On July 1, 2026, the Federal Trade Commission proposed a policy statement asserting that an AI company which steers its systems' outputs toward undisclosed objectives and away from what users request or reasonably expect, is likely deceiving consumers under Section 5 of the FTC Act. While this is not a rule as yet, it is instructive of how the oldest consumer protection statute in American commerce intends to meet the newest technology.
I. What Just Happened
The July 2026 proposed statement was issued pursuant to Executive Order 14365, signed December 11, 2025, which directed the Commission to clarify how Section 5 applies to AI models and, in particular, how state laws that require alterations to the accurate outputs of AI systems can conflict with federal law.
The Commission authorized the statement on a 2-0 vote; it was published in the Federal Register on July 7, 2026, and the public comment period closes on July 31, 2026. Although the statement creates no new legal obligation on its own, it announces an enforcement posture; such a declared posture deserves nearly as much attention from enterprises as a finished rule.
Dec 11, 2025 — Executive Order 14365
A national AI policy framework is established, and the Commission is directed to clarify the application of Section 5 to AI systems.
July 1, 2026 — Proposed Policy Statement
The Commission asserts that undisclosed steering of AI outputs is likely deceptive. Comments close July 31, 2026.
II. The Theory of the Case
The Commission's reasoning proceeds in three steps, each of which deserves a close reading from any enterprise that builds, embeds, or resells AI capability.
The first is that the marketing itself constitutes the representation. AI companies have spent years telling the market, both explicitly and implicitly, that their systems aim to produce the most accurate output possible within their technological constraints, and the Commission cites the industry's own promotional language as the operative promise. Consumers, it concludes, reasonably expect an AI system to pursue the objectives they set for it rather than objectives set for them without their knowledge.
The second is that undisclosed steering breaks that consumer promise. Under the Commission's long-standing deception test, a representation is actionable when it is likely to mislead a reasonable consumer in a material way, and an AI system trained or configured to prioritize objectives its users never requested and cannot see fails that test, whatever the motive, for the Commission is explicit in treating motive as irrelevant.
The third step reaches back to the oldest doctrine in the Commission's arsenal: representations must be substantiated. The FTC has already brought enforcement actions against companies that could not support the claims made for their AI, among them weapons-screening systems, facial recognition software, and automated legal services. A claim invites a question, and the question demands evidence.
III. The Preemption Turn
The statement's most consequential passage concerns state law. Several states have enacted or advanced statutes that press AI companies to alter their systems' outputs, and Colorado's Artificial Intelligence Act is named directly. The Commission's position is unambiguous: compliance with a state law is no defense to deception under Section 5, and a state law that effectively requires a company to deceive its consumers is impliedly preempted to the extent of the conflict.
This places enterprises in a genuine squeeze. State law may pull a system's behavior in one direction while federal deception doctrine demands that any such pull be disclosed prominently and persistently. The two pressures compound rather than cancel one another; the only stable position between them is documentation of precisely what a system is designed to do, what has been disclosed about it, and what it did in operation.
It should be said plainly that this is a proposed statement, that its framing is contested, and that its preemption theory will be tested in the courts. Enterprises should not treat it as settled law, but neither should they miss what it demonstrably is: the third major regulator in twelve months, after the European Parliament and FinCEN, to converge on the same underlying demand.
IV. The Safe Harbor Is Disclosure — and Disclosure Is a Claim
The Commission offers one path to safety: a company may avoid liability by making clear, conspicuous, and adequate disclosure that its system is designed to prioritize certain objectives over what users request or would otherwise expect. The statement is emphatic about the standard. Such disclosure cannot be buried in the terms of service; it must be prominent and persistent, and the more it cuts against user expectations, the more prominent it must be.
Yet a disclosure is itself a representation about the design and behavior of an AI system, and representations, under the very doctrine this statement invokes, require substantiation. An enterprise that discloses "our system prioritizes X" has not escaped the evidentiary question; it has merely restated it. What supports the disclosure? What demonstrates that the system, in operation, does what the disclosure says it does, no more, no less, and nothing undisclosed besides?
Traditional logs provide records. High-consequence AI systems increasingly require evidence. The distinction is not one of storage but of trust: a log is self-attested, a diary kept by the party under examination, and for ordinary operations it serves well enough. As the consequence of a machine decision rises, however, so does the burden of proof, and what the Commission's framework implies without yet naming it is an independent record: non-repudiable, cryptographically bound to time and context, and capable of establishing both what a system was instructed to do and what it did. The point is not to discard the record but to elevate it.
V. The Witness Requirement
Beneath the surface of the statement lies a problem older and larger than any regulator. Historically, evidence was created by humans. The entire architecture of proof — testimony, deposition, cross-examination, and the business records exception itself — rests on a single assumption: that when a question is asked, a human witness can eventually be produced. Machine decisions break that assumption.
It is worth being precise about what the Commission has and has not done. The FTC did not create a witness requirement; it expanded the substantiation requirement for AI systems. The witness requirement is our prediction of what enterprises will ultimately need in order to satisfy that burden at scale: for every consequential representation about an AI system's objectives and behavior, there must exist evidence, independent of the party making the representation, sufficient to establish that the representation is true.
Design documents describe intention, and disclosures describe policy, but neither establishes conduct. Only execution-level proof decisions, captured as they occur, and bound to the AI model version, the configuration, the inputs, and the moment, only that can close the distance between what a company says its system does, and what its system demonstrably did.
This is the infrastructure ROSÉ exists to provide: neither as a commentary on AI behavior, nor summaries of it, but a signed, ordered, and regulated record of execution, the difference between asserting good faith and being able to demonstrate it. ROSÉ does not replace the log; it seals it.
VI. The Convergence
For two centuries, institutions have relied upon a simple assumption: when a consequential decision is questioned, a human being can eventually be called to explain it. That assumption is now failing simultaneously across multiple domains.
Financial regulators require firms to demonstrate the basis of decisions that affect risk and compliance. Consumer protection regulators require companies to substantiate representations made about products and services. AI regulators increasingly require transparency into the objectives, behavior, and outputs of automated systems. Courts are being asked to determine liability for decisions made by algorithms rather than people. And enterprises themselves must explain the actions of software agents operating across increasingly complex environments.
These institutions did not coordinate their demands. They arrived at them independently. Yet each is converging upon the same question.
When the answer was a human, testimony was sufficient. When the answer is a machine, testimony becomes an account after the fact. The emerging requirement is not fundamentally regulatory. It is evidentiary. A society that delegates consequential decisions to machines must create a new mechanism of proof.
Existing systems were built to record transactions. They were not built to establish provenance of autonomous decisions. A payment system can tell you that money moved. A workflow system can tell you that a task executed. A log can tell you that an event occurred. None of them were designed to answer the question increasingly asked by regulators, courts, and enterprises alike: why did the machine decide what it decided, and how can that account be independently verified?
The regulators are merely the first to discover the problem.
VII. What This Means for Regulated Enterprises
Although the statement is addressed to AI companies, its gravity extends to every enterprise that embeds or resells AI capability, because representations travel down the channel. A platform that embeds a third-party model and markets its capability to customers has made a representation about that model's behavior, and if the claim cannot be substantiated, the exposure belongs to the party who made the claim rather than merely to the party who trained the model.
Enterprises in financial services will recognize the shape of this obligation, for it is the same principle that SR 11-7 has long applied to model risk: a third-party model in your product is your responsibility to validate and monitor. The FTC statement extends that logic from safety and soundness to consumer protection, and the perimeter of accountability now encloses the deployer.
VIII. What to Do Now
- → Inventory every representation your organization makes about AI capability; in marketing, in sales materials, and in product documentation.
- → Map the actual objectives of each AI system in your stack, including third-party and embedded models, against those representations.
- → Align disclosures to the Commission's standard: clear, conspicuous, prominent, and persistent, never buried in terms of service.
- → Build the substantiation record: execution-level evidence of what each system was configured to do and what it did in operation.
- → Consider filing a public comment before July 31, 2026, the comment window is where the final shape of this policy will be argued.
- → Evaluate ROSÉ as the execution proof infrastructure beneath your disclosures, before the question is asked under oath.
IX. The Strategic Divide
Those who can prove their disclosures
Able to make confident representations about AI capability, satisfy state and federal regimes simultaneously, and answer the evidentiary question before it is asked.
Those who can only assert them
Exposed on both flanks, to state obligations pulling system behavior in one direction, and to federal deception doctrine demanding proof of every undisclosed pull.
X. Conclusion
The FTC's proposed statement will be debated, revised, and litigated, and its final text cannot be known today. Its direction, however, can. Regulators on two continents have now arrived, by entirely different roads, at the same destination: an AI system's stated objectives are a promise, and promises made in commerce must be capable of proof.
Every prior technological shift created a corresponding trust layer. Cybersecurity emerged because digital commerce required trust in systems; the witness requirement emerges because autonomous commerce requires trust in decisions.
Accounting produced the audit. The internet produced cybersecurity. Autonomous systems will produce the witness.
The enterprises that flourish under this standard will not be those with the most careful lawyers; they will be those with the most credible evidence.
About ROSÉ.xyz
ROSÉ is the Regulated, Ordered & Signed Execution federation, the infrastructure with the ability to prove the work of AI agents. The federation includes Selfient.xyz · Matric · ROKO.Network · Latitude.sh · Fortémi · TimeBeat · CustodyCore
This paper is provided for informational purposes only and does not constitute legal advice. The FTC policy statement discussed herein is proposed and subject to revision following the public comment period. Consult qualified legal counsel for guidance specific to your organization.