Governance that cannot be verified is the supervisory perimeter.
DORA Article 28 and EU AI Act Article 14 establish parallel demands. Both require institutions to verify the governance posture of the AI systems they deploy or depend on. Both are necessary for a supervisory standard that does not collapse into trust. The Meridian substrate measures, across 95,876 AI agents at 543 regulated financial institutions, the share of governance evidence that is externally unobservable for each regulatory dimension. The pattern is sharp. Third-party ICT risk under DORA Article 28 cannot be externally verified for 53.3 percent of agents because the vendor relationship is not disclosed. ICT business continuity under DORA Article 11 is unobservable on halt mechanisms for 46.2 percent. Human oversight under EU AI Act Article 14 is unobservable for 9.1 percent. The substrate distinguishes "not detected" from "not present" through the four-state evidence taxonomy. Supervisors require both distinctions; neither is currently produced by self-reporting alone.
Each bar measures the share of 95,876 agents in the v13.1.0 sealed substrate where the named regulatory evidence is unobservable from public sources. Unobservability includes both the absence of evidence and the absence of state-knowledge under the four-state taxonomy. The two states are operationally distinct: the substrate distinguishes between "the institution discloses no halt mechanism" and "we cannot verify whether the institution has a halt mechanism." For supervisory purposes both states are non-compliant under a verifiability standard, but only the second is correctable through institutional disclosure. The narrowest dimensions, GDPR Article 22 data sensitivity and DORA Article 5 ICT-relevance designation, are below 5 percent unobservable across the population.