There is a specific horror in being handed a blank page when the building is already on fire. CISA, the US cybersecurity agency, admitted it had to construct its incident response playbook in real time during a live breach. This is the institutional equivalent of reading the fire safety instructions while the sprinklers are going. But the confession lands differently when you notice how many institutions are quietly doing the same thing.
From Cyberattacks to AI Rollbacks: Improvised Governance Is Everywhere
The same week CISA came clean about its extemporaneous rulebook, Meta pulled a controversial AI feature from Instagram after public backlash, citing intent to provide a useful creative tool while offering no pre-existing framework for how it evaluated harm before launch. The feature lived, caused damage, and died. The policy arrived post-mortem. This is governance-as-retrospective, and it is now the dominant mode. Tech companies ship, watch what catches fire, and then write the rules. Government agencies, apparently, do the same. A 2026 arXiv paper by Williams, Zannone, and Mateen calls this the alignment plausibility gap: LLMs and agentic systems operating in high-stakes domains without reliable pre-deployment standards. The authors propose a new benchmark called alignment plausibility, arguing that plausibility of safe behavior is not the same as assurance of it. CISA would understand the distinction intimately.
Phia, Cookie Stuffing, and the Ethics of Invented Rules
The improvised-rulebook problem is not only a government or AI-giant issue. Phia, the shopping startup co-founded by Phoebe Gates, stands accused of cookie stuffing, a practice of silently claiming affiliate credit for purchases it had no role in generating. Cookie stuffing is technically prohibited by most affiliate networks, but enforcement is patchy and the incentives to exploit grey areas are enormous. The alleged misconduct persists precisely because the ambient rulebook is vague and the playbook was never written in advance. What connects CISA's cybercrisis, Meta's AI rollout, and Phia's affiliate scheme is the same structural failure: institutions operating at speed, in complex technical terrain, with governance that lags the action. Kyle Raymond Fitzpatrick's framework of enshittification applies here with precision. The rules get written when the reputational damage is already done, and the next cycle begins before anyone has read them.