The AI Disclosure Audit: What the NTSB Spectrogram Means for Every CEO With a Public Voice

What the NTSB released, what happened next

On May 19, 2026, the National Transportation Safety Board opened the public docket for its investigation into UPS Flight 2976, the November 4, 2025 cargo crash in Louisville that ultimately killed 15 people according to subsequent reporting (the NTSB investigation page records 14 fatalities at the time of last update, with one ground victim later dying on December 25, 2025). The docket contained the artifacts every investigation produces at this stage: photographs, technical analyses, witness statements, recovered-data summaries. Among them sat two items investigators had treated as the careful version of a hard problem. A written transcript of the cockpit voice recorder. And a PDF showing a spectrogram, a still image representing the audio waveform as colors and shapes across frequency and time. Federal law forbids the NTSB from releasing the actual cockpit audio. The spectrogram and the transcript were the closest the public was supposed to get.

Within roughly 24 hours of the docket release, posts appeared on X, Reddit, and YouTube containing audio clips that approximated the pilots' final voices, including the last thirty seconds of flight. Users had taken the spectrogram image and the written transcript, fed both through publicly available AI tools, and produced a synthesized rendering of what the cockpit might have sounded like. The reconstructions were not perfect. They were close enough that the families could hear approximations of voices belonging to Captain Richard Wartenberg, First Officer Lee Truitt, and Relief Officer Captain Dana Diamond.

On May 20, the YouTuber Scott Manley, who covers aviation and physics under the handle @DJSnM on X, posted a warning that the spectrogram contained reconstructable audio data: "you can probably reconstruct a lot of audio from the megabytes of data encoded in this image." The next day, May 21, the NTSB took its entire public docket system offline. On Friday May 22, the agency restored most of the system but kept 42 investigations closed pending review, including UPS 2976. NTSB Chairwoman Jennifer Homendy issued a statement saying the situation is deeply troubling, that emerging technology can be used to extract cockpit voice recorder audio from visualized data the agency shares to help the public understand accidents, and that the NTSB is urging X, Reddit, and others to take such posts down.

That is the fact pattern. From the news side, this is a horror story about AI doing something disturbing and new. From the operating side, this is a structural moment for every executive whose company is subject to a public-disclosure regime, which includes essentially all of them.

The fact most coverage missed

The technique is not new.

The math that lets you reconstruct an approximation of audio from a spectrogram image was published in April 1984 by Daniel W. Griffin and Jae S. Lim, two researchers at MIT. The paper is called "Signal estimation from modified short-time Fourier transform." It appeared in the IEEE Transactions on Acoustics, Speech, and Signal Processing. The algorithm has been in standard signal-processing textbooks ever since. It ships, today, in standard open-source audio libraries that any developer can install with one command. The Aalto University speech-processing reference includes it as a teaching example. The librosa Python audio library exposes it as a function with a default parameter set.

What changed in May 2026 was not the capability. The capability has been sitting in textbooks since the year the Macintosh launched. What changed was the population of people who could execute the capability. The audience moved from people with signal-processing training to anyone with a chatbot and a few minutes. The algorithm did not become more powerful. The skill floor on the algorithm collapsed.

That distinction is the operating reality for every executive trying to plan against AI. Most AI news arrives framed as a new capability. A high share of it is an old capability with the skill floor removed. The 1984-textbook fact is the durable read on the NTSB story. It also rewires how to read the next twelve months of AI capability headlines. When the headline says AI can now do something, the next question to ask is whether AI invented the capability or whether AI made the capability accessible to a population that previously could not run it. Most of the time, the second answer is the load-bearing one.

The distance that just collapsed

Every public-disclosure regime in the federal government was designed under one assumption. There is a meaningful distance between the data the law permits releasing and the sensitive information underneath. The transcript is not the audio. The spectrogram is not the recording. The redacted PDF is not the unredacted version. The earnings-call slide is not the internal forecast. That distance is what makes lawful disclosure possible. The law sets the line. The structure of the data preserves what sits beyond it.

AI is closing that distance, regime by regime.

The NTSB is one of the clearest recent federal examples, but the structural exposure runs across every other federal public-records system. Public companies, investor-relations sites, and third-party transcript services publish earnings-call audio and transcripts, while some earnings-related materials may also appear in SEC filings, creating hours of training material for any voice replica of any CEO who hosts public calls. The Freedom of Information Act produces redacted documents whose redaction patterns and surrounding context may allow AI tools to infer parts of the underlying text, especially when formats repeat across documents. Some federal court audio files are available through PACER and other court systems when made part of the court record, providing attorney and judge voices that map to named legal proceedings. Deposition transcripts in the public record provide a written counterpart that can be fed alongside any clipped audio. The Federal Energy Regulatory Commission publishes filings that name individual engineers and contain technical detail readable as training input. Congressional hearing audio is publicly archived for every elected representative and every witness. Regulatory comment letters carry signatures and titles attached to specific positions a competitor or adversary may want to clone.

The pattern is the same in each case. The release is lawful. The structure was designed to protect what the law forbids. The structure no longer protects what the law forbids, because AI tools have collapsed the gulf between the released version and the underlying sensitive version. The legal regime defines the line. The technical reality has moved underneath it.

This is the part most coverage of the NTSB story is missing. The story reads as a structural early-warning about every federal disclosure regime and, by direct extension, every corporate disclosure regime that runs on the same logic. Treating it as a one-off horror about a cargo crash misses the load-bearing point.

What this means for your own public footprint

The same logic applies inside the company.

Pick any senior executive at a publicly visible firm. The CEO. The CFO. The general counsel. Now count the hours of their voice that are already publicly available. Earnings calls. Investor day presentations. Podcast appearances. Conference keynotes. Panel interviews. Fireside chats with journalists. Internal town halls that were leaked. YouTube clips from speaking engagements. The cumulative duration is usually measured in hours, often in tens of hours.

The question is no longer whether someone could clone that executive's voice. The capability is publicly available, has been since at least early 2024, and the skill floor has continued to drop. The question is what happens when someone does. A fraudulent voice call to a CFO authorizing a wire transfer. A synthesized voice on social media stating a political position the executive never held. A fake earnings preview circulated to short the stock. A deepfaked apology issued during a real crisis. A clip of the CEO appearing to admit something the CEO never said, dropped into a regulatory complaint.

Some versions of this are already real, especially executive impersonation and payment fraud. The 2024 Arup case, in which a finance worker authorized a $25 million transfer after a deepfaked video call impersonating senior figures, is the named precedent the audit-committee literature points to. The NTSB case adds a new dimension. The public footprint that creates the exposure is the same footprint the company's investor relations team, communications team, and conference circuit deliberately built. The disclosure was always the strategy. The disclosure now also doubles as training data. Treating it as something that needs governance is no longer paranoia. It is fiduciary work.

Boards are beginning to ask. Audit committees should be asking. The leading firms in regulated industries are starting to put a written disclosure-exposure posture on the governance calendar. The trailing firms will be reactive after the first incident. The next twelve months will separate the two groups.

The 30-minute AI disclosure audit

This is the load-bearing section of the article. It is also the part you can run before the next board or audit committee meeting. The first pass takes about thirty minutes. The output is a written one-page artifact the executive sponsor can take to the audit committee, and a quarterly cadence the governance calendar can hold from there forward.

Run the five steps in order. Do not try to optimize the first pass. The point is to surface the exposure, not to design the perfect protection.

The audit produces three artifacts: two inventory tables, a one-page doctrine, and a calendar entry. None of the four requires a vendor, a procurement cycle, or new headcount. All of them are within reach of any general counsel or audit committee chair this week.

Where this sits in The 7 Levels of AI Proficiency

The 7 Levels of AI Proficiency framework reads the NTSB story differently at each level, and that difference is itself the diagnostic. The story is the same. The capacity to act on the story is what changes.

At Level 1 (Cadet, AI Aware), the executive sees the news and stops at concern. Something disturbing happened. AI is moving fast. The conversation at the dinner table is real. The conversation at the next board meeting will probably mention it. There is no further move.

At Level 3 (Lieutenant, Critical Thinker), the executive starts asking the rereading question. If a federal agency designed to protect this kind of information just got caught by AI accessibility on a 42-year-old algorithm, what else does the company's own disclosure surface look like under the same lens? Where else has the law's assumption about the distance between public and private just stopped being true? The Level 3 move is the act of asking. It does not require building the audit. It requires reading the news as a structural signal about the company's own posture, not as a story about somebody else's failure.

At Level 5 (Captain, Design Thinker), the executive builds the audit. The five-step exercise above is a Level 5 artifact. It requires designing a process the company did not have, with named owners, structured outputs, and a quarterly cadence. It is the move from asking the question to producing the institutional answer.

At Level 7 (Mission Director, AI Orchestrator), the executive operationalizes the doctrine across the company as continuous practice. The disclosure-exposure posture becomes part of how investor relations decides what to release, how legal advises on public testimony, how communications prepares the CEO for podcast appearances, and how the audit committee tracks structural risk. The doctrine stops being a document on a quarterly calendar and starts being a discipline embedded in the operating cadence.

The framework does not say every executive needs to operate at Level 7. It says the level is a measurable property of how the executive reads the story and what the executive does next. If you are reading this article and recognizing the question for the first time, you are at Level 1 on this surface. The move to Level 3 is asking the rereading question across your own organization's disclosure surface this week. That move is available to anyone reading. It does not require approval, budget, or a vendor.

The regulatory catch-up

The legal regime is behind the technical capability. That is the durable pattern across AI policy in 2026, and the NTSB case sits inside it.

The NO FAKES Act, introduced in the 119th Congress as H.R. 2794, would create a federal cause of action for unauthorized AI-generated voice and likeness replicas. The bill includes post-mortem rights and a registration-based structure that can extend protection, subject to limits and named exceptions for documentary, news, and parody use. Specific durations and triggers are set in the bill text and subject to legislative change. As of May 24, 2026, the bill is introduced, not enacted. A Senate companion is in the legislative process. The legislative timeline is uncertain.

State-level work has moved faster on specific surfaces. Tennessee's ELVIS Act provides voice-replica protections under state law. Other states have introduced or enacted variants of digital-replica legislation, particularly around political deepfakes and likeness rights for entertainers. The state patchwork is inconsistent, which is the normal pattern at this stage of a federal-state cycle on a new technology surface.

For an executive trying to read the regulatory direction, the most useful posture is to treat the NO FAKES Act as the direction federal policy is moving, build internal company doctrine that anticipates it, and watch the regulatory tracker for status changes. The AI Law Tracker at ailawtracker.org is the source LaunchReady maintains for this surface. It carries bill-by-bill status across all 50 states and federal action. The point of tracking is not to wait for a law to pass before acting. The point is to act before the law passes, with the law as a signal about where the structural risk is moving.

What changes from here

The NTSB just provided the most extreme primary-source proof yet that a 42-year-old assumption about public-records design no longer holds. The agency was lawful, careful, and explicitly avoided the part the law forbids. AI tools made the careful version equivalent to the forbidden one inside 24 hours. Every other federal disclosure regime is exposed to the same dynamic. Every corporate disclosure regime that runs on the same logic is exposed to the same dynamic. The exposure is structural, not incidental.

The audit takes thirty minutes. The output is a one-page doctrine and a calendar entry. The board conversation goes from theoretical to specific. The company moves from Level 1 reading-the-news to Level 3 asking-the-question to Level 5 building-the-audit. Run it this week.

Related reading: Performative AI Governance: 6 Tests From the New CARMA Paper and The 7 Domains of AI Governance: A Framework for Mid-Market Leaders and Career-Altering: What the Alabama AI Sanctions Order Means for Every Profession.

Sources

1. National Transportation Safety Board. Investigation page DCA26MA024 (UPS Airlines Flight 2976).
2. TechCrunch. "AI is being used to resurrect the voices of dead pilots." May 22, 2026.
3. CNN. "A PDF let the internet hear the final words in the cockpit of a UPS plane as it crashed. The NTSB now wants it taken down." May 22, 2026.
4. The Register. "Feds unwittingly leak pilots' pre-crash conversation." May 23, 2026. Contains the Jennifer Homendy "deeply troubling" statement.
5. FlyingMag. "NTSB: UPS Cockpit Voice Recordings Fabricated With AI." Contains NTSB official statement on the docket pulldown.
6. Scott Manley (@DJSnM). X post warning that the spectrogram contained reconstructable audio data. May 20, 2026.
7. Aalto University. Speech-processing reference. Griffin-Lim algorithm explainer.
8. librosa documentation. Griffin-Lim function reference. Standard Python audio library.
9. U.S. Congress. NO FAKES Act of 2025, H.R. 2794, 119th Congress. Bill text.
10. UPS Airlines Flight 2976. Crash background, casualty count, crew identification.
11. AI Law Tracker. Bill-by-bill status of state and federal AI legislation, including digital-replica and post-mortem voice and likeness provisions.
12. The 7 Levels of AI Proficiency framework. LaunchReady.ai.

Harrison Painter

AI Business Strategist. Founder, LaunchReady.ai and AI Law Tracker.

Harrison helps teams build AI systems that cut cost and grow revenue. Nearly 20 years of business experience. 2.8M YouTube views. Founder of LaunchReady.ai and The 7 Levels of AI Proficiency framework.

Connect on LinkedIn