NormSense tracks how AI companies’ decisions affect the people on the other side of their systems.

That’s a different beat than most AI-policy newsletters cover. The good ones: Lawfare, Tim Lee’s Understanding AI, and Oliver Patel’s Enterprise AI Governance track the rules being written about AI: what regulators are proposing, which legislatures are moving, where the EU AI Office and the FTC are positioning. And I read it all so you don't have to. Mostly.

What’s underserved is the layer beneath. The norms forming through accumulated industry practice rather than statute. What AI companies are actually doing, where their behavior is converging, what’s being normalized that nobody quite announced. The signal is more diffuse than a Senate hearing. The work to surface it is harder. And it’s where compliance and governance leaders need a tool because by the time it’s in a rule, the leverage to influence it has shifted.

So I built NormSense. The platform monitors 137 source connectors across regulators, standards bodies, courts, industry consortia, and academic institutions, and currently tracks 102 active norm clusters scored on the methodology I've published in two SSRN papers. Most recently Cognitive Surrender and Constitutive Delegation is under review at AI and Society. Both numbers will be different a month from now. The platform is a snapshot, always.

Every claim in this newsletter is anchored to a NormSense “cluster.” A body of observations from named organizations that the platform has identified, named, and tracked. Cluster references look like 14df3966. Public cluster pages launch with the next issue; click-through verification is the version of “show your work” that AI policy reporting has historically lacked.

Let’s get to this week.

This week — AI companies are sharing less, not more

The headline in AI policy this past quarter has been new disclosure mandates. The EU AI Office issued implementation guidance for Article 72 post-deployment monitoring. The SEC continued enforcement of AI risk disclosure in 10-K filings. New York City’s Local Law 144 bias-audit regime expanded its compliance footprint. State AGs filed coordinated AI consumer-protection actions.

If you read only AI policy newsletters, the picture is one of accelerating transparency. More disclosure, more visibility into how AI systems work, more accountability.

NormSense’s data tells a different story. While regulators race to compel disclosure, the actual transparency available to people on the receiving end of AI systems is contracting.

Three converging signals make this concrete.

First, what major AI companies share is decreasing. Cluster 14df3966 tracks what the platform names Strip Oversight Capacity Through Algorithmic Opacity in Critical Decisions. Across observations from 20 organizations and three actor types, a pattern shows up that’s hard to see without infrastructure to aggregate it: AI labs and platform companies are systematically reducing what they disclose about training data, model access for external auditors, and post-deployment monitoring. One observation in the cluster captures it directly: “Major AI companies are systematically reducing disclosure about their AI systems, including data acquisition, model access for auditors, and post-deployment monitoring. This widespread pattern, with industry-wide adoption...” This isn’t a single company’s policy shift. It’s the contour of an industry-wide one.

Second, standards bodies are codifying the acceptability of AI inaccuracy. Cluster 977dec6a — Normalize Acceptable Error Rates for AI System Outputs — tracks IEEE working groups establishing what they call hallucination tolerance baselines: defined acceptable error rates for AI outputs. The technical framing is reasonable. The downstream effect is significant: when standards institutionalize that AI systems will produce false or unreliable information within defined ranges, error stops being a defect and becomes a feature with documented bounds. Compliance teams are now navigating a world where the IEEE has effectively said: yes, your AI hallucinates, here’s how much is acceptable.

Third, explainability is being deprecated in high-stakes deployment. Cluster 346c3d82 — Override Explainability Requirements in High-Stakes AI Deployments — captures a pattern that academic research has been flagging for years and that’s now visible across deployment practice: black-box deep learning systems are being deployed in healthcare, criminal justice, autonomous vehicles, and military applications without the explainability mechanisms that earlier AI governance frameworks treated as foundational. The trade-off is being made tacitly, not in any single statute, by deployers who decided the operational benefit outweighs the explainability requirement.

Read these three clusters together and the strategic claim becomes clear:

AI policy newsletters cover the first. NormSense exists to surface the second.

For a Chief AI Governance Officer, this isn’t an academic curiosity. The disclosure mandate your team is preparing for assumes a baseline of transparency that the underlying systems are quietly walking away from. By the time the rule lands, the visibility it’s meant to enforce may already have eroded. The compliance question, can we comply, is downstream of a more fundamental one: is the underlying ground stable enough that the rule can do what it’s meant to do.

Watch list — three other movements worth tracking

Cluster 3cd338f4 — Deploy Behavioral Profiling Systems for Predictive Personalization and Pricing. AI-driven personalized pricing is hitting visible regulatory resistance. Indian competition authorities have begun analyzing dynamic price discrimination as a competition issue; EU GDPR Article 22 interpretation is being contested in this domain. Six observations across two actor types. More importantly, the cross-jurisdictional convergence suggests this norm is in the early phase of its lifecycle. If your organization has revenue tied to algorithmic pricing, this is the one to watch.

Cluster 2a9f8c6b — Strip Public Awareness of AI Surveillance Scope and Purpose. Five organizations across three actor types document the same pattern: AI surveillance systems deployed with publicly stated narrow purposes that quietly expand. One observation calls this AI Surveillance Mission Creep Normalization. Companies announce a limited use case, then enable broader uses without explicit safeguards. Vendor relationships and procurement language are where this affects compliance teams.

Cluster de4379dc — Displace Marginalized Voices Through Opaque Content Moderation Practices. Four major social media platforms, Facebook, Instagram, YouTube, and TikTok, show convergent practices in algorithmic content moderation. Reading the underlying observations together, the pattern is broader than any one platform’s moderation policy: it’s the structure of automated enforcement combined with broad policy definitions and limited transparency. Relevant for any organization with employee or partner content reaching these platforms.

What didn’t move this week

• The FTC issued no AI-related enforcement action. First such week in seven.

• NIST’s Artificial Intelligence Risk Management Framework had no public revisions.

• The EU AI Office published no Article-72 implementation updates.

Quiet weeks are themselves signal; the contestation that emerges in these gaps tends to land harder.

— Zach, see you in the cluster pages