
Your AI Disclosure Disappeared by Turn Three and Nobody Noticed Until the Regulator Did

Tian Pan
Software Engineer

Your legal team spent four meetings negotiating the exact disclosure sentence. Engineering put it at the top of the system prompt. QA confirmed it appears in turn one of every session. Three months later a regulator forwards a transcript: turn fourteen of a complaint-handling conversation, an hour of substantive guidance about a refund dispute, and nowhere in those fourteen turns does the user see the words "I am an AI." The disclosure your single-turn compliance review approved is structurally incapable of surviving the conversations that need it.

This is disclosure decay, and it is the multi-turn agentic failure mode that the wave of 2025–2026 chatbot regulation was not designed to catch and your QA process is not configured to test for. The EU AI Act's Article 50 obligations become enforceable on August 2, 2026, with fines up to €35 million or 7% of global turnover. California's SB 243 took effect January 1, 2026, with a private right of action that lets consumers sue directly for at least $1,000 per violation. Washington requires recurring disclosures, with hourly cadences for minors. None of these regimes were written assuming the disclosure would silently drop out of a session after the third tool call — but that is what your runtime is doing right now, on every long-running conversation, in production.

The gap is structural, not incidental. The compliance review that approved your prompt looked at a turn-one transcript. The runtime that serves the user runs an agent loop with tool calls, context compression, and conversation summaries. Turn one's disclosure was a single line of visible text. Turns two through thirteen were tool-call rounds where the model produced no user-facing text at all — it was reading email, querying ledgers, calling internal APIs, none of which surface to the user. By turn fourteen, the original system prompt is nine thousand tokens back, the recent conversation has been summarized, and the model is answering from a representation of the session in which "I am an AI" is no longer a present obligation. It is a fact in the past that the summarizer threw away because it did not look like state worth keeping.

The Single-Turn Compliance Review Cannot See the Multi-Turn Failure

Most disclosure compliance was specified, reviewed, and approved against a mental model of a one-shot chatbot interaction. A user types a question, the model answers, the answer either contains the disclosure or it doesn't, ship it. That model is what every regulatory templating tool, every internal QA rubric, every law-firm checklist still implicitly assumes. It works fine when the product is "ask the AI a question and get text back."

The mental model breaks the moment the product becomes an agent. An agent session is not a sequence of question-answer pairs. It is a long-running interaction in which the user types something, the model spends ten or twenty or fifty turns calling tools — none of which produce user-visible output — and eventually emits a paragraph. The compliance artifact that mattered to legal was the user-visible text. The agent loop produces user-visible text only intermittently, and the disclosure obligation that was scoped to "every interaction" was implicitly scoped to "every turn at which the model speaks to the user," which in an agent loop is a small and irregular subset of all turns.

Research on long-context behavior makes the picture worse. A measured study of agentic constraint compliance found instructions followed 73% of the time at turn five and 33% by turn sixteen. That is not a bug in any particular model. It is how attention degrades when the instruction sits at position zero of a context that has grown by a hundredfold since it was issued. Your disclosure is competing for attention with everything that arrived after it, and the math is not on your side.

Why Compression Eats the Disclosure First

The second mechanism is worse, because it is not gradual decay but explicit deletion. Every agent runtime that supports long sessions does some form of context compression — summarizing earlier turns to fit the model's context window or to control cost. The summarizer is a different model run, with its own prompt, optimizing for something like "preserve task-relevant state for downstream turns."

A disclosure is not task-relevant state. From the summarizer's perspective, "the model said 'I am an AI' in turn one" is exactly the kind of conversational pleasantry that gets compressed away in favor of facts about the user's account, the dispute, the tool outputs so far. The summarizer is doing its job. The disclosure is collateral damage of an optimization no one in legal review knew existed.

The same mechanism applies to conversation history truncation. When a long session is resumed, when the user comes back the next morning, when the session moves between devices or surfaces, the runtime stitches a new context together from a stored summary plus the recent turns. The original system prompt is usually re-injected, but the visible disclosure that the user actually read — the artifact regulators care about — was a single line of generated text in a turn that may not be in the new context at all. The compliance footer the user saw at hello does not survive session resumption, because session resumption is a runtime concept and the disclosure was specified as a turn-one obligation.

Disclosure Decay Is a Regulatory Class, Not a Bug

A useful way to think about this is to stop treating disclosure decay as a quality issue and start treating it as a regulatory failure class with its own taxonomy. There are at least five distinct failure modes, each with different triggers and different fixes.

  • Tool-call silence. Turns where the model speaks only to tools, not to the user. The disclosure obligation maps awkwardly here because there is no user-facing output to attach it to.
  • Attention drift. Long sessions where the system-prompt disclosure remains present in context but is no longer being attended to with enough weight to actually shape generation.
  • Summary collapse. Compression steps that drop the disclosure from the model's working representation entirely because no summarizer was told it was load-bearing.
  • Session resumption. Multi-day or multi-device conversations where the runtime re-assembles context without re-surfacing the disclosure the user originally received.
  • Topic crossing. Conversations that start in a non-regulated domain and drift into a regulated one — refund chat that becomes medical advice, scheduling chat that becomes legal-tier guidance — where the disclosure that was sufficient at hello is no longer sufficient for what the conversation has become.

Each of these is a real production pattern, each violates the spirit of every disclosure regime currently on the books, and each is invisible to the compliance review that signed off on the prompt template. Naming them is the first move that turns "we have a disclosure in the system prompt" into something you can actually audit.

Disclosure Recurrence as a First-Class Runtime Concern

The fix is to stop treating disclosure as a property of the prompt and start treating it as a property of the runtime. The prompt cannot enforce its own recurrence. The runtime can.
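One way to make recurrence a runtime property, as an added example (not code from the original post or from any agent framework): every user-visible reply passes through a gate whose state is held outside the model context, so compaction cannot erase it. The class name, event kinds, thresholds and disclosure wording are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

DISCLOSURE = "You are chatting with an AI system."  # placeholder wording, not legal text

@dataclass
class DisclosureGate:
    """Runtime-owned record of what the user was shown; lives outside the model context."""
    max_undisclosed: int = 3       # assumed policy: at most 3 replies in a row without it
    max_age_s: float = 3600.0      # assumed policy: re-disclose after one hour
    undisclosed: int = 0
    last_shown: Optional[float] = None
    forced: bool = False

    def on_resume(self) -> None:
        self.forced = True         # session resumed or moved to another surface

    def emit(self, text: str, now: float) -> str:
        """Wrap every user-visible reply; tool-call turns never pass through here."""
        due = (self.forced or self.last_shown is None
               or self.undisclosed >= self.max_undisclosed
               or now - self.last_shown >= self.max_age_s)
        if due and DISCLOSURE not in text:
            text = f"{DISCLOSURE}\n\n{text}"
        if DISCLOSURE in text:     # also counts a disclosure the model produced itself
            self.undisclosed, self.last_shown, self.forced = 0, now, False
        else:
            self.undisclosed += 1
        return text

def replay(events):
    """Replay (kind, t_seconds, text) events and return the lines the user sees."""
    gate, shown = DisclosureGate(), []
    for kind, t, text in events:
        if kind == "resume":
            gate.on_resume()
        elif kind == "reply":
            shown.append(gate.emit(text, t))
        # "tool" and "compact" events change the model context, not the gate
    return shown

# Constructed session: tool-call silence, a compaction step, a next-day resume.
SESSION = [
    ("reply", 0, "Hi, how can I help?"), ("tool", 5, ""), ("tool", 9, ""),
    ("compact", 20, ""), ("reply", 30, "I found the charge."),
    ("reply", 60, "It posted on the 3rd."), ("reply", 90, "A refund is possible."),
    ("reply", 120, "Shall I file it?"), ("resume", 86400, ""),
    ("reply", 86410, "Welcome back."),
]
```

Replaying `SESSION` puts the disclosure on the first, fifth and sixth visible replies; the compaction step changes nothing because the gate never relied on the context to remember what the user saw.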
