Arc 3 — Policy and Regulation

What does regulatory reform for AI-era travel actually look like?

Tom Sato, Founding Maintainer, Activity Travel Protocol

The gap is live, not theoretical

AI agents are already making binding commercial commitments in multi-party, multi-jurisdiction travel arrangements. Not in the future. Now. They are assembling itineraries across four, five, six suppliers in real time. They are confirming bookings on behalf of travellers without a human reviewing each one. They are managing disruptions, re-routing guests, and making welfare-affecting decisions at a level of speed and autonomy that no existing regulatory framework was designed to handle.

In the previous post, we described two dimensions of the gap. The structural gap: no existing regulatory framework maps cleanly to the AI-era booking chain, where no single entity is the organiser and accountability is distributed across suppliers, protocol operators, and AI agents. And the catastrophic gap: no travel regulation in any jurisdiction provides a framework for government-industry coordination when the disruption is at the scale of the Dubai stranding or the Tohoku earthquake.

Regulators are aware the problem exists. The EU AI Act addresses some AI transparency requirements. Japan's Cabinet Office has published AI governance guidelines. Singapore's IMDA has produced the most developed agentic AI governance framework yet seen in any jurisdiction. But none of this is travel-specific. The gap between where AI travel is and where regulation is has been widening for two years.

What a systematic review across five jurisdictions found

A systematic review of regulation across the EU, United States, Japan, United Kingdom, and Singapore produced a consistent picture. Zero CONFLICT findings were identified across fifty total findings: the Activity Travel Protocol does not contradict any existing regulation. The gaps are structural — frameworks that predate AI-native booking and have not yet been updated to address it.

Diagram — Key reform-relevant findings by jurisdiction
| Jurisdiction | Key gap | Reform direction | Protocol relevance |
| --- | --- | --- | --- |
| EU | Organiser liability in AI-assembled packages | Clarify who holds organiser status in a multi-agent booking chain | Booking Object controller as organiser of record |
| EU | AI Act — high-risk classification boundary | Guidance on whether protocol-conformant agents trigger Annex III | HEM and Synchronisation Points as Article 14 compliance evidence |
| US | No federal AI transparency standard | Federal baseline for AI booking agent disclosure and human oversight | HEM and pre-use notice as reference implementation |
| US | DOT refund rule — AI merchant of record | Guidance on automatic refund trigger in AI booking chains | Booking Object CANCELLATION / SUPPLIER_FAILURE states as trigger standard |
| Japan | Travel Agency Act — AI controller licensing | Interpretive guidance on whether Booking Object controller requires registration | Party-role model as basis for new licensing sub-category |
| UK | PTR reform — organiser attribution | Submission to UK PTR consultation on AI-assembled package organiser designation | Booking Object model as reference framework for digital package construction |
| Singapore | Travel Agents Act — Booking Object controller | STB practice circular on AI booking platform provider licensing | Protocol party roles as compliance framework for platform providers |

Zero CONFLICT findings across 50 findings across all five jurisdictions. The protocol does not contradict existing regulation — it fills the gaps it leaves.

Three patterns emerge across all five jurisdictions. First, the organiser liability problem is universal: every package travel framework assigns liability to a single organiser, and in an AI-assembled booking, that identity is unclear. Second, there is no standard for machine-readable Duty of Care records: the accountability exists in principle, but the infrastructure to make it visible does not. Third, cross-border incident coordination is an institutional gap, not just a regulatory gap.

The key insight

The question is not whether AI agents should be regulated. They will be. The question is whether the regulatory framework is built around the accountability infrastructure the industry actually implements — or around the catalogue era the industry is leaving behind.

Three architectural elements of the Activity Travel Protocol are directly relevant to reformers. The Booking Object is a machine-readable, append-only audit trail of every state transition in a booking — organiser identity, every Duty of Care transfer, every supplier handoff — from initial request to safe return home. The Human Escalation Manager architecture ensures that a qualified human is in the loop at every decision point with significant welfare consequences. The TRAVELER_UNREACHABLE chains and BOOKING_SUSPENDED state handle every known scenario of loss of traveller contact — and in a mass disruption event, become the data infrastructure that tells an emergency authority exactly which travellers are affected, who holds Duty of Care over them, and which are uncontactable.

Three concrete reform directions

Diagram — Three reform directions and what the protocol provides
| Direction | What it requires | What the protocol provides |
| --- | --- | --- |
| 1. Recognise the protocol-participant role | Regulators create a streamlined compliance pathway for operators who implement a conformant Travel Operating System — analogous to ICAO conformance in aviation. | Capability Declarations, Pre-Arrangement Declarations, and the Booking Object audit trail constitute a machine-verifiable conformance record. The protocol provides conformance testing, not operator certification. |
| 2. Mandate machine-readable Duty of Care records | Regulated bookings must maintain a machine-readable record of who holds Duty of Care at each handoff point, accessible to enforcement authorities on request. | The Booking Object records every Duty of Care transfer from booking confirmation to safe return. The HEM architecture ensures a qualified human is in the loop at welfare-consequential decision points. |
| 3. Establish cross-border authority coordination for AI-mediated incidents | A government-led framework enabling cross-border coordination when AI-mediated bookings produce incidents crossing jurisdiction lines — disruptions, Duty of Care failures, traveller welfare emergencies. | The TRAVELER_UNREACHABLE chains and BOOKING_SUSPENDED state provide the data infrastructure governments need to locate and account for affected travellers. The Booking Object is the shared record across jurisdictions. |

Direction 1 — recognising the protocol-participant role — is the highest-leverage action available to regulators right now. It does not require new legislation. It requires a signal: operators who implement a conformant Travel Operating System receive a streamlined compliance pathway. The ICAO/IATA model demonstrates how this works in practice. Travel has never had that signal for multi-supplier experiences. Regulators can provide it without waiting for primary legislation.

Direction 2 — mandating machine-readable Duty of Care records — is the single amendment that would do the most to modernise package travel frameworks in every jurisdiction simultaneously. The Booking Object is the mechanism. A requirement that AI-mediated bookings maintain an auditable Booking Object would close the accountability gap at the source.

Direction 3 — cross-border incident coordination — cannot be delivered by any single jurisdiction alone. It requires a multilateral initiative: a shared protocol for how national authorities coordinate when an AI booking incident crosses jurisdiction lines. Industry cannot build this. Governments must. But they need the industry to have built the data infrastructure first. That infrastructure exists.

The Activity Travel Protocol is not asking regulators to trust AI booking systems. It is asking regulators to build the accountability framework around infrastructure that already exists — and that was designed, from the ground up, to make AI booking visible, auditable, and safe.