Policy Position · June 2026
AI guardrails need infrastructure,
not improvisation.
The United States can govern frontier AI the way the EU AI Act governs it — through a structured, transparent, fact-grounded process — without the licensing regime it has rejected. The missing piece is a verifiable evidence layer at the point of deployment. RCAN provides that layer for embodied AI; the Robot Registry Foundation provides the institution that anchors it.
What this document is.
A position paper from the RCAN protocol project and the Robot Registry Foundation (RRF). RCAN is an open technical specification, not a regulator; RRF is a standards and registry body, not a government agency. The June 2026 events summarized below are drawn from public reporting and the involved companies' own statements, cited inline. Our proposals describe a structure the US government could adopt and the deployment-layer infrastructure that would make it enforceable — not legal advice or a claim of regulatory authority.
The catalyst: two directives, ten days apart
In June 2026 the United States demonstrated, in the space of ten days, both halves of the problem it has not yet solved: how to set a predictable national policy for frontier AI, and how to act on a specific safety concern without contradicting that policy.
Executive Order 14409 — the voluntary framework
The White House issued an executive order establishing an innovation-first, voluntary framework for frontier models. Agencies were directed to design a pre-release engagement process by August 1, 2026, with NSA and CISA building a classified cyber-capability benchmark. The order pointedly imposed no licensing and no preclearance requirement — the US rejecting the EU's mandatory model.
The Fable 5 / Mythos 5 directive — ad-hoc enforcement
At 5:21pm ET on June 12, the government ordered Anthropic to suspend access to its most capable models — Fable 5 and Mythos 5 — for every foreign national, inside or outside the United States, including the company's own employees, citing national security. The stated basis was a verbal notice of a "potential narrow, non-universal jailbreak." To comply, Anthropic disabled both models for all customers. It was the first US export-control directive ever issued for access to a large language model.
The two actions are not contradictory in intent, but they are incoherent as policy. A voluntary, no-preclearance framework was announced, and then a hard recall was imposed on a deployed model serving hundreds of millions of users — on the strength of a verbal notice, with no published standard for what triggers such an action or how a provider contests it.
The structural gap
Anthropic's own response named the missing piece precisely. The company stated that the government should be able to block unsafe deployments — but through "a statutory process that is transparent, fair, clear, and grounded in technical facts," and that this action did not meet that bar. It warned that if a narrow potential jailbreak were sufficient grounds for recall, applied across the industry, it "would essentially halt all new model deployments for all frontier model providers."
🇪🇺 The EU approach
The EU AI Act is a structured law: risk tiers, defined obligations per tier, conformity assessment, a public database, and named enforcement bodies. A provider knows in advance what is required and how compliance is demonstrated and contested. Predictability is the product.
🇺🇸 The current US reality
A voluntary framework plus discretionary enforcement. No published threshold for intervention, no defined evidentiary standard, no due-process channel. A provider cannot know in advance what triggers a recall — and, as June showed, may learn of the basis only verbally.
The transparency paradox
There is a deeper hazard. Anthropic had stated publicly, in good faith, that perfect jailbreak resistance is impossible — a candid disclosure of a known limitation. That candor appears to have supplied the conceptual frame for the concern that triggered the directive. The lesson the market will draw is corrosive: disclosing a limitation invites action while staying silent does not. A governance regime that punishes transparency selects for opacity. Any durable US framework must invert that incentive — making verifiable disclosure the safe, rewarded path.
The gap, then, is not a missing law and not a missing value. It is a missing evidence layer: a fact base, captured the same way every time, that a transparent statutory process could actually run on. Process needs facts; facts need infrastructure.
What a guardrail actually is
"Guardrail" is used loosely to mean a content filter wrapped around a model's output. For text that is often adequate. For AI that acts — in robots, agents, and physical systems — a filter outside the execution boundary observes outputs but cannot constrain what the system attempts or when it dispatches. A real guardrail has four properties, and each must be verifiable by someone other than the operator:
1 · Structural, not advisory
Enforced before dispatch as a protocol invariant — not a check the model can reason around, rephrase past, or route around with a different tool call.
2 · Attributable
Every consequential action records which model produced it, at what confidence, and under whose authority — so cause can be reconstructed, not guessed at.
3 · Tamper-evident
The record is append-only and cryptographically chained, so a regulator or auditor can detect after-the-fact editing rather than trusting the operator's copy.
4 · Independently replayable
Evidence is a signed bundle anyone can re-verify from the bundle alone — not a dashboard screenshot or a vendor's assurance.
How RCAN provides these guardrails
RCAN already specifies the deployment-layer controls a transparent process would rely on. These are not proposals — they are defined in the RCAN specification today and running on physical hardware via the OpenCastor reference runtime. For the authoritative version/feature mapping, see the live compatibility matrix.
| Governance concern raised by the Fable 5 episode | RCAN provision |
|---|---|
| "Which model did this, and how sure was it?" — model identity is opaque after the fact. | §16.1 AI block — every audit record carries model_provider, model_id, inference_confidence, inference_latency_ms, and thought_id. Model attribution is a structural field, not a log line. |
| "Can the operator quietly edit the record?" — evidence integrity depends on trusting the operator. | §6 AuditChain — HMAC-SHA256 append-only chain; any edit breaks the hash linkage and is detectable by a third party from the bundle alone. |
| "A jailbreak produced an unsafe action." — a bad output reaches an actuator before any filter can intervene. | §16.2 confidence gates + §16.3 HiTL gates — per-scope thresholds and structural human-authorization gates enforced before dispatch. A low-confidence or gated action cannot reach an actuator regardless of how the model was manipulated. |
| "Was a human actually in control?" — human oversight is asserted but not provable. | §16.3 structural PENDING_AUTH → AUTHORIZE flow signed by an OWNER principal; §2 RBAC role boundaries an agent cannot self-escalate. Oversight is recorded as a signed event. |
| "Is this output AI-generated?" — provenance of agent actions is unverifiable downstream. | §16.5 AI output watermarking — an HMAC watermark token on every AI-generated COMMAND, with a verification endpoint, so downstream systems can confirm provenance. |
| "What standard was the deployment held to?" — no measurable, comparable bar. | L1–L4 conformance suite — quantitative pass/fail per requirement, producing a signed, independently replayable conformance bundle. |
RCAN's lane is the deployment and embodiment layer — where a model becomes an action. It does not regulate how a frontier lab trains or weights a model. That distinction is the point: most AI risk that touches the physical world materializes at deployment, and that is exactly where verifiable evidence is cheapest to capture and most useful to a regulator.
The institutional layer: the Robot Registry Foundation
A protocol produces evidence; an institution makes it count. The EU AI Act works because of named bodies — notified bodies, market-surveillance authorities, a public registration database. The US framework, as of June 2026, has no analogous neutral institution for embodied AI.
The Robot Registry Foundation is positioned to be that anchor — a standards-and-registry body that already operates the pieces a structured process needs:
A public registry
Robots and agents identified by RRN / Robot URI — the EU AI Act's "public database," but for deployed embodied systems, with cross-registry federation built in.
Replayable attestation
Conformance asserted via signed bundles that anyone can re-verify — evidence a regulator can check without trusting the operator or the vendor.
An open spec
The requirements are public and versioned. No vendor lock-in, no black-box compliance product — the standard itself is auditable.
One honest boundary: RRF's conformance is self-asserted and independently replayable, not third-party certification. That is a feature for a fast-moving field — but if the US wants certification-grade assurance, RRF's bundles are the substrate an accredited body would audit against. See Framework Coverage for the "conformance is not certification" boundary.
Recommendations
Five proposals for the US government
These keep the US framework's innovation-first, no-preclearance posture intact. They add what June showed is missing: a predictable, evidence-based process for when the government does act — the EU AI Act's structure, delivered through infrastructure rather than a licensing bureaucracy.
Codify a transparent statutory standard for intervention
Replace verbal, discretionary directives with a published standard: what evidence triggers a deployment restriction, what notice and written basis a provider receives, and how it contests the action. This is exactly the "transparent, fair, clear, and grounded in technical facts" process the affected provider itself called for.
RCAN/RRF role: the standard can require technical facts in a defined, replayable form — RCAN audit bundles — so "grounded in fact" is operational, not aspirational.
Make deployment-layer evidence the unit of accountability
Rather than recalling a general-purpose model over a narrow jailbreak — which, applied consistently, would halt all deployment — hold the deployment accountable through verifiable guardrails and audit. A jailbreak that cannot produce an unsafe physical action because a structural gate blocks it is a contained risk, and the audit chain proves containment.
RCAN/RRF role: §16.2/§16.3 gates plus §6 AuditChain shift the question from "can this model ever be tricked?" (unanswerable) to "can this deployment act unsafely, and can we prove it?" (testable).
Reward transparency instead of penalizing it
Establish a safe-harbor: providers and deployers who disclose known limitations and maintain verifiable guardrails receive procedural protection — graduated remediation before any blunt restriction. This inverts the corrosive incentive June created, where candor invited action and silence did not.
RCAN/RRF role: watermarking (§16.5), model-identity audit (§16.1), and signed conformance bundles give a deployer concrete artifacts that earn the safe harbor.
Adopt a tiered, risk-based scope — for embodiment
Borrow the EU AI Act's best idea — graduated obligations by risk — and apply it where the US framework is thinnest: AI that takes physical action. Obligations scale with consequence (a warehouse arm near people vs. a stationary sensor), mapped to RCAN conformance levels L1–L4 as the measurable rungs.
RCAN/RRF role: L1 (core) → L4 (registry) already provides quantitative, testable tiers; see Conformance.
Recognize an open, neutral registry for embodied AI
The EU AI Act has a public database and named bodies. The US should recognize an open, vendor-neutral registry for deployed robots and agents — public identity, federated discovery, replayable attestation — rather than building a closed government system or leaving a vacuum. Recognition, not control: the registry stays open and auditable.
RCAN/RRF role: the Robot Registry Foundation already operates this — RRN/Robot URI identity, cross-registry federation, and an open spec the government can point to without owning.
The EU AI Act's structure, the US's posture
The US does not need to copy the EU's licensing regime to gain its predictability. The two are separable: the EU AI Act's value is its structure, not its bureaucracy. Infrastructure supplies the structure; the US keeps its innovation-first posture.
| Function | EU AI Act | US today (June 2026) | RCAN + RRF proposal |
|---|---|---|---|
| Risk tiering | Statutory risk categories | None for embodied AI | L1–L4 conformance as measurable tiers |
| Evidence | Technical documentation (Annex IV) | Ad hoc; sometimes verbal | Signed, replayable RCAN audit bundles |
| Transparency | Art. 13, Art. 50 marking | Voluntary; disclosure can backfire | §16.5 watermarking + §16.1 model identity + safe harbor |
| Human oversight | Art. 14 | Asserted, not provable | §16.3 signed HiTL gates |
| Public registry | EU database (Art. 49) | None | RRF open, federated registry (RRN / Robot URI) |
| Enforcement posture | Mandatory, licensing-adjacent | Voluntary + discretionary recall | Voluntary + predictable, evidence-based process |
Detailed article-level mapping of RCAN provisions to the EU AI Act, NIST AI RMF, ISO 10218-1, and others is maintained on the Framework Coverage page.
The bottom line
The Fable 5 episode was not a failure of values — it was a failure of process built on facts. The United States can have the EU AI Act's predictability without its licensing regime, because the structure that makes governance fair is an evidence layer, and that layer can be open infrastructure. RCAN specifies it for embodied AI; the Robot Registry Foundation anchors it. The work is already shipping — what remains is for policy to point at it.
Sources
- Anthropic — Statement on the US government directive to suspend access to Fable 5 and Mythos 5
- CNBC — Anthropic disables access to Fable 5 and Mythos 5 to comply with government directive
- TIME — Anthropic Pulls Its Most Powerful AI Models After U.S. Bars Foreign Access
- Fortune — Anthropic disables Fable and Mythos AI models following U.S. government export ban
- Al Jazeera — US orders Anthropic to disable AI models for all foreign nationals
- Latham & Watkins — Executive Order Establishing AI Cybersecurity and Frontier Model Framework (EO 14409)
- Norton Rose Fulbright — EO sets voluntary 'early access' framework for AI models
This position paper reflects the views of the RCAN protocol project and the Robot Registry Foundation. It summarizes public reporting and the involved parties' own statements for context and does not assert any regulatory authority. Citations of specific intervention timestamps and the "narrow, non-universal jailbreak" characterization are drawn from the sources above.