3 Levels of AI Use Disclosure
Why a single AI disclosure checkbox tells reviewers nothing, why jailbreaks are mathematically guaranteed to exist, and how Morse code moved $200k in crypto
1. AI Use Disclosure
By: Andrew Gamino-Cheong
Almost every AI governance framework requires disclosing AI use somewhere in a document or policy. Almost none of them ask how much. A binary “AI was used” isn’t useful to someone reviewing the content in particular. Should the reviewer focus on the substance of the document, or just on the style and presentation? That distinction changes how carefully they need to read, whether the work in question is a blog post or a pull request.
We ran into this ourselves. As Trustible started to use AI more for code and content, we needed to be clear about how AI was used, and adjust our reviews accordingly. For our own governance purposes, we needed to understand how much scrutiny does this piece of work actually need before it goes out the door? Since we build AI governance software for a living, it felt fair to hold ourselves to the same standard we ask of the enterprises we work with. Our internal AI Use Policy sets three tiers instead of one flag, and each tier carries a different review bar.
Primarily Human (Level 1), covers anything under 20% AI generated. In writing, that’s a human draft AI copy edited or fact checked. In code, it’s AI catching a typo or suggesting a variable name inside an otherwise human-written function. Standard review applies here, since AI has less room to invent anything and hallucination risk stays low.
Partially AI (Level 2), is the real grey area. This is a human outline filled in by AI, or a deliverable that mixes AI and human sections. In code, this is what we’d call harness engineering, where AI works inside a defined spec against an existing codebase, with guardrails on what it can touch. This tier gets deeper scrutiny, and we check the output against the original outline or spec to confirm it matches what was actually intended, not just that it compiles or reads well.
Primarily AI (Level 3), covers one-shot generation, long agentic runs, or vibe coding, where AI carries the mental work instead of executing inside a human-built structure. Roughly 80% or more of the output is AI produced. It’s fine for prototyping, but it gets the strictest review, and we document the prompts used so a reviewer can trace how the output was built. Every purely AI-generated image falls here too, no matter how much brand context or detail went into the prompt.
Key Takeaway: A single AI disclosure checkbox doesn’t tell a reviewer what to actually scrutinize. Within a few years, AI will likely be used to some degree to create more content, and disclosing the amount of AI use will become increasingly important. This could start to matter a lot in the IP space as well, as current standards don’t protect fully generated content in many legal jurisdictions.
Disclosure: This piece falls under “Level 1” by our policies. AI helped tighten the draft, but the argument, structure, and examples are human-written. The accompanying image is Level 3, generated end to end from a detailed prompt with our brand assets attached.
2. Tech Explainer: The Mathematical Inevitability of Jailbreaks
By: Anastassia Kornilova
Claude Fable 5 was taken offline last month in part due to a fairly simple “jailbreak” that involved adding the words “fix this code” to a prompt; Anthropic responded by adjusting the settings on their guardrails. However, their adjustments are not a guarantee that the system will be safe under all conditions, because a recent paper from NIST shows that it is mathematically impossible to prevent all jailbreaks. The proof in this work shows that given a finite set of guardrails (in this paper the term is used broadly to include protections across all layers of the system including data sanitization, model alignment and input/output filtering), there will always exist a prompt that circumvents the guardrail and causes the system to violate its own policy. Intuitively, guardrails work by applying general rules based on known examples, not by having an enumerated list of every possible bad prompt, since such a list would have to already contain the answer to the very question it’s meant to solve. Because the space of ways to phrase a prompt will always be larger than what a workable set of rules can anticipate, something will always get through, no matter how good the rules are.
This theoretical result does not give attackers a method for finding a new exploit; it only guarantees that one exists somewhere in the space of possible prompts. Instead, this points to the need for a risk management framework that anticipates successful jailbreaks rather than tries to prevent all of them. Vassilev, the paper’s author, translated this into practical terms: the goal should be “to reach a state where the cost of finding new exploits exceeds attackers’ resources”. He lays out three concrete practices for getting there: ongoing red-teaming to surface new adversarial prompts before attackers do, continuous guardrail updates as those prompts are found, and operational resilience, meaning the ability to limit damage and recover quickly once, not if, a jailbreak succeeds. In addition, as jailbreaks affect complex agents, not just LLMs, controls that sit on top of the system, like human review or access control limits, will form an important layer of mitigations.
Key Takeaway: New jailbreak techniques will be an evergreen concern for AI systems. Risk assessments should include questions around how quickly policy violations are detected, how guardrail can be updated and how damage from attacks can be mitigated. This mirrors how mature cybersecurity practice already treats vulnerabilities: not as something to eliminate outright, but as something to find and patch faster than adversaries can exploit them.
3. AI Incident Spotlight: Using Morse Code Prompt Injection to Steal Crypto
By: Andrew Gamino-Cheong
What Happened: An X user walked away with roughly $200,000 in crypto without cracking a password or exploiting any software bug. The target was an automated account, linked to Grok on X, with permission to move cryptocurrency through a trading bot called Bankrbot. The attacker first found a way to expand that account’s transaction permissions, then posted a message in Morse code and asked Grok to translate it. Grok complied, decoding the message into a plain-language instruction to send a large batch of tokens to the attacker’s address, and tagged Bankrbot, which scans Grok’s replies for commands. Bankrbot treated the decoded text as authorized and moved the funds. Most of the money was later returned after the crypto community identified the attacker. Dexerto first reported the exploit.
Why It Matters: Morse code sounds like a novelty, but the underlying technique is well documented. Language models trace their architecture back to machine translation research, and converting between languages, alphabets, and encodings is a core capability, not an add-on. Researchers have spent the past few years showing that prompts translated into low-resource languages, run through simple ciphers, or encoded in Base64 can bypass safety training built almost entirely around natural English text. The pattern has a name in the literature, mismatched generalization: a model’s capacity to decode something can outrun the safety training meant to govern what it does with the result. Grok’s handling of the Morse message fits that pattern. Nothing in the request looked adversarial until after the model had already processed it, and the output then moved from Grok, a text generator with no direct control over funds, to Bankrbot, which treated a public reply from an authorized account as equivalent to a signed transaction. That specific safeguard had reportedly existed once before and was dropped in a later system update, per Repello AI, showing how easily this kind of protection erodes without dedicated testing.
How to Mitigate: Organizations should consider a policy layer between anything a model outputs and any system that can act on it financially, one that checks whether a transaction fits a predefined scope rather than scanning the text for suspicious phrasing. That layer already exists in production form. Mastercard’s Agent Pay and Visa’s Trusted Agent Protocol issue credentials scoped to a specific agent, counterparty, and spend cap, revocable in real time. Stripe offers something similar through single-purpose virtual cards. None were built with crypto bots in mind, but they address the same gap: a credential that knows what it’s for, rather than an account that trusts anything wearing the right tag.
Key Takeaway: Translation and other format-conversion features are a known, studied weak point in how models are secured, and agents with financial reach are worth evaluating on whether a scoped, revocable credential sits between their output and the money, not just on how well they resist conventional jailbreak phrasing.
4. Trustible Spotlight: Introducing AI Controls
By: Lauren Madden
Every new AI framework triggers the same instinct: start the compliance process from scratch. Document the requirements again, run through the checklist again, and treat it as its own project.
That instinct assumes each framework introduces entirely new requirements, but in practice, most of them don’t. The EU AI Act, NIST AI RMF, and ISO 42001 overlap heavily, asking for the same underlying work, but in different wording and checklist formats. We rolled out Trustible Controls to address this directly
Trustible Controls normalize governance requirements into a single set mapped across every framework an organization tracks. Document human oversight once, and that evidence satisfies multiple global, regional, and industry frameworks. Conditional obligations, such as the EU AI Act's high-risk and GPAI designations, are scoped the same way, so teams see only the controls that apply. Read more.
5. Policy Updates
By: Sydney Cullen
FTC Proposed Policy Statement Concerning the Suppression of Accuracy in AI Systems
The FTC’s recently released proposed policy statement asserts that state AI laws that require AI systems to reduce perceived biased or discriminatory outputs, such as Colorado’s AI Act, could be perceived as “deceptive” practices towards customers under Section 5 of the FTC Act. This policy document stems from the December Executive Order on “Ensuring a National Policy Framework for AI”, which directed the FTC to release a policy statement on how state laws which “require alterations to the truthful outputs of AI models” would be preempted under Section 5. The proposed policy statement is open for public comment until July 31.
Our take: With Congress unwilling to act, the White House is finding other levers to limit state AI authority, and this FTC statement is the latest one. It’s important to remember what this statement doesn’t touch existing federal anti-discrimination law. A state can’t force a company to alter outputs to fix bias, but if that same system produces discriminatory outcomes in lending, housing, or employment, it’s still exposed under Title VII, ECOA, and similar statutes. Non-discrimination compliance isn’t optional just because the bias-correction mandate is contested.
US Government vs Frontier Labs: A few weeks after the US government utilized export controls to restrict the use of Claude Fable 5 and Mythos 5, they have pseudo-restricted the use of OpenAI’s GPT-5.6 Sol. Although export controls were not put into place, the USG requested that OpenAI only release to a small group of customers approved by the government. OpenAI representatives have stated they do not want this process become the norm; however, they are complying for now in hopes to help the government create a repeatable framework for new frontier models. In the meantime, Anthropic announced export controls have been lifted, and Fable 5 and Mythos 5 have since gone live again with new cyber security safeguards in place. OpenAI’s restrictions were also lifted, and set to launch publicly on July 9.
Our take: The White House continues to play a larger hand in frontier model deployment than it promised to do. For governance teams, the lesson is to build contingency plans around model access, not just model performance. If the government can pull a model overnight or gate its release before the public ever sees it, any AI roadmap that assumes uninterrupted access to a given frontier model is a roadmap with an unstated dependency.
RAISE US: Former Secretary of Commerce Gina Raimondo and former Governor of Indiana Eric Holcomb launched a nonpartisan organization called RAISE US aimed towards developing public-private partnerships around the future of work. The group will test workforce reskilling programs with corporate partners and use private and philanthropic funding to expand the ones that work. It launched with partnerships already in place with Arkansas, Connecticut, Maryland, and Utah.
Our take: RAISE US is betting that industry can move faster than Congress on workforce transition. Raimondo has been candid about the track record here, having called past federal retraining efforts “ineffective.” Whether $500 million in state pilots does any better remains to be seen.
In Case You Missed It:
UN Global Dialogue on AI Governance: The inaugural Global Dialogue on AI Governance, hosted by the UN in Geneva this week, opened with calls for greater international cooperation on AI governance to promote safe and secure AI systems. A recurring theme was the need to move from broad principles to concrete, implementable action. More than 4,200 participants from nearly 170 member states attended, and organizers urged them to return to the next session, in New York in May 2027, with tangible progress rather than more statements of principle.
EU AI Act omnibus finalized: The EU AI Act omnibus received final approval and is now law. It delays high-risk obligations for standalone systems to December 2, 2027, and to August 2, 2028 for high-risk systems embedded in products. It also adds a new prohibited practice: generating non-consensual sexual content or CSAM, effective by the end of this year. Transparency obligations are also delayed, to December of this year.
Illinois SB 315: We covered in a previous newsletter that Illinois’s SB 315 had passed the state legislature and was headed to the governor’s desk. SB 315 is the country’s most aggressive law targeting frontier AI developers to date, due to its requirement of an annual third-party audit. It was officially signed into law this past week by Governor Pritzker and takes effect January 1, 2028.
—
As always, we welcome your feedback on content! Have suggestions? Drop us a line at newsletter@trustible.ai.
AI Responsibly,
- Trustible Team





