Disclosure: I am the Co-Founder of Rupture Labs, a compliance technology company that builds compliance infrastructure for financial institutions. A regulatory environment that put new reporting obligations on technology platforms would expand the category Rupture Labs operates in. That makes me an interested party. I write here as a practitioner who spent a decade inside the compliance function, with the conflict in plain view.

In June 2026, the chief executives of the largest AI companies in the world signed the same letter.

Sam Altman of OpenAI, Dario Amodei of Anthropic, Demis Hassabis of Google DeepMind, and Mustafa Suleyman of Microsoft AI, people who spend most of their waking hours trying to beat each other, put their names on the same page. So did Nobel laureates and former defense officials. The ask was narrow. They want Congress to require every company that makes and ships synthetic DNA to screen each order and each customer before it goes out the door, and to keep a record of what they found. Not voluntarily, the way parts of the industry already do. By law. Because, in their words, AI is starting to erode the knowledge barriers that have historically kept biological weapons out of reach.

If that sounds abstract, the mechanics are simple. You can order custom strands of DNA from a manufacturer and have them shipped to you. The fear is that someone orders the genetic building blocks of a dangerous pathogen, and that AI now helps a non-expert figure out what to order and how to assemble it. Screening the order, and screening the customer who placed it, is how you catch that before it ships.

I read that letter as a compliance person, and I recognized it on sight.

Screen the customer. Keep the record. That is not a new idea. That is the Bank Secrecy Act, the law that has governed the American financial system since 1970, written in a different vocabulary. The most credible people in artificial intelligence just asked Congress to apply the 1970 banking model to the most dangerous thing their technology can touch.

What they actually asked for

I spent more than a decade building and running compliance programs under the Bank Secrecy Act. Head of AML at a brokerage. Compliance program management at a payments company and a digital bank. Stripped of the acronyms, the law does four simple things.

Know who you are dealing with before you transact. Watch for the activity that does not make sense given what you know. Write it down and file it with a central agency. And let that agency connect patterns across the whole system that no single institution could see on its own.

There is a fifth piece that makes the other four work. The law protects you when you report in good faith. A bank that files a suspicious activity report is shielded from liability for filing it. Without that protection, the rational move is to stay quiet, and the whole system collapses. The safe harbor is the reason anyone reports at all.

The Bank Secrecy Act did not end financial crime. It was never going to. What it did was build a contemporaneous record, filed at the time, that investigators could read later.

The DNA letter asks for the same two foundational pieces, screening and recordkeeping, in a different industry. The labs did not ask Congress to pre-approve every DNA order or to stand a regulator at the loading dock. They asked for the lightest kind of regulation there is, the kind that leaves a paper trail without standing in the way of the work.

They reached for that model because, when the stakes are catastrophic, it is the model that has actually worked at national scale. That is worth sitting with. The companies with the most to lose from regulation, and the most credible claim to understand where the technology is heading, looked at a worst-case scenario and asked for the banking compliance playbook.

Where they stopped

Here is what I keep returning to. They asked for it in one place. The one place where the harm is a mushroom cloud that nobody can wave away. They did not ask for it on the rest of what the same models do.

The systems that could one day lower the barrier to a biological weapon are, today, generating synthetic media at scale, producing child sexual abuse material, taking autonomous actions outside the envelope they were given, and amplifying content that a platform’s own engineers have flagged as harmful to children. We know that last one is happening because juries in Los Angeles and New Mexico found Meta and Google liable this spring for designing platforms that harm young people, after reading the companies’ own internal documents. Employees had flagged specific features as dangerous. Those warnings were overruled.

For none of that is there a letter. No mandate. No central agency receiving the reports. No record being kept. When a bank teller notices a suspicious pattern, federal law gives them thirty days to file. When a technology company’s own staff documents that a product is harming children, there is no obligation to tell anyone at all.

That is the gap. The DNA case got an open letter signed by four CEOs and a row of Nobel laureates. The rest of it got internal documents that surfaced only because a lawsuit forced them into the open, years after the harm.

The framework underneath the argument

Closing that gap on paper is what I have spent the past several months doing. I have drafted a legislative framework called the Technology Accountability and Social Harm Prevention Act, TASHPA, that does for artificial intelligence and social media what the Bank Secrecy Act did for finance. The same architecture, translated.

A mandatory incident report modeled on the suspicious activity report. A central intelligence unit modeled on FinCEN, to receive those reports and connect patterns across companies. Risk-tiered compliance obligations, so a startup carries a lighter load than a system reaching hundreds of millions of people. And the safe harbor again, because without it people learn to keep what they see to themselves. A full white paper and the legislative text are forthcoming. This piece is the short version of why it should exist.

The point of the architecture is not to catch every harm in the moment. The Bank Secrecy Act never did. It did not stop the September 11th attacks or the Epstein network in real time. What it did was leave a record that let investigators, after the fact, map the financing, identify the network, and do the attribution work that would have been impossible otherwise. The record is what mattered, and records compound. The value shows up on a longer timeline than the quarter the report was filed in.

The line was drawn too narrowly

The most credible people in AI just told Congress, in writing, that the banking model works when the stakes are high enough. I agree with them. I have lived inside that model, on the days the examiner was in the conference room and the days the data could not answer the question they were asking.

My only argument with the letter is where it drew the line. The stakes are already high enough across the rest of the surface their technology touches. The synthetic media, the autonomous systems, the algorithmic harm aimed at children. The same logic that justifies mandatory screening and recordkeeping for synthetic DNA justifies it there too. The harm there is already happening, and it is already in the documents. It is just still waiting for someone to write it down.

This is part of an ongoing series on applying proven compliance architecture to technology accountability. The full TASHPA white paper and legislative text are forthcoming.