Every enforceable and voluntary framework governing artificial intelligence today — across the European Union, the United States, the United Kingdom, China, the wider Asia-Pacific, Africa, and the major multilateral bodies — regulates the same layer. It regulates how an AI system is used, disclosed, documented, overseen, and deployed. It regulates the output and the process. Not one framework regulates the layer beneath that, where a model can be structurally turned against its own knowledge, and not one framework requires the only artifact that could prove, after the fact, that a given machine action was authorized, admissible, and bounded at the moment it occurred. This paper argues that the wrong layer is being regulated; that the reason is not incompetence but a shared blindness rooted in how these models were built and in the psychology of the people building the rules; and that a policy able to hold must be constructed from the bottom up — from the physics of the failure to the deployed reality — rather than from the top down as every current effort attempts. The paper draws a hard line between two failures that are routinely confused: the jailbreak, which extracts a forbidden output for the benefit of a skilled attacker, and the reality-change, which silently alters what an AI treats as true and makes the trusting human the point of failure. From that distinction it builds outward: the entry-point principle, under which governance that begins after the instruction has entered the system has already lost custody of intent; a reference architecture of required properties, stated without mechanism; a complete governance structure organized around five questions — meaning, authority, admissibility, execution, consequence; the anatomy of an underwriting- and court-grade record; a full taxonomy of dangers, edge cases, and failure cascades; the economics of drift, including a transparent first-order derivation placing its annual cost near 87 billion dollars; a jurisdiction-by-jurisdiction survey of the Western, multilateral, and Chinese regulatory records, all of which converge on the same blind spot; sector treatments spanning medicine, pharma, industry, finance, robotics, and the public interest; and a closing inversion — secured is not certified, certified is not governed — beneath a bottom-up framework guarded by its own conscience, because any safety architecture powerful enough to help is powerful enough to become an instrument of control. The mechanism of the primary adversarial research underlying this framework is deliberately withheld. What is reported is its existence, its effects, and their consequences for policy. Everything in this paper is stated at the level of required properties, architecture-neutral, so that it stands on the argument rather than on an implementation. Authors contributed equally. Author order is alphabetical by surname and denotes neither seniority, precedence, nor relative contribution. Version 1.0. Subsequent versions will be issued under the same Zenodo concept DOI. Artifact integrity — SHA-256 of the deposited PDF:df8170fd8cd1ca45c5be8b2060d90dd88b9297b3a8979374c576429d8ea19b6f
Stuart et al. (Thu,) studied this question.
Synapse has enriched 5 closely related papers on similar clinical questions. Consider them for comparative context: