◆ PILLAR
The shape of AI regulation
Compliance, CVE triage, export controls, and the political economy of AI governance — what actually binds the deployment surface, and what's theater.
The week the scoring stopped
In the same news cycle that NIST signaled it would narrow CVE enrichment to critical vulnerabilities only — leaving the medium-severity tier where most real-world exploitation actually thrives unscored — defenders absorbed five CVSS 9+ disclosures across the stack: an 18-year-old unauthenticated RCE in the NGINX rewrite module, a CVSS 10.0 auth bypass in Traefik, plaintext secret extraction in Argo CD at 9.6, LiteLLM already on the CISA KEV with confirmed active exploitation, and a 9.1 directory traversal in Spring Cloud Config. The NGINX bug alone sits on the edge of most ingress controllers, API gateways, and the appliances that quietly bundle it; the vulnerable code path runs before auth middleware in roughly 90% of production configurations. That is the regulatory environment as it actually exists in 2026: the public scoring infrastructure is contracting at exactly the moment the disclosure surface is widening, and the governance frameworks layered on top — EU AI Act classifications, export controls, vendor compliance attestations — are being built on a triage substrate that no longer covers the middle of the distribution.
This is the shape of AI regulation right now. Not the press releases. The substrate.
What binds and what doesn’t
The EU AI Act’s high-risk system classifications are binding law. The certification bodies that are supposed to operationalize them are not staffed to the implied volume, and the gap has produced a stable equilibrium of shadow compliance — vendors self-attesting against checklists that no notified body will examine within the contract cycle. Procurement teams have learned to accept the attestation, mark the box, and move on. The text of the regulation is enforceable in principle; the enforcement queue is not.
Export controls show the same pattern in inverse. The hardware tiers are policed reasonably well at the chip level, but the binding constraint on AI capability has shifted to compute density per dollar, and the workaround surface there is software optimization — distillation, quantization, mixture-of-experts routing, kernel-level rewrites. Anthropic’s June 15 removal of what was effectively a 70-90% subsidy on Claude-backed agents and eval harnesses tells the same story from the commercial side: when the price of frontier inference normalizes, the regulatory levers that assumed a hardware-bound capability frontier lose grip. The export rule that matters in practice is not the one printed in the Federal Register. It is whatever the cheapest token-per-dollar provider charges this quarter.
The NIST narrowing is the most consequential of the three because it changes the inputs every other regime depends on. Compliance frameworks, cyber insurance underwriting, vendor risk questionnaires, and the EU AI Act’s own incident-reporting expectations all assume an enriched CVE feed as ground truth. Strip the medium-severity tier out of that feed and the entire downstream apparatus is reasoning about a smaller world than the one attackers actually operate in.
Patch is not remediation anymore
Three of April 2026’s notable vulnerabilities survived patches, reboots, and token invalidation. That is no longer an edge case worth flagging — it is the working assumption. The Miasma supply-chain worm, which has infected 73 Microsoft-owned GitHub repos and more than 50 npm packages with a Rust-based credential stealer, persists by virtue of being upstream of the patch surface entirely. Cisco Catalyst SD-WAN Manager remains under active exploitation with no patch available. Meta’s AI chatbot was socially engineered into changing the registered email on high-profile Instagram accounts — the first clean, public proof that LLM-fronted identity flows are a credential-theft vector, and one that no CVE will ever describe because the vulnerability is the product surface itself.
Regulators have not absorbed this. The compliance regime still treats “patched” as a terminal state, and audit evidence still flows through patch-management dashboards. That model assumes vulnerabilities are discrete, addressable, and resolved by vendor-issued fixes. The actual deployment surface — agent tool-use chains, OAuth token graphs, package-manager transitive dependencies, AI-fronted account recovery — does not decompose into discrete patches. A serious governance regime would require remediation evidence at the level of attacker capability removal, not vendor advisory closure. None of the current frameworks do.
The EDR transparency problem
A TrustedSec study this quarter showed AI systems reverse-engineering all five major commercial EDR products in days rather than weeks, and Anthropic’s Mythos became the first model to clear both UK AISI simulated attack ranges end-to-end autonomously. The defensive stack that compliance frameworks list as a control — endpoint detection and response — has become structurally transparent to a capability tier that is now commercially available. The control is checked in the audit. The control no longer does what the audit assumes it does. This gap is going to widen before any regulator names it.
Vendor data disposition is the next audit vector
The quietest item in the regulatory landscape is also the one most likely to produce a forcing event. Defunct SaaS companies are selling internal archives — customer data, prompt logs, internal documents, support tickets — to training labs. The contracts that governed the original data collection generally specified deletion on termination; the bankruptcy estates selling the data assets do not consider themselves bound by the dissolved entity’s privacy commitments, and the receiving labs treat the provenance question as the seller’s problem.
This is where the next round of enforcement will land, because it is the rare AI-governance question with a clean legal hook: contract law, not novel regulation. Data processing agreements with disposition clauses are enforceable. The audit vector is straightforward — verify deletion at vendor offboarding, log the verification, retain the evidence. Almost no one does this rigorously today. Almost everyone will be asked to within twelve months.
Operational posture
For practitioners, the implication is that the public regulatory surface and the binding regulatory surface have drifted apart, and the work this quarter is to operate against the latter.
- Build an internal CVE enrichment layer that does not depend on NIST. Subscribe to vendor advisories directly, ingest the CISA KEV, and score medium-severity CVEs against your own deployment topology: which products you run, which components are actually loaded, and which of those are reachable before authentication from the internet. Assume the public feed will degrade further. The NGINX rewrite bug, whose vulnerable path runs ahead of auth middleware in roughly 90% of production configurations, is the canonical example of a vulnerability that needed local context to triage correctly.
- Replace patch-closure metrics with capability-removal metrics. For every advisory, document what attacker capability the patch eliminates and verify the elimination in production. If the vulnerability persists across patch, reboot, and token invalidation — as three April 2026 bugs did — the ticket does not close.
- Audit vendor data disposition clauses now, before a defunct-vendor sale forces it. Inventory which DPAs include deletion-on-termination, which include training-data prohibitions, and which vendors are at financial risk. Treat the bankruptcy scenario as a live threat model, not a hypothetical.
- Price your AI stack against the post-subsidy curve. Anthropic’s June 15 metering change is a preview. Recompute agent and eval-harness economics assuming the implicit 70-90% discount is gone everywhere within a year, and decide which workloads survive that pricing before the market does it for you.
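One way to build the local enrichment layer described in the first item above, as an added example that is not code from this page or from any vendor or feed: the script takes a KEV-shaped JSON document, a list of normalised vendor advisories and an asset inventory, and re-scores each advisory by whether the vulnerable component is actually deployed, whether it is reachable pre-auth from the internet, and whether it is on the KEV. The KEV excerpt, advisories, inventory and scoring weights are all constructed for illustration; the CVE IDs use year 0000 and are not real CVEs, and the KEV excerpt only borrows the field names of the CISA feed (cveID, vendorProject, product, dateAdded), not its contents. The enrichment floor of 9.0 is an assumption matching the critical-only narrowing the page describes.

```python
"""Local CVE triage: re-score advisories against our own deployment topology.

Added example, not code from the page or any vendor. The KEV excerpt,
advisories and inventory below are constructed; the CVE IDs use year 0000
and are not real CVEs.
"""
import json

# Assumption: upstream enrichment now stops below "critical" (CVSS 9.0),
# so anything under this floor arrives without a public score.
ENRICHMENT_FLOOR = 9.0

# Constructed KEV excerpt. Field names mirror the CISA KEV JSON feed
# (cveID, vendorProject, product, dateAdded); the entry itself is not real.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCorp",
     "product": "gateway", "dateAdded": "2026-06-01"},
]})

# Constructed vendor advisories, as we would normalise them from vendor feeds.
ADVISORIES = [
    {"cve": "CVE-0000-0001", "product": "ingress-proxy", "component": "rewrite",
     "cvss": 5.3, "pre_auth": True, "network": True},   # medium, pre-auth edge bug
    {"cve": "CVE-0000-0002", "product": "gateway", "component": "auth",
     "cvss": 6.1, "pre_auth": False, "network": True},  # medium, but on the KEV
    {"cve": "CVE-0000-0003", "product": "batch-runner", "component": "cli",
     "cvss": 9.8, "pre_auth": True, "network": False},  # critical, local vector only
    {"cve": "CVE-0000-0004", "product": "mail-relay", "component": "smtp",
     "cvss": 7.5, "pre_auth": True, "network": True},   # high, not deployed here
]

# Constructed deployment inventory: product, loaded components, exposure.
INVENTORY = [
    {"asset": "edge-ingress-01", "product": "ingress-proxy",
     "components": ["rewrite", "tls"], "internet_facing": True},
    {"asset": "dev-proxy", "product": "ingress-proxy",
     "components": ["tls"], "internet_facing": False},
    {"asset": "api-gw-02", "product": "gateway",
     "components": ["auth", "ratelimit"], "internet_facing": True},
    {"asset": "batch-07", "product": "batch-runner",
     "components": ["cli"], "internet_facing": False},
]


def load_kev(kev_json: str) -> set[str]:
    """Return the set of CVE IDs in a KEV-shaped JSON document."""
    return {v["cveID"] for v in json.loads(kev_json)["vulnerabilities"]}


def exposed_assets(adv: dict, inventory: list[dict]) -> list[dict]:
    """Assets that run the product *and* load the vulnerable component."""
    return [a for a in inventory
            if a["product"] == adv["product"] and adv["component"] in a["components"]]


def local_score(adv: dict, inventory: list[dict], kev: set[str]) -> tuple[float, list[str]]:
    """CVSS adjusted for what we actually run and how it is reached.

    The weights are illustrative policy, not a standard. The shape is what
    matters: KEV listing and pre-auth internet exposure push a medium up;
    an undeployed or local-only bug drops out of the queue.
    """
    hits = exposed_assets(adv, inventory)
    if not hits:
        return 0.0, ["not deployed: product/component absent from inventory"]
    score, reasons = adv["cvss"], []
    internet = [a["asset"] for a in hits if a["internet_facing"]]
    if adv["cve"] in kev:
        score += 3.0
        reasons.append("listed in CISA KEV (active exploitation)")
    if adv["pre_auth"] and adv["network"] and internet:
        score += 3.0
        reasons.append(f"pre-auth path reachable from the internet on {internet}")
    if not adv["network"]:
        score -= 3.0
        reasons.append("local attack vector only")
    if not internet:
        score -= 1.0
        reasons.append("no internet-facing instance")
    return round(max(0.0, min(10.0, score)), 1), reasons


def triage(advisories: list[dict], inventory: list[dict], kev: set[str]) -> list[dict]:
    """Rank advisories by local score, highest first, and flag the ones the
    narrowed public feed would have delivered without enrichment."""
    rows = []
    for adv in advisories:
        score, reasons = local_score(adv, inventory, kev)
        rows.append({"cve": adv["cve"], "cvss": adv["cvss"], "local_score": score,
                     "upstream_enriched": adv["cvss"] >= ENRICHMENT_FLOOR,
                     "reasons": reasons})
    return sorted(rows, key=lambda r: r["local_score"], reverse=True)


if __name__ == "__main__":
    for row in triage(ADVISORIES, INVENTORY, load_kev(KEV_JSON)):
        flag = "" if row["upstream_enriched"] else " [unscored upstream]"
        print(f'{row["cve"]} cvss={row["cvss"]} local={row["local_score"]}{flag}')
        for reason in row["reasons"]:
            print("   -", reason)
```

Run as-is, the two medium advisories end up at the top of the queue (the KEV-listed one at 9.1, the pre-auth internet-facing one at 8.3) while the 9.8 local-only bug on an internal batch host falls to 5.8 and the undeployed product scores 0. That inversion is the whole point of keeping the scoring local: the public feed would have enriched only the 9.8.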
Sources
- https://promitb.dev/daily/2026-06-08/security_analyst/
- https://promitb.dev/daily/2026-06-07/security_analyst/
- https://promitb.dev/daily/2026-06-06/engineer/
- https://promitb.dev/daily/2026-06-06/security_analyst/
- https://promitb.dev/daily/2026-06-04/engineer/
- https://promitb.dev/daily/2026-06-04/leader/
- https://promitb.dev/daily/2026-06-04/security_analyst/
- https://promitb.dev/daily/2026-05-31/engineer/
- https://promitb.dev/daily/2026-05-31/leader/
- https://promitb.dev/daily/2026-05-31/security_analyst/
- https://promitb.dev/daily/2026-05-30/data_scientist/
- https://promitb.dev/daily/2026-05-30/engineer/
- https://promitb.dev/daily/2026-05-30/leader/
- https://promitb.dev/daily/2026-05-30/product_manager/
- https://promitb.dev/daily/2026-05-30/security_analyst/