It was 2019 at the RSA Conference in San Francisco, when I presented seven years of AI safety research in “Top 10 Security Disasters in ML: How Laurel and Yanny Replaced Alice and Bob“. It didn’t get much attention. Why would it? I had been focused on integrity breaches as the coming wave of threat modeling. The market wasn’t interested at that time.
Integrity flaws stand looming and untamed despite the security industry making great progress in availability and confidentiality awareness and control. Now a crisis of trust is developing as developers rush into ‘machine learning’ with integrity a paramount risk.

Then RSAC 2020 was “Breaking Bad AI: Closing the Gaps between Data Security and Science” and RSAC 2021 “Top Seven AI Breaches: Learning to Protect Against Unsafe Learning“.

In fact, by March 2020 I was explaining COVID early warning states in this context, based on research going back to at least 2009. Of course I often point back to my BSidesLV 2016 Ground Truth keynote “Great Disasters of Machine Learning“, because I covered Tesla’s second “driverless” death in that year (as well as Google’s image recognition failures) as an integrity problem needing immediate attention to prevent extreme dangers to humanity. 
And guess what happened next? A lot more death. Even my article that robots have been killing a lot of people already wasn’t getting much attention, despite Bruce Schneier saying he would get it published in The Atlantic to increase my exposure.
AI and robotics companies don’t want [regulation] to happen. OpenAI, for example, has reportedly fought to “water down” safety regulations and reduce AI-quality requirements. According to an article in Time, it lobbied European Union officials against classifying models like ChatGPT as “high risk” which would have brought “stringent legal requirements including transparency, traceability, and human oversight.” The reasoning was supposedly that OpenAI did not intend to put its products to high-risk use—a logical twist akin to the Titanic owners lobbying that the ship should not be inspected for lifeboats on the principle that it was a “general purpose” vessel that also could sail in warm waters where there were no icebergs and people could float for days. (OpenAI did not comment when asked about its stance on regulation; previously, it has said that “achieving our mission requires that we work to mitigate both current and longer-term risks,” and that it is working toward that goal by “collaborating with policymakers, researchers and users.”)
I guess I bring up the Titanic a lot. But the point was we aren’t really paying attention if we’re not counting the Tesla deaths as a single catastrophe of AI.

Well, here we are in July 2026 and the United Nations Preliminary Report restates my 2019 thesis as settled science. See their figure V (page 30, adapted from Bottou and Schölkopf): transformations that preserve fluency break factuality, and users treat linguistic confidence as evidence of reliability.

That’s right up my alley and their page 42 supplies the casualty class that I had warned about: Tigrinya machine translation rendering smallpox as syphilis, gonorrhoea as diabetes, intravenous antibiotics as intravenous insecticides, in clinical settings serving 7 to 9 million speakers.
Forty UN-appointed experts used their General Assembly resolution to arrive where my single expert RSAC track session in 2019 said they should hurry up and go. Of course I wasn’t the only one, but I’m certainly not someone they have cited in their late acknowledgement of the problems.
Perhaps I should now tell you where they went horribly wrong in the report? It has serious integrity failures, to put it simply. Here are just four examples.
First. The vendor citation circle that I called out last April, behind the Anthropic marketing. The “Dangerous cybercapabilities” box (pages 35 and 36) sources its Mythos claims to references 16, 17, and 72: Anthropic’s Frontier Red Team page, Anthropic’s Glasswing announcement, and a Mozilla blog post written by a Glasswing participant. This is a closed circle of three self-interested documents presented as scientific assessment, with the record frozen at 7 April. The panel cited nothing after the launch marketing: none of the independent critics, and not even the vendor’s own May update, meaning the report is stale in the vendor’s favor. They ARE NOT proof. The report diagnoses this exact failure on page 15: safety evaluation methodologies are designed by the companies being evaluated, and assurance depends on developer goodwill. Section 2.1 names the disease. Section 3.4 performs that disease. Like, are we sure we want to keep reading? Twenty pages after warning about vendor-controlled evidence, the report runs vendor-controlled evidence, and skips any antidote.
Second. They have omitted contrary evidence. I’m not sure it feels better that I’m not the only one being ignored. AISLE’s reproduction of Anthropic’s showcase bugs with eight open-weights models, published April 2026, was public for three of the panel’s four drafting months (first meeting March 2026, publication July). Their box repeats “previously unknown” and “survived decades of human review” with zero reference to the reproduction results. The 27-year OpenBSD flaw the box holds up as proof of frontier capability? False. Disproven. GPT-OSS-120b recovered the full exploit chain for pocket change, which demolishes the frontier-exclusivity framing that this box was built on. The panel’s mandate is allegedly documenting scientific consensus and disagreement. Instead it runs a claim made by the vendor and presents zero disagreement, despite it being all over the Internet. AISLE is now extremely well-regarded for their bust of the Anthropic bubble, so it’s hard to understand how they aren’t the lead story here.
Third. The distribution asymmetry is quite interesting to me, as a disinformation historian. The executive summary ships in all six official UN languages, unlike the full report, which is in English and French. The conclusions are thus presented in six languages while 386 references, the evidence-gaps concessions, the footnotes qualifying the Goldman Sachs projections, and the disclaimer (no member endorses every point) are cut down to just two languages. This translates into a ministry reading Arabic, Chinese, Russian or Spanish getting the pure vendor claims on UN letterhead that has all the context stripped away from it. A report that is documenting language exclusion as a life-threatening integrity failure, has itself reproduced that very exclusion. Ironic, no? This is the sort of thing I suspect makes me hard to invite to these events. I find flaws. I present flaws.
Fourth. The timing sure seems awkward. Released 1 July, feeding the Global Dialogue on AI Governance now underway in Geneva, 6 and 7 July. Member State delegates are deliberating on a five-day-old document carrying vendor claims, most working from the summary tier. That means the truth is buried, because the verification drops into two languages and 58 pages. And a detail the panel apparently missed: the Glasswing announcement it cites as evidence promised a 90-day public accountability report, due 6 July by my count last April. The UN cited the promise as a proof, and the Dialogue opened on the day the promise came due. The vendor shipped an interim update in May with aggregate self-reported numbers, then a June system card which I’ve debunked. The actual accounting?
If you are in the room in Geneva, the fix costs nothing but a microphone. Four questions, matched to the four failures.
- Ask the Co-Chairs why the “Dangerous cybercapabilities” box rests entirely on references 16, 17 and 72, when page 15 of their own report states that assurance built on developer disclosure is assurance built on developer goodwill. Ask whether the panel will adopt a sourcing rule for the annual report: no capability claim enters a UN scientific assessment on vendor citation alone.
- Ask why the AISLE reproduction results, public since April and available for three of the panel’s four drafting months, appear nowhere in a document mandated to record scientific disagreement. And hey, I’m not even saying I should be in there, despite publishing continuously since April that Anthropic is misstating their capabilities. Ask whether the annual report will correct the record.
- Ask when the full report, with its 386 references, its evidence-gaps concessions and its disclaimers, will exist in all six official languages. A summary without carrying the balance of evidence is a breach of trust in the editorial process. The panel documented language exclusion as a life-threatening integrity failure, so I recommend they stop practicing one.
- Ask what review period Member States will get between the annual report and the second Dialogue in New York. Five days is a briefing. It is nothing like a proper assessment, including time for tests, even in a field moving rapidly.
Ok, here’s a Fifth failure. Bonus round. The Secretary-General launched the report saying the world cannot govern what it cannot understand, yet page 26 of that same report tells us governing under uncertainty is normal. Record scratch. Parliaments regulated steam boilers (e.g. Grover Shoe Factory Disaster), adulterated food (e.g. The Jungle) and unsafe ships (well, you know, the Titanic) long before anyone could explain the perfect physics and chemistry, by demanding inspection access and punishing false claims.
So skip the plea for comprehension (like skipping the demand everything be open source) and demand the older, proven machinery: the references, the disagreements and the time. The point is the world should see what I’ve been saying for over a decade, and have the time to review why the vendor’s claims don’t stand on their own let alone in the face of a simple test.
The AI vendor brochure presented in six languages is disappointing, to say the least. Or, if you’re like me, to say nothing at all because we’re not in the room to explain when and why things go boom.
