": "W3C", "year": 2021, "source": "https://www.w3.org/TR/turingtest/", "note": "W3C Group Draft Note (16 December 2021): the interactive task 'inherently excludes many people with disabilities, resulting in a denial of service.'", "tier": "primary" }, { "name": "World ID / Worldcoin", "jurisdiction": "Global", "year": 2025, "source": "https://world.org/world-id", "note": "Operator's description: iris images via the Orb prove unique humanness; zero-knowledge proofs reveal only a valid World ID, not identity.", "tier": "evidence" }, { "name": "Vitalik Buterin — biometric proof of personhood", "year": 2023, "source": "https://vitalik.eth.limo/general/2023/07/24/biometric.html", "note": "Argues one-person-one-ID erodes online pseudonymity and can be defeated by fakes that fool the Orb or by coerced scans.", "tier": "evidence" }, { "name": "Kenya High Court — Worldcoin biometric data ruling", "jurisdiction": "Kenya", "year": 2025, "source": "https://cipit.strathmore.edu/kenya-high-courts-worldcoin-determination-upholding-consent-accountability-and-data-sovereignty-in-biometric-data-processing/", "note": "5 May 2025: collection of biometric data found unlawful; deletion ordered within seven days.", "tier": "evidence" }, { "name": "Spain AEPD — Worldcoin precautionary measure", "jurisdiction": "Spain", "year": 2024, "source": "https://www.aepd.es/en/press-and-communication/press-releases/agency-orders-precautionary-measure-which-prevents-Worldcoin-from-continuing-toprocess-personal-data-in-spain", "note": "6 March 2024: ordered Tools for Humanity to cease collecting and processing personal data in Spain and block data already collected.", "tier": "primary" }, { "name": "Privacy Pass (RFC 9578 / RFC 9577)", "jurisdiction": "IETF", "year": 2024, "source": "https://www.rfc-editor.org/rfc/rfc9578.html", "note": "IETF-standardized issuance protocol behind device-attested, privacy-preserving tokens (Cloudflare, Apple, Google, Fastly).", "tier": "primary" }, { "name": "IETF — Rate-Limited Token Issuance Protocol (draft)", "jurisdiction": "IETF", "year": 2024, "source": "https://datatracker.ietf.org/doc/draft-ietf-privacypass-rate-limit-tokens/", "note": "April 2024 Internet-Draft specifying per-origin rate-limited tokens; has since expired.", "tier": "evidence" }, { "name": "New Zealand Government — CAPTCHA and accessibility", "jurisdiction": "NZ", "year": 2025, "source": "https://www.digital.govt.nz/standards-and-guidance/design-and-ux/accessibility/captcha-and-accessibility", "note": "Government guidance to avoid CAPTCHAs where possible and use accessible alternatives.", "tier": "primary" } ], "assurance": "Government needs to confirm that a request comes from a real, distinct human without running an identity dragnet or collecting biometric data, so that bot abuse is curbed while the person keeps their pseudonymity.", "access": "Device-bound attestation excludes people without compatible devices. Government implementations must provide a non-device-dependent pathway (e.g. in-person identity verification that generates a time-limited token), and never rely on a CAPTCHA modality that denies service to people with disabilities.", "surface": { "summary": "A human-verification step that issues a privacy-preserving, rate-limited token via device attestation, with an in-person fallback that mints an equivalent time-limited token.", "instances": [ { "domain": "service", "kind": "mockup", "annotation": "A silent device-attestation check confirms human presence and issues a privacy-preserving, rate-limited token, with an explicit 'verify in person instead' route, in place of the visual CAPTCHA that denies service to people with disabilities." } ] }, "whereThingsGoWrong": "This is an access-gating pattern; the failure to avoid is an automated personhood check silently excluding people who cannot pass it. A mandatory non-device fallback is the safeguard against that exclusion.", "challenge": "As agents defeat the challenge tests that once both blocked bots and rationed access by\nfriction, government has to confirm a real, distinct human at the door without falling back\non a method that shuts people out.\n\nThe old test fails on both sides: AI has defeated most CAPTCHA types, and the test itself\nexcludes people with disabilities. The W3C's \"Inaccessibility of CAPTCHA\" working note\nrecords that \"the very nature of the interactive task inherently excludes many people with\ndisabilities, resulting in a denial of service to these users.\"\n\nThe condition to design for is proportionate proof of personhood: confirming a real human\nwithout an identity dragnet and without an accessibility barrier.\n", "precedentsNote": "**World ID / Worldcoin (biometric proof-of-personhood).** World ID uses iris scans via a\nproprietary device (the Orb) to generate cryptographic proof that a user is a unique human,\nusing zero-knowledge proofs to verify personhood without revealing identity. The approach\nhas drawn serious criticism and regulatory action: Vitalik Buterin warned in 2023 that\nstrict one-person-one-ID systems threaten online pseudonymity and could be defeated by fakes\nbuilt to fool the Orb or by coerced scans; Kenya's High Court found Worldcoin's collection of\nbiometric data unlawful in May 2025 and ordered the data deleted; Spain's AEPD ordered a halt\nto data collection in early 2024; Brazil's ANPD ordered an end to paying people in\ncryptocurrency for their biometric data in January 2025; and at least eight countries have\nbanned, suspended, or restricted operations. The critique is structural: biometric\nproof-of-personhood creates a centralized registry of the most sensitive possible data.\n\n**Privacy Pass / Private Access Tokens (cryptographic proof-of-personhood).** Privacy Pass\nis an IETF-standardized protocol (Cloudflare, Apple, Google, Fastly) that lets users prove\nthey are human without revealing identity. Apple's Private Access Tokens use the device's\nsecure enclave to attest legitimacy. The protocol supports rate-limited tokens (per-origin\nrate limiting, specified in an April 2024 IETF draft that has since expired) and Anonymous\nRate-Limited Credentials (ARC), an IETF draft for credentials that can be presented up to a\nfixed number of times per context. This\navoids the biometric and centralization problems of World ID, but introduces device-binding\nand platform dependency.\n\n**W3C recommendations and accessible alternatives.** The W3C Accessible Platform\nArchitectures Working Group recommends non-interactive approaches where possible, and a\nchoice of modalities where interactive verification is required. The New Zealand\nGovernment's Web Accessibility Guide specifically addresses CAPTCHA accessibility in\ngovernment contexts.\n", "transferability": "The transferable principle for government digital services is to verify human presence with\na privacy-preserving, rate-limited token rather than a challenge test or a biometric\nregistry. The rate-limited token model (Privacy Pass and related schemes) carries that\nprinciple:\n\n- It does not require biometric data collection.\n- It builds on existing device attestation infrastructure.\n- It can be layered onto existing government identity systems (myGovID, GOV.UK One Login)\n to provide rate-limited but privacy-preserving access.\n- The IETF (Internet Engineering Task Force) standardization provides an interoperable\n foundation.\n\nBiometric proof-of-personhood is unlikely to be appropriate for government services in\ndemocratic jurisdictions, given regulatory hostility and the surveillance implications.\n" }, { "id": "5.4", "title": "Participatory-budgeting platforms as rationing alternatives", "territory": 5, "slug": "participatory-budgeting-platforms-as-rationing-alternatives", "maturity": "established", "maturityLevels": [ { "level": "established", "note": "For allocating by deliberated community priority." }, { "level": "emerging", "note": "Using that allocation as a deliberate response to AI-enabled gaming of effort- or quality-based rationing." } ], "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "Decidim (Barcelona)", "jurisdiction": "ES", "year": 2016, "source": "https://participedia.net/case/decidim-participatory-budgeting-in-barcelona", "note": "Launched January 2016; up to EUR 75 million (5% of the budget) earmarked for participatory processes 2020-2023 (later reduced during the pandemic).", "tier": "evidence" }, { "name": "Decidim (open-source framework)", "jurisdiction": "ES", "year": 2016, "source": "https://github.com/decidim/decidim", "note": "Open-source participatory-democracy framework built on Ruby on Rails (AGPL-3.0).", "tier": "primary" }, { "name": "Consul Democracy (Decide Madrid)", "jurisdiction": "ES", "year": 2015, "source": "https://consuldemocracy.org/about-us/", "note": "Launched 2015; now used by more than 200 public institutions across over 35 countries.", "tier": "evidence" }, { "name": "Consul — UN Public Service Award", "jurisdiction": "ES", "year": 2018, "source": "https://oecd-opsi.org/innovations/consul-project/", "note": "OECD OPSI records Consul's 2018 UN Public Service Award.", "tier": "primary" }, { "name": "Consul Democracy Foundation", "jurisdiction": "NL", "year": 2019, "source": "https://www.access-info.org/2019-04-17/access-info-europe-helps-create-the-consul-democracy-foundation/", "note": "Independent foundation maintaining Consul since 2019; deployments include Paris, New York, and Porto Alegre.", "tier": "evidence" } ], "assurance": "Government needs a way to ration a scarce resource that an agent cannot out-produce, so that allocation turns on what the affected community collectively prioritizes rather than on who can generate the most polished or most numerous applications.", "access": "A digital-only platform excludes people without digital access or literacy, who then have no voice in how the resource is allocated and are governed by the priorities others set. Keep the path open by running an in-person and assisted channel at parity with the digital one, so participation does not depend on getting online (the original in-person participatory budgeting in Porto Alegre is one precedent for this).", "surface": { "summary": "A municipal budgeting platform where residents propose, deliberate on, and vote for projects under a published spending envelope, with an accountability dashboard tracking delivery.", "instances": [ { "domain": "service", "kind": "mockup", "annotation": "A proposal-and-vote interface bound to verified-identity voting, where residents rank projects by collective priority under a published spending envelope, paired with an in-person participation channel." } ] }, "whereThingsGoWrong": "Participatory budgeting allocates contested public resources by visible community consent rather than opaque automated scoring, so it does not produce an unexplained automated decision against an individual that they cannot see or contest.", "challenge": "When AI agents let anyone produce a polished application or flood a process at will, the\nusual ways of rationing scarce public resources, official discretion, price, or queue, start\nto reward whoever has the best agent rather than the strongest claim. Allocating by the\ndeliberated priorities of the community affected sidesteps that, shifting the question from\nwho can produce the best application to what the community collectively prioritizes.\n\nThe challenge is to run that deliberation at scale without it becoming the next thing agents\ngame.\n", "precedentsNote": "**Decidim (Barcelona, 2016–present).** Decidim (\"we decide\" in Catalan) is Barcelona's\ndigital democracy platform, launched January 2016, which allocated up to EUR 75 million\n(5% of the overall budget) through participatory processes between 2020 and 2023. Features\ninclude resident proposals with comments and endorsements, phased deliberative processes,\nparticipatory budgeting with project sheets and public voting, and accountability\ndashboards tracking implementation. It is built on open-source software (Ruby on Rails),\nenabling reuse by other jurisdictions.\n\n**Consul Democracy (Madrid, 2015–present).** Consul (now Consul Democracy) was developed\nby Madrid City Council and launched as Decide Madrid in 2015. It is used by more than 200\npublic institutions across over 35 countries; supports proposals, consultations, voting,\nparticipatory budgets, and collaborative legislation; received the UN Public Service Award\nin 2018; and has been maintained since 2019 by the independent Consul Democracy Foundation,\nreducing single-municipality dependency. It is deployed in cities including Paris, New York,\nand Porto Alegre.\n", "transferability": "Participatory budgeting platforms are transferable as rationing mechanisms where:\n\n- Resources are geographically bounded (local infrastructure, community grants).\n- Trade-offs are value-laden rather than purely technical (where to build a park, which\n programs to fund).\n- Legitimacy requires visible community consent.\n\nIn an AI-agent context, these platforms face a specific risk: agents could generate\nsynthetic support for proposals (astroturfing via participatory budgeting). Both Decidim\nand Consul require identity verification for voting, but the quality of that verification\nvaries by deployment. The platforms' strength is that they shift the rationing question\nfrom \"who can produce the best application\" to \"what does the community collectively\nprioritize\", which is less susceptible to AI gaming than narrative quality.\n" }, { "id": "5.5", "title": "E-petition threshold design", "territory": 5, "slug": "e-petition-threshold-design", "maturity": "established", "maturityLevels": [ { "level": "established", "note": "For threshold mechanisms." }, { "level": "emerging", "note": "For adaptation toward AI-resistant design." } ], "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "UK Parliament e-petitions", "jurisdiction": "UK", "year": 2026, "source": "https://petition.parliament.uk/help", "note": "10,000 signatures trigger a Government response; 100,000 are considered for a debate by the Petitions Committee.", "tier": "primary" }, { "name": "We the People (US)", "jurisdiction": "US", "year": 2016, "source": "https://www.pewresearch.org/internet/2016/12/28/the-background-of-the-we-the-people-website/", "note": "Launched September 2011; response threshold rose 5,000 -> 25,000 -> 100,000 signatures (within 30 days) as petition volume grew.", "tier": "evidence" }, { "name": "We the People (source code)", "jurisdiction": "US", "year": 2013, "source": "https://github.com/WhiteHouse/petitions", "note": "Drupal installation profile, open-sourced in 2012; a write API for third-party signature submission was in development.", "tier": "evidence" } ], "assurance": "Government needs a petition's signal to reflect real collective concern among distinct people, so that the support behind it reads as genuine and not as volume an agent manufactured or a faction automated.", "access": "A high signature threshold excludes small or marginalized communities, whose concerns can be real and intense but will never reach a count set for the national population, so their petitions are dismissed for want of breadth. Keep the path open with an alternative route that qualifies a petition on the intensity and coherence of concern within a defined affected population, for example a lower threshold scoped to that population or a committee referral on demonstrated local impact, rather than on raw signature volume alone.", "surface": { "summary": "A petitions site with tiered response commitments (e.g. a written response at one threshold, debate consideration at another), where signing is gated by verified identity and the page surfaces quality signals alongside the raw count.", "instances": [ { "domain": "policy", "kind": "mockup", "annotation": "A signing counter that displays geographic spread and verification status alongside the total, treating the threshold as a dynamic, multi-signal proxy for legitimacy rather than as a single inflating number." } ] }, "whereThingsGoWrong": "Threshold design governs collective attention, not individual entitlements, so it is largely orthogonal to an adverse-decision failure. The relevant safeguard is verified-identity signing, which stops synthetic support from distorting which concerns receive a response.", "challenge": "As agents can manufacture signatures at scale, a signature threshold stops standing for\nreal collective concern and starts measuring how much support a faction can automate. The\ncount that was meant to ration government attention toward issues that genuinely move many\npeople becomes something an agent can pad, so government can no longer read a crossed\nthreshold as evidence that distinct people care.\n", "precedentsNote": "**UK Parliament e-petitions (2011–present).** The UK Parliament operates a two-tier\nthreshold system: 10,000 signatures triggers a written Government response; 100,000\nsignatures leads the Petitions Committee to consider scheduling a debate. The system has\nbeen criticized because arbitrary numerical thresholds suggest the importance of an issue\ncan be quantified by signature count, issues of national importance may not attract enough\nsignatures, and the focus on volume rewards mobilization capacity over argument quality.\n\n**We the People (United States, 2011–2017).** The Obama White House launched We the People\nin September 2011. Its response threshold rose from 5,000 signatures (within 30 days) to\n25,000 and then to 100,000, a 20-fold increase driven by the volume of petitions reaching\nthe lower threshold, many frivolous, creating an unsustainable response burden. The platform\nwas open-sourced (Drupal-based), and a write API to let third-party sites submit signatures\nwas under development.\nThe key lesson: threshold inflation is the natural consequence of reducing friction in\npetition creation, a dynamic AI agents would dramatically accelerate.\n", "transferability": "E-petition threshold design is directly relevant to any government intake system that uses\nvolume as a proxy for legitimacy or priority:\n\n- **Thresholds must be dynamic**, adjusting to submission volumes and the prevailing cost\n of generating support.\n- **Signature verification** must be tied to verified identity, not just email addresses.\n The UK system requires a name, email, and postcode; AI agents could trivially generate\n plausible combinations.\n- **Quality signals** should complement volume signals: geographic distribution of\n support, diversity of supporting arguments, or evidence of deliberation.\n- **Response commitments** create accountability but also create an attack surface: a\n committed response at a threshold lets adversaries use agents to force responses on\n chosen topics.\n" }, { "id": "5.6", "title": "Sludge audit frameworks and their inversion", "territory": 5, "slug": "sludge-audit-frameworks-and-their-inversion", "maturity": "established", "maturityLevels": [ { "level": "established", "note": "For auditing administrative friction." }, { "level": "frontier", "note": "For the inversion — deciding, before friction is removed, whether it rations or merely excludes, in a context where AI removes friction unilaterally." } ], "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "Sunstein — 'Sludge and Ordeals'", "jurisdiction": "US", "year": 2019, "source": "https://scholarship.law.duke.edu/dlj/vol68/iss8/6/", "note": "Duke Law Journal 68(8), 2019 (SSRN preprint 2018); source of the SNAP friction figures (85% participation; application over five hours; over USD 10 out-of-pocket).", "tier": "primary" }, { "name": "Sunstein — 'Sludge' (book)", "jurisdiction": "US", "year": 2021, "source": "https://mitpress.mit.edu/9780262045082/sludge/", "note": "Book-length development of the sludge-audit argument (MIT Press, 2021).", "tier": "evidence" }, { "name": "OECD / NSW — 'Fixing Frictions: Sludge Audits Around the World'", "jurisdiction": "OECD", "year": 2024, "source": "https://oecd-opsi.org/publications/fixing-frictions-sludge-audits-around-the-world/", "note": "International Sludge Academy (launched 2023): 16 teams from 14 countries; methodology developed with an expert panel chaired by Sunstein.", "tier": "primary" }, { "name": "Herd & Moynihan — 'Administrative Burden'", "jurisdiction": "US", "year": 2019, "source": "https://www.russellsage.org/publications/book/administrative-burden", "note": "Russell Sage, 2019 (building on a 2015 JPART article): learning, compliance, and psychological costs; burdens are 'the result of deliberate policy choices.'", "tier": "primary" }, { "name": "UK Behavioural Insights Team", "jurisdiction": "UK", "year": 2010, "source": "https://www.bi.team/about-us/our-history/", "note": "Established 2010; widely regarded as the first government-affiliated behavioral insights unit; informed the OECD sludge-audit method.", "tier": "evidence" }, { "name": "myGov (Australia)", "jurisdiction": "AU", "year": 2024, "source": "https://architecture.digital.gov.au/design/mygov", "note": "Australia's digital 'front door', with over 20 million linked active accounts; 'tell us once' data sharing across agencies.", "tier": "primary" } ], "assurance": "Government needs to know, for each point of administrative friction, whether it was excluding people or quietly rationing scarce capacity before an agent strips it out, so that removing friction clears a barrier rather than breaking a function nothing replaces.", "access": "The people who lose if this goes wrong are those a removed verification was meant to protect, and those a blunt overcorrection then shuts out when an overwhelmed system reaches for blanket caps or new barriers. Keep the path open by replacing a rationing friction with a fairer mechanism rather than nothing, and never with a cap on appeals or complaints, so clearing exclusionary friction does not just relocate the exclusion.", "surface": { "summary": "An audit tool that maps a service's behavioral journey, scores each friction point, and tags it as exclusionary (remove), rationing (replace with a purpose-built mechanism), or reflective (preserve but redesign for agents).", "instances": [ { "domain": "service", "kind": "mockup", "annotation": "An audit that classifies each cataloged friction point as remove, replace, or preserve, so a friction performing a rationing or reflective function is given a purpose-built substitute rather than just flagged for removal." } ] }, "whereThingsGoWrong": "The failure mode is friction imposed without anyone asking whether it performs a legitimate function before being automated. The sludge-audit inversion forces that burden analysis, whose absence lets a system impose an unexplained, unaccountable compliance burden on claimants.", "challenge": "AI agents can now strip administrative friction out of a service unilaterally, faster than\nanyone decides whether that friction was doing a job. Some of it only excluded people and\nshould go; some of it was quietly rationing scarce capacity or verifying eligibility, and\nremoving it without a replacement breaks something.\n\nThe challenge is to tell those apart before the friction is gone: to audit each point of\nfriction not just for what it costs, but for what it was holding in place.\n", "precedentsNote": "**Sunstein's \"Sludge\" framework (2018–present).** Cass Sunstein introduced the sludge\nconcept in \"Sludge and Ordeals\" (2018) and developed it in \"Sludge: What Stops Us From\nGetting Things Done and What to Do About It\" (2021). The framework argues that agencies\nshould conduct regular sludge audits to catalog the costs of administrative friction. A\nkey example: participation in the US Supplemental Nutrition Assistance Program (SNAP) is\n85%, meaning 15% of eligible people do not receive support due to administrative obstacles;\nthe application process takes over five hours, including two trips to local offices and\nout-of-pocket costs averaging more than USD 10.\n\n**OECD International Sludge Academy (2023–2024).** The OECD, with the Government of New\nSouth Wales, established the International Sludge Academy in 2023. Over five months, 16\nteams from 14 countries completed sludge audits on government processes. The 2024 report\n\"Fixing Frictions: 'Sludge Audits' Around the World\" derived good-practice principles. The\nmethodology, developed with an expert panel chaired by Sunstein, includes behavioral\njourney mapping, experience scoring, public engagement, and evaluation (RCTs, A/B tests,\nbefore-and-after comparisons), and explicitly measures equity, psychological costs, and\ntemporal costs.\n\n**Herd and Moynihan's Administrative Burden taxonomy.** Pamela Herd and Donald Moynihan's\n2019 book \"Administrative Burden: Policymaking by Other Means,\" building on a 2015 article\n(Moynihan, Herd, and Harvey), provides the framework underlying sludge audits, identifying\nlearning costs, compliance costs, and psychological costs. Crucially, they demonstrate that administrative\nburdens are not accidental: they are \"the result of deliberate policy choices.\" If burdens\nare intentional rationing tools, removing them via AI agents may provoke a policy backlash\n(new, harder-to-automate burdens) rather than genuine access improvements.\n\n**Behavioural Insights Team (UK, 2010–present).** The UK's Behavioural Insights Team,\nestablished in 2010 and widely regarded as the first government-affiliated behavioral\ninsights unit, pioneered applying behavioral science to government service design and\ninformed the OECD sludge audit methodology.\n\n**Australia: Services Australia and myGov.** Australia's experience illustrates both sludge\nreduction and its limits. The myGov platform, with more than 20 million linked active\naccounts, serves as the \"digital front door.\" A \"tell us once\" approach shares information\nacross agencies, yet people still report having to provide the same information to different\nservices more than once. The Government acknowledges the need to balance usability \"with\nan appropriate level of friction to safeguard against security and fraud risks.\"\n", "transferability": "The sludge audit framework is highly transferable and already being adopted\ninternationally. The critical adaptation for AI-agent contexts requires a new analytical\nstep, the sludge inversion question. For each friction point identified in an audit, ask:\n\n1. Is this friction purely exclusionary (sludge)? If so, remove it, and note that AI\n agents will remove it regardless.\n2. Does this friction perform a legitimate rationing or verification function? If so,\n replace it with a purpose-built mechanism (rate limit, structured intake, identity\n verification) before AI agents render it moot.\n3. Does this friction create a beneficial \"pause for reflection\" (cooling-off periods,\n mandatory consideration periods)? If so, preserve the pause but redesign it for an\n agent-mediated context.\n" }, { "id": "5.7", "title": "Appeal volume and overturn rate as early warning", "territory": 5, "slug": "uk-benefit-appeals-canary-in-the-coal-mine", "maturity": "emerging", "maturityLevels": [ { "level": "emerging", "note": "As a documented phenomenon." }, { "level": "frontier", "note": "As a deliberate design pattern that reads appeal volume and overturn rate together as an early-warning signal." } ], "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "MoJ Tribunal Statistics Quarterly (Oct-Dec 2025)", "jurisdiction": "UK", "year": 2025, "source": "https://www.gov.uk/government/statistics/tribunals-statistics-quarterly-october-to-december-2025/tribunal-statistics-quarterly-october-to-december-2025--2", "note": "SSCS appeals: Universal Credit receipts up 35%, DLA up 64%, PIP up 4% year-on-year; 58% of appeals cleared at hearing overturned in the claimant's favor.", "tier": "primary" }, { "name": "DWP fairness analysis (Universal Credit, Feb 2024)", "jurisdiction": "UK", "year": 2024, "source": "https://www.computerweekly.com/news/366616983/DWP-fairness-analysis-reveals-bias-in-AI-fraud-detection-system", "note": "DWP's own fairness analysis (FOI-released) found statistically significant disparities across protected characteristics in an automated fraud-detection process.", "tier": "evidence" }, { "name": "Amnesty International — 'Too Much Technology, Not Enough Empathy'", "jurisdiction": "UK", "year": 2025, "source": "https://www.amnesty.org/en/latest/news/2025/07/uk-governments-unchecked-use-of-tech-and-ai-systems-leading-to-exclusion-of-people-with-disabilities-and-other-marginalized-groups/", "note": "Drawing on 782 people via questionnaires, focus groups and interviews (2024-25): 'pre-existing flaws are being exacerbated, and new problems ... are being created.'", "tier": "evidence" } ], "assurance": "Government needs to tell a genuine access correction from gaming or overload as appeal volume climbs, early enough to act on the cause rather than the symptom, so that a rise driven by people exercising a right friction once suppressed is not mistaken for abuse.", "access": "Never restrict access to appeals or complaints as a response to volume. Instead, address root causes (decision quality) and build capacity for the true demand level.", "surface": { "summary": "A published adjudication dashboard tracking appeal receipts, disposals, backlog, and the proportion overturned in the claimant's favor, used to size tribunal capacity to true demand.", "instances": [ { "domain": "service", "kind": "mockup", "annotation": "An overturn-rate panel placed next to the volume chart, so capacity decisions read rising appeals and the share decided in the claimant's favor together rather than treating a volume rise on its own as abuse." } ] }, "whereThingsGoWrong": "A high overturn rate is exactly the signal an opaque automated decision suppresses. Publishing it turns a decision-quality failure into a visible, accountable metric, and a no-cap-on-appeals rule keeps the redress channel open.", "challenge": "When AI tools make it easy to draft and lodge an appeal, the volume of appeals to a\ngovernment adjudicator can climb sharply. That can be a good thing, people exercising a right\nthat friction used to suppress, or a sign the underlying decisions are bad, or a load the\nsystem cannot meet.\n\nThe challenge is to read which it is, early, from the signals an adjudicator already has,\nrather than treating a rise in appeals as abuse to be capped.\n", "precedentsNote": "**UK Social Security and Child Support (SSCS) Tribunal statistics (2024–2025).** Data from\nthe UK Ministry of Justice's Tribunal Statistics Quarterly reports show that in\nOctober–December 2025, Universal Credit appeal receipts were up 35% year-on-year, Disability\nLiving Allowance receipts up 64%, and Personal Independence Payment receipts up 4%. Receipts\nhave exceeded disposals over the latest 12 months, the SSCS open caseload has risen about a\nquarter year-on-year (the overall tribunal backlog is at its highest since 2013-14), and 58%\nof appeals cleared at hearing were overturned in the claimant's favor (down from 60% a year\nearlier), which suggests systemic problems with initial decision-making rather than frivolous\nappeals. The high overturn rate indicates friction was previously suppressing legitimate\nappeals. What is driving the current rise has not been established — AI-assisted drafting is a\nplausible hypothesis, not a measured cause — but on this evidence it would be correcting an\naccess deficit rather than creating a volume problem.\n\n**AI in the UK benefits system.** Separately, a UK Government (DWP) fairness analysis of\nUniversal Credit claimants in February 2024 found statistically significant disparities\nacross protected characteristics in an automated benefit-fraud detection process. Research\ndrawing on the views of 782 people — claimants, welfare advisers, and others, gathered\nthrough questionnaires, focus groups, and interviews — found that with these digital systems\n\"pre-existing flaws are being exacerbated, and new problems ... are being created.\"\n", "transferability": "The UK benefit appeals pattern is a leading indicator for all government adjudication\nsystems. The transferable insights are:\n\n- **High overturn rates reframe the \"volume problem.\"** If the majority of appeals succeed,\n the problem is not too many appeals but too many poor initial decisions. The policy\n response should focus on improving first-instance decision quality, not limiting appeal\n access.\n- **AI drafting tools as access equalizer.** Where professional representatives previously\n helped some claimants draft effective appeals, AI tools may extend similar capability to\n all claimants, a distributional improvement.\n- **Tribunal capacity planning.** Systems must be designed for the post-friction volume\n baseline, not the artificially suppressed pre-AI baseline.\n" }, { "id": "6.1", "title": "Clustering and deduplication views for high-volume submissions", "territory": 6, "slug": "clustering-deduplication-views", "maturity": "emerging", "maturityNote": "Emerging", "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "CDO Council Public Comment Analysis Pilot", "jurisdiction": "US", "year": 2020, "source": "https://www.cdo.gov/news/comment-analysis/" }, { "name": "resources.data.gov CDO comment analysis implementation guide", "jurisdiction": "US", "source": "https://resources.data.gov/resources/cdoc_comment_analysis/" }, { "name": "ICF / Regulations.gov Gen AI Comment Processing", "jurisdiction": "US", "year": 2024, "source": "https://www.icf.com/clients/technology/regulations-gov-gen-ai-public-comment-analysis" }, { "name": "Delib Citizen Space — Analyse Responses", "jurisdiction": "UK", "source": "https://help.delib.net/article/429-analysis-the-analyse-responses-page" }, { "name": "Delib Citizen Space tour", "jurisdiction": "UK", "source": "https://www.delib.net/citizen_space/tour" } ], "assurance": "Government needs to read every distinct argument in a body of submissions without re-reading the duplicates that mass campaigns produce, so a reviewer can be confident no unique position was missed when the volume is too high to read each one. The confidence comes from grouping submissions by what they argue, not from judging which were machine-written.", "access": "Deduplicate for analysis, never for exclusion: clustering helps reviewers find distinct arguments efficiently but never removes a submission from the record. Participants and the public can see how clustering was performed and verify no substantive argument was lost.", "surface": { "summary": "A reviewer console that groups semantically similar submissions into argument clusters with a visible distinctness ratio, each cluster expandable to the underlying submissions.", "instances": [ { "domain": "service", "kind": "mockup", "annotation": "A clustered submission view that groups submissions by natural-language similarity and collapses near-identical ones into a single distinct comment, so a reviewer reads each unique argument once. In the CDO Council worked example it reduced 267 near-identical submissions to 9 distinct comments, with no submission deleted from the record." } ] }, "whereThingsGoWrong": "Deduplication is analytical, not exclusionary, so on its own it creates no large-scale adverse harm. The safeguard is that clustering surfaces arguments for human review rather than substituting an automated decision for it.", "challenge": "Agencies receiving hundreds of thousands or millions of written submissions\n(public comments, but equally consultation responses, grant applications, or\nplanning objections) cannot meaningfully review each one individually. Mass\nsubmission campaigns (historically postcard campaigns, now orchestrated online)\nproduce near-identical submissions that inflate raw counts without adding\nsubstantive argumentation. Reviewers need tools that surface distinct arguments\nrather than re-reading the same template thousands of times.\n", "precedentsNote": "**CDO Council Public Comment Analysis Pilot (US, 2020–present).** The Federal\nChief Data Officers Council, working with OIRA and GSA, developed and piloted\nNLP-based tools that cluster duplicate and semantically similar comments for\nexpert review. The tool recognises topics and themes, groups semantically similar\nsubmissions, and surfaces them for subject-matter expert review; the report's\nworked example collapsed 267 near-identical submissions to 9 distinct comments.\nThe CDO Council subsequently published recommendations for implementing these\ntools federal-wide.\n\n**ICF / Regulations.gov Gen AI Comment Processing (US, 2024–present).** ICF,\nworking with GSA on Regulations.gov, has deployed generative AI to accelerate\npublic comment analysis, moving beyond spreadsheet-based manual review toward\nautomated clustering and theme extraction.\n\n**Citizen Space / Delib (UK, Australia, NZ).** Delib's Citizen Space platform\noffers tagging and coding of qualitative responses, cross-referencing across\nquestions, and AI-powered first-pass analysis that identifies themes and\nsentiment. The platform is widely used across UK, Australian, and New Zealand\ngovernment consultations.\n", "transferability": "High. Clustering and deduplication are infrastructure-level capabilities that any digital\nsubmission or consultation system should offer (the comment-analysis precedents transfer\ndirectly to grant, objection and petition intake). The CDO Council's approach is designed as\na reusable, federal-wide toolset and could be adapted by other jurisdictions.\n\nThe key design question is transparency: participants and the public should be able to see\nhow clustering was performed and verify that no substantive arguments were lost.\n" }, { "id": "6.2", "title": "Provenance and attribution for mass submissions", "territory": 6, "slug": "mass-comment-integrity-frameworks", "maturity": "established", "maturityLevels": [ { "level": "established", "note": "Problem recognition, representative-version reporting, and verified-source intake are already in practice." }, { "level": "emerging", "note": "Attribution of agent-assisted submissions at scale is still taking shape." } ], "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "ACUS Recommendation 2021-1: Mass, Computer-Generated, and Fraudulent Comments", "jurisdiction": "US", "year": 2021, "source": "https://www.acus.gov/sites/default/files/documents/Final%20Report%20on%20Mass,%20Computer-Generated,%20and%20Fraudulent%20Comments%20(Final%2006-01-2021)_0.pdf", "note": "The Administrative Conference of the United States addressed three categories of problematic comments — mass comments orchestrated by campaign organizations, computer-generated comments, and \"malattributed\" comments filed using stolen or fabricated identities — and recommended best practices for managing each category while preserving the right to participate.", "tier": "primary" }, { "name": "ACUS Public Participation", "jurisdiction": "US", "source": "https://www.acus.gov/page/public-participation", "note": "ACUS's standing resource on public participation in rulemaking, collecting the recommendations and guidance behind its comment-integrity work.", "tier": "primary" }, { "name": "ACUS Responding to Rulemaking Comments", "jurisdiction": "US", "year": 2025, "source": "https://www.acus.gov/sites/default/files/documents/40_Responding%20to%20Rulemaking%20Comments.pdf", "note": "A follow-up recommendation adopted at the 74th Plenary in April 2025, updating guidance on how agencies should respond to and manage the full range of comment types in the modern rulemaking environment.", "tier": "primary" }, { "name": "Nextgov: House bill targets AI-generated comments (Comment Integrity and Management Act)", "jurisdiction": "US", "year": 2024, "source": "https://www.nextgov.com/artificial-intelligence/2024/05/house-bill-targets-ai-generated-comments-rulemaking/396419/", "note": "A House-passed bill — not enacted law; it lapsed with the 118th Congress — that would have required agencies to publish a single representative version of mass comments, publicly state the number of computer-generated submissions, and tasked OMB with guidance and GAO with reporting on AI-generated comment prevalence.", "tier": "primary" }, { "name": "GSA: Regulations.gov integrity updates", "jurisdiction": "US", "year": 2021, "source": "https://www.gsa.gov/about-us/newsroom/news-releases/gsa-launches-updated-regulationsgov-to-improve-the-integrity-of-public-commenting-02172021", "note": "GSA relaunched Regulations.gov with a verified Bulk Comment API requiring identity validation, building transparency and accountability into the source of automated comments.", "tier": "primary" }, { "name": "Pew Research Center: FCC net neutrality comment analysis", "jurisdiction": "US", "year": 2017, "source": "https://www.pewresearch.org/internet/2017/11/29/public-comments-to-the-federal-communications-commission-about-net-neutrality-contain-many-inaccuracies-and-duplicates/", "note": "The paradigmatic failure case. Pew found 94% of the 22 million comments in the FCC's net-neutrality docket were submitted multiple times; independent analysis (Jeff Kao) estimated only ~800,000 were likely original.", "tier": "evidence" }, { "name": "NY Attorney General report on fake net neutrality comments", "jurisdiction": "US", "year": 2021, "source": "https://ag.ny.gov/press-release/2021/attorney-general-james-issues-report-detailing-millions-fake-comments-revealing", "note": "The New York Attorney General's investigation found nearly 18 million of the 22 million FCC comments were fake: roughly 8.5 million used the names and addresses of real people without their consent (a broadband-industry-funded campaign), and about 9.3 million used fabricated identities, most from a single 19-year-old using automated software. Three firms later paid US$615,000 in penalties.", "tier": "evidence" }, { "name": "TechCrunch: 80% of net neutrality comments were fake", "jurisdiction": "US", "year": 2021, "source": "https://techcrunch.com/2021/05/06/80-of-the-22-million-comments-on-net-neutrality-rollback-were-fake-investigation-finds", "note": "Reporting on the finding that roughly 80% of the 22 million net-neutrality comments were fake — the FCC's system validated only 3% of comments by email, leaving it open to mass fabrication.", "tier": "evidence" }, { "name": "GAO-19-483: identity information in the comment process", "jurisdiction": "US", "year": 2019, "source": "https://www.gao.gov/products/gao-19-483", "note": "GAO found that the law does not require agencies to collect or verify commenter identity, and recommended that selected agencies clearly communicate their practices for handling identity information in the public comment process.", "tier": "evidence" }, { "name": "GAO-21-103181: comment integrity", "jurisdiction": "US", "year": 2021, "source": "https://www.gao.gov/products/gao-21-103181", "note": "In a survey across ten agencies, GAO estimated that the share of commenters whose email addresses confirmed their submissions ranged from 48% to 87%, and that 5–30% of email addresses on the record were attached to comments their owners said they did not make — and recommended agencies and GSA fully describe these limitations publicly.", "tier": "evidence" } ], "assurance": "Government needs enough confidence in a body of submissions to act on it and stand behind the decision: that organized campaigns are identified and collapsed to a single representative entry with their size and organizer disclosed, that submissions filed through a verified route can be told apart from unverified ones, and that duplicates and automated filings are visible as such. The confidence comes from provenance and source validation, not from judging whether a given submission was machine-written.", "access": "The people most at risk are legitimate coordinated advocates: if an integrity measure treats campaign volume itself as suspect, a real constituency's submissions can be discounted or collapsed out of the record the agency reads. Keep the path open by attributing a campaign rather than discarding it, counting its participants alongside the single representative entry, and giving an organizer a route to confirm authorship. A submission filed without the verified route must be treated as data for follow-up, not grounds for rejection, so source validation never becomes an identity barrier.", "surface": { "summary": "A submission-record view that collapses each campaign to a single representative entry, discloses how many submissions it represented and who organized it, and marks whether each submission arrived through a verified route. It reports provenance and size; it does not try to classify which submissions were machine-written.", "instances": [ { "domain": "service", "kind": "mockup", "annotation": "Publish one representative entry for a campaign and disclose its size, organizer, and verification status, so the record shows a campaign as a single attributed entry rather than thousands of separate-looking submissions." } ] }, "whereThingsGoWrong": "Stating the limits of the submission data publicly, and verifying provenance before acting, is the discipline that catches a flawed count. Absent it, an automated calculation stands unchallenged.", "challenge": "When submissions to a consultation, grant round, or petition can be drafted and filed by AI\nagents at scale, an agency has to weigh a body of input it cannot authenticate at the source.\nIt cannot assume a submission was written by the person who filed it, that distinct-looking\nsubmissions came from distinct people, or that a high count reflects wide support.\n\nThe challenge is to recover enough provenance and attribution from mass submissions (which\ncampaign, whose, and filed how) that the agency can report the record honestly and defend the\nweight it gives it, without discounting legitimate coordinated advocacy.\n\nThe forward problem is attribution at scale, not detecting which submissions a machine wrote.\n", "transferability": "High, with jurisdictional adaptation. The APA's notice-and-comment framework is\nUS-specific, but every jurisdiction running public consultations faces the same\nstructural challenge. The UK, Australian, and Canadian governments all encounter\ncampaign responses and must decide how to report and weight them. The FCC case is\na cautionary tale with universal applicability: any system that accepts\nunverified submissions at scale is vulnerable to manipulation.\n" }, { "id": "6.3", "title": "Consensus-and-clustering opinion mapping", "territory": 6, "slug": "polis-consensus-clustering", "maturity": "emerging", "maturityNote": "Emerging (proven in multiple jurisdictions but not yet mainstream government practice)", "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "MIT Technology Review: Taiwan's crowdsourcing system", "jurisdiction": "Taiwan", "year": 2018, "source": "https://www.technologyreview.com/2018/08/21/240284/the-simple-but-ingenious-system-taiwan-uses-to-crowdsource-its-laws/" }, { "name": "Pol.is (Wikipedia)", "source": "https://en.wikipedia.org/wiki/Pol.is" }, { "name": "vTaiwan case study (CrowdLaw)", "jurisdiction": "Taiwan", "source": "https://congress.crowd.law/case-vtaiwan.html" }, { "name": "People Powered: vTaiwan's hybrid approach", "jurisdiction": "Taiwan", "source": "https://www.peoplepowered.org/news-content/digital-participation-case-study-taiwan" }, { "name": "OECD OPSI: Pol.is, Official Languages and people-first policy (Canada pilot)", "jurisdiction": "Canada", "year": 2018, "source": "https://oecd-opsi.org/innovations/pol-is-official-languages-and-a-shift-towards-people-first-policy-development/" } ], "assurance": "Government needs confidence that what it reads as agreement reflects genuine breadth across participants, not the volume a well-organized or agent-assisted faction can produce. That means weighting positions by how widely they are shared across distinct groups, and being able to show that distinction when it explains a decision.", "access": "Structured deliberation can shut out people who need to express themselves in their own words, or who lack the language or digital access the format assumes. Keep the path open by offering a free-text route alongside the structured one, and by meeting language and accessibility needs (as the Canadian bilingual pilot did) so the method widens participation rather than narrowing it.", "surface": { "summary": "A real-time opinion map that plots participants into clusters and surfaces consensus statements (broad agreement across clusters) separately from divisive ones.", "instances": [ { "domain": "service", "kind": "mockup", "annotation": "A clustered opinion map that ranks statements by how widely they are shared across distinct groups, so a position that bridges divides sits above one that accumulates votes within a single faction, however loud that faction is." } ] }, "whereThingsGoWrong": "Pol.is is a deliberation surface, not a decision engine, but by structuring opinion around shared consensus it counters the volume-as-mandate reasoning that lets a single loud signal stand in for genuine public support.", "challenge": "When AI agents can generate large volumes of distinct-looking submissions, raw counts and\nfree-text piles stop telling an agency where genuine agreement lies. It needs to see the\nstructure of opinion across a consultation: which positions are broadly shared, and where\nreal disagreement sits, without a loud or heavily mobilized faction reading as the public.\n\nThe challenge is to surface that breadth from high-volume input in a way the agency can act\non and defend.\n", "precedentsNote": "**Pol.is Platform.** An open-source platform for large-scale deliberation that\nuses real-time clustering to reveal opinion groups. Participants write short\nstatements and vote agree/disagree/pass on others' statements. Participants cannot\nreply to each other, which eliminates trolling incentives and thread derailment.\nThe platform groups participants by voting-pattern similarity using dimensionality\nreduction (PCA) followed by K-means clustering, with the number of opinion groups\nchosen by silhouette analysis. The resulting\nvisualization shows opinion clusters as spatial groups, consensus statements (high\napproval across all clusters), divisive statements, and the relative size of each\ngroup. This directly addresses the volume-vs-breadth problem: the system elevates\nstatements that bridge divides (breadth) rather than statements that simply\naccumulate votes within one cluster (volume).\n\n**vTaiwan (Taiwan, 2014–present).** The most prominent Pol.is deployment, used by\nTaiwan's government for multi-stakeholder deliberation on Uber regulation, online\nalcohol sales, and telemedicine. vTaiwan combines online Pol.is deliberation with\nface-to-face stakeholder meetings, using the clustering output to structure\nin-person discussion around identified areas of consensus and disagreement.\n\n**Canadian Government Pol.is Pilot (Canada, 2018).** The Government of Canada\ndeployed Pol.is six times in 2018, adapting it for bilingual (English/French) use\nand compliance with federal data privacy, security, and accessibility\nrequirements. Deployments engaged 25 stakeholder groups, including a national\nengagement on digital disruption's impact on visual artists.\n\n**Additional Deployments.** Pol.is has been used by governments in the United\nStates, Singapore, Philippines, Finland, and Spain, as well as by civil society\norganizations globally.\n", "transferability": "High. Pol.is is open-source and has been successfully adapted to multiple\njurisdictional contexts, including bilingual deployments; its clustering approach\nis language-agnostic in principle. The main barriers are cultural (governments\naccustomed to free-text submissions may resist structured deliberation) and\ninstitutional (Pol.is works best when its outputs feed into a defined\ndecision-making process, as in vTaiwan).\n" }, { "id": "6.4", "title": "Distinct-voice weighting", "territory": 6, "slug": "distinct-voice-weighting-ui", "maturity": "emerging", "maturityLevels": [ { "level": "emerging", "note": "Reporting practices that separate campaign from distinct responses already exist." }, { "level": "frontier", "note": "A dedicated interface that shows volume and breadth side by side has no established precedent." } ], "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "GOV.UK: Growing Up in the Online World — consultation response totals", "jurisdiction": "UK", "source": "https://www.gov.uk/government/publications/growing-up-in-the-online-world-consultation-response-totals/growing-up-in-the-online-world-consultation-response-totals" }, { "name": "GOV.UK: Report on Copyright and Artificial Intelligence", "jurisdiction": "UK", "year": 2025, "source": "https://www.gov.uk/government/publications/report-and-impact-assessment-on-copyright-and-artificial-intelligence/report-on-copyright-and-artificial-intelligence" }, { "name": "CDO Council Comment Analysis (deduplication metrics)", "jurisdiction": "US", "source": "https://www.cdo.gov/news/comment-analysis/" }, { "name": "Coglianese: E-Rulemaking", "source": "https://doi.org/10.2139/ssrn.500122" }, { "name": "Balla: Lost in the flood?", "source": "https://onlinelibrary.wiley.com/doi/abs/10.1111/rego.12318" } ], "assurance": "When results are reported, government needs to read breadth of support rather than raw volume, so a campaign that mobilizes many people behind one position is not mistaken for many independent positions. That means the report has to distinguish how many submissions arrived, how many distinct arguments they carry, and how many verified distinct people stand behind them.", "access": "The people most at risk are legitimate mass participants: if the interface foregrounds a distinctness metric in place of the raw count, a real constituency that mobilized behind one position can be made to look illegitimate, as though its numbers did not count. Keep the path open by reporting raw counts and distinct-argument counts together, never one instead of the other, and by labeling campaign responses rather than hiding them, so breadth is shown without erasing the people who turned out.", "surface": { "summary": "A consultation results dashboard that renders three side-by-side figures (raw submissions, distinct arguments, and verified distinct submitters), with campaign responses labeled rather than hidden.", "instances": [ { "domain": "service", "kind": "mockup", "annotation": "A results dashboard that shows three figures together: raw submissions, distinct arguments, and verified distinct submitters. It presents breadth as distinct positions from independent sources rather than as a single count, with campaign responses tagged rather than removed." } ] }, "whereThingsGoWrong": "Presenting distinct-submitter and distinct-argument counts alongside raw volume guards against the volume-as-evidence shortcut that, generalized, lets a single inflated signal drive a high-stakes decision.", "challenge": "As AI agents make it cheap to mobilize or generate submissions in bulk, a raw count of how\nmany arrived stops telling an agency how widely a position is held. The same total can mean a\nbroad, independent constituency or a single campaign amplified at scale, and a report that\nshows only the count cannot tell the two apart.\n\nThe challenge is to present results so that volume (how many submissions) and breadth (how\nmany distinct positions, from how many independent sources) can be read separately, without\nmaking mass participation look illegitimate.\n", "precedentsNote": "**UK Government Consultation Response Reporting.** UK consultations routinely\ndistinguish \"campaign responses\" (template-based, often facilitated by advocacy\norganizations) from \"detailed responses\" (unique, substantive submissions). The\n\"Growing Up in the Online World\" consultation explicitly noted that campaign\nresponses \"reflect the reach and mobilization capacity of organizing groups rather\nthan independent views\" and reported campaign and non-campaign responses\nseparately.\n\n**UK Copyright and AI Consultation (2025–2026).** The report acknowledged that\nmany responses \"either repeated or built upon a set of template letters or\ntemplate survey responses that were created and distributed by interested\norganizations or individuals,\" and reported these separately from original\nresponses.\n\n**CDO Council Deduplication Metrics.** The CDO Council's pilot produced a\n\"distinctness ratio\" of raw submissions to distinct comments (its worked example\ncollapsed 267 near-identical submissions to 9 distinct comments) that could be\nsurfaced in dashboards.\n\n**Coglianese / Balla Academic Research.** Cary Coglianese's research on\ne-rulemaking documents that in high-volume dockets the great majority of mass-campaign\ncomments are near-identical and add little distinct substantive content, so raw volume\nis a poor proxy for the breadth of views expressed. Steven Balla's analysis of 1,049\nmass comment campaigns across 22 EPA\nrulemakings (2012–2017) found that the EPA references mass campaigns in its\nresponses but cites them at lower rates than unique comments, an implicit form of\nbreadth weighting.\n", "transferability": "Moderate to high. The UK's practice of reporting campaign vs non-campaign\nresponses is immediately transferable. The harder design challenge is building\ndashboards that show distinctness metrics without appearing to dismiss mass\nparticipation. Any \"distinct voice\" metric must be presented alongside raw counts,\nnot instead of them.\n" }, { "id": "6.5", "title": "Submitter nudges on template matches", "territory": 6, "slug": "template-match-submitter-nudges", "maturity": "frontier", "maturityNote": "Frontier (no production implementation of a submitter-facing template-match nudge found; the conceptual basis is strong)", "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "GOV.UK: Growing Up in the Online World — consultation response totals (duplicate-entry prevention)", "jurisdiction": "UK", "source": "https://www.gov.uk/government/publications/growing-up-in-the-online-world-consultation-response-totals/growing-up-in-the-online-world-consultation-response-totals" }, { "name": "GSA: Regulations.gov Bulk Comment API transparency update", "jurisdiction": "US", "year": 2021, "source": "https://www.gsa.gov/about-us/newsroom/news-releases/gsa-launches-updated-regulationsgov-to-improve-the-integrity-of-public-commenting-02172021" }, { "name": "Beth Noveck: Congressional testimony", "jurisdiction": "US", "year": 2020, "source": "https://www.congress.gov/116/meeting/house/110461/witnesses/HHRG-116-BA09-Wstate-NoveckB-20200206.pdf" } ], "assurance": "Government needs the submissions it receives to carry distinct argument rather than repeated template text, so a reviewer can weigh what a person actually contributes, while a participant keeps the right to send a template unchanged. That means a submitter should learn, before filing, that their comment matches a known template and that a unique argument carries more analytical weight, without being prevented from submitting as written.", "access": "Template-match nudges risk deterring low-literacy participants, so the nudge must never be coercive: it explains why a personal perspective helps, applies plain-language and accessibility standards, and always preserves the right to submit the template as-is.", "surface": { "summary": "An inline submission-flow nudge that detects template similarity and offers to help the submitter add a personal perspective, with a clear, non-blocking 'submit as written' path.", "instances": [ { "domain": "interaction", "kind": "mockup", "annotation": "A soft inline banner that detects a template match and tells the submitter their own experience adds weight ('this matches a known template; adding your own experience adds weight'), with the primary submit action still fully available. It informs the submitter without preventing a template submission." } ] }, "whereThingsGoWrong": "By nudging toward substance over volume at the point of submission, the pattern works against the volume-as-mandate dynamic; its central safeguard is that it never gates participation behind a literacy or effort threshold.", "challenge": "As AI agents make it easy to file a campaign template at scale, more participants will submit\ntext identical to thousands of others without knowing it will be grouped and weighed as a\nsingle argument rather than counted one by one. A person who would have added their own\nexperience, had they understood how submissions are read, instead files volume that carries\nlittle distinct weight.\n\nThe challenge is to let a submitter learn this at the point of submission, so they can choose\nto add a personal perspective, without pressuring anyone or blocking the template route.\n", "precedentsNote": "**UK Government Duplicate-Entry Prevention.** The \"Growing Up in the Online World\"\nconsultation survey included \"duplicate-entry prevention and questions designed to\ndetect and deter automated (bot) responses.\" While primarily aimed at bots, this\nrepresents a submitter-facing intervention in the submission flow.\n\n**Regulations.gov Bulk Comment API Transparency.** GSA's updated API requires\nidentity verification for bulk submitters and introduces transparency about the\nsource of automated comments. While organization-facing rather than\nindividual-facing, it establishes the principle that the system should signal when\nsubmissions are part of a coordinated campaign.\n\n**Beth Noveck / Transparency Advocacy.** Noveck has argued that data science tools\nand methods have evolved to deal with voluminous, duplicative, and fake comments,\n\"yet neither agencies nor the regulations.gov administrator are using them in a\nsubstantial way,\" pointing to a gap in submitter-facing feedback mechanisms.\n\n**Concept: Real-Time Template Detection.** No major consultation platform\ncurrently provides real-time feedback to submitters saying \"your comment matches a\nknown template — consider adding your own perspective.\" This is an open design\nproblem. The pattern would combine NLP similarity matching with a nudge\ninterface, preserving the submitter's right to submit the template unchanged while\ninforming them that doing so adds volume but not breadth.\n", "transferability": "High in principle; the design is jurisdiction-agnostic. Implementation requires\ncare: the nudge must not be coercive or discourage participation. Accessibility\nand plain-language requirements apply. The nudge should explain *why* adding a\npersonal perspective matters, because agencies weigh unique arguments, not counts.\n" }, { "id": "6.6", "title": "Alternative weighting mechanisms", "territory": 6, "slug": "alternative-weighting-mechanisms", "maturity": "emerging", "maturityLevels": [ { "level": "established", "note": "Wikipedia's consensus norms are well-established, though not in government contexts." }, { "level": "emerging", "note": "Quadratic voting has appeared in legislative use." }, { "level": "frontier", "note": "Conviction voting in government remains unproven." } ], "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "Weyl & Lalley: Quadratic Voting", "source": "https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2003531" }, { "name": "RadicalxChange: Quadratic Voting wiki", "source": "https://www.radicalxchange.org/wiki/quadratic-voting/" }, { "name": "Colorado Sun: Quadratic voting in the Colorado House", "jurisdiction": "US", "year": 2019, "source": "https://coloradosun.com/2019/05/28/quadratic-voting-colorado-house-budget/" }, { "name": "RadicalxChange: Colorado QV", "jurisdiction": "US", "source": "https://www.radicalxchange.org/wiki/colorado-qv/" }, { "name": "Colorado FOIC: anonymous QV violates open meetings law", "jurisdiction": "US", "source": "https://coloradofoic.org/lawmakers-use-of-anonymous-quadratic-voting-system-violates-colorados-open-meetings-law-judge-rules/" }, { "name": "Commons Stack: Conviction Voting", "source": "https://medium.com/commonsstack/conviction-voting-a-novel-continuous-decision-making-alternative-to-governance-62e215ad2b3d" }, { "name": "Block Science: A Brief History of Conviction Voting", "source": "https://blog.block.science/a-brief-history-of-conviction-voting/" }, { "name": "Wikipedia: Polling is not a substitute for discussion", "source": "https://en.wikipedia.org/wiki/Wikipedia:!VOTE" }, { "name": "Wikipedia: Arguments to avoid in deletion discussions", "source": "https://en.wikipedia.org/wiki/Wikipedia:Arguments_to_avoid_in_deletion_discussions" } ], "assurance": "Government needs a way to register how strongly a position is held, and how sustained the support behind it is, so a result reflects considered weight rather than mobilization capacity. The weighting it uses has to be defensible: explainable to participants and to anyone challenging the outcome.", "access": "An opaque weighting scheme excludes the people who cannot tell how their input was counted, who then have little reason to trust or engage with the process. Keep the path open by explaining the weighting in plain language at the point of participation, and, as the Colorado open-meetings ruling showed, by not trading that legibility away for anonymity at the cost of public accountability.", "surface": { "summary": "A prioritization interface that gives each participant a credit budget and shows the intensity-weighted result, with a plain-language explanation of how votes are weighted.", "instances": [ { "domain": "interaction", "kind": "mockup", "annotation": "A credit-allocation screen that shows the rising cost of concentrating votes on one position and explains, inline, how the final weighting is computed, so a participant can see how their input is counted rather than taking the result on trust." } ] }, "whereThingsGoWrong": "These mechanisms reframe participation as arguments and intensity rather than raw numbers, countering volume-as-mandate logic. The Colorado case is a reminder that an opaque weighting algorithm can itself become the accountability failure.", "challenge": "When AI agents make it cheap to produce submissions in bulk, a process that counts each one\nequally rewards whoever can mobilize or automate the most volume, not whoever is most\naffected or has the strongest case. An intensely affected minority can be outweighed by a\nlarge, lightly engaged majority, or by a campaign an agent ran at scale.\n\nThe challenge is to weigh participation by something other than raw count, in a way\nparticipants can understand and the agency can defend.\n", "precedentsNote": "**Quadratic Voting (QV).** Developed by Glen Weyl and Steven Lalley, QV gives\nparticipants a budget of \"voice credits\" that convert to votes at the square root:\n1 credit = 1 vote, 4 credits = 2 votes, 9 credits = 3 votes. This lets\nparticipants signal intensity while making extreme concentration progressively\nmore expensive, mitigating both tyranny-of-the-majority and vote-buying.\n\n**Colorado Legislature QV Pilot (US, 2019–present).** The Democratic Caucus of the\nColorado House adopted QV in 2019 to prioritize spending bills when the backlog\nexceeded available budget. Each lawmaker received 100 credits to allocate across\n100+ bills, with leaders receiving a bar chart of intensity-weighted priorities.\nThe system has continued since 2019, though a judge ruled the anonymous ballot\nprocess violated Colorado's open meetings law, highlighting transparency tensions.\n\n**Conviction Voting.** Developed by Michael Zargham and implemented by Commons\nStack and 1Hive, conviction voting integrates time as a core dimension: the longer\na participant supports a proposal, the more their conviction accumulates (a\nhalf-life decay curve). This rewards sustained commitment over flash-mob\nmobilization and makes last-minute manipulation costly. 1Hive's Gardens is the\nfirst production deployment, allocating funds from a common pool on Gnosis Chain.\n\n**Wikipedia's \"!vote\" Culture.** Wikipedia's consensus culture explicitly rejects\nvote-counting in favor of argument quality. The \"!vote\" notation (read\n\"not-vote\") reminds editors that polls gauge opinion, not bind referendums. In\ndeletion discussions, a single well-argued, policy-citing position can outweigh\nten unsupported votes. This is the most mature example of a community explicitly\ndistinguishing volume from quality of argument.\n", "transferability": "Mixed. QV has proven transferable to legislative settings (Colorado) and could be adapted for\nprioritization exercises in public consultation. Conviction voting's blockchain origins make\nit culturally distant from government contexts, where it has no production use yet, but the\ntime-weighting principle is relevant. Wikipedia's !vote culture is a governance norm rather\nthan a technical mechanism, but offers a sharp framing: \"arguments, not numbers.\"\n\nFor government digital services, the most transferable insight is that weighting mechanisms\nshould be legible to participants: any system that weights contributions must explain its\nlogic transparently.\n" }, { "id": "7.1", "title": "Public-option agency-provided agents", "territory": 7, "slug": "public-option-agency-provided-agents", "maturity": "emerging", "maturityNote": "Emerging. Direct File and Apertus are real implementations. The \"public option agent\" concept specifically for government services is a natural extension but has no known production deployment.", "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "IRS Free File / Direct File", "jurisdiction": "US", "source": "https://en.wikipedia.org/wiki/Free_File" }, { "name": "Code for America IRS free tax filing survey guide", "jurisdiction": "US", "source": "https://codeforamerica.org/news/code-for-americas-guide-to-the-irs-free-tax-filing-survey/" }, { "name": "Schneier, \"Public AI as an Alternative to Corporate AI\"", "year": 2024, "source": "https://www.schneier.com/blog/archives/2024/03/public-ai-as-an-alternative-to-corporate-ai.html" }, { "name": "Schneier, \"Canada Needs Nationalized, Public AI\"", "year": 2026, "source": "https://www.schneier.com/blog/archives/2026/03/canada-needs-nationalized-public-ai.html" }, { "name": "Eric Friedman, \"Universal Basic Agents\"", "source": "https://ericfriedman.substack.com/p/universal-basic-agents" } ], "assurance": "Government needs every citizen to be able to reach agentic services through an agent that answers to the citizen, not to a commercial intermediary. Meeting that requires a publicly accountable baseline agent whose alignment, training data and decision logic can be audited, so the citizen and the agency can both trust whose interests it serves.", "access": "Citizens with no bank, employer, insurer or subscription relationship are excluded when the only agents available come bundled with those relationships, and they are the people most likely to need government services. The keep-open response is a free public agent at every service entry point, so reaching agentic government is never conditioned on wealth or an existing institutional relationship.", "surface": { "summary": "A service entry point that offers the citizen a free, government-aligned agent alongside (or instead of) any commercial agent they already hold.", "instances": [ { "domain": "strategy", "kind": "mockup", "annotation": "Every service entry point offers a free, government-aligned agent the citizen can use without holding any commercial relationship, presented alongside whatever agent they already have." } ] }, "whereThingsGoWrong": "The failure mode is a system that systematically acts against the people it serves because the agent in front of them answers to a commercial intermediary optimizing for its own products. A publicly auditable baseline agent aligned to the citizen reduces that chance.", "challenge": "If AI agents are only available through banks, employers, insurers or subscription\nplatforms, access to agentic government services becomes a function of wealth and\nexisting institutional relationships. The agent a bank provides will optimize for\nthe bank's interests, not the citizen's. Citizens without commercial relationships,\nthe very people most likely to need government services, are excluded entirely.\n", "precedentsNote": "**IRS Direct File.** The US Internal Revenue Service built Direct File, a\ngovernment-provided free tax filing tool, as an alternative to commercial tax\npreparation software offered through the Free File Alliance. 94% of Direct File\nusers rated their experience \"excellent\" or \"above average\" (Net Promoter Score\n+80). In a 2023 IRS survey, 72% of respondents said they would prefer a free\nIRS-provided filing tool over free commercial software, citing trust that the IRS\nwould keep their data more secure. An audit also found computing errors in\ncommercial Free File software.\n\n**Schneier's \"Public AI\" proposal.** Bruce Schneier has argued for federally\nfunded foundation AI models as a public service, analogous to public roads or the\npostal system, providing a competitive baseline that private offerings must meet\nor exceed. Switzerland has pioneered this with Apertus, a large language model\nbuilt by Swiss public servants and university researchers using appropriately\nlicensed training data and public supercomputing infrastructure.\n\n**Universal Basic Agents concept.** The concept of \"Universal Basic Agents\" (UBA),\nanalogous to universal basic income, proposes that each person be provided a\npersonal AI agent, with tailored support across health, finances and civic\nengagement.\n", "transferability": "High. The IRS Direct File precedent demonstrates that government-provided tools can\noutperform commercial alternatives on user satisfaction and trust, and that citizens actively\nprefer the government option when offered.\n\nFor an agent-mediated government services context, this translates to a pattern where the\ngovernment provides a baseline agent whose alignment is to the citizen rather than to a\ncommercial intermediary, even where it is not the most capable agent on the market. The Swiss\nApertus model shows this is technically feasible at the foundation-model level. Commercial\nagents may connect to the same service APIs, but the public option ensures universal access.\n" }, { "id": "7.2", "title": "Voice-fidelity preservation", "territory": 7, "slug": "voice-fidelity-preservation", "maturity": "frontier", "maturityLevels": [ { "level": "frontier", "note": "The research documenting the problem is recent (2025-2026), with the CHI 2026 paper quantifying cultural-marker erasure providing the empirical foundation; no known system implements voice-fidelity preservation as a design requirement, and the interaction design that surfaces and flags substantive rewrites to the citizen has no established precedent." } ], "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "CHI 2026, \"When AI Writes, Whose Voice Remains?\"", "year": 2026, "source": "https://dl.acm.org/doi/full/10.1145/3772363.3799085" }, { "name": "Stanford, \"How AI is leaving non-English speakers behind\"", "jurisdiction": "US", "year": 2025, "source": "https://news.stanford.edu/stories/2025/05/digital-divide-ai-llms-exclusion-non-english-speakers-research" }, { "name": "WEF, \"How can we design AI agents for a world of many voices?\"", "year": 2026, "source": "https://www.weforum.org/stories/2026/01/how-can-we-design-ai-agents-for-a-world-of-many-voices/" }, { "name": "Sharma et al., \"Towards Understanding Sycophancy in Language Models\" (ICLR 2024) (preprint)", "year": 2024, "source": "https://arxiv.org/abs/2310.13548" }, { "name": "Predicting user behaviour with GPT (arXiv) (preprint)", "source": "https://arxiv.org/abs/2605.18302" }, { "name": "Gender bias in AI-generated reference letters (arXiv)", "source": "https://arxiv.org/pdf/2310.09219" } ], "assurance": "Government needs confidence that a submission reaching an agency still represents what the citizen actually said, not a version the agent reshaped on the way. Meeting that requires the agent to carry the citizen's original input alongside its structured version and to flag when a rewrite has changed the substantive position, so neither the citizen nor the agency loses sight of the original voice.", "access": "Voice-fidelity preservation requires the citizen to review agent changes, itself a literacy-dependent task. A diff display assumes reading competence and an audio summary assumes hearing, so review must be offered across modalities (text, audio, plain language, interpreter) rather than a single channel.", "surface": { "summary": "A pre-submission review screen that shows the citizen, in plain language, exactly what their agent changed, including any change to the substance of what they said, before anything is sent.", "instances": [ { "domain": "interaction", "kind": "interactive", "component": "VoiceDiff", "annotation": "An inline diff highlights meaning-changing edits before the citizen submits, marking a rewrite like 'I demand' to 'I request' so the citizen sees the substantive change and can keep their own wording." } ] }, "whereThingsGoWrong": "The failure mode is an agent silently reframing a complaint or appeal in a way that misrepresents the person to the agency. Surfacing what the agent changed, and flagging when a rewrite alters the citizen's substantive position, prevents it.", "challenge": "When an AI agent rewrites a citizen's complaint, submission or application, it smooths,\nformalizes and homogenizes.\n\nResearch demonstrates this is not neutral: LLMs privilege majority statistical regularities\nat the expense of minoritized forms through a process described as \"dimensional collapse,\" an\nattractive force toward dominant modes within the latent space. A 2026 CHI paper, \"When AI\nWrites, Whose Voice Remains?\", quantified cultural marker erasure across World English\nvarieties.\n\nLLM rewriting reduces lexical diversity, strips dialectal markers, and imposes a formal\nregister that may change the substance of what was said. Minoritized linguistic features\n(such as AAVE syntax) are often flagged as requiring \"correction.\"\n", "precedentsNote": "**LLM sycophancy research.** The documented tendency of LLMs toward sycophancy\n(tailoring responses to what they predict the user wants to hear rather than what is\naccurate) compounds the voice-fidelity problem. An agent that rewrites a complaint\nto sound more \"professional\" may also moderate its force, remove emotional content\nthat conveys urgency, or reframe a demand as a request. Research on GPT's ability to\npredict user behavior found \"critical failures to reflect user patterns, with\nsignificantly different distributions from real data in 53% of tasks.\"\n\n**Gender bias in AI-generated professional documents.** Research has found that\nAI-generated reference letters exhibit gender biases in language professionalism,\nexcellency and agency: male candidates are described with more \"professional\"\nlanguage. This demonstrates that AI \"improvement\" of text is not ideologically\nneutral; it encodes existing hierarchies.\n", "transferability": "Direct, though few working examples exist yet. In a government services context, the\nvoice-fidelity problem appears when a citizen's complaint about housing conditions is\nrewritten into bureaucratic language that strips the lived urgency, or when an appeal is\n\"improved\" into a form that changes its legal character. The citizen may not understand what\nwas changed, and the receiving agency may not know the submission was agent-mediated.\n\nA voice-fidelity protocol would carry both the structured version and the citizen's original\ninput, let the receiving system surface the original when the structured version is\nambiguous, show citizens a plain-language diff before submission, and require agents to flag\nwhen a rewrite changes the substantive position.\n\nShowing a citizen with low literacy, or whose first language is not English, that their agent\nchanged the meaning is the hardest part, because a diff display assumes reading competence\nand an audio summary assumes hearing. This is where the stronger the assurance a pattern\ndemands, the more people it risks excluding.\n" }, { "id": "7.3", "title": "First-class non-agent fallback channels", "territory": 7, "slug": "first-class-non-agent-fallback-channels", "maturity": "established", "maturityLevels": [ { "level": "established", "note": "For the digital/non-digital divide, fallback channels are well-established practice." }, { "level": "emerging", "note": "For the agent/non-agent divide, equivalent fallback channels are still taking shape." } ], "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "GDS blog, \"An introduction to assisted digital\"", "jurisdiction": "UK", "year": 2011, "source": "https://gds.blog.gov.uk/2011/07/28/an-introduction-to-assisted-digital/" }, { "name": "GDS blog, \"Designing public services that work for everyone\"", "jurisdiction": "UK", "year": 2025, "source": "https://gds.blog.gov.uk/2025/12/10/designing-public-services-that-work-for-everyone/" }, { "name": "Services Australia self-service", "jurisdiction": "AU", "source": "https://www.servicesaustralia.gov.au/self-service?context=64107" }, { "name": "Services Australia 2030 Strategy", "jurisdiction": "AU", "source": "https://www.servicesaustralia.gov.au/services-australia-2030-strategy?context=22" }, { "name": "Data and Digital, Connected service delivery", "jurisdiction": "AU", "year": 2025, "source": "https://www.dataanddigital.gov.au/implementation-plan/2025/connected-service-delivery" } ], "assurance": "Government needs to be able to guarantee that the non-agent channel delivers the same outcome, not just the same access, as the agent-mediated one, so a citizen who uses it is not quietly placed on a slower or worse path. That requires service-level commitments pitched at equivalent results across channels, with the agency carrying the obligation to hold them.", "access": "Citizens who cannot use an agent, or who choose not to, are the ones at risk of being routed to a second-tier service once agent mediation becomes the default. The keep-open response is an explicit channel choice at every service entry point and an enforceable guarantee of equivalent service quality and timeliness, so opting out of agents does not cost a citizen the outcome.", "surface": { "summary": "An explicit channel-choice control at each service entry point, with the equivalence commitment held to account through reported processing times and success rates for non-agent users.", "instances": [ { "domain": "service", "kind": "mockup", "annotation": "A channel-choice selector lets the citizen pick the non-agent route, and reported processing times and outcomes for that route hold the agency to its equivalence commitment." } ] }, "whereThingsGoWrong": "Where this goes wrong is a person who opts out of agent mediation being funneled into a faster but worse path. Guaranteeing equivalent outcomes through a non-agent channel, and monitoring for divergence, holds that line.", "challenge": "As agent-mediated interaction becomes the default pathway, agent channels can process faster\nand more cheaply than the human ones behind them, so the non-agent channel drifts toward\nlonger waits and worse outcomes even when it still formally exists.\n\nThe challenge is to keep the non-agent route at parity with the agent route, so a citizen who\ncannot or chooses not to use an agent reaches the same outcome rather than a slower,\nlower-quality version of the service.\n", "precedentsNote": "**GOV.UK assisted digital.** The UK Government Digital Service established \"assisted\ndigital\" as a formal policy category: help and support for people who cannot use\ndigital services independently. The Service Standard requires services to maintain\nnon-digital channels, with a tiered program: click-and-print services for paper\nforms; interface layers where non-digital elements are required (e.g. identity\nverification); physical access through internet terminals and face-to-face support;\nand alternative delivery through Post Offices and other partners. GDS explicitly\nmoved from \"digital by default\" to designing \"public services that work for\neveryone.\"\n\n**Services Australia multichannel delivery.** Services Australia maintains\nface-to-face service centers, self-service terminals (including in rural, regional\nand remote locations through Agents and Access Points), phone services, and digital\nchannels. The Services Australia 2030 Strategy acknowledges that \"many people with\ncomplex needs and particularly vulnerable circumstances can't engage online, ring\nServices Australia, or visit a service center.\"\n", "transferability": "Direct. The GOV.UK model is the most mature expression of this principle. For agent-mediated\nservices, the pattern extends from \"non-digital\" to \"non-agent.\" A citizen must be able to\ninteract with government services without any AI intermediary and receive equivalent service\nquality and timeliness. This is harder than the digital/non-digital divide because\nagent-mediated services may process faster, creating a two-tier system even if both channels\nexist.\n\nThe pattern therefore requires service-level agreements that guarantee equivalent outcomes\n(not just equivalent access) across channels, monitoring dashboards that track whether\nnon-agent users experience longer processing times or worse outcomes, and explicit\nchannel-choice at every service entry point.\n" }, { "id": "7.4", "title": "Accessibility baseline and beyond", "territory": 7, "slug": "accessibility-baseline-wcag-and-beyond", "maturity": "established", "maturityLevels": [ { "level": "established", "note": "WCAG conformance for web services is a recognized, mandated floor." }, { "level": "frontier", "note": "Conversational accessibility standards specific to agent interactions have no established precedent." } ], "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "UNC SOG, \"Understanding the New ADA Web Accessibility Requirements\"", "jurisdiction": "US", "year": 2026, "source": "https://canons.sog.unc.edu/blog/2026/01/14/understanding-the-new-ada-web-accessibility-requirements-for-state-and-local-governments/" }, { "name": "Segal, \"Government Entities Must Meet Web Accessibility Rules\"", "jurisdiction": "US", "source": "https://www.segalco.com/consulting-insights/government-entities-must-meet-website-accessibility-rules/" }, { "name": "DTA, \"Accessibility and the Digital Service Standard\"", "jurisdiction": "AU", "source": "https://www.dta.gov.au/blogs/accessibility-and-digital-service-standard" } ], "assurance": "Government needs every citizen to be able to use the agent interface itself, not only the service behind it, before it can rely on agent-mediated delivery. Meeting that requires the recognized web-accessibility floor for the interface components and a parallel commitment on how the agent converses, covering pace, plain language, the ability to pause and review, and a transcript the citizen can check.", "access": "Citizens with cognitive or processing differences, low literacy, or limited working memory can clear a technically conformant interface and still be unable to follow a conversation that moves too fast, assumes domain knowledge, or vanishes as it scrolls, and they are excluded from a consequential action they cannot track. The keep-open response is interactions that are reviewable rather than ephemeral, paced to the citizen, and plain by default, so neither the interface nor the cognitive load shuts anyone out.", "surface": { "summary": "An agent interface that ships recognized accessibility-standard compliance plus conversational-accessibility affordances: adjustable pace, plain language by default, pause/resume, and a reviewable transcript.", "instances": [ { "domain": "interaction", "kind": "mockup", "annotation": "The agent interface gives the citizen direct control over the conversation: a pace control, plain language by default, pause and resume, and a persistent transcript they can review." } ] }, "whereThingsGoWrong": "The failure mode is a person swept through an inaccessible automated flow they cannot follow or check. Requiring reviewable, plain-language, pace-adjustable interactions ensures they can actually follow and verify a consequential action.", "challenge": "When a government service is reached through an AI agent, the agent's own interface becomes\nthe thing a citizen has to be able to use, and if it is not accessible the agent is just a\nnew barrier in front of the service. Web-accessibility standards cover the visual and\ninteraction layer, but a back-and-forth conversation adds a cognitive dimension, pace, plain\nlanguage, the ability to pause and review, that no current standard covers.\n\nThe challenge is to hold agents to the established accessibility floor and extend it to how\nthey converse.\n", "precedentsNote": "**WCAG 2.1 AA as legal baseline.** The US DOJ's ADA Title II Final Rule requires\nstate and local government entities to ensure web content and mobile applications\nconform to WCAG 2.1 Level AA. A DOJ interim final rule (April 2026) extended the\ncompliance deadlines to 26 April 2027 for larger public entities (population 50,000\nor more) and 26 April 2028 for smaller entities and special districts. Section 508\nof the Rehabilitation Act\nrequires the same for federal agencies and contractors. Australia's Digital Service\nStandard incorporates WCAG compliance. These are cumulative: Level AA requires\nmeeting all Level A and Level AA success criteria.\n", "transferability": "WCAG compliance is necessary but not sufficient for agent-mediated services. WCAG addresses\nthe interface layer (screen readers, color contrast, keyboard navigation) but not the\ncognitive accessibility of agent interactions. An agent conversation that meets WCAG\ntechnically may still be cognitively inaccessible if it uses complex language, assumes domain\nknowledge, or moves too fast.\n\nThe pattern needs extension to cover conversational accessibility: agents must support\nadjustable pace, plain language by default, the ability to pause and resume, and explicit\nconfirmation before consequential actions, and interactions must be reviewable rather than\nephemeral. The recognized web-accessibility standards do not yet cover how an agent\nconverses, so this part of the floor has to be defined rather than adopted.\n" }, { "id": "7.5", "title": "Plain language and multilingual intake", "territory": 7, "slug": "plain-language-and-multilingual-intake", "maturity": "established", "maturityLevels": [ { "level": "established", "note": "Plain-language requirements are codified and in force." }, { "level": "emerging", "note": "Multilingual AI with quality transparency is beginning to appear." }, { "level": "frontier", "note": "Language-quality disclosure patterns for agents have no established precedent." } ], "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "Digital.gov, \"Requirements for plain writing\" (Plain Writing Act 2010)", "jurisdiction": "US", "year": 2010, "source": "https://digital.gov/resources/plain-writing-act" }, { "name": "DOI, \"Plain Language\"", "jurisdiction": "US", "source": "https://www.doi.gov/plainlanguage" }, { "name": "Digital.gov, \"Requirements for improving access to services for LEP\"", "jurisdiction": "US", "source": "https://digital.gov/resources/requirements-for-improving-access-to-services-for-people-with-limited-english-proficiency-lep" }, { "name": "TIS National (Translating and Interpreting Service)", "jurisdiction": "AU", "source": "https://www.tisnational.gov.au/" }, { "name": "Australian Academy of the Humanities, \"Enshrining multilingualism\"", "jurisdiction": "AU", "source": "https://humanities.org.au/power-of-the-humanities/enshrining-multilingualism-how-a-landmark-languages-policy-changed-australia/" } ], "assurance": "Government needs confidence that a citizen acting through an agent has understood the service and been understood by it, regardless of their literacy or the language they use. Meeting that requires plain language as the working register, an honest account of how good the agent's command of a given language is, and human-verified translation where legal or medical content makes an error costly.", "access": "Plain language as the default register (not an option the user must find), language detection with confirmation at intake, and disclosure when the agent's competence in a language is limited (with human interpreter fallback), so the 'invisible languages' problem does not silently exclude speakers of under-resourced languages.", "surface": { "summary": "An intake flow that defaults to plain language, detects and confirms the citizen's language, and surfaces an explicit competence indicator (with interpreter fallback) when operating in an under-resourced language.", "instances": [ { "domain": "interaction", "kind": "mockup", "annotation": "At intake, the agent shows how well it handles the citizen's language and offers a 'request a human interpreter' path when its command of that language is limited." } ] }, "whereThingsGoWrong": "Where this goes wrong is a citizen misled by confident-but-wrong agent output into a position that harms their entitlement or compliance. Defaulting to plain language and disclosing when translation quality is low guards against that.", "challenge": "As more government interaction runs through AI agents, the same capability that could open\nbureaucratic language to citizens with lower literacy or limited English proficiency can\ninstead deepen the barrier, rewarding citizens who know how to prompt the agent well and\nunderserving languages with little training data behind them.\n\nThe challenge is to make agent intake reach citizens across literacy levels and languages on\nequal terms, rather than letting the agent's own language competence decide who is\nunderstood.\n", "precedentsNote": "**US Plain Writing Act 2010.** Requires all executive branch agencies to use plain\nlanguage in documents the public needs in order to obtain benefits, access services\nor comply with requirements. Agencies must train employees, establish compliance\noversight, write all new or substantially revised documents in plain language, and\npublish an implementation plan; OMB guidance M-11-15 operationalizes this.\n\n**US Executive Order 13166 (Limited English Proficiency).** Required federal\nagencies to provide meaningful access for LEP persons to federally conducted\nprograms: LEP plans, staff training, multilingual recruitment, qualified\ntranslators and interpreters, and language-assistance technology. Note: EO 14224\n(March 2025) declared English the official language and revoked EO 13166, though\nunderlying legal requirements for language access remain.\n\n**Australia's Translating and Interpreting Service (TIS National).** TIS National\nprovides language services for people with limited English proficiency and the\norganizations that support them, supporting the Multicultural Access and Equity\nPolicy. Australia's language policy framework, developed from the Lo Bianco report,\nis built on \"English-plus multilingualism\" and removing language-based social\ninequalities.\n", "transferability": "High, with one caveat. AI agents can do better than static document translation because they\nadapt to the user's language level. That creates a new dependency, though: the quality of\nmultilingual AI output varies dramatically by language. Stanford research (2025) documents\nhow LLMs leave non-English speakers behind. The \"invisible languages\" problem (languages with\ninsufficient training data) means agent-mediated services could be excellent in English and\nMandarin but unusable in Karen, Dinka or Auslan.\n\nThe pattern therefore requires plain language as the default register, multilingual\ncapability with explicit quality indicators (the agent disclosing limited competence and\noffering human interpreter fallback), language detection with confirmation at intake, and\nhuman-verified translations for critical legal and medical content.\n" }, { "id": "7.6", "title": "Co-design with affected communities", "territory": 7, "slug": "co-design-with-affected-communities", "maturity": "established", "maturityLevels": [ { "level": "established", "note": "Co-design methodology is well-established in service design." }, { "level": "emerging", "note": "Co-design applied to conversational AI is beginning to appear." }, { "level": "frontier", "note": "Community oversight of deployed agent behavior has no established precedent." } ], "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "Services blog, \"From user-centred design to co-design\"", "jurisdiction": "UK", "year": 2021, "source": "https://services.blog.gov.uk/2021/03/23/from-user-centred-design-to-co-design/" }, { "name": "Accessibility blog, \"Accessibility and service design for inclusion\"", "jurisdiction": "UK", "year": 2024, "source": "https://accessibility.blog.gov.uk/2024/02/21/accessibility-and-service-design-for-inclusion/" }, { "name": "GOV.UK Design System community", "jurisdiction": "UK", "source": "https://design-system.service.gov.uk/community/" }, { "name": "DTA Digital Service Standard", "jurisdiction": "AU", "year": 2023, "source": "https://www.digital.gov.au/policy/digital-experience/digital-service-standard" }, { "name": "OECD OPSI, \"Government Digital Service Design Principles\"", "source": "https://oecd-opsi.org/toolkits/government-digital-service-design-principles/" } ], "assurance": "Government needs confidence that an agent serving a marginalized community behaves the way that community understands and expects, not the way its designers assumed people communicate. Meeting that requires the affected community to shape the agent's conversational behavior before it ships and to keep a hand on it once it is live, so the agency can stand behind how the agent treats them.", "access": "Members of the communities a service is built for, especially those with communication needs the designers do not share, are excluded when an agent encodes assumptions about how people talk, and the harm surfaces as misread requests and wrong outcomes they had no part in shaping. The keep-open response is to involve those communities as active participants at every stage and to give them a standing channel to say not just whether the agent helped but whether it said what they meant.", "surface": { "summary": "A community-oversight surface: an anonymized agent-interaction-log review panel for affected communities, plus an in-conversation 'did this say what you meant?' feedback control.", "instances": [ { "domain": "service", "kind": "mockup", "annotation": "An affected-community panel reviews anonymized interaction logs to keep oversight of how the agent behaves once it is live, and an in-conversation prompt asks the citizen whether the agent said what they meant." } ] }, "whereThingsGoWrong": "The failure mode is systematic harm to a community baked into the agent's design and only confronted after it has scaled. Building the affected community into the agent's design, and keeping them in a position to direct changes to its live behavior, gives them the standing to correct it rather than leaving them to absorb it.", "challenge": "Services designed for marginalized communities without those communities' input\ntend to encode the assumptions of the designers. This is amplified when the service\nis agent-mediated, because the agent's conversational design embeds assumptions\nabout how people communicate.\n", "precedentsNote": "**GOV.UK co-design approach.** GDS has moved from user-centred design to co-design,\ndesigning with users as active participants. The GOV.UK Design System depends on\ncross-government community contribution, and GDS works with Citizens Advice to\nanalyze users' end-to-end journeys and real-world barriers.\n\n**Australia's Digital Service Standard.** The DTA's Digital Service Standard (v2.0,\nDecember 2023) includes \"Leave no one behind\" alongside \"Know your user,\" requiring\nservices to include users with different needs at all stages of development and\nprototyping.\n\n**Cross-jurisdictional design-principle alignment.** Teams across USDS, Australia's\nDTA, Finland's D9 unit and Canada's Ontario Digital Service have created overlapping\nsets of standards mostly building on GDS' original ten principles, a maturing\ninternational norm.\n", "transferability": "Essential but methodologically harder for agent-mediated services. Co-designing a form or a\nwebsite produces artifacts that are relatively stable and reviewable. Co-designing an agent's\nconversational behavior requires iterating on something that is probabilistic and\ncontext-dependent. Communities need to be involved not just in what the agent says but in how\nit responds to unexpected input, how it handles distress, and what it does when it does not\nunderstand.\n\nThe pattern requires structured co-design sprints before deployment, ongoing community panels\nwith access to anonymized interaction logs, and explicit in-interaction feedback mechanisms.\n\nEstablished co-design methods assume a deterministic artifact, so extending them to govern a\nsystem that responds differently to similar inputs, and keeping the community involved after\ndeployment rather than only before it, is what this pattern asks for.\n" }, { "id": "7.7", "title": "Platform intermediary interests", "territory": 7, "slug": "whose-model-platform-intermediary-interests", "maturity": "emerging", "maturityNote": "Emerging. The agentic inequality framework provides the analytical foundation. The regulatory response is nascent. No government has yet implemented provider-disclosure requirements for AI agents interacting with public services.", "status": "reviewed", "threads": [ "financial-services" ], "dependsOn": [], "precedents": [ { "name": "\"Vertical tacit collusion in AI-mediated markets\" (arXiv)", "source": "https://arxiv.org/pdf/2601.03061" }, { "name": "\"Regulating AI Agents\" (arXiv)", "source": "https://arxiv.org/pdf/2603.23471" }, { "name": "Sharp, Bilgin & Gabriel, \"Agentic Inequality\"", "year": 2025, "source": "https://arxiv.org/abs/2510.16853" }, { "name": "Rest of World, \"AI agents will exacerbate global economic inequality\"", "year": 2026, "source": "https://restofworld.org/2026/ai-agent-inequality/" } ], "assurance": "When a commercially provided agent acts on a citizen at a government service, government needs to know whose interests are actually steering it, so an undisclosed conflict cannot shape an outcome unseen. Meeting that requires the agent to declare its provider, principal and commercial relationships and to attest whose interests it serves as part of the delegation chain the agency can check.", "access": "Government services must accept agents from any provider (interoperability) but must also offer the public-option agent so citizens are never forced to use a commercially compromised agent. The conflict and its disclosure must be legible to a citizen who would otherwise never know their agent was not acting solely in their interest.", "surface": { "summary": "A provider-and-interest disclosure surface shown when a third-party agent acts on a citizen's behalf, naming the provider, principal and any commercial relationship, with a one-tap switch to the public-option agent.", "instances": [ { "domain": "interaction", "kind": "mockup", "annotation": "When a third-party agent acts for the citizen, the surface names the agent's principal and commercial ties and offers a switch to the public-option agent." } ] }, "whereThingsGoWrong": "The failure mode is a structurally misaligned intermediary quietly steering a citizen's government interaction toward the provider's benefit. Requiring the agent to disclose whose interests it serves, and giving the citizen an uncompromised alternative, addresses the misalignment itself, which case-by-case scrutiny of each interaction cannot reach.", "challenge": "When a citizen's agent is supplied by their bank, employer, or insurer, it may be optimizing\nfor the provider's interests as much as the citizen's, and the citizen usually cannot see it.\nPointed at a government service, that agent might file a tax return in a way that favors the\nprovider's products, or downplay an employer's liability in a claim.\n\nThe challenge is to surface whose interests an agent actually serves when it acts for a\ncitizen with government, and to give the citizen a route that is not compromised.\n", "precedentsNote": "**Agentic inequality framework.** Research from the University of Oxford and the\nCooperative AI Foundation (2025) defines \"agentic inequality\" as \"disparities in\npower, opportunity, and outcomes arising from unequal access to, and capabilities\nof, AI agents,\" analyzed across availability, quality and quantity. It distinguishes\nthis from earlier digital divides: \"agents function as autonomous delegates rather\nthan tools, generating new asymmetries through scalable goal delegation and direct\nagent-to-agent competition.\"\n", "transferability": "Direct. In a government services context, the \"whose model\" problem manifests when a\nbank-provided agent filing a tax return optimizes for the bank's financial products rather\nthan the citizen's tax position; an employer-provided agent applying for a workplace injury\nclaim downplays the employer's liability; or an insurer-provided agent navigating a health\nclaim steers toward lower-cost treatments. The citizen may never know their agent was not\nacting solely in their interest.\n\nThe pattern requires mandatory disclosure of the agent's provider, principal and commercial\nrelationships; interoperable acceptance of any provider's agent alongside a public-option\nagent; and agent attestation of \"whose interests it serves\" as part of the delegation chain.\n\nDisclosure addresses transparency but not the underlying misalignment, which is why the\ncitizen needs an uncompromised alternative as well as a warning. The harder part is\nconnecting a disclosed conflict to a citizen who can actually act on it, and that connection\nis where the pattern is least settled.\n" }, { "id": "7.8", "title": "Government-provided agents for high-stakes interactions", "territory": 7, "slug": "public-defender-analogy", "maturity": "emerging", "maturityLevels": [ { "level": "emerging", "note": "Legal AI tools already exist." }, { "level": "frontier", "note": "A government-provided agent as a right for high-stakes interactions has no established precedent." } ], "status": "reviewed", "threads": [], "dependsOn": [ "7.1" ], "precedents": [ { "name": "\"How Can AI Augment Access to Justice? Public Defenders' Perspectives\" (arXiv 2510.22933) (preprint — not peer-reviewed; source of the 17-professional, five-pillars finding)", "year": 2025, "source": "https://arxiv.org/abs/2510.22933" }, { "name": "OECD, \"AI in justice administration and access to justice\" (separate context)", "year": 2025, "source": "https://www.oecd.org/en/publications/2025/06/governing-with-artificial-intelligence_398fa287/full-report/ai-in-justice-administration-and-access-to-justice_f0cbe651.html" }, { "name": "LawHelp Interactive via Pro Bono Net", "jurisdiction": "US", "source": "https://en.wikipedia.org/wiki/Pro_Bono_Net" }, { "name": "Justice technology", "source": "https://en.wikipedia.org/wiki/Justice_technology" }, { "name": "Sam & Pearson, \"Community Legal Centres in the Digital Era\"", "jurisdiction": "AU", "year": 2019, "source": "https://lthj.qut.edu.au/article/view/1305" }, { "name": "lawcpd.com.au, \"3 Australian Initiatives Using Technology to Improve Access to Justice\"", "jurisdiction": "AU", "source": "https://lawcpd.com.au/blog/technology-access-justice-australia/" }, { "name": "Justice Connect — Pro Bono Portal (network of 10,000+ pro bono lawyers)", "jurisdiction": "AU", "source": "https://justiceconnect.org.au/about/innovation/legal-help-experience/pro-bono-portal/" } ], "assurance": "In a high-stakes interaction, government needs the citizen on the other side to be capably represented whether or not they brought their own agent, because the outcome turns on it. Meeting that requires the state itself to make a capable agent available to those who lack one, with a human escalation path the citizen can reach when the stakes warrant it.", "access": "For high-stakes interactions the government should provide a capable agent to citizens who lack their own, as it provides a lawyer to defendants who cannot afford one, wrapped in human support structures, since the community-legal-center experience shows technology alone alienates vulnerable clients.", "surface": { "summary": "A tiered provision surface: a basic public agent for routine tasks and an enhanced agent for appeals and disputes, with a human-escalation path present throughout rather than added afterward.", "instances": [ { "domain": "service", "kind": "mockup", "annotation": "For an appeal or dispute, the surface routes the citizen to an enhanced public agent and keeps a human-escalation path available throughout, so a citizen without their own agent still has capable representation." } ] }, "whereThingsGoWrong": "Where this goes wrong is a citizen left to face a consequential automated decision unaided. Guaranteeing a capable, government-provided agent with human escalation for high-stakes interactions gives them real representation when contesting a debt or benefit decision.", "challenge": "In high-stakes dealings with government, an appeal, a benefit dispute, an enforcement action,\na citizen with a capable agent has a real advantage over one without, and the stakes make\nthat gap matter.\n\nThe challenge is whether government should close it by providing a capable agent to those who\nlack one, the way it provides a lawyer to a defendant who cannot afford one, and how to do\nthat without the technology itself becoming the barrier.\n", "precedentsNote": "**AI in public defense.** A 2025 arXiv preprint (not peer-reviewed), \"How Can AI\nAugment Access to Justice? Public Defenders' Perspectives on AI Adoption,\" involving\n17 public defense professionals, identified five pillars of work amenable to AI\nassistance: evidence investigation, legal research and writing, client communication\nand support, courtroom representation, and defense strategies. Researchers note,\nhowever, that \"legal AI research rarely engages with the everyday\nrealities of public defense work.\" The OECD report below is separate context, not the\nsource of the 17-professional, five-pillars finding.\n\n**Legal self-help and document assembly tools.** The US Legal Services Corporation\nfunds LawHelp Interactive, providing document assembly for self-represented\nlitigants; Justice Connect (Australia) has developed intake and referral tools and a\npro bono portal assisting 10,000 volunteer lawyers. Research finds \"usability\nbarriers and plain-language failures can limit the effectiveness of these tools for\nlow-income users.\"\n\n**Community legal centers.** Australian community legal centers have adopted digital\ntechnologies cautiously, recognizing that as institutions serving vulnerable clients\nthey \"must be cautious not to adopt digital technologies without due thought and,\nconsequently, potentially alienate vulnerable clients.\"\n", "transferability": "Strong conceptual alignment, significant implementation challenges. The public defender\nanalogy suggests that for high-stakes government interactions (benefit appeals, immigration\ndecisions, regulatory enforcement), the government should provide a capable AI agent to\ncitizens who do not have their own, just as it provides a lawyer to defendants who cannot\nafford one. The CLC experience shows the technology alone is insufficient; it must be wrapped\nin human support structures.\n\nThe pattern is tiered: a basic public-option agent for routine interactions, and an enhanced\npublic agent with domain-specific capabilities (closer to a public defender than a\ngeneral-purpose chatbot) for high-stakes interactions, with human escalation pathways present\nthroughout the design from the start.\n" }, { "id": "7.9", "title": "Digital divide and exclusion risk", "territory": 7, "slug": "digital-divide-awareness", "maturity": "established", "maturityLevels": [ { "level": "established", "note": "Digital-divide research and measurement are mature." }, { "level": "emerging", "note": "Extending that work to agentic exclusion specifically is still taking shape." } ], "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "Good Things Foundation, \"Digital Nation\"", "jurisdiction": "UK", "year": 2024, "source": "https://www.goodthingsfoundation.org/policy-and-research/research-and-evidence/research-2024/digital-nation" }, { "name": "Sumsub, \"Addressing the Digital Divide in 2025\" (source of the 627 million figure)", "year": 2024, "source": "https://sumsub.com/blog/digital-divide/" }, { "name": "ISPI, \"The Digital Divide: A Barrier to Social, Economic and Political Equity\" (broader context; ITU ~2.6 billion offline)", "source": "https://www.ispionline.it/en/publication/the-digital-divide-a-barrier-to-social-economic-and-political-equity-204564" }, { "name": "ITU — Measuring Digital Development: Facts and Figures 2024 (rural 48% vs urban 83% internet use)", "jurisdiction": "Global", "year": 2024, "source": "https://www.itu.int/itu-d/reports/statistics/2024/11/10/ff24-internet-use-in-urban-and-rural-areas/" } ], "assurance": "Before and after it deploys an agent-mediated service, government needs to be able to account for who the service will fail and to show that those citizens still have a working route to the outcome. That confidence is what a citizen, an oversight body, or a court would rely on to accept that the move to an agent channel did not quietly exclude anyone.", "access": "Citizens caught by the divide, those without affordable connectivity or a capable agent, without the skills or confidence to direct one, or who distrust AI after past algorithmic harm, are excluded as agent channels become the default, and they tend to be the people who most need the service. The keep-open response is proactive outreach through trusted intermediaries such as libraries, community organizations and community legal centers, plus a non-agent route that delivers the same outcome, so reaching the service never depends on having a capable agent.", "surface": { "summary": "A pre-deployment exclusion-risk assessment that names the populations a service will fail and commits outreach and a non-agent route for each, with disaggregated uptake reporting feeding back to keep those commitments honest.", "instances": [ { "domain": "policy", "kind": "mockup", "annotation": "A structured assessment names the populations the agent channel is likely to fail and records the outreach and alternative route committed for each, with disaggregated uptake reporting checking those commitments are met." } ] }, "whereThingsGoWrong": "The failure mode is a system that serves some populations badly, confronted only after a cohort has been damaged. Naming those populations in a pre-deployment assessment and committing outreach and a working non-agent route for each, with uptake reporting holding the commitment, keeps them inside the service rather than leaving them to be found among the harmed.", "challenge": "As government delivery moves onto agent-mediated channels, the existing divides of access,\nskills, affordability, trust, and relevance compound into an agentic divide between citizens\nwith a capable agent and those without one.\n\nThe challenge is for government to know, before it commits to an agent channel, which\npopulations the service will fail, and to keep a route open for them, rather than discovering\nthe excluded only after a cohort has been left behind.\n", "precedentsNote": "**Quantified exclusion.** An estimated 627 million people are digitally excluded\nglobally (Sumsub, 2024). In the UK, 7.9 million adults lack basic digital skills, and\n21 million cannot complete essential digital tasks for work. 33% of those offline\nreport difficulty accessing council and government services. 243 million people may\nneed help accessing services because their identity documents are non-standard or\noutdated, and identity verification systems fail 96 million people whose appearance\ndiffers from their ID photos. Globally, 48% of rural residents use the internet\nagainst 83% of urban dwellers (ITU, 2024). ISPI supports the broader digital-divide narrative\n(the ITU reports approximately 2.6 billion people remain offline) but is not the\nsource of the 627 million figure.\n", "transferability": "The existing digital divide research provides the demographic and geographic map of who will\nbe excluded from agent-mediated services. Every barrier to digital services is also a barrier\nto agent-mediated services, plus new barriers: the cognitive complexity of agent interaction,\nthe trust deficit for AI among communities harmed by algorithmic systems, and the\naffordability of capable agents.\n\nThe pattern requires a mandatory exclusion-risk assessment before deploying agent-mediated\ngovernment services, proactive outreach through existing trusted intermediaries (libraries,\ncommunity organizations, community legal centers) to populations at risk of agentic\nexclusion, and publication of agent-channel uptake data disaggregated by demographic and\ngeographic factors to make exclusion visible.\n" }, { "id": "8.1", "title": "Certification marks and trust registries", "territory": 8, "slug": "certification-marks-and-trust-registries", "maturity": "emerging", "maturityNote": "Emerging. The public registry and trust-badge response is in operation but narrow: a machine-readable mark an agent can query is legislated under CE marking yet not operationally implemented, FedRAMP-style authorization is mature for cloud but only beginning to cover AI, and the DPGA registry is live but voluntary and limited in scope.", "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "EU AI Act — Article 48, CE Marking for High-Risk AI Systems", "jurisdiction": "EU", "year": 2024, "source": "https://artificialintelligenceact.eu/article/48/" }, { "name": "EU AI Act — Article 43, Conformity Assessment", "jurisdiction": "EU", "year": 2024, "source": "https://artificialintelligenceact.eu/article/43/" }, { "name": "FedRAMP Marketplace", "jurisdiction": "US", "year": 2011, "source": "https://marketplace.fedramp.gov/" }, { "name": "GSA/FedRAMP 20x AI prioritisation announcement", "jurisdiction": "US", "year": 2025, "source": "https://www.gsa.gov/about-gsa/newsroom/news-releases/gsa-fedramp-prioritize-20x-authorizations-for-ai-08252025" }, { "name": "Digital Public Goods Alliance Standard", "jurisdiction": "International", "year": 2019, "source": "https://www.digitalpublicgoods.net/standard" }, { "name": "Digital Public Goods Alliance Registry", "jurisdiction": "International", "year": 2019, "source": "https://www.digitalpublicgoods.net/registry" } ], "assurance": "A widely recognized, independently assured certification mark and public trust registry give a citizen, agency, or agent a rapid signal that a digital tool has been assessed against known standards. In the EU model the mark is machine-readable, so the agent can query it programmatically.", "access": "The small builder is the one priced out: a FedRAMP Moderate authorization runs to roughly US$500K–1.5M upfront (more for High-impact programs), and EU conformity assessment needs a Notified Body, costs a volunteer or single-developer civic tool cannot meet. Keep the registry open to them by tiering certification to risk, so a low-consequence tool earns a place without an enterprise-scale audit.", "surface": { "summary": "A public registry listing that pairs a human-readable trust badge with a standardized machine-readable mark embedded in the tool's interface, filterable by impact level and assessment status.", "instances": [ { "domain": "service", "kind": "mockup", "annotation": "A registry entry exposes both a rendered trust badge and a machine-readable code in the product interface, so a citizen reads the badge and an agent queries the code." } ] }, "whereThingsGoWrong": "A trust registry surfaces whether a decision-support tool was ever assessed against a standard. It would not by itself stop a flawed tool, but recording the absence of any conformity assessment makes that gap visible to agencies relying on it.", "challenge": "When a citizen reaches a service through an AI agent, or an agency relies on a tool to\nserve them, both need a fast, reliable signal that the tool has been assessed against\nknown standards. Physical goods have CE marks, electrical safety tags, and food-grade\ncertifications; digital tools have no equivalent that is both widely recognized and\nindependently assured, and an agent has nothing it can check programmatically at all.\n", "precedentsNote": "**EU AI Act CE marking for high-risk AI systems (EU, 2024–2026).** Providers of\nhigh-risk AI systems must undergo conformity assessment and affix a CE marking, the\nsymbol used for physical product safety since 1985. For systems provided digitally,\nArticle 48 requires a \"digital CE marking\" accessible through the software interface\nor via machine-readable code; where a Notified Body conducted the assessment, its\nidentification number must follow the mark. Backed by market surveillance authorities\nwith powers to withdraw non-compliant systems.\n\n**FedRAMP Marketplace (US, 2011–present).** A searchable registry of cloud service\nofferings authorized at Low, Moderate, or High impact levels. Agencies filter by impact\nlevel, status, and business function, then drill into each offering's sponsor, assessor,\nassessment date, and reuse history. The \"authorize once, reuse many times\" model reduces\nduplicated assessment effort; from 2025 FedRAMP began prioritizing AI services under a\n\"20x\" pilot.\n\n**Digital Public Goods Alliance Registry (DPGA, 2019–present).** A registry of verified\ndigital public goods assessed against a nine-indicator standard (SDG relevance, approved\nopen licenses, clear ownership, platform independence, documentation, data extraction,\nprivacy/legal compliance, standards adherence, content safety). Applicants submit evidence\nonline; the DPGA technical team reviews against each indicator.\n", "transferability": "High for the registry pattern; moderate for the CE-marking analogue. The DPGA model (open\nstandard, evidence-based review, public registry) is directly transferable to a national\nregistry of verified civic technology. The FedRAMP \"authorize once, reuse many\" model solves\na real coordination problem, but its cost structure has to be reworked for small builders.\n\nThe EU's digital CE marking is the precedent that matters most for agents: a machine-readable\ntrust signal embedded in the product interface rather than a registry listing alone, which is\nthe form an agent can query programmatically.\n" }, { "id": "8.2", "title": "Nutrition labels for AI tools and datasets", "territory": 8, "slug": "nutrition-labels-for-ai-tools-and-datasets", "maturity": "emerging", "maturityLevels": [ { "level": "emerging", "note": "Model cards and datasheets are common yet unevenly completed even on platforms built around them, with healthcare-specific labels the most advanced sector application." }, { "level": "frontier", "note": "A government-specific nutrition label for civic technology tools has yet to be built." } ], "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "Model Cards (Mitchell et al.) — systematic analysis of 32,111 cards", "jurisdiction": "International", "year": 2019, "source": "https://www.nature.com/articles/s42256-024-00857-z" }, { "name": "Datasheets for Datasets (Gebru et al.)", "jurisdiction": "International", "year": 2018, "source": "https://arxiv.org/abs/1803.09010" }, { "name": "Dataset Nutrition Labels (Data Nutrition Project)", "jurisdiction": "US", "year": 2018, "source": "https://datanutrition.org/" }, { "name": "CHAI Health AI Nutrition Label", "jurisdiction": "US", "year": 2024, "source": "https://www.chai.org/blog/health-ai-nutrition-label-advances" } ], "assurance": "A structured, glanceable label states what a tool does, what data it uses, who is accountable, and its known limitations. This is the 'ingredient list' that lets a citizen or agent see what they are consuming, not merely that it was approved.", "access": "A disclosure standard that demanded specialist effort would shut out the small builder, the long tail whose tools most often go undocumented. Keep it within reach by making the minimum label small enough to publish without specialist help, and machine-readable so an agent can consume the same label a citizen reads.", "surface": { "summary": "A standardized, dual-rendered label (human-readable for citizens, machine-readable for agents) with a small mandatory field set (data source, last updated, accuracy claim, accountable party, license) and richer fields for higher-risk domains.", "instances": [ { "domain": "policy", "kind": "mockup", "annotation": "A fixed label component carries five required fields, with a sector-specific extension for higher-risk domains, so a tool that processes public data or advises citizens discloses a minimum field set." } ] }, "whereThingsGoWrong": "The failure mode is a tool whose accuracy claims and currency are left implicit. A nutrition label mandating an 'accuracy claim' and 'last updated' field forces an explicit, checkable statement of what the tool can and cannot reliably compute.", "challenge": "A registry entry tells a citizen or their agent that a tool was approved, not what it\nactually is. Before relying on a tool, a citizen needs to see at a glance what it does, what\ndata it uses, who is accountable, and where it is known to fall short, and an agent needs the\nsame facts in a form it can read.\n\nThe challenge is a standard, glanceable disclosure that serves both.\n", "precedentsNote": "**Model Cards (Mitchell et al., 2019).** Nine sections: model details, intended use,\nfactors, metrics, evaluation data, training data, quantitative analyses, ethical\nconsiderations, caveats. Adoption on Hugging Face is concentrated rather than universal:\none analysis found that the models carrying a card accounted for roughly 90% of download\ntraffic even though well under half of all repositories had one, and coverage is uneven —\na systematic analysis of 32,111 cards found training details\nmost consistently completed and environmental impact, limitations, and evaluation lowest;\na 2025 study of 100 cards found >90% covered architecture and metrics but only ~20%\naddressed interpretability.\n\n**Datasheets for Datasets (Gebru et al., 2018/2021).** By analogy to electronics\ndatasheets: motivation, creation, composition, intended uses, distribution, maintenance.\nA Version 2 template (July 2025) focuses on interoperability and reuse; Europeana has\nadapted the format for cultural heritage datasets.\n\n**Dataset Nutrition Labels (Data Nutrition Project, 2018–present).** A free, public-facing,\nvoluntarily disclosed standard modeled on food labels, covering provenance, quality, and\nintended use; partnered with Consumer Reports' Digital Lab.\n\n**CHAI Health AI Nutrition Labels (US, 2024–2025).** An open-source Applied Model Card for\nhealthcare AI structured as an \"AI nutrition label\": developer identity, intended uses,\ntarget populations, model type, data types, performance, security accreditations,\nmaintenance, known risks, bias, and third-party clinical studies.\n", "transferability": "The nutrition label metaphor reads clearly to citizens and suits government digital\nservices. The design challenge is making the label machine-readable for agents as well as\nhuman-readable. A government pattern library can specify a minimum label schema for any\ntool that processes public data or advises citizens. The CHAI model, sector-specific\nlabels with mandatory fields tailored to the risk domain, is a workable template for\ngovernment adaptation.\n" }, { "id": "8.3", "title": "Supply-chain provenance for citizen-facing tools", "territory": 8, "slug": "software-bills-of-materials", "maturity": "emerging", "maturityLevels": [ { "level": "emerging", "note": "A software bill of materials (SBOM) is discretionary and agency risk-based in US federal procurement, increasingly mandated in EU regulation, with tooling to consume and visualize it maturing fast." }, { "level": "frontier", "note": "Folding an SBOM into civic technology certification has no working precedent." } ], "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "CISA SBOM (US Executive Order 14028)", "jurisdiction": "US", "year": 2021, "source": "https://www.cisa.gov/sbom" }, { "name": "CISA SBOM Resources Library", "jurisdiction": "US", "year": 2025, "source": "https://www.cisa.gov/topics/cyber-threats-and-advisories/sbom/sbomresourceslibrary" }, { "name": "White House — EO 14306 (rescinds EO 14144 SBOM/attestation enhancements)", "jurisdiction": "US", "year": 2025, "source": "https://www.whitehouse.gov/presidential-actions/2025/06/sustaining-select-efforts-to-strengthen-the-nations-cybersecurity-and-amending-executive-order-13694-and-executive-order-14144/" }, { "name": "OpenSSF — Global alignment on SBOM standards in the era of the CRA", "jurisdiction": "EU", "year": 2025, "source": "https://openssf.org/blog/2025/10/22/sboms-in-the-era-of-the-cra-toward-a-unified-and-actionable-framework/" }, { "name": "FDA AI/ML Software as a Medical Device guidance (SBOM requirement)", "jurisdiction": "US", "year": 2025, "source": "https://www.fda.gov/medical-devices/software-medical-device-samd/artificial-intelligence-software-medical-device" }, { "name": "OWASP Dependency-Track", "jurisdiction": "International", "year": 2024, "source": "https://dependencytrack.org/" } ], "assurance": "Government needs trust in a tool to track the tool's actual state, not a one-time approval: a current, queryable record of what it depends on, so a new vulnerability upstream shows up in the trust signal rather than going unseen. An agent deciding whether to rely on the tool needs that record in a form it can read.", "access": "The builders most at risk of being shut out are the small ones, the volunteer or single-developer civic tools that cannot run a manual supply-chain audit for every release. Keep the path open by making the dependency record something a tool can generate and keep updated automatically, so producing it is a build step, not a compliance project. A tool that cannot yet produce one should be marked unverified, not excluded.", "surface": { "summary": "A citizen-facing supply-chain status indicator that translates raw bill-of-materials data into a single meaningful signal ('all dependencies current, no known vulnerabilities' vs '3 critical vulnerabilities upstream'), backed by a machine-readable document for agents.", "instances": [ { "domain": "interaction", "kind": "mockup", "annotation": "A live status badge is driven by continuous SBOM evaluation rather than a static certificate, so the trust signal reflects current supply-chain risk instead of approval-day state." } ] }, "whereThingsGoWrong": "An SBOM addresses component-level supply-chain integrity, not algorithmic correctness. It would not catch a flawed calculation method, which is a methodology failure rather than a compromised dependency.", "challenge": "A citizen reaching a service through an agent, or an agency standing behind a tool, is\ntrusting not just the tool but everything it is built from: its libraries, the models it\ncalls, the data it draws on. Approval on the day it is certified says nothing about whether\none of those parts has since become vulnerable or changed underneath it.\n\nThe challenge is to know what a tool depends on, and to keep that knowledge current, so trust\nreflects the tool's state now rather than on approval day.\n", "precedentsNote": "**US Executive Order 14028 and CISA SBOM requirements (US, 2021–present).** EO 14028 (May\n2021), which remains in force, directed work toward software supply-chain security including\nSBOMs. CISA published minimum-elements guidance (updated draft June 2025) and maintains an\nSBOM Resources Library. The federal SBOM mandate has since been rolled back: EO 14306 (June\n2025) rescinded EO 14144's SBOM and attestation enhancements, and OMB Memorandum M-26-05\n(23 January 2026) makes vendor SBOMs and security attestations discretionary — a matter for\nagency risk-based assessment — rather than mandatory.\n\n**EU Cyber Resilience Act and SBOM alignment (EU, 2024–2025).** The CRA mandates SBOMs for\nproducts with digital elements sold in the European market; OpenSSF and others are aligning\nSBOM standards globally (SPDX, CycloneDX) between US and EU requirements.\n\n**FDA SBOM requirements for AI medical devices (US, 2025).** The FDA's 2025 premarket\nguidance for AI-enabled device software functions requires an SBOM to enable vulnerability\ntracking, extending SBOM requirements from general IT procurement into domain-specific\nsafety regulation.\n\n**SBOM visualization tools (2024–2025).** A growing ecosystem makes SBOMs consumable beyond\nsecurity teams: SBOM Play (browser-based, privacy-first) for dependency graphs, license\nbreakdowns, and vulnerability mapping; CycloneDX Sunshine for interactive radial dependency\nvisualization; OWASP Dependency-Track for API ingestion and evaluation against live\nvulnerability intelligence.\n", "transferability": "High for supply-chain transparency; moderate for citizen-facing UX. SBOMs are essential\ninfrastructure for any trust registry or certification regime: they enable ongoing\nmonitoring, not just point-in-time approval. The citizen-facing design challenge is\ntranslating SBOM data into a meaningful signal. For AI agents, SBOMs provide structured,\nqueryable metadata that can ground decisions about whether to rely on a tool.\n" }, { "id": "8.4", "title": "Risk-proportionate review of civic tools", "territory": 8, "slug": "app-store-verification-as-precedent", "maturity": "established", "maturityLevels": [ { "level": "established", "note": "As a consumer-app review precedent." }, { "level": "frontier", "note": "As a tiered-review model for civic technology, which no jurisdiction has built." } ], "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "Apple App Store review (fraud prevention 2025)", "jurisdiction": "US", "year": 2025, "source": "https://www.apple.com/bh/newsroom/2026/05/the-app-store-stopped-over-2-point-2-billion-usd-in-fraudulent-transactions-in-2025/" }, { "name": "SecurityWeek — Apple rejected 2 million App Store submissions in 2025", "jurisdiction": "US", "year": 2025, "source": "https://www.securityweek.com/apple-rejected-2-million-app-store-submissions-in-2025-for-security-and-fraud-prevention/" }, { "name": "NowSecure — App store security myths (Google Play Protect)", "jurisdiction": "US", "year": 2025, "source": "https://www.nowsecure.com/blog/2025/03/26/app-store-security-myths-why-enterprises-cant-solely-rely-on-apple-and-google-for-security-reviews/" }, { "name": "Security Boulevard — App store security threats in 2025", "jurisdiction": "US", "year": 2025, "source": "https://securityboulevard.com/2025/06/app-store-security-threats-in-2025-why-hackers-target-mobile-ecosystems/" } ], "assurance": "Government needs a level of review that scales: a light automated check every tool can pass quickly, deeper human review reserved for the tools that can do real harm, and a way to act after publication when something slips through. The aim is a credible minimum bar, not an exhaustive audit of every tool.", "access": "Concentrated, opaque review shuts out the small builder who cannot read the rules they are judged against, or appeal a rejection. Keep the path open by publishing the review criteria so anyone can see what is checked, by keeping the lightest tier cheap enough for a solo builder, and by not vesting the gate in a single entity that can exclude without recourse.", "surface": { "summary": "A tiered submission-and-review flow (automated scan for all tools, human review for high-risk categories) paired with a mandatory structured disclosure section and a public, auditable statement of the review criteria.", "instances": [ { "domain": "service", "kind": "mockup", "annotation": "A submission pipeline routes informational tools through automated checks and decision-support tools through additional human review, so review burden scales with consequence." } ] }, "whereThingsGoWrong": "App-store review checks behavior against stated policies, not the ground-truth accuracy of outputs. A binary approved/rejected gate of this kind would not catch a method that produces plausible-looking but incorrect results, which pass any behavioral check.", "challenge": "The tools and agents a citizen might use to deal with government range from a harmless\ninformation lookup to something that files a claim or shapes a decision. Reviewing every one\nto the same depth is neither affordable nor useful, but reviewing none leaves citizens\nrelying on tools no one has checked.\n\nThe challenge is to match the depth of review to what a tool can affect, across a large and\nconstantly changing population of tools.\n", "precedentsNote": "**Apple App Store review.** Apple combines automated scanning (crashes, private API use,\nmissing assets) with manual human review of app flows, permissions, and usability. In 2025\nApple rejected over 2 million submissions and blocked US$2.2 billion in fraudulent\ntransactions; review averages 1–2 days. The Data Safety section requires developers to\ndisclose data collection, storage, and sharing.\n\n**Google Play Protect.** Google relies more heavily on automated machine-learning checks,\ntriggering human review for flagged or sensitive categories; its Data Safety section mirrors\nApple's disclosure requirements.\n\n**Known limitations.** Despite review, malware regularly bypasses checks through code\nobfuscation, delayed execution, and compromised third-party SDKs; in 2025 multiple incidents\ntraced to vulnerable advertising SDKs. App-store review is a minimum-bar filter, not an\nexhaustive security audit, and enterprises are advised not to treat presence as sufficient\nassurance.\n", "transferability": "The app-store model shows that centralized review at scale is feasible but imperfect.\nTransferable elements: structured disclosure requirements (the Data Safety section is a\nnutrition label by another name); tiered review (automated first pass, human review for\nhigh-risk categories); post-publication monitoring and takedown. Limitations: review checks\nbehavior against stated policies, not ground-truth accuracy; it concentrates gatekeeping in a\nsingle entity; and it is binary rather than graded.\n\nA civic registry should adopt the tiered review model but add domain-specific accuracy checks\nand make criteria publicly auditable.\n" }, { "id": "8.5", "title": "Lifecycle certification for tools that advise citizens", "territory": 8, "slug": "medical-device-certification-as-analogue", "maturity": "established", "maturityLevels": [ { "level": "established", "note": "As a medical-device regime." }, { "level": "frontier", "note": "As a lifecycle-certification model adapted for civic technology, which has no working precedent." } ], "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "FDA AI/ML Software as a Medical Device", "jurisdiction": "US", "year": 2025, "source": "https://www.fda.gov/medical-devices/software-medical-device-samd/artificial-intelligence-software-medical-device" }, { "name": "Ballard Spahr — FDA AI guidance, August 2025", "jurisdiction": "US", "year": 2025, "source": "https://www.ballardspahr.com/insights/alerts-and-articles/2025/08/fda-issues-guidance-on-ai-for-medical-devices" }, { "name": "TGA AI and Medical Device Software", "jurisdiction": "Australia", "year": 2026, "source": "https://www.tga.gov.au/products/medical-devices/software-and-artificial-intelligence/manufacturing/artificial-intelligence-ai-and-medical-device-software" }, { "name": "TGA consultation report — clarifying and strengthening regulation of medical device software including AI", "jurisdiction": "Australia", "year": 2025, "source": "https://consultations.tga.gov.au/tga/clarifying-and-strengthening-the-regulation-of-ai/supporting_documents/tga-report-clarifying-and-strengthening-the-regulation-of-medical-device-software-including-artificial-intelligence-aipdf" } ], "assurance": "Government needs assurance that scales with consequence and lasts: a tool is classified by what it claims to do and what its output can affect, the higher-consequence ones carry ongoing obligations (monitoring for drift, checking for bias), and certification is treated as a standing commitment rather than a one-time stamp.", "access": "Lifecycle obligations fall hardest on the smallest builders, who have no regulatory-affairs team to run continuous monitoring and reporting. Pitched at the medical-device level, those duties would shut volunteer-built civic tools out entirely. Keep the path open by scaling the obligation to risk, so a low-consequence tool carries almost none, and reserving the demanding lifecycle duties for the high-consequence tools that warrant them.", "surface": { "summary": "A risk-classification gate that routes a tool into a certification tier based on its intended purpose and the consequence of its outputs, with lifecycle obligations (post-market monitoring, bias assessment) attached to higher tiers.", "instances": [ { "domain": "policy", "kind": "mockup", "annotation": "An intake step classifies a tool by its intended purpose and the consequence of its outputs, setting its certification obligations from what the tool claims to do rather than whether it contains AI." } ] }, "whereThingsGoWrong": "A medical-device-style regime would classify an automated decision tool as high-consequence and require lifecycle monitoring and accuracy validation against reference data, exactly the scrutiny a high-stakes calculation often never receives.", "challenge": "Some of the tools and agents citizens use give advice that changes their lives: what benefit\nthey are owed, whether a plan will be approved, what their legal rights are. A tool like that\nneeds to be held to its claim not once but for as long as it is in use, because its accuracy\ncan drift as data, rules, and models change.\n\nThe challenge is to certify a tool by what it can affect, and to keep certifying it over its\nlife rather than at a single point.\n", "precedentsNote": "**FDA AI/ML Software as a Medical Device (US, 2017–present).** As of July 2025 the FDA's\npublic database lists over 1,250 authorized AI-enabled medical devices, up from 950 in August\n2024. The January 2025 draft guidance recommends lifecycle management including post-market\nperformance monitoring, algorithmic bias assessment, and transparency; manufacturers must\ndemonstrate \"secure by design\" and provide an SBOM. A rule effective February 2026 incorporates\nISO 13485 by reference, replacing Part 820.\n\n**TGA AI and Medical Device Software (Australia, 2025–2026).** The Therapeutic Goods\nAdministration published its final report on AI in healthcare in 2025, followed by February\n2026 guidance on when AI-based SaMD is regulated. The framework is technology-agnostic and\nrisk-based: regulation is triggered by the manufacturer's intended purpose, not by the presence\nof AI features.\n", "transferability": "High for principles; moderate for direct adoption. Transferable principles:\nrisk-proportionate classification (not all tools need the same scrutiny); lifecycle\nmanagement (certification is ongoing, not one-time); intended-purpose triggers (regulate by\nwhat the tool claims to do, not the technology it uses); SBOM and \"secure by design\" as\nbaseline. The TGA's technology-agnostic, risk-based approach is especially relevant: it\navoids regulating \"AI\" as a category and focuses on the consequences of outputs.\n\nThe main limitation is scale. Medical device certification is resource-intensive and assumes\na commercial manufacturer with regulatory-affairs capacity, which volunteer-built civic tools\ncannot match.\n" }, { "id": "8.6", "title": "From voluntary framework to certifiable standard", "territory": 8, "slug": "nist-ai-rmf-and-certification-infrastructure", "maturity": "emerging", "maturityNote": "Emerging. Frameworks exist and are referenced by regulators, but no jurisdiction has yet implemented a mandatory, auditable certification regime for general-purpose civic technology tools based on these frameworks.", "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "NIST AI Risk Management Framework", "jurisdiction": "US", "year": 2023, "source": "https://www.nist.gov/itl/ai-risk-management-framework" }, { "name": "NIST AI 600-1 — Generative AI Profile", "jurisdiction": "US", "year": 2024, "source": "https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.600-1.pdf" }, { "name": "IS Partners — NIST AI RMF 2025–2026 updates", "jurisdiction": "US", "year": 2025, "source": "https://www.ispartnersllc.com/blog/nist-ai-rmf-2025-2026-updates-what-you-need-to-know-about-the-latest-framework-changes/" }, { "name": "GAICC — NIST AI RMF guide (regulatory cross-references)", "jurisdiction": "US", "year": 2024, "source": "https://gaicc.org/blog/nist-ai-risk-management-framework/" }, { "name": "Australian Public Service AI Plan 2025", "jurisdiction": "Australia", "year": 2025, "source": "https://www.digital.gov.au/policy/ai/australian-public-service-ai-plan-2025" }, { "name": "Pilot AI Assurance Framework (Australia)", "jurisdiction": "Australia", "year": 2024, "source": "https://www.digital.gov.au/policy/ai/pilot-ai-assurance-framework" }, { "name": "National Framework for the Assurance of AI in Government (Australia)", "jurisdiction": "Australia", "year": 2024, "source": "https://www.finance.gov.au/government/public-data/data-and-digital-ministers-meeting/national-framework-assurance-artificial-intelligence-government" } ], "assurance": "Government needs a certification regime that rests on a recognized risk-management structure but goes beyond it: defined pass/fail thresholds, an auditable record of how a tool was assessed, and a path that lines up with international standards so a certified tool is not certified only locally.", "access": "An all-or-nothing standard shuts out the small builder for whom full assurance is out of reach, leaving their tool uncertified and so unused even when it is sound. Keep the path open with graduated tiers built on the same framework, so a low-risk tool can reach a meaningful, achievable level of certification rather than failing the only bar on offer.", "surface": { "summary": "A self-assessment workflow structured around four risk-management functions that maps a tool's answers onto defined certification tiers.", "instances": [ { "domain": "policy", "kind": "mockup", "annotation": "A tiered self-assessment converts a tool's coverage of a regulator-referenced risk-management framework into a certification level, supplying the pass/fail tiers the framework itself leaves undefined." } ] }, "whereThingsGoWrong": "The RMF's Govern/Map/Measure/Manage discipline (accountability for each AI use case and risk-based action) is exactly the assurance process a flawed automated decision lacks. Applied as a mandatory, auditable regime, it forces explicit ownership and measurement of the risk.", "challenge": "Certifying a citizen-facing tool or agent requires a standard to certify against, and the\nstandard has to say what passes and what does not. The risk-management frameworks that exist\ngive a shared vocabulary and a sensible structure, but they are voluntary and set no\nthreshold, so two builders can both claim to follow one and mean very different things.\n\nThe challenge is to turn a framework into a defined, auditable standard a tool can actually\nbe certified against.\n", "precedentsNote": "**NIST AI RMF 1.0 and subsequent updates (US, 2023–2026).** The framework organizes AI risk\nmanagement around four functions: Govern, Map, Measure, Manage. Generative AI risks,\nsupply-chain vulnerabilities, and third-party model assessment are addressed in the Generative\nAI Profile (NIST AI 600-1, released July 2024), which gives LLM-specific guidance. Further\ndeliverables announced by NIST — including the Cyber AI Profile and SP 800-53 Control Overlays\nfor AI — are provisional and expected in 2026.\n\n**Regulatory cross-references.** The FTC, CFPB, FDA, SEC, and EEOC all reference NIST AI RMF\nprinciples in enforcement guidance, and the framework's crosswalk to ISO/IEC 42001 means\nadopters are simultaneously building toward international AI management system certification.\n\n**Australian Government AI Assurance Framework (2024–2025).** Australia's national framework for\nAI assurance in government was agreed by Data and Digital Ministers in June 2024. The APS AI Plan\n2025 requires agencies to develop strategic AI adoption approaches, establish accountability for\nAI use cases, and undertake risk-based actions.\n", "transferability": "High for risk-management structure; moderate as certification basis. The NIST RMF provides\nthe vocabulary and structure a certification regime would assess against, but it is voluntary\nand defines no pass/fail thresholds.\n\nA government pattern library should treat the RMF (or its Australian equivalent) as the\nreference framework and define certification tiers on top of it. The Australian AI Assurance\nFramework is a useful precedent, having taken a government assurance framework toward exactly\nthis kind of structured, accountable use.\n" }, { "id": "8.7", "title": "Grounding patterns and source attribution in AI outputs", "territory": 8, "slug": "grounding-and-source-attribution-in-ai-outputs", "maturity": "established", "maturityLevels": [ { "level": "established", "note": "For retrieval-augmented generation architecture." }, { "level": "emerging", "note": "For citation interface design." }, { "level": "frontier", "note": "For typed-function grounding in government services, which has no working precedent." } ], "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "TREC 2025 RAG Track (preprint — not peer-reviewed)", "jurisdiction": "International", "year": 2025, "source": "https://arxiv.org/abs/2603.09891" }, { "name": "Moveworks — Agentic RAG and AI grounding", "jurisdiction": "International", "year": 2025, "source": "https://www.moveworks.com/us/en/resources/blog/improved-ai-grounding-with-agentic-rag" }, { "name": "Whitehat SEO — AI engines citation comparison", "jurisdiction": "International", "year": 2025, "source": "https://whitehat-seo.co.uk/blog/ai-engines-comparison-citations" }, { "name": "Leapd — How ChatGPT, Google AI Overviews and Perplexity source information", "jurisdiction": "International", "year": 2026, "source": "https://www.leapd.ai/blog/ai-visibility/how-chatgpt-google-ai-overviews-and-perplexity-source-information-in-2026" }, { "name": "Discovered Labs — How each platform cites sources differently", "jurisdiction": "International", "year": 2025, "source": "https://discoveredlabs.com/blog/chatgpt-claude-perplexity-and-google-ai-overviews-how-each-platform-cites-sources-differently" } ], "assurance": "Government needs every substantive claim an agent presents to be traceable to an authoritative source a citizen or agent can check, so a figure or a rule the agent states can be confirmed against the record it came from rather than taken on the model's word. For high-consequence answers it needs assurance that the content was retrieved from that record at all, not produced by the model.", "access": "A mandatory per-claim citation and typed-function grounding bar shuts out the small builder, the long tail with no budget to build bespoke retrieval infrastructure, whose tool then cannot be published even when its answers are sound. Keep the path open with shared, reusable grounding and citation components a small builder can adopt, so meeting the attribution bar does not require building the retrieval layer from scratch.", "surface": { "summary": "An answer surface with mandatory inline per-claim citations and an expandable source panel showing the authoritative source, its date, and institutional provenance, with machine-readable provenance metadata for downstream agents.", "instances": [ { "domain": "interaction", "kind": "mockup", "annotation": "Each factual claim in the answer carries an inline citation backed by a typed read-only function call, so a substantive answer about government data is retrieved from the source rather than generated." } ] }, "whereThingsGoWrong": "The failure mode is a system generating a figure from inference rather than reading the authoritative record. Typed, read-only grounding against that record means it reports the actual value rather than an invented one, eliminating the class of fabricated numbers that drive wrongful determinations.", "challenge": "When an AI agent retrieves information from a public-data tool and presents it to a citizen,\nthe citizen needs to be able to trace where each claim came from and check it against the\nsource.\n\nThe grounding problem is to anchor what the agent generates to retrievable records and\nsurface those records in the interface. It is narrower than certifying the tool as a whole:\nthe question is whether this specific output is traceable to a specific source.\n", "precedentsNote": "**Retrieval-Augmented Generation (RAG) with source attribution (2020–present).** RAG systems\nretrieve documents from a corpus, inject them into context, and generate answers grounded in\nretrieved content; RAG-based grounding substantially reduces hallucinations versus ungrounded\ngeneration (reported reductions vary by study and setting). The TREC 2025 RAG Track formalizes\nevaluation across relevance, completeness, attribution verification, and agreement analysis.\n\n**Citation UX across AI assistants (2024–2026).** Patterns vary substantially: Perplexity gives\ninline per-claim attribution with a persistent source panel (~22 citations/response); ChatGPT\ngives inline numbered references with expandable source cards; Google AI Overviews shows a source\nlist without guaranteed inline numbers (~8 citations/response). Cross-platform divergence is high:\nonly 11% of domains are cited by both ChatGPT and Perplexity for the same query.\n\n**Typed, read-only functions (design pattern).** The strongest grounding pattern constrains the\nagent to call typed, read-only functions against authoritative data sources rather than\ngenerating from parametric memory. A query about, say, a zoning classification triggers a\nfunction call to the planning authority's API, which returns a structured result the agent can\npresent but not modify. Source provenance is inherent in the architecture: the answer came from\nthe API, not the model's training data, which eliminates the class of errors where document\nretrieval invites invented figures.\n", "transferability": "Source attribution transfers directly and is a requirement for government AI services. The\npattern library can specify a set of components.\n\nInline citation is mandatory for any claim derived from a specific source, attributed per\nclaim as in the Perplexity model rather than gathered into an end-of-response list. A source\npanel shows the authoritative source, its date, and institutional provenance. Typed function\ngrounding is the preferred architecture for factual questions about government data: it is\nstronger than retrieval-augmented generation (RAG) alone because it removes the generation\nstep for substantive content. Machine-readable provenance metadata lets downstream agents\nverify source chains programmatically.\n" }, { "id": "8.8", "title": "Lightweight certification for the long tail", "territory": 8, "slug": "lightweight-certification-for-the-long-tail", "maturity": "frontier", "maturityNote": "Frontier. No jurisdiction has implemented a tiered, proportionate certification regime for civic technology tools. The components exist (nutrition labels, software bill of materials tooling, peer review networks) but have not been assembled into a coherent program.", "status": "reviewed", "threads": [], "dependsOn": [ "8.2", "8.3" ], "precedents": [ { "name": "EU AI Act small-business guide (SME proportionality measures)", "jurisdiction": "EU", "year": 2024, "source": "https://artificialintelligenceact.eu/small-businesses-guide-to-the-ai-act/" }, { "name": "EU AI regulatory sandbox approaches — member-state overview", "jurisdiction": "EU", "year": 2025, "source": "https://artificialintelligenceact.eu/ai-regulatory-sandbox-approaches-eu-member-state-overview/" }, { "name": "Digital Public Goods Alliance Standard (lightweight model)", "jurisdiction": "International", "year": 2019, "source": "https://www.digitalpublicgoods.net/standard" }, { "name": "OWASP Dependency-Track (automated assurance tooling)", "jurisdiction": "International", "year": 2024, "source": "https://dependencytrack.org/" }, { "name": "Hugging Face model card automation research", "jurisdiction": "International", "year": 2023, "source": "https://arxiv.org/pdf/2309.12616" } ], "assurance": "A tiered certification model matches assurance burden to risk: self-declaration for informational tools, peer review for decision-support tools, independent assurance for consequential tools. The long tail of civic technology can then earn a meaningful trust signal without enterprise-scale compliance cost.", "access": "If the only certification on offer costs millions and needs a Notified Body, the long tail does not comply, it opts out, and citizens are left with tools carrying no signal at all. Keep the path open by tiering certification to risk, so the lowest tier (a self-declared nutrition label) is achievable by a solo developer in a weekend.", "surface": { "summary": "A self-service certification wizard that classifies a tool by consequence and routes it to Tier 1 (publish a standardized nutrition label, no review), Tier 2 (peer review against published criteria), or Tier 3 (independent conformity assessment with accuracy testing).", "instances": [ { "domain": "service", "kind": "mockup", "annotation": "A single-screen self-declaration flow emits a standardized nutrition label and registry entry with no third-party gate, so the lowest tier is achievable by a solo developer in a weekend." } ] }, "whereThingsGoWrong": "A tiered regime would classify an automated decision tool with legal and financial consequence at its highest tier and require independent accuracy testing against reference data (assurance such tools often never undergo) while still leaving low-risk informational tools a weekend-scale path.", "challenge": "Established certification routes all assume a well-resourced provider: a FedRAMP\nauthorization runs into the millions, an FDA submission needs a regulatory-affairs team, and\nEU conformity assessment needs extensive documentation or a Notified Body. None of that is\nfeasible for a volunteer-built benefits calculator or a community planning-data explorer, yet\nthose are the tools citizens meet most often and most need a trust signal for.\n\nThe challenge is a certification path light enough for the long tail to actually use.\n", "precedentsNote": "**EU AI Act proportionality measures for SMEs (EU, 2024–2026).** Conformity assessment fees must\nbe proportional to SME size, simplified documentation templates are permitted, and regulatory\nsandboxes must offer SMEs and startups priority access free of charge. However, the SME provisions\napply to commercial providers; volunteer-built open-source tools fall outside the commercial\nregulatory perimeter entirely.\n\n**DPGA Standard as a lightweight model.** The nine-indicator Digital Public Goods Standard offers\na template: open criteria, evidence-based self-assessment, technical review by the registry\noperator, and public listing. The cost to the applicant is primarily assembling documentation, not\nfees or third-party audits. The limitation is that the DPGA assesses openness and governance, not\naccuracy or fitness-for-purpose.\n\n**Tiered certification (proposed pattern).** Drawing on medical device risk classes (I/II/III) and\nFedRAMP impact levels (Low/Moderate/High):\n\n- *Tier 1 (Self-declaration)*: the tool publishes a standardized nutrition label\n covering data sources, last updated, accuracy claims, accountable party, open-source license. No\n third-party review. Suitable for informational tools with no decision consequence.\n- *Tier 2 (Peer review)*: review by a recognized peer body against published review\n criteria. Suitable for tools that inform citizen decisions (benefits calculators, planning tools).\n- *Tier 3 (Independent assurance)*: independent conformity assessment by an accredited body,\n including accuracy testing against reference data. Suitable for tools with legal, financial, or\n safety consequences.\n\nThis tiered model does not yet exist as a formal program in any jurisdiction.\n\n**Automated assurance tooling.** Several approaches could reduce certification cost: automated model\ncard generation using LLMs; continuous SBOM monitoring via OWASP Dependency-Track against live\nvulnerability intelligence; and automated accuracy testing against reference datasets, analogous to\nCI/CD test suites but for data accuracy.\n", "transferability": "The tiered model is the most workable approach but needs an institutional sponsor to run it.\nA national digital services agency could establish and maintain a lightweight registry with\ntiered certification, using the DPGA Standard as a starting point and adding accuracy and\nfitness-for-purpose indicators; the Australian Digital Transformation Agency is one body of\nthat kind.\n\nThe binding design constraint is that Tier 1 has to be achievable by a solo developer in a\nweekend, or the long tail bypasses certification entirely.\n" }, { "id": "9.1", "title": "Jurisdiction disclosure at point of data processing", "territory": 9, "slug": "jurisdiction-disclosure-at-point-of-data-processing", "maturity": "established", "maturityLevels": [ { "level": "established", "note": "The obligation to disclose data transfers exists in law." }, { "level": "emerging", "note": "Visual jurisdiction indicators appear in consumer products." }, { "level": "frontier", "note": "Three-part jurisdiction-plus-legal-exposure disclosure for AI-powered government services." } ], "status": "reviewed", "threads": [ "financial-services" ], "dependsOn": [], "precedents": [ { "name": "European Commission — Standard Contractual Clauses", "jurisdiction": "EU", "source": "https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en" }, { "name": "Kiteworks — EU Tech Sovereignty", "jurisdiction": "EU", "source": "https://www.kiteworks.com/cybersecurity-risk-management/eu-tech-sovereignty-package-cloud-act/" }, { "name": "AI Magicx — AI and Data Sovereignty in 2026", "year": 2026, "source": "https://www.aimagicx.com/blog/ai-data-sovereignty-cloud-strategy-legal-risks-2026" }, { "name": "UXmatters — UX Design in VPN Development", "year": 2023, "source": "https://www.uxmatters.com/mt/archives/2023/11/ux-design-in-vpn-development-balancing-security-and-the-user-experience.php" } ], "assurance": "Government must disclose, at the point a citizen's data is processed, three facts that determine its legal exposure: where the data is physically hosted, which legal jurisdiction the operating entity answers to, and whether the data stays onshore for data-protection purposes. The transfer-disclosure duty in law is satisfied only when these reach the citizen at the moment of processing, not when they sit in a privacy policy.", "access": "A disclosure that fires on every interaction, or that demands the citizen read dense legal text, excludes those least able to parse it: people with low reading confidence, limited time, or no legal background, who learn to dismiss it and so lose the protection it carries. Keep the path open by triggering disclosure only when a citizen's data crosses a jurisdictional boundary that changes their legal protections, and by presenting the signal as a glanceable label rather than a screen the citizen must clear to proceed.", "surface": { "summary": "A point-of-submission jurisdiction badge that names where the data is processed, whose law can reach it, and whether it stays onshore.", "instances": [ { "domain": "interaction", "kind": "mockup", "annotation": "At the submit step, a three-part flag and label names where the data is processed, whose law can reach it, and whether it stays onshore, in place of text buried in a privacy policy." } ] }, "whereThingsGoWrong": "Surfacing legal exposure at the point of processing does not by itself stop a bad decision, but it embodies the same anti-pattern lesson: a material legal consequence buried out of sight rather than disclosed at the moment the citizen acts on it.", "challenge": "A citizen interacting with a government service may not know that their personal data is\nbeing processed by an AI model hosted in a different legal jurisdiction. That matters because\nthe hosting jurisdiction's laws, particularly around law-enforcement access, data retention,\nand surveillance, can differ materially from the citizen's own, and a cross-border transfer\nframework being in force does not make the underlying exposure go away.\n\nThe challenge is to surface that exposure where the citizen, or their agent, is about to act\non it, rather than bury it in a privacy policy.\n", "precedentsNote": "**GDPR Articles 13-14 — Data transfer disclosure.** Data controllers must inform\ndata subjects at the point of collection whether personal data will be transferred\nto a third country and on what legal basis (adequacy decision, standard\ncontractual clauses, or binding corporate rules). The obligation is to tell people\n*before* their data moves. In practice this information is typically buried in\nprivacy policies rather than surfaced at the point of interaction.\n\n**Schrems II and the DPF challenge.** The CJEU's Schrems II ruling (2020)\ninvalidated the EU-US Privacy Shield, finding that US surveillance law could reach\ndata processed by US-owned entities even within European facilities. The\nsubsequent EU-US Data Privacy Framework, adopted in 2023, was challenged but\nupheld by the European General Court on 3 September 2025 (Latombe, Case\nT-553/23); an appeal (C-703/25 P) is pending and the DPF remains valid as of\nmid-2026. Microsoft's Director of Public and Legal Affairs stated under oath\nbefore the French Senate that Microsoft cannot guarantee that data stored by\nFrench public-sector customers in Microsoft's French data centers would never be\ntransmitted to US authorities without French government consent. This testimony\nmakes the disclosure problem concrete: \"hosted in France\" does not mean \"subject\nonly to French law.\"\n\n**VPN jurisdiction indicators.** Consumer VPN applications routinely display\ncountry flags to indicate where a user's data will transit. NordVPN, ExpressVPN\nand similar services show the selected server country with a flag icon and map\npin, giving users a glanceable indicator of legal jurisdiction. The pattern is\nsimple, visual, and widely understood. Its limitation is that it shows routing,\nnot legal exposure: a server in Germany operated by a US company may still be\nsubject to US legal compulsion.\n", "transferability": "The GDPR disclosure obligation is directly relevant, but its current implementation, buried\nin privacy policies, is not fit for purpose in an agent-mediated interaction. A citizen's\nagent making a submission to government needs a machine-readable signal indicating where the\ndata will be processed and under what legal framework.\n\nThe VPN flag pattern provides a visual precedent for glanceable jurisdiction disclosure but\nneeds to be extended from \"where the server is\" to \"what laws apply to your data here.\" The\nSchrems II precedent demonstrates that physical hosting location is necessary but not\nsufficient; legal jurisdiction of the operating entity must also be disclosed.\n\nFor government services powered by AI, the disclosure pattern should indicate: (a) where the\nmodel processes the citizen's data (physical hosting), (b) what legal jurisdiction the model\noperator is subject to (legal exposure), and (c) whether the data remains onshore for the\npurposes of applicable data-protection law. This three-part signal has no established pattern\nyet.\n" }, { "id": "9.2", "title": "Sovereignty tiering for sensitive interactions", "territory": 9, "slug": "sovereignty-tiering-for-sensitive-interactions", "maturity": "established", "maturityLevels": [ { "level": "established", "note": "Tiered sovereignty frameworks for government procurement." }, { "level": "emerging", "note": "GAIA-X labeling as a visible trust signal." }, { "level": "frontier", "note": "Citizen-facing sovereignty-tier indicators in real-time AI interactions." } ], "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "Hosting Certification Framework", "jurisdiction": "Australia", "source": "https://www.hostingcertification.gov.au/framework" }, { "name": "iTnews — Govt certifies first four strategic cloud providers", "jurisdiction": "Australia", "source": "https://www.itnews.com.au/news/govt-certifies-first-four-strategic-cloud-providers-570922" }, { "name": "GAIA-X — Trust Framework", "jurisdiction": "EU", "source": "https://gaia-x.eu/gaia-x-welcomes-the-eu-cloud-and-ai-development-act-and-calls-for-a-practical-trusted-path-to-european-digital-sovereignty/" }, { "name": "Cloud Temple — first European player certified Gaia-X Label Level 3", "jurisdiction": "EU", "year": 2025, "source": "https://www.cloud-temple.com/en/press-releases/digital-sovereignty-cloud-temple-becomes-the-first-european-player-to-be-certified-gaia-x-label-level-3/" }, { "name": "GAIA-X Trust Framework 3.0 'Danube' release (Summit 2025)", "jurisdiction": "EU", "year": 2025, "source": "https://gaia-x.eu/gaia-x-enters-season-two-of-dataspaces-and-digital-ecosystems-with-summit-2025/" }, { "name": "Computer Weekly — G-Cloud 15 framework", "jurisdiction": "UK", "source": "https://www.computerweekly.com/feature/UK-governments-G-Cloud-15-framework-Everything-you-need-to-know" }, { "name": "Burges Salmon — Hot topics in 2026 for UK public sector cloud contracts", "jurisdiction": "UK", "year": 2026, "source": "https://www.burges-salmon.com/articles/102lzhr/hot-topics-in-2026-for-uk-public-sector-cloud-contracts/" }, { "name": "AGA — Hosting Certification Framework", "jurisdiction": "Australia", "source": "https://architecture.digital.gov.au/standard/hosting-certification-framework" } ], "assurance": "Government must match the sovereignty it requires of the hosting infrastructure to the data classification of the transaction: a low-risk interaction may proceed on foreign-hosted infrastructure with disclosure, while high-sensitivity data must be held to sovereign hosting that no foreign entity can compel. A single requirement applied across all tiers either over-constrains routine interactions or under-protects sensitive ones.", "access": "A tier signal expressed in the language of the data-classification scheme excludes the citizens who never learn that scheme: people without a policy or technical background, who cannot tell whether a tier protects them and so cannot judge whether to proceed. Keep the path open by making the tier legible without requiring the citizen to understand the classification system behind it, and by presenting sovereignty as a graded spectrum of assurance the citizen can read directly.", "surface": { "summary": "At the moment a citizen uses an AI assistant, a plain-language disclosure that the protection already matches what they are doing — which AI handles it, where it runs, who operates it, and whose law can reach it — led by reassurance and a way forward, not a tier number.", "instances": [ { "domain": "interaction", "kind": "interactive", "component": "SovereigntyTier", "annotation": "A \"doorway\" view leads with a plain-language verdict that the protection is already set to match the task, states it as a positive, and demotes whose law can compel the data to an opt-in detail instead of a color-only alarm." } ] }, "whereThingsGoWrong": "Tiering would not change a flawed calculation, but the discipline of matching infrastructure assurance to data sensitivity reflects a proportionality that high-stakes automated processes often lack.", "challenge": "Not all government interactions carry the same sovereignty risk. Filing a general\nfeedback form is different from submitting a tax return, which is different from\ninteracting with defense or intelligence services. A uniform sovereignty\nrequirement across all tiers either over-constrains low-risk interactions or\nunder-protects high-risk ones. The design challenge is graduated sovereignty\nsignaling that matches the sensitivity of the transaction.\n", "precedentsNote": "**Australia's Hosting Certification Framework (HCF).** The HCF establishes a\ntiered certification system for cloud providers hosting Australian Government data.\nAt the highest tier, \"Certified Strategic,\" providers must meet enhanced\nsovereignty, ownership-structure, and supply-chain transparency requirements. This\ntier is required for data classified at PROTECTED level and above. The first four\nCertified Strategic providers, certified in October 2021, were AWS, Vault Cloud,\nSliced Tech, and AUCloud.\n\n**GAIA-X Label levels (EU).** The GAIA-X initiative introduced a three-level\nlabeling scheme for cloud services. Level 1 covers basic transparency and\ninteroperability. Level 2 adds security controls. Level 3, the highest, requires\nEuropean-controlled operations, ensuring that no non-EU entity can compel data\naccess. Cloud Temple became the first provider certified at Level 3. The Trust\nFramework 3.0 \"Danube\" release (November 2025) enabled federated trust structures\nacross domains and geographies.\n\n**UK G-Cloud framework.** G-Cloud 15 (September 2026 to September 2030, valued at\nGBP 14 billion) provides a structured marketplace for public-sector cloud\nprocurement. As UK public-sector buyers respond to geopolitical tensions, demand\nfor sovereign UK cloud environments is increasing. The framework itself does not\nmandate sovereignty tiers, but the procurement guidance increasingly distinguishes\nbetween sovereign and non-sovereign offerings.\n\n**Australian Government data classification.** The Information Security Manual\nestablishes classification levels (OFFICIAL, OFFICIAL: Sensitive, PROTECTED,\nSECRET, TOP SECRET) that directly determine hosting requirements. Below PROTECTED,\nagencies have broader hosting options. At PROTECTED and above, only HCF-certified\nstrategic providers qualify. This creates an implicit sovereignty tier: the more\nsensitive the data, the more constrained the hosting options.\n", "transferability": "The tiering concept transfers directly. When a citizen's agent interacts with a\ngovernment service, the system should signal the sovereignty tier of the\nunderlying infrastructure. For low-sensitivity interactions a foreign-hosted model\nmay be acceptable with appropriate disclosure; for high-sensitivity interactions\n(tax, health, welfare, identity) the system should enforce, and visibly signal,\nsovereign hosting requirements. The design pattern is a \"sovereignty badge\" that\nmaps to the data classification of the transaction, not a blanket requirement.\n\nThe HCF and GAIA-X models provide the policy infrastructure. The citizen-facing\npresentation that surfaces this tiering is the part still to be designed: a visual\nlanguage that makes a sovereignty tier legible without requiring the citizen to\nunderstand the classification system behind it.\n" }, { "id": "9.3", "title": "AI system transparency registers", "territory": 9, "slug": "ai-system-transparency-registers", "maturity": "established", "maturityLevels": [ { "level": "established", "note": "Government AI registers in the UK and Netherlands." }, { "level": "emerging", "note": "Mandatory disclosure obligations under the EU AI Act from August 2026." }, { "level": "frontier", "note": "Real-time, contextual AI system disclosure at the point of citizen interaction." } ], "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "GOV.UK — Algorithmic Transparency Recording Standard Hub", "jurisdiction": "UK", "source": "https://www.gov.uk/government/collections/algorithmic-transparency-recording-standard-hub" }, { "name": "Data in Government blog — Making ATRS mandatory", "jurisdiction": "UK", "year": 2025, "source": "https://dataingovernment.blog.gov.uk/2025/05/08/making-the-algorithmic-transparency-recording-standard-atrs-mandatory-across-government/" }, { "name": "OECD.AI — Algorithm and AI Register", "jurisdiction": "Netherlands", "source": "https://oecd.ai/en/dashboards/policy-initiatives/algorithm-and-ai-register" }, { "name": "AI Act Blog — Algorithm registry", "jurisdiction": "Netherlands", "source": "https://www.aiactblog.nl/en/posts/algorithm-registry-foundation-responsible-ai-usage" }, { "name": "EU AI Act — Article 50", "jurisdiction": "EU", "source": "https://artificialintelligenceact.eu/article/50/" }, { "name": "EU Digital Strategy — Draft guidelines on transparency obligations", "jurisdiction": "EU", "source": "https://digital-strategy.ec.europa.eu/en/library/draft-guidelines-implementation-transparency-obligations-certain-ai-systems-under-article-50-ai-act" }, { "name": "EU AI Act — Article 13", "jurisdiction": "EU", "source": "https://artificialintelligenceact.eu/article/13/" }, { "name": "euaiact.com — Article 13", "jurisdiction": "EU", "source": "https://www.euaiact.com/article/13" }, { "name": "Raconteur — Mistral bets big on European sovereign AI", "jurisdiction": "France", "source": "https://www.raconteur.net/global-business/mistral-bets-big-on-european-sovereign-ai" }, { "name": "Introl — France's AI Sovereignty Push", "jurisdiction": "France", "source": "https://introl.com/blog/france-ai-sovereignty-mistral-sovereign-cloud-2025" } ], "assurance": "Government must keep a verifiable, machine-readable account of which AI system powers each service, naming its purpose, training data, underlying technology, and risk controls, so that a citizen or an agent can confirm what is handling an interaction and who answers for it. A record that exists only on a register a citizen never reaches does not meet that requirement at the point of use.", "access": "Disclosure that lives only in a separate register reaches the citizens who already know to look for it and excludes everyone else: people who do not know a register exists, or who lack the time or technical confidence to read one, who then act without knowing what system handled them. A disclosure repeated on every interaction excludes them differently, by fatigue. Keep the path open by adapting the register's information into a glanceable, contextual indicator at the point of use, and by triggering fuller disclosure only where the jurisdiction genuinely changes the citizen's position.", "surface": { "summary": "A contextual indicator that names the model, its hosting jurisdiction, and its transparency-register record at the point a citizen interacts with the service.", "instances": [ { "domain": "interaction", "kind": "mockup", "annotation": "At the point of use, a single line names the system, its hosting jurisdiction, and its register record: 'powered by [Model X], hosted in [Jurisdiction Y], registered under [record Z]'." } ] }, "whereThingsGoWrong": "The failure mode is an algorithm whose purpose, training data, and risk controls are never exposed, so a flawed design cannot be contested before it scales. A mandatory, public transparency register makes it contestable in advance.", "challenge": "As AI systems come to power more government services, a citizen, or the agent acting for\nthem, has no way to establish which system is handling an interaction, who built it, where it\nis hosted, or what data it was trained on. Without that account, a decision cannot be checked\nagainst who is accountable for it, and the jurisdiction the system answers to stays invisible\nat the moment it matters.\n\nThe challenge is to make the system behind a service identifiable to a citizen or an agent at\nthe point of use, not only to those who go looking in a register.\n", "precedentsNote": "**UK Algorithmic Transparency Recording Standard (ATRS).** In 2025 the UK made\nATRS reporting mandatory for central government departments and Arms-Length Bodies\nproviding public services. The standard requires disclosure of the algorithmic\ntool's purpose, the data used to train it, the underlying technology, and\nrisk-management strategies. By late 2025, 125 ATRS records had been published.\nThis is the most developed government-mandated AI disclosure register operating at\nscale.\n\n**Netherlands Algorithm Register.** The Netherlands launched a public algorithm\nregister in late 2022 requiring government bodies to disclose their use of\nalgorithms. By 2025, approximately one thousand algorithms were registered, with the\nlarger municipalities among the most active registrants. By end of 2025, all central\ngovernment bodies must have\nhigh-risk AI systems (per the EU AI Act) registered. The Dutch Data Protection\nAuthority published eight concrete guidelines in July 2025 to support\nimplementation.\n\n**EU AI Act Article 50 — Transparency obligations.** From 2 August 2026, providers\nof AI systems intended to interact directly with natural persons must ensure those\npersons are informed they are interacting with an AI system. Providers of systems\ngenerating synthetic content must ensure outputs are marked in a machine-readable\nformat. Non-compliance with these Article 50 transparency obligations carries\nadministrative fines of up to EUR 15 million or 3% of worldwide annual turnover\n(Article 99); the higher EUR 35 million / 7% tier applies to prohibited practices\nunder Article 5, not to transparency breaches.\n\n**EU AI Act Article 13 — Information for deployers.** Providers of high-risk AI\nsystems must deliver \"clear, complete and correct\" instructions to deployers,\nincluding the system's intended purpose, accuracy metrics, and details of training\nand validation data. This creates an information chain: provider to deployer to\ncitizen.\n\n**France — Mistral for government services.** France has committed to deploying\nMistral models in government services, including a framework agreement with the\nMinistry of Armed Forces (2026-2030). This is notable as explicit, public\ndisclosure of which AI model powers government functions, though the disclosure is\nat the policy level, not surfaced to citizens at point of interaction.\n", "transferability": "The ATRS and Dutch register models provide the structural template for AI system disclosure.\nHowever, they are currently registry-based, published on a government website for those who\nseek them out. In an agent-mediated interaction, the disclosure needs to be surfaced at point\nof use, not discovered in a register after the fact.\n\nThe design challenge is adapting registry information into a glanceable, contextual\nindicator. The Article 50 obligation provides the legal mandate and the registries provide\nthe data; the part still to be built is the interaction that carries that data to the citizen\nat the point of use.\n\nThe France/Mistral precedent is significant because it demonstrates a government explicitly\nchoosing, and publicly disclosing, a sovereign AI model for government services. The 2025 AI\nAgent Index finding that fewer than 20% of AI agent developers disclose formal safety\npolicies, and fewer than 10% report external safety evaluations, underscores the gap between\nwhat is needed and what currently exists.\n" }, { "id": "9.4", "title": "Cookie consent as cautionary precedent", "territory": 9, "slug": "cookie-consent-as-cautionary-precedent", "maturity": "established", "maturityLevels": [ { "level": "established", "note": "Cookie consent as the cautionary precedent." }, { "level": "emerging", "note": "Disclosure that adapts to the applicable cross-border regime." }, { "level": "frontier", "note": "Jurisdiction-disclosure UX that avoids the cookie-consent failure mode." } ], "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "DataGrail — Common Design Mistakes in Cookie Consent", "source": "https://www.datagrail.io/blog/data-privacy/how-to-avoid-these-common-deceptive-design-mistakes-in-your-cookie-consent-banner/" }, { "name": "Cookie Information — Swedish DPA targets dark patterns", "jurisdiction": "Sweden", "year": 2025, "source": "https://cookieinformation.com/blog/blog-swedish-dpa-imy-dark-patterns-april-2025/" }, { "name": "Transcend — Cookie Banner 101", "source": "https://transcend.io/blog/cookie-banner-101" }, { "name": "Webtoffee — Cookie Banner Design", "source": "https://www.webtoffee.com/blog/best-ui-ux-practices-for-cookie-banners/" } ], "assurance": "Government must deliver jurisdiction disclosure the citizen can read and act on rather than a screen they clear reflexively to proceed. A decade of consent-banner enforcement sets the requirements it has to meet: disclosure timed to the moment of the decision, any choices presented symmetrically, no demand the citizen cannot act on, no repetition that breeds fatigue, and a form an agent can read.", "access": "A disclosure that presents a fake choice, where the only path forward is to accept, wears down the citizens least equipped to question it: people with low reading confidence or little time, who click through and so gain nothing the disclosure promised. Keep the path open by triggering disclosure only when personal data crosses a boundary that changes the citizen's legal protections, presenting a no-alternative situation as an informational label that states the position plainly, and offering a genuine, symmetrical choice only where an alternative actually exists.", "surface": { "summary": "A jurisdiction-disclosure component that fires at the data-submission step rather than on page load, presents any alternatives symmetrically, and exposes structured metadata for the citizen's agent.", "instances": [ { "domain": "interaction", "kind": "do-dont", "annotation": "A do/don't pair sets a fatigue-inducing consent wall against a point-of-submission informational label, drawn from the cookie-banner failure modes: asymmetric buttons, page-load timing, and choices the citizen cannot act on." } ] }, "whereThingsGoWrong": "This pattern guards against a screen the citizen cannot realistically read or refuse, which does not by itself prevent an adverse-decision failure. Its insistence on disclosure the citizen can act on, disclosure that informs a real decision, is the same accountability instinct the worst cases violate.", "challenge": "A jurisdiction-disclosure obligation has to inform the citizen without producing a screen\nthey cannot realistically read or refuse. The risk is that it repeats the course cookie\nconsent ran: a transparency requirement that hardened into a screen users learned to dismiss,\nclicking \"accept all\" to clear it, so the disclosure did no work. The large majority of\ncookie banners fail to meet the GDPR standard for free, informed consent: a scrape of the\ntop UK sites found only around 12% met the minimum legal requirements (Nouwens et al., CHI 2020).\n\nThe challenge is to design jurisdiction disclosure the citizen can actually act on, carrying\nthe lessons of that failure rather than reproducing it.\n", "precedentsNote": "**Cookie consent banner evolution (2012-2026).** The EU ePrivacy Directive,\nimplemented through national laws from 2012, required websites to obtain consent\nbefore placing non-essential cookies. The initial implementation was widely\nregarded as useless. Subsequent enforcement pushed toward opt-in models, but the\nresulting interfaces introduced new problems: asymmetric design (bright \"Accept\nAll\" button, grayed-out \"Manage Preferences\"), pre-ticked boxes, and excessive\nfriction on opt-out paths. In its first settlement (March 2025), the California Privacy\nProtection Agency fined Honda USD 632,500 under the CCPA for a cookie banner that made\nopting out harder than opting in. The Swedish DPA (IMY) targeted dark patterns in cookie\nbanners in April 2025.\n\n**Geo-adaptive consent banners.** Modern consent platforms (Usercentrics,\nOneTrust, CookieYes) detect user location and display jurisdiction-appropriate\nconsent interfaces: opt-in for GDPR regions, opt-out for CCPA/CPRA regions. This\ngeo-adaptive approach is the closest precedent for jurisdiction-aware disclosure\nin a cross-border context: the interface adapts to the legal framework that\napplies.\n", "transferability": "**Lessons for sovereignty signaling.**\n\n1. **Timing matters.** Cookie banners fail partly because they appear on page\n load, before the user has any context for the choice. Jurisdiction disclosure\n should appear at the point of data submission, not on initial page load.\n2. **Symmetry of choices.** Regulators now fine asymmetric designs. If\n jurisdiction disclosure offers alternatives, the options must be presented\n symmetrically.\n3. **The citizen must be able to act.** A disclosure the citizen cannot act on is a\n screen they cannot realistically read or refuse. If the citizen has no\n alternative to foreign-hosted processing, the disclosure should be a label that\n states the position, not a consent prompt that implies a choice they do not have.\n4. **Fatigue is the enemy.** If every government interaction begins with a\n jurisdiction disclosure banner, citizens will learn to ignore it.\n5. **Machine-readable signals.** For agent-mediated interactions, jurisdiction\n information should be available as structured metadata the agent can process.\n\nDirectly relevant as an anti-pattern. The pattern library should specify: (a) when\njurisdiction disclosure triggers (only when personal data crosses a jurisdictional\nboundary that changes the citizen's legal protections), (b) how it presents\n(informational label for no-alternative situations, genuine choice where\nalternatives exist), and (c) how agents consume it (as structured metadata, not\nbanner text). The geo-adaptive consent banner provides a useful technical\nprecedent for jurisdiction detection, but the presentation must avoid the\nconsent-fatigue failure mode.\n" }, { "id": "9.5", "title": "Cross-border data transfer as a design obligation", "territory": 9, "slug": "cross-border-data-transfer-mechanisms-as-ux-obligations", "maturity": "established", "maturityLevels": [ { "level": "established", "note": "Legal transfer mechanisms." }, { "level": "emerging", "note": "Cloud-switching portability rights." }, { "level": "frontier", "note": "Surfacing transfer-mechanism status in citizen-facing interactions, and agent-queryable transfer-mechanism APIs." } ], "status": "reviewed", "threads": [ "financial-services" ], "dependsOn": [], "precedents": [ { "name": "European Commission — Standard Contractual Clauses", "jurisdiction": "EU", "source": "https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en" }, { "name": "Steptoe — New SCCs 2025", "jurisdiction": "EU", "year": 2025, "source": "https://www.steptoe.com/en/news-publications/steptechtoe-blog/new-standards-contractual-clauses-for-the-international-transfer-of-personal-data-coming-up-in-2025.html" }, { "name": "Hunton — Key Provisions of the EU Data Act", "jurisdiction": "EU", "source": "https://www.hunton.com/privacy-and-cybersecurity-law-blog/key-provisions-of-the-eu-data-act-take-effect" }, { "name": "Garrigues — Data Act and cloud switching", "jurisdiction": "EU", "source": "https://www.garrigues.com/en_GB/garrigues-digital/data-act-and-cloud-switching-keys-new-rules-changing-cloud-service-providers" }, { "name": "K&S Partners — India's New Cross-Border Data Transfer Framework", "jurisdiction": "India", "source": "https://ksandk.com/data-protection-and-data-privacy/indias-new-cross-border-data-transfer-framework/" }, { "name": "DPDPA.com — Rule 15", "jurisdiction": "India", "source": "https://www.dpdpa.com/dpdparules/rule15.html" }, { "name": "China Briefing — Cross-Border Data Transfer Certification", "jurisdiction": "China", "source": "https://www.china-briefing.com/news/china-cross-border-data-transfer-certification/" }, { "name": "Library of Congress — China Certification Measures", "jurisdiction": "China", "year": 2026, "source": "https://www.loc.gov/item/global-legal-monitor/2026-02-19/china-certification-measures-issued-for-cross-border-transfers-of-personal-data/" } ], "assurance": "Government must make the legal basis for a cross-border transfer (an adequacy decision, standard contractual clauses, or negative-list clearance) checkable before a citizen's data moves, so an agent can confirm a valid basis still holds rather than committing data on the assumption that it does. A basis recorded only in a contract between organizations does not meet that requirement at the moment of transfer.", "access": "A status surfaced as the name of a legal instrument reaches only the citizens who can read one: people without a legal background see a term they cannot interpret and cannot tell whether their data is protected. Keep the path open by triggering disclosure only when data actually crosses a boundary that changes legal protections, and, for high-sensitivity transactions, by surfacing the transfer-mechanism status as a plain assurance the citizen can read directly.", "surface": { "summary": "A transfer-mechanism status indicator: a binary or graded signal an agent queries before committing data, surfaced to the citizen only on high-sensitivity transactions.", "instances": [ { "domain": "interaction", "kind": "mockup", "annotation": "An agent-queryable status flag resolves the standard-clauses, adequacy, or negative-list legal basis into a plain 'valid transfer basis exists' assurance at the submit step." } ] }, "whereThingsGoWrong": "Checking that a lawful basis exists before data moves is a procedural safeguard of the kind the worst cases bypass. Encoding it as a pre-processing gate makes the legality of a transfer a precondition, not an afterthought.", "challenge": "When a citizen's data crosses a border, because their agent uses a foreign-hosted model or a\ngovernment service runs on overseas infrastructure, whether that move is lawful turns on\nlegal arrangements made between organizations, out of the citizen's sight. The agent\ncommitting the data usually has no way to check that a valid basis for the transfer still\nholds, and the citizen has no way to see it at all.\n\nThe challenge is to turn that buried legal status into something an agent can check before it\nacts, and surface to the citizen when it matters.\n", "precedentsNote": "**GDPR Standard Contractual Clauses (SCCs).** SCCs are the primary mechanism for\ntransferring personal data from the EU to non-adequate countries. The European\nCommission is revising SCCs for the second time (to cover importers directly\nsubject to GDPR Article 3(2); planned but delayed, and not yet adopted as of\nmid-2026), incorporating lessons from Schrems II. SCCs require enhanced\ntransparency, notification of\ngovernment access requests, and additional safeguards. However, SCCs are a B2B\nlegal instrument: they impose obligations on data exporters and importers, not on\nuser-facing interfaces.\n\n**EU Data Act cloud-switching provisions.** The EU Data Act requires cloud\nproviders to remove all barriers to switching between providers and to prevent\nunlawful non-EU government access to data. Its core provisions, including cloud\nswitching, apply from 12 September 2025 (interoperability requirements from\n12 September 2026; portability standards from 12 September 2027). Cloud providers\nmust take reasonable measures to resist data-access demands that conflict with EU\nlaw. The Data Act leaves penalties to each Member State (Article 40 requires them to\nbe effective, proportionate, and dissuasive); where personal data is involved, GDPR\nfines of up to EUR 20 million or 4% of global annual turnover apply.\n\n**India's DPDP Act negative-list approach.** The Digital Personal Data Protection\nAct 2023 (operationalized November 2025) permits cross-border data transfers by\ndefault, with the central government maintaining a \"negative list\" of countries to\nwhich transfers are restricted. This is a simpler model than the EU's: rather than\nrequiring affirmative legal basis for each transfer, it prohibits transfers to\nblacklisted jurisdictions. Section 16 of the Act is the enabling provision,\noperationalized by Rule 15 of the DPDP Rules 2025; as of mid-2026 no restricted-country\nlist has yet been notified.\n\n**China's three-pathway system.** China completed its cross-border data-transfer\nframework in 2025 with the release of Certification Measures for Cross-Border\nTransfer of Personal Information (effective January 2026). Data processors must\nsatisfy one of three pathways: (a) CAC security assessment, (b)\npersonal-information protection certification, or (c) standard contracts. Approval\nis valid for three years. This is the most restrictive major framework, requiring\naffirmative government approval for sensitive data transfers.\n", "transferability": "These mechanisms are currently invisible to end users by design; they operate\nbetween organizations. In an agent context, this invisibility becomes a problem: a\ncitizen's agent may route data through a model hosted in a jurisdiction where the\ntransfer mechanism has lapsed or been invalidated. The agent should be able to\nquery whether a valid transfer mechanism exists for the citizen's data before\nprocessing it.\n\nThe design pattern needed is a \"transfer-mechanism status indicator\": a\nmachine-readable signal that an agent can check and, for high-sensitivity\ntransactions, surface to the citizen. India's negative-list approach is the\nsimplest to implement as a binary check (\"is this destination blacklisted?\"). The\nEU's SCC model is more complex but more nuanced.\n" }, { "id": "9.6", "title": "Sector-specific data residency as design constraint", "territory": 9, "slug": "sector-specific-data-residency-as-design-constraint", "maturity": "established", "maturityLevels": [ { "level": "established", "note": "Sector-specific data-residency law in health and finance." }, { "level": "emerging", "note": "Integration of data-residency requirements into cloud procurement frameworks." }, { "level": "frontier", "note": "Agent-platform routing that enforces sector-specific residency, and citizen-facing assurance indicators." } ], "status": "reviewed", "threads": [ "financial-services" ], "dependsOn": [], "precedents": [ { "name": "Sognos — Data residency in Australian healthcare", "jurisdiction": "Australia", "source": "https://sognos.com.au/data-residency-in-australian-healthcare-sorting-fact-from-fiction/" }, { "name": "Swift Digital — Data Sovereignty in Australia", "jurisdiction": "Australia", "source": "https://swiftdigital.com.au/data-sovereignty-australia/" }, { "name": "Aptible — Data residency for healthcare AI", "jurisdiction": "US", "source": "https://www.aptible.com/hipaa-ai-security/data-residency" }, { "name": "Knowi — Healthcare Data Residency Requirements", "jurisdiction": "US", "source": "https://www.knowi.com/blog/data-residency-requirements-for-healthcare-analytics-platforms/" }, { "name": "Cliffside — APRA CPS 234 Compliance Guide", "jurisdiction": "Australia", "source": "https://www.cliffside.com.au/insights/apra-cps-234-compliance-guide/" }, { "name": "Atlassian — FinServ Compliance: CPS 234", "jurisdiction": "Australia", "source": "https://www.atlassian.com/blog/announcements/apra-cps-234" }, { "name": "Bank of England — PS16/24 Critical Third Parties", "jurisdiction": "UK", "year": 2024, "source": "https://www.bankofengland.co.uk/prudential-regulation/publication/2024/november/operational-resilience-critical-third-parties-to-the-uk-financial-sector-policy-statement" } ], "assurance": "Where a sector imposes a statutory data-residency limit stricter than general privacy law, government must treat that limit as a hard constraint on the platform: before a request is routed, it is confined to compliant infrastructure, and the citizen is told the limit held. A constraint that depends on later audit rather than enforcement before routing does not meet the requirement the law sets.", "access": "A residency assurance written in regulatory boilerplate, or omitted because the constraint is assumed, leaves the citizen unable to tell whether their sensitive data was actually held in place: those least familiar with the sector's rules cannot distinguish a real protection from a routine notice. Keep the path open by surfacing the assurance contextually (for health data, that it was processed in the jurisdiction the sector's law requires) and by distinguishing a constraint required by law from one required only by policy, so the citizen can read the protection that applies to them.", "surface": { "summary": "A contextual assurance line, backed by sector-aware routing, that tells the citizen their data stayed within the jurisdiction the sector's law requires.", "instances": [ { "domain": "service", "kind": "mockup", "annotation": "A sector residency rule, such as My Health Records Act s77 or APRA CPS 234, becomes a pre-routing constraint plus a plain-language assurance, for example 'processed within Australia in accordance with the My Health Records Act'." } ] }, "whereThingsGoWrong": "Encoding a statutory constraint as a hard pre-routing gate, and telling the citizen it held, is exactly the kind of enforceable, visible safeguard whose absence lets a system operate unlawfully at scale.", "challenge": "Some sectors, like health and finance, place stricter limits on where data may be processed\nthan general privacy law does. When a citizen reaches a government service in one of those\nsectors through an AI agent, the agent and the platform behind it have to honor those limits,\nkeeping the data on compliant infrastructure, and the citizen should be able to see that it\nheld.\n\nThe challenge is to make a sector's residency rule something the platform enforces before it\nroutes a request, and something the citizen can actually see.\n", "precedentsNote": "**Australia's My Health Records Act — section 77.** Under section 77, all My Health\nRecord data must remain in Australia, including all copies and backups, with no\nexceptions unless it is non-identifiable operational data held by the System\nOperator. This is an absolute geographic restriction: no offshoring, no\nexceptions. Individual states and territories impose additional restrictions on\ndisclosure outside their jurisdiction without consent.\n\n**HIPAA (US) — no residency mandate, but practical constraints.** HIPAA does not\nmandate US-only storage. It requires encryption, access controls, audit trails,\nand a Business Associate Agreement (BAA) with cloud vendors. However, many\nenterprise health-system customers contractually require US-based hosting, making\ndata residency a market-driven rather than regulatory constraint. Data residency\nfor healthcare AI covers where PHI is stored, processed, queried, and where AI\ninference runs, not just server location.\n\n**APRA CPS 234 and CPS 230 (Australian financial services).** CPS 234 is the\nmandatory information security standard for APRA-regulated entities; CPS 230 replaced\nthe outsourcing standard on 1 July 2025, requiring regulated entities to manage cloud\nrisks under a new operational-resilience framework. Together they constrain where and\nhow a regulated service may process data, including through its cloud and AI\nproviders.\n\n**UK PRA Critical Third Parties regime.** From 1 January 2025, the Bank of England,\nFCA, and PRA can designate third-party providers (including cloud providers) as\nCritical Third Parties (CTPs) where their services to UK financial entities are\nsufficiently systemic. CTPs become subject to direct oversight and must comply\nwithin twelve months of designation. The regime addresses concentration risk: the\ndependency of many financial institutions on a small number of cloud providers.\n", "transferability": "Sector-specific data-residency requirements create a design constraint that AI\nagent platforms must encode and enforce, and the form they take varies by\njurisdiction. Under Australia's My Health Record regime, for instance, an agent\nmust ensure no data is processed offshore: not the prompt, not the response, not the\ninference computation. Under the APRA financial-services regime, an agent must\nsatisfy CPS 234 and CPS 230, including personal accountability of executives.\n\nThe design pattern is \"sector-aware routing\": the agent platform must know, before\nrouting a request to an AI model, whether the data involved falls under a\nsector-specific residency regime and, if so, restrict routing to compliant\ninfrastructure. The US HIPAA framework offers a useful counterpoint, since not all\ndata-residency requirements are statutory. The pattern should distinguish a\nconstraint required by law from one required only by policy.\n" }, { "id": "9.7", "title": "Sovereign AI model selection and disclosure", "territory": 9, "slug": "sovereign-ai-model-selection-and-disclosure", "maturity": "emerging", "maturityLevels": [ { "level": "emerging", "note": "Sovereign AI model selection as government policy." }, { "level": "frontier", "note": "Citizen-facing AI model provenance labeling, and machine-readable model-provenance metadata for agent-to-agent queries." } ], "status": "reviewed", "threads": [], "dependsOn": [], "precedents": [ { "name": "Raconteur — Mistral bets big on European sovereign AI", "jurisdiction": "France", "source": "https://www.raconteur.net/global-business/mistral-bets-big-on-european-sovereign-ai" }, { "name": "GEND — Mistral AI wins French defence framework agreement", "jurisdiction": "France", "source": "https://www.gend.co/blog/mistral-ai-french-defence-framework" }, { "name": "PDP Spectra — Sovereign AI in 2026", "jurisdiction": "UK", "year": 2026, "source": "https://pdpspectra.com/blog/sovereign-ai-initiatives-2026/" }, { "name": "The Register — Europe gets serious about cutting US digital umbilical cord", "jurisdiction": "EU", "source": "https://www.theregister.com/2025/12/22/europe_gets_serious_about_cutting/" }, { "name": "36kr — Sovereignty at Risk: AI Agents' Cross-border Tool Calls", "source": "https://eu.36kr.com/en/p/3569745229699465" }, { "name": "Arxiv — On the Regulatory Potential of User Interfaces for AI Agent Governance", "year": 2025, "source": "https://arxiv.org/pdf/2512.00742" } ], "assurance": "When a government chooses which AI model powers a service, it must make that sovereignty choice visible at the point of interaction, disclosing the model provider, the training jurisdiction, the inference-hosting jurisdiction, and the legal framework that governs the data. A choice held only at the policy level, unseen by the citizen the model decides about, does not meet that requirement.", "access": "A single form of disclosure reaches one kind of reader and excludes the others: a dense page label loses citizens with low reading confidence, while a glanceable badge gives an agent nothing to evaluate, so each is left unable to weigh the sovereignty of the system handling them. Keep the path open by offering the disclosure at graduated depth, a static page label, a contextual tooltip, and machine-readable metadata, so citizens with different needs and their agents can each read it, and by presenting sovereignty as an informed choice across the range of provenance rather than a single domestic-or-foreign verdict.", "surface": { "summary": "A model provenance label that names the provider, training jurisdiction, hosting jurisdiction, and governing law, surfaced at the point a citizen interacts with the AI.", "instances": [ { "domain": "interaction", "kind": "mockup", "annotation": "A food-origin-style provenance label names the provider, training jurisdiction, hosting jurisdiction, and governing law, shown at the point of AI interaction." } ] }, "whereThingsGoWrong": "The failure mode is an opaque automated decision with no record of which model decided a case, or under whose law it ran. Labeling that provenance makes the deciding system contestable.", "challenge": "When a government deploys AI in citizen-facing services, which model it uses, and\nwho controls that model, is a sovereignty question. A government service powered by\na US-headquartered model provider is subject to different legal and political risks\nthan one powered by a domestically developed or EU-sovereign model. Citizens\ncurrently have no visibility into this choice.\n", "precedentsNote": "**France — Mistral for government and defense.** France has committed to deploying\nMistral models in government services, with a framework agreement for the Ministry\nof Armed Forces spanning 2026-2030. In late 2025, Mistral partnered with SAP and\nthe French and German governments to build a sovereign AI stack for public\nadministrations. This represents the clearest example of a government explicitly\nlinking AI model selection to sovereignty objectives.\n\n**Wider sovereign-AI investment.** Other governments are backing sovereign AI\ncapacity by different routes (the UK through equity stakes in domestic AI companies,\nthe EU through public investment in compute infrastructure), which is why a service's\nchoice of model is increasingly a deliberate sovereignty decision rather than a\ndefault.\n\n**2025 AI Agent Index — disclosure gap.** Fewer than 20% of AI agent developers\ndisclose formal safety policies, and fewer than 10% report external safety\nevaluations. This quantifies the disclosure deficit: even basic transparency about\nthe AI system is rare, let alone sovereignty-relevant details like model provenance\nand hosting jurisdiction.\n\n**Arxiv paper — UI for AI agent governance.** A December 2025 paper \"On the\nRegulatory Potential of User Interfaces for AI Agent Governance\" directly addresses\nthe role of user interfaces in governing AI agents, arguing that UI design is an\nunderexplored regulatory lever. The paper notes that 15 months after the EU AI Act\ncame into force, the AI Office has not issued specific guidance for AI agents.\n", "transferability": "The France/Mistral model demonstrates sovereign AI selection at policy level. The part still\nto be built is citizen-facing disclosure at the point of interaction.\n\nThe pattern is an \"AI model provenance label\" that discloses: (a) the model provider, (b) the\nmodel's training jurisdiction, (c) the inference-hosting jurisdiction, and (d) the legal\nframework governing data processed through it. This could be implemented as a static\ndisclosure on the service page, a contextual tooltip at point of AI interaction, or a\nmachine-readable metadata field that a citizen's own agent can query and evaluate.\n\nThe 2025 AI Agent Index disclosure gap suggests that market forces alone will not produce\nthis transparency. Regulatory mandate, building on Article 50 of the EU AI Act, is likely\nnecessary.\n" }, { "id": "9.8", "title": "Concentration-risk and supply-chain disclosure", "territory": 9, "slug": "concentration-risk-and-supply-chain-disclosure", "maturity": "emerging", "maturityLevels": [ { "level": "emerging", "note": "SBOM as structural precedent, and concentration-risk oversight in financial regulation." }, { "level": "frontier", "note": "An AI sovereignty BOM, and agent-queryable supply-chain jurisdiction metadata." } ], "status": "reviewed", "threads": [ "financial-services" ], "dependsOn": [], "precedents": [ { "name": "Bank of England — PS16/24 Critical Third Parties", "jurisdiction": "UK", "year": 2024, "source": "https://www.bankofengland.co.uk/prudential-regulation/publication/2024/november/operational-resilience-critical-third-parties-to-the-uk-financial-sector-policy-statement" }, { "name": "DanubeData — US CLOUD Act European Alternatives", "jurisdiction": "EU", "year": 2026, "source": "https://danubedata.ro/blog/us-cloud-act-european-alternatives-2026" }, { "name": "Executive Order 14028 — Improving the Nation's Cybersecurity (SBOM)", "jurisdiction": "US", "year": 2021, "source": "https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity" } ], "assurance": "Government must make the jurisdictional exposure of the whole AI processing chain inspectable, not just the sovereignty of the service at the top, so a citizen's agent can find hidden foreign dependencies before committing data to a nominally sovereign service. A sovereignty claim that covers only the visible layer, while sub-processors and upstream training infrastructure go undisclosed, does not meet that requirement.", "access": "A raw component manifest is legible only to someone who can read a supply chain, which excludes the citizens it is meant to protect: people without a technical background see a list they cannot interpret and cannot tell whether the service is exposed. Keep the path open by rendering the manifest as a summary 'nutrition label' for sovereignty, so the jurisdictional exposure across the stack is legible at a glance, and by making it agent-queryable for high-sensitivity interactions so an agent can evaluate the detail on the citizen's behalf.", "surface": { "summary": "A sovereignty supply-chain summary card: a nutrition-label-style view of jurisdictional exposure across every layer of the AI processing stack, queryable by the citizen's agent.", "instances": [ { "domain": "strategy", "kind": "mockup", "annotation": "A per-layer sovereignty BOM card shows each component's jurisdictional exposure, drawn from the same supply-chain mapping behind an SBOM and concentration-risk oversight." } ] }, "whereThingsGoWrong": "Hidden foreign dependencies are an accountability gap of the same family as a hidden calculation assumption. A queryable manifest of the stack makes those buried exposures inspectable before harm occurs.", "challenge": "Even when a government picks a sovereign cloud provider or a domestically hosted model, the\nsupply chain behind that service can carry hidden foreign dependencies. A nominally sovereign\nmodel may have been trained on a foreign hyperscaler's infrastructure, fine-tuned on a\nforeign platform, or served through networks that route data across borders. The citizen's\nagent, committing data to what looks like a domestic service, has no way to see those buried\nexposures.\n\nThe challenge is to make the jurisdictional exposure of the whole stack inspectable before\ndata is committed.\n", "precedentsNote": "**Software Bill of Materials (SBOM) — from cybersecurity.** US Executive Order\n14028 (2021) required SBOMs for software sold to the federal government, disclosing\nall components and dependencies. The SBOM concept has been extended to AI systems\nas \"AI BOMs\" or \"model cards\" listing training data, architecture, and\ndependencies. The structural pattern (a machine-readable manifest of all\ncomponents in a system) transfers directly to the sovereignty context as a\n\"sovereignty supply-chain disclosure.\" (No standalone source URL.)\n\n**UK PRA concentration-risk oversight.** The UK's Critical Third Parties regime\nexplicitly addresses concentration risk: the systemic dependency of many financial\ninstitutions on a small number of cloud providers. The PRA proposes linking all\nmaterial product-or-service providers in the same supply chain to identify\n\"nth-party\" concentration risks. This supply-chain mapping approach is directly\nrelevant to AI model sovereignty: a government service's AI stack may depend on\nmultiple layers of providers, each introducing different jurisdictional exposures.\n\n**EU Data Act — resistance to unlawful non-EU access.** The EU Data Act requires\ncloud providers to take reasonable measures to prevent unlawful non-EU government\naccess and to challenge access requests conflicting with EU law. This obligation\nextends through the supply chain: a sovereign cloud provider using US-based\nsub-processors must ensure those sub-processors also resist unlawful access.\n", "transferability": "When a citizen's agent makes a tool call (invoking an API, querying a database, or\nprocessing data through a model), the agent may trigger cross-border data flows\ninvisible to both the citizen and the government service. The 36kr analysis (2025)\ndescribes how AI agent tool calls \"shatter traditional regulatory boundaries\"\nbecause the agent autonomously selects and invokes tools without visibility into\ntheir hosting jurisdiction.\n\nThe design pattern is an \"AI sovereignty BOM\": a machine-readable manifest\ndisclosing the jurisdictional exposure of every component in the AI processing\nchain. For high-sensitivity government interactions, this BOM is queryable by the\ncitizen's agent before committing data. The visual representation follows a\nnutrition-label model, adapted for sovereignty: a summary card showing jurisdictional\nexposure across the processing stack.\n" }, { "id": "9.9", "title": "Context-triggered disclosure", "territory": 9, "slug": "the-when-it-matters-trigger", "maturity": "established", "maturityLevels": [ { "level": "established", "note": "Progressive disclosure, and risk-based triggers in financial services." }, { "level": "emerging", "note": "Risk-based step-up in identity systems." }, { "level": "frontier", "note": "Machine-evaluable sovereignty checkpoints for AI agent interactions, and data-classification-to-sovereignty-tier matching." } ], "status": "reviewed", "threads": [ "financial-services" ], "dependsOn": [], "precedents": [ { "name": "UI Patterns — Progressive Disclosure", "source": "https://ui-patterns.com/patterns/ProgressiveDisclosure" } ], "assurance": "Government must tie sovereignty disclosure to a check it can run before processing, comparing the data classification of an interaction against the sovereignty tier of the available infrastructure, so the citizen is asked to engage only when the two genuinely diverge. A blanket rule that discloses on every interaction, or none, does not meet the requirement that disclosure fire when jurisdiction actually changes the citizen's protection.", "access": "A trigger set too loose buries the citizen in disclosures they learn to ignore; set too tight, it stays silent on the transfers that change their legal protection. Either way the citizens least able to seek out the information themselves, those with low reading confidence, limited time, or no agent of their own, are the ones left uninformed when it matters. Keep the path open by triggering disclosure only when data crosses a boundary that changes legal protections, by defaulting to a minimal indicator with detail available on demand, and by presenting a real choice where an alternative exists.", "surface": { "summary": "A sovereignty checkpoint that resolves silently to a minimal indicator when the infrastructure tier matches the data classification, and surfaces a clear disclosure plus choice only on mismatch.", "instances": [ { "domain": "interaction", "kind": "mockup", "annotation": "A pre-processing checkpoint discloses in proportion to data sensitivity, escalating to the citizen only when the data classification and the infrastructure tier diverge." } ] }, "whereThingsGoWrong": "The failure mode is one crude rule applied to every case, with no escalation when stakes and infrastructure mismatch. A checkpoint that escalates a sensitive-data-on-inadequate-infrastructure mismatch to a human is the proportionate, exception-surfacing control that prevents it.", "challenge": "The hard part of sovereignty disclosure is calibrating when it fires. Surfaced on every\ngovernment interaction, it goes the way of the cookie banner, dismissed reflexively until it\ninforms no one. Surfaced on none, it leaves citizens unaware of the jurisdictional risks that\ngenuinely change their position.\n\nThe challenge is to define a trigger that surfaces sovereignty information in proportion to\nthe data at stake, and to make that trigger something an agent can evaluate before it acts.\n", "precedentsNote": "**Progressive disclosure (general UX pattern).** Progressive disclosure shows users\nonly the information they need at each stage, with the ability to dig deeper on\ndemand. This is the foundational UX pattern for managing information complexity.\nApplied to sovereignty: default to a minimal signal (\"Australian-hosted\"), with\ndetails available on demand (\"Hosted by [Provider] in [Location], certified under\nHCF at [Level], subject to [Laws]\").\n\n**Risk-based disclosure in financial services.** Financial regulators require\nenhanced disclosure for products above certain risk thresholds. A basic savings\naccount requires minimal disclosure; a complex derivative requires a\nproduct-disclosure statement. The trigger is the risk profile of the product, not\nthe medium of interaction. Applied to sovereignty: disclosure triggers should be\ncalibrated to the sensitivity of the data being processed, not applied uniformly.\n(Derived from the APRA and PRA regulatory frameworks discussed elsewhere in this\nterritory; no standalone source URL.)\n\n**Step-up authentication (identity systems).** Multi-factor authentication systems\nuse risk-based step-up: low-risk actions require a password; high-risk actions\nrequire a second factor. The trigger is the risk of the specific action, not the\nsession as a whole. This model transfers to sovereignty disclosure: routine\ninteractions proceed with minimal disclosure; sensitive interactions trigger\nexplicit sovereignty confirmation. (General pattern from identity management,\nreferenced in Territory 2 research; no standalone source URL.)\n", "transferability": "For agent-mediated interactions, the trigger should be machine-evaluable: the agent\nshould be able to determine, before processing data, whether the sovereignty profile\nof the available infrastructure is adequate for the data classification of the\ntransaction. If there is a mismatch (sensitive data being processed on\nnon-sovereign infrastructure), the agent should escalate to the citizen.\n\nThe design pattern is a \"sovereignty checkpoint\": a machine-readable pre-processing\ncheck that compares the data classification of the interaction against the\nsovereignty tier of the processing infrastructure. If the match is adequate,\nprocessing proceeds with a minimal indicator. If there is a mismatch, the citizen is\npresented with a clear disclosure and, where possible, a choice. This avoids the\ncookie-banner failure mode by triggering only on genuine jurisdictional boundary\ncrossings, and avoids information overload through progressive disclosure.\n" } ] }