We filed our NIST RFI. Here is what we said.
On March 9, 2026, we filed our response to NIST RFI Docket 2025-0035, tracking number mmk-190r-hvap. The RFI asked for public input on AI safety, evaluation, and oversight. The window closed on March 15. We were not the loudest voice in the docket. The major AI providers filed. The major think tanks filed. The major consultancies filed.
We filed something most of them did not.
The position is structural separation. The entity that ships the AI cannot also operate its defense layer.
That is the whole filing in one line. Everything else is mechanics.
Why this is the only argument that matters
Every other industry that handles consequential outputs eventually figured this out, usually after a failure forced the lesson. Securities issuers cannot audit their own filings. Pharmaceutical companies cannot certify their own clinical trials. Aircraft manufacturers cannot operate their own crash investigations. Each of those structures was built after a generation of self-regulation produced casualties.
AI is now in the early phase of that same arc. The providers run the model, the safety evaluations, the red team, and the audit trail. They publish the harm rates. They define the categories of harm. They decide what counts as a violation. When something goes wrong, they investigate themselves. When the investigation completes, they publish a blog post.
This is the structure of self-regulation, and self-regulation has never worked in any industry where the cost of failure was distributed across people who were not the operator. We are not skeptical of the people running the major labs. The point is not personal. The point is that no individual at any provider has the authority to act against their employer's commercial interest, and no individual at any provider can be sued, subpoenaed, or compelled to produce evidence that their employer would prefer not to produce.
That is not a defense layer. It is a marketing function with logging.
What we filed, in three pieces
VOAF (Verifiable Output Audit Format)
A cryptographic chain that records every AI agent action, signed by an authority outside the provider, verifiable by any third party without trusting the issuing entity. The format is open. The reference implementation, vigil-verify, is open source. Anyone can rebuild it from source and confirm a chain holds.
The point of VOAF is not data collection. The point is that audit trails which depend on the operator being honest are not audit trails. They are publication. A regulator examining a VOAF chain six months after an incident does not need to trust the provider. They do not need to trust Vigil either. They verify the cryptography.
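A minimal illustration of the property described above, added here as an example; it is not the VOAF format and not vigil-verify code. The record fields, the all-zero genesis value, and `anchored_head` (standing in for a head hash whose outside-authority signature has already been verified) are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev-hash value for the first record

def record_hash(prev_hash, body):
    """Hash of one record: binds the body to everything before it."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()

def append(chain, body):
    """Append an action record linked to the current head; return new head."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "body": body, "hash": record_hash(prev, body)})
    return chain[-1]["hash"]

def verify(chain, anchored_head):
    """Return (ok, reason). anchored_head is the head hash the outside
    authority signed; checking that signature is assumed done elsewhere."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev:
            return False, f"record {i}: broken link"
        if record_hash(rec["prev"], rec["body"]) != rec["hash"]:
            return False, f"record {i}: body altered"
        prev = rec["hash"]
    if prev != anchored_head:
        return False, "head does not match anchored checkpoint"
    return True, "ok"

def build_sample():
    """Constructed sample: three agent actions plus the checkpointed head."""
    chain = []
    for body in ({"agent": "agent-1", "action": "read", "target": "crm/contacts"},
                 {"agent": "agent-1", "action": "send_email", "target": "ext@example.com"},
                 {"agent": "agent-1", "action": "read", "target": "hr/payroll"}):
        head = append(chain, body)
    return chain, head

def rewrite_without(chain, index):
    """An operator's self-consistent rewrite that omits one record."""
    rewritten = []
    for i, rec in enumerate(chain):
        if i != index:
            append(rewritten, rec["body"])
    return rewritten

if __name__ == "__main__":
    chain, head = build_sample()
    print(verify(chain, head), verify(rewrite_without(chain, 1), head))
```

The rewritten chain is internally consistent, so hash-linking alone would accept it; only the checkpoint held outside the operator exposes the omission.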
TAP (Trusted Agent Protocol)
Identity for AI agents. Today, when an agent acts on your behalf, the receiving system has no way to distinguish a legitimate agent from a compromised one, and no way to verify the chain of authority that produced the action. TAP fixes this with attestation certificates, authority chains with delegation transitivity, and a counterparty handshake that closes in single-digit milliseconds.
We filed TAP v1.0 publicly on March 20, 2026. The spec is published. The reference implementation is in our codebase. Any provider can adopt it. Several have asked. None have committed.
VARP (Vigil Agent Revocation Protocol)
The kill switch. When an agent is compromised, you do not have time to email every counterparty. VARP propagates revocation across every surface that was ever authorized to act for the agent, in under one second, signed and verifiable. This is the protocol equivalent of a credit card freeze, except instead of a card number, you are freezing a non-human actor whose blast radius is whatever you authorized it to touch.
VARP is the answer to the question regulators are starting to ask out loud: when an agent goes wrong, who pulls the plug, and how fast does the plug pull?
The argument inside the filing
Three points, in order of weight.
One: provider self-policing has a structural conflict of interest. Not a cultural one. Not an incentive misalignment that better governance can fix. Structural. The entity that earns revenue per token has no commercial mechanism to escalate harms above a threshold their commercial team has not approved. Every provider safety team in history has been overruled by a release deadline at least once. The ones that have not been are simply too young to have hit the moment yet.
Two: cross-provider visibility is structurally impossible for any single provider to replicate. A user today runs Claude, ChatGPT, Gemini, and Cursor in the same workflow. No provider sees the other three. No provider can. To do so would require becoming a proxy, which would require giving up their own model's privileged position in the request path. They will not do this. The only entity that can see across providers is one that sits outside all of them. That is a structural fact, not a competitive one.
Three: enforcement must be deterministic. Statistical models can detect anomalies. They cannot enforce policy. An LLM in the enforcement path is a prompt injection waiting to happen, and any defense layer that uses one is shipping a vulnerability as a feature. Detection is statistical. Enforcement is deterministic rules. The two surfaces must not touch. We make this argument because we have seen the alternative quietly shipped, and the alternative does not survive contact with a motivated attacker.
What we asked NIST to do
The filing made four recommendations.
The first is to define a regulatory category for independent AI defense providers, separate from the providers themselves, with disclosure obligations and integrity requirements that operators cannot meet without structural separation from the entities they monitor.
The second is to mandate cryptographic audit trails for any AI agent acting in regulated contexts, with the verifiability standard set by an open format that does not depend on a particular vendor's continued operation. We proposed VOAF as one such format. We do not need it to be VOAF. We need it to be open and verifiable.
The third is to require revocation propagation as a property of any agent system that operates across more than one counterparty. The current state, where a compromised agent continues acting until each counterparty manually revokes its access, is the structural equivalent of a stolen credit card that takes six weeks to cancel.
The fourth is to draw a clean line between detection and enforcement in any AI defense framework that NIST endorses. Statistical detection on the request side is one function. Deterministic enforcement on the response side is a different function. Architectures that mix the two by routing enforcement decisions through statistical models inherit every weakness of those models, including prompt injection. A framework that does not specify this separation will produce a generation of defense products that are themselves exploitable. The framework should specify it.
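The separation argued for above, sketched as an added example (not code from the filing or from any Vigil product): the verdict is a pure function of structured request fields and an ordered rule list, while the detector's score rides along for triage only. The policy, field names and threshold are constructed for illustration.

```python
from fnmatch import fnmatchcase
from typing import NamedTuple

class Rule(NamedTuple):
    agent: str      # glob over agent id
    action: str     # glob over action name
    resource: str   # glob over resource path
    effect: str     # "allow" or "deny"

# Constructed policy: ordered, first match wins, anything unmatched is denied.
POLICY = [
    Rule("*", "*", "hr/*", "deny"),
    Rule("support-*", "read", "crm/*", "allow"),
    Rule("support-*", "send_email", "mail/internal/*", "allow"),
]

class Decision(NamedTuple):
    effect: str
    rule_index: int        # -1: no rule matched, or the request was malformed
    detector_score: float  # carried for triage, never consulted for the verdict

def enforce(request, detector_score=0.0, policy=POLICY):
    """Decide from agent, action and resource only. Free text in the request
    and the statistical score are not inputs to the verdict."""
    resource = request["resource"]
    if ".." in resource.split("/"):  # refuse paths that could dodge a glob
        return Decision("deny", -1, detector_score)
    for i, rule in enumerate(policy):
        if (fnmatchcase(request["agent"], rule.agent)
                and fnmatchcase(request["action"], rule.action)
                and fnmatchcase(resource, rule.resource)):
            return Decision(rule.effect, i, detector_score)
    return Decision("deny", -1, detector_score)

def triage_queue(decisions, threshold=0.8):
    """Detection side: surface high-scoring requests for review.
    The verdicts already issued are left untouched."""
    return [d for d in decisions if d.detector_score >= threshold]
```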
The cost of getting this wrong
The window for setting this up correctly is short. Once the major providers have entrenched their internal safety functions as the regulatory baseline, dislodging them requires a generation. The financial industry took fifty years to install structural separation between issuers and auditors. The aviation industry took forty. Pharmaceuticals took longer than that.
AI does not have forty years before the first systemic failure. The McKinsey Lilli incident in March 2026 was a preview, not an aberration. The next one will be larger. The one after that will be larger still. Somewhere in the next 18 to 36 months, the question of who held the audit trail and who held the kill switch will be asked under oath.
When that question is asked, the answer cannot be "the company whose product caused the incident."
What happens next
NIST will produce a synthesis of the docket. The synthesis will inform a follow-up framework, which will inform proposed rulemaking, which will inform an eventual standard. This process takes years. We do not have years. So in parallel with the regulatory track, we are building the technical layer that operators can adopt now, voluntarily, without waiting for the rule.
VOAF is published. TAP is published. VARP is published. vigil-verify is open source. The reference implementation runs locally on a Mac. Any enterprise that wants cryptographic audit and cross-provider visibility today, without waiting for NIST, can have it today.
We did not file the RFI to wait. We filed it to mark the position publicly so the eventual standard cannot be written without us in the room.
The standard will get written. The only question is whether the people writing it understand the structural argument, or whether the providers convince them, again, that self-regulation is enough.
It is not enough. It has never been enough. The filing is on the public record now. So is this post.