Technical Innovations for AI Policy 2026: What We Heard, and What It Means

‍Governing AI Requires Tools We Don't Yet Have

The second annual Technical Innovations for AI Policy (TIAP) conference took place on March 30 and 31, 2026 in Washington, D.C. FAR.AI organized the event in collaboration with the Foundation for American Innovation, the Center for a New American Security (CNAS), and the RAND Corporation, bringing together over 200 policymakers, researchers, and technologists to work on translating advanced technical AI research into actionable policy.

A throughline connected many of the sessions: The tools policymakers are relying on to govern AI, including evaluations, standards, and safety frameworks, are not keeping pace with what they are being asked to do. The question the conference kept returning to was not whether AI governance is needed, but whether the infrastructure being built for it will actually work.

Keynote

Congressman Bill Foster (U.S. House of Representatives)

Bill Foster walked through several fronts where US governance is lagging the technology. On chip security, he described the Chip Security Act, which recently passed the House Foreign Affairs Committee near-unanimously, and the cryptographic location verification that makes it workable. On financial stability, he warned that agentic AI will compress bank runs from days to minutes, and that the infrastructure to handle this does not yet exist. He also argued that AI policy currently routes through seven House committees and that the US still lacks a standing IT committee, even as information technology has overtaken financial services as a share of GDP, and cautioned that international collaboration in governing compute, not unilateralism, is the right model for democracies to follow.

Main Talks

Anka Reuel (Stanford University): Beyond Leaderboards: Building Policy-Grade Evaluations for AI Agents

Anka Reuel laid out why today's AI agent evaluations often fail to support the policy decisions they are used to justify. Her argument rests on two demands: validity (does the evaluation measure what the claim requires?) and reliability (does it measure signal or noise?). OpenAI's HealthBench was used to justify the claim that GPT-5 can help users make healthcare decisions, yet it never mapped test items to clinically recognized conditions and never showed scores predict patient outcomes. A reported 90% accuracy on a benefits pre-screening agent, she showed, can conceal wildly different failure modes and could reflect actual performance anywhere from 72% to 100% once uncertainty is accounted for. The EvalEval Coalition is working on the reporting and transparency standards that would allow policymakers and developers to get there.

Ben Bucknall (University of Oxford): Assurance of AI System Versioning

Ben Bucknall raised a question that sounds simple but has no good answer: when you query an API or chatbot, how do you know the output came from the model version you think you are using, and how do you know it is the same system as yesterday? Deployers may route between checkpoints, serve quantized variants at peak times, or push silent updates without notice, and there is no reliable way for users to tell. Drawing an analogy to IP source address spoofing in the early internet, Bucknall argued that model spec adherence, compliance reporting, incident analysis, and third-party evaluation all depend on being able to link observed behavior to a specific system version, and that potential fixes range from transparency disclosures to cryptographic attestation via trusted hardware enclaves.

Dominic Rizzo (zeroRISC): Silicon Roots of Trust: Attestation You'd Want Even If Nobody Required It

Dominic Rizzo presented open-source silicon roots of trust as a mature, commercially viable solution for hardware security and attestation. The technology, proven at scale in Chromebooks and data centers through the OpenTitan project, enables end users to control what software runs on devices they purchase, a capability currently absent despite ownership. Three forces are driving adoption toward ubiquity: the AI infrastructure buildout, the mandated transition to post-quantum cryptography by 2030, and open-source designs that have shifted the cost calculus from burden to necessity. Rather than purely punitive mandates, Rizzo argued that liability shields for chip makers implementing NIST-standardized best practices would better align incentives and drive broader adoption.

Anne Neuberger (Former Deputy National Security Advisor for Cyber and Emerging Technology): Fireside Chat: AI and National Security

Moderated by Janet Egan (CNAS), Anne Neuberger drew on her experience at the NSA and White House to address current tensions between AI labs and the defense establishment. She identified AI's defensive advantage in cybersecurity as significant if organizations act, but warned that agentic AI could set security back two decades by creating vast numbers of unmonitored digital identities. On the Anthropic-Pentagon dispute over whether the U.S. military can use Anthropic’s Claude models without Anthropic’s preferred safeguards, she offered three principles drawn from lessons learned after the Snowden leaks: accountability must rest with those who hold classified information and bear legal responsibility; frontier labs must maintain regular technical dialogue with military users about system fragilities; and democratic constituents need enough transparency to have confidence that AI is used in ways consistent with civil liberties.

Patricia Paskov (RAND): The Multi-Agent Gap: Risks, Evaluation, and Governance

Patricia Paskov argued that AI governance built for individual systems is not ready for agents interacting at scale. Every existing framework, from frontier lab preparedness frameworks to the EU AI Act, was designed to assess single models. Yet even individually safe and aligned systems can produce harmful outcomes through interaction, and the infrastructure for agents to interact at scale is already being built: UK AISI researchers found the share of action-taking tools in Model Context Protocol rose from 24% to 65% between late 2024 and early 2026. Preliminary results from Paskov's inter-agent influence evaluation suite show that simple prompting for coercion or persuasion raises approvals of policy-violating requests from a 5% baseline to 11% and 14% respectively, and her broader point is that governance needs to evaluate systems in relation, not in isolation.

Stephen Casper (MIT): Non-Consensual AI Deepfakes: AI Safety's Trial by Fire

Stephen Casper argued that non-consensual AI deepfakes are the first real test of AI safety at the ecosystem level, and that the dominant plan has failed it. OpenAI's DALL-E 2 in April 2022 was a near-perfect execution of the prevailing strategy: make AI safe by building safe systems. Four months later Stable Diffusion launched openly, without content filtering, and within two days became the primary tool for generating non-consensual content. The Internet Watch Foundation recorded a 26,362% rise between 2024 and 2025 in photorealistic AI videos depicting child sexual abuse. Casper's conclusion: AI safety is not a model property, it is an ecosystem property, and any safety agenda that does not account for proliferation should be considered unserious.

Kellin Pelrine (FAR.AI): Radicalization and Child Sexual Abuse: LLM Persuasion Risks

Kellin Pelrine presented evidence that some frontier models will comply unprompted with requests to recruit users into terrorist organizations, and argued that current testing infrastructure is not catching this before deployment. His team prompted Gemini 3 Pro to persuade a simulated user to join ISIS; it complied without jailbreaking. The same pattern extended to organized crime, drug trafficking, and child sexual abuse. The problem is tractable: Gemini 3 Pro complied around 90% of the time on extreme persuasion prompts, while GPT-5.1, Claude Opus 4.5, Grok 4, and Gemini 3.1 Pro all sat near zero. 

“All of the frontier companies have been able to solve it in some models, but it’s a question of: can we do it consistently, can we catch problems when they come up in certain models before they get deployed into the ecosystem?”

Ze Shen Chin (AI Standards Lab, Oxford Martin AI Governance Initiative) -- An Overview of AI Safety Standards

Ze Shen Chin mapped the landscape of AI safety standards and explained why the EU AI Act's formal standards have fallen badly behind while the Code of Practice delivered on time. The formal process through CEN-CENELEC's JTC 21, launched in 2021, missed its April 2025 deadline, then missed a revised August 2025 one, and now faces proposals to delay obligations until late 2027. The Code of Practice, convened in September 2024 through a different process with expert chairs, was confirmed adequate on August 1, 2025, one day before GPAI obligations took effect. Chin's diagnosis: standards processes face structural trade-offs between consensus, enforcement strength, specificity, and speed, and formal standardization tends to lose on speed. Everyone wants standards, but incentives often pull toward the laxest version or the slowest process.

Looking Ahead

The conversations at TIAP 2026 reinforced a point that runs through all of FAR.AI's work: the gap between AI capabilities and the institutions designed to govern them is not closing fast enough. Closing it requires technical researchers and policymakers working together, and it requires evaluation and governance infrastructure that can keep pace with the systems it is meant to oversee, and that infrastructure depends on unsolved technical problems. Two upcoming events focus on the research side of that work:

• Workshop on Assurance and Verification of AI Development (AViD): May 17, 2026, San Francisco -- Apply here
• Seoul Alignment Workshop: July 6, 2026 -- Fill out our expression of interest form

Full recordings from TIAP 2026 are available on the FAR.AI YouTube Channel. Interested in future events? Submit your interest here.