Skip to content
Alignentalignent
01For enterprises and safety teams

The rules are arriving.
The infrastructure isn't ready.

Every major AI regulation now on the books, and the ones already on a 2026 and 2027 schedule, assumes that deployed AI systems can be disclosed, scoped, audited, and revoked. None of them say how. Most enterprises are improvising in software the agent itself can be tricked into bypassing.

Alignent is building the infrastructure underneath. Identity, scope, lifecycle, and audit for agentic systems, enforced at the network layer instead of the application layer.

Get on the listTalk to us
02The problem

Four problems regulation can name but not solve.

  • 01
    Disclosure. Almost every new AI law requires telling people when they're interacting with AI. A piece of software can claim it disclosed. A network-bound identity can prove it. The difference matters when the question moves from policy to evidence.
  • 02
    Scope. “The agent should only do X” is a sentence. Mission scope is the same sentence enforced cryptographically before the agent attaches to a network. Spending caps, geographic limits, time windows, permitted purposes, all encoded into the identity, all checked on every connection, none of it living in a prompt the agent can be jailbroken out of.
  • 03
    Revocation. When something goes wrong, an enterprise needs an off switch that works. Pulling an API key leaves connectivity intact for as long as the agent's session lives. A network-layer burn terminates connectivity in seconds and writes the immutable record that the audit will eventually ask for.
  • 04
    Audit trail. Every issuance, modification, scope change, revocation, and termination is a permanent record on infrastructure the deploying organization doesn't have to maintain itself. When the regulator, the customer, or the litigation arrives, the answer is already on the chain.
03The regulatory clock

A timeline of what's already in effect and what's coming.

Dates verified from primary sources. None are speculative.

Last verified May 2026. Updated as regulations evolve.

  1. January 1, 2026

    California SB 243 (Companion Chatbot Law)

    Operators of AI companion chatbots in California must disclose that users are interacting with AI, implement crisis-response protocols, and prepare for annual reporting. Includes a private right of action.

  2. January 1, 2026

    Texas TRAIGA (HB 149)

    Texas Responsible Artificial Intelligence Governance Act takes effect. Disclosure requirements for government and healthcare interactions, prohibitions on certain AI uses, and a NIST AI RMF safe harbor. Enforced by the Texas Attorney General.

  3. February 1, 2026

    Colorado AI Act

    Disclosure obligations for consumer-facing AI systems take effect, unless interaction with AI would be obvious to a reasonable person.

  4. February 5, 2026

    FCC Robocall Mitigation Database final rule

    Voice service providers face stricter reporting requirements and higher penalties for inaccurate filings. Builds the enforcement infrastructure that AI-generated call rules will eventually plug into.

  5. February 2026

    NIST AI Agent Standards Initiative launched

    Through the Center for AI Standards and Innovation (CAISI), NIST opens work on voluntary guidelines for agentic AI systems.

  6. April 7, 2026

    NIST AI RMF Profile for Critical Infrastructure

    Concept note released. Guidance for critical-infrastructure operators using AI-enabled capabilities.

  7. TodayMay 2026
    August 2, 2026

    EU AI Act Article 50 transparency rules apply

    Providers of AI systems interacting directly with people must disclose the AI nature of the interaction. AI-generated synthetic content must be marked in machine-readable form.

  8. August 2, 2026

    California AI Transparency Act (SB 942 / AB 853) operative

    Date extended to align with the EU AI Act. Covered generative-AI providers face disclosure, detection-tool, and contractual obligations. Enforced by the California Attorney General with civil penalties.

  9. Q4 2026

    NIST AI Agent Interoperability Profile planned release

    First formal U.S. federal standards work specifically on agentic AI identity and interoperability.

  10. December 2, 2026

    EU AI Act Article 50 deferred deadline for existing systems

    AI systems generating synthetic content placed on the EU market before August 2, 2026 must comply with marking obligations.

  11. July 1, 2027

    California SB 243 annual reporting begins

    Companion chatbot operators must begin filing annual reports with the California Office of Suicide Prevention.

  12. August 2, 2027

    EU AI Act compliance deadline for pre-existing General-Purpose AI models

    Providers of GPAI models placed on the EU market before August 2, 2025 must reach full compliance.

  13. December 2, 2027

    EU AI Act high-risk AI system obligations

    Annex III high-risk AI obligations (biometrics, critical infrastructure, education, employment, migration, asylum, border control) take effect.

04The pattern

Every regulation in that list is asking for the same primitives.

Read the laws above and the same four words show up over and over: disclose, scope, revoke, audit. The drafters are reaching for an infrastructure layer that doesn't exist yet, and writing requirements around the absence of it.

The compliance industry is responding with policies, training, and documentation. Useful, but not the same as enforcement.

An agent identity that is verifiable at the network, scoped before it acts, revocable in seconds, and auditable by default, is the substrate the laws above are reaching for. That's what a +1+1 is.

Disclose. Scope. Revoke. Audit.

05Inside an enterprise

Where Alignent fits in a real AI-governance program.

For CISOs and security teams

Every agent your organization deploys is currently a piece of credentialed software with no independent identity. A compromised agent is indistinguishable from the original until something visible breaks. A +1+1 gives each agent a hardware-rooted identity, a defined operational envelope, and a revocation primitive that doesn't depend on the agent cooperating with its own shutdown.

For Chief AI Officers and AI risk leads

The NIST AI RMF, the OWASP Top 10 for Agentic Applications, and the EU AI Act all describe controls. They don't ship controls. A +1+1 is one of the few primitives that gives you a control surface external to the agent, which is the property the frameworks keep asking for and the products in the market keep failing to provide.

For Chief Compliance Officers and General Counsel

When the question "who did this, on whose authority, under what scope, with what audit trail" arrives, from a regulator, a customer, a court, you want the answer to be a record, not a deposition. Alignent's audit trail is designed to be that record.

For Chief Privacy Officers and trust and safety

Disclosure obligations under EU AI Act Article 50, California's chatbot laws, and the FCC's AI robocall direction all assume the user can know they're talking to AI. A +1+1 is the structural answer that makes the disclosure verifiable rather than self-attested.

06Where we are

The window to influence the spec is now.

The patent estate predates the category. The architecture is built on the primitives every framework above is converging on. Production SDK and sandbox are in active development with a small set of design partners.

If you're deploying agents at scale in the next 18 months and you want the rail to fit the regulation you'll be subject to, the list is open. Spots are limited. Design partners get input into the spec.

We write infrequently. Unsubscribe anytime.

Talk before launch: hello@alignent.com