RSL protocol's machine-readable licensing offers more control for AI data, but security and compliance challenges should cause CIOs to take a cautious approach before adopting.
AI needs training data to work but getting access to data has been a chaotic process that creates digital asset governance challenges as AI companies scrape web content without permission or compensation.
Publishers have been stuck with a binary choice: block AI crawlers entirely or let them take everything for free.
The new real simple licensing (RSL) protocol has emerged as one potential solution to the challenge. Launched in September 2025, RSL was created by RSS co-creator Eckart Walther and backed by major publishers like Reddit, Yahoo, Medium and Quora.
RSL introduces a simple licensing agreement framework for AI content, providing machine-readable terms that tell AI companies exactly how they can use content and what they must pay.
Understanding the real simple licensing protocol
At its core, RSL is an XML-based open standard enabling machine-readable licensing and automated compensation for AI training data. The protocol addresses concerns that extend beyond individual publishers. As content licensing becomes a critical component of the software supply chain for AI systems, RSL offers a standardized approach to manage these dependencies at scale.
What RSL actually does
The challenge of limiting access to web resources is one that early web standards aimed to solve with the robots.txt file. That file provides instructions to web crawlers about what search engines can or should not index. RSL extends the robots.txt file to include licensing and compensation terms for the AI era.
Instead of just blocking or allowing bots, publishers can now specify multiple options:
Use their content for free with attribution.
Pay per crawl.
Pay per inference.
Require a subscription.
Contact them for custom licensing.
Chengyu (Cay) Zhang, founding software engineer at Redcar, frames this as automated compliance at scale. Zhang noted that RSL transforms the chaotic scraping landscape into a structured marketplace where software negotiates rights instantly.
Publishers add a license directive to their robots.txt file pointing to an XML license file. The protocol's API interoperability enables automated license verification and rights negotiation between systems. Behind this sits the RSL Collective, a nonprofit modeled after ASCAP music license, that handles negotiations and royalty collection.
Why it matters now
Three pressures have converged to make the status quo untenable, including the following:
AI training without compensation. Companies scraping billions of pages without paying publishers.
Destruction of ad revenue.AI chatbots answering questions directly, eliminating visits to publisher sites.
No enforcement mechanism. Robots.txt operates purely on the honor system.
For Chirag Mehta, vice president and principal analyst at Constellation Research, RSL matters because of its opportunity to create operational clarity.
"Instead of bespoke negotiations and one-off contractual controls, enterprises can publish consistent licensing rules across all their digital properties," Mehta said. "If widely adopted, RSL could reduce friction in AI data sourcing and give organizations more leverage and transparency in how their content is used."
The potential is also that RSL could help with the business model challenges that AI has introduced for publishers.
There are broader implications, according to Brian Jackson, principal research director at Info-Tech Research Group. If AI companies respect the standard, it could solve the business model problem publishers are facing. Publishers lose ad revenue but gain a new revenue stream from AI firms.
"We've seen different efforts to address the technological power imbalance between creators and AI developers, such as Glaze and NightShade out of the University of Chicago, which artists can use to protect individual pieces of content they upload to the web," Jackson said. "But RSL promises a comprehensive model for addressing the AI crawling problem."
Compliance and legal exposure
While RSL promises to simplify licensing, it simultaneously introduces new forms of exposure that CIOs must understand.
For example, RSL can improve auditability. When licensing terms are explicit, structured and timestamped in machine-readable format, verification becomes straightforward.
"RSL makes audits cleaner, there's no question about that," said Manuj Aggarwal, founder and CIO at TetraNoodle Technologies. "When you have a single source of truth, the back-and-forth disappears."
But transparency cuts both ways. Mehta warned that "misconfigurations become highly visible" under RSL. An overly permissive RSL file can unintentionally authorize broad AI usage and that the protocol makes that mistake simple to detect during audits.
RSL makes audits cleaner, there's no question about that. When you have a single source of truth, the back-and-forth disappears.
Manuj AggarwalFounder and CIO, TetraNoodle Technologies
This visibility demands operational discipline, Aggarwal said.
"When everything is visible, everything is exposed," he said. "[A single] misplaced token, one careless log entry and suddenly you reveal license counts, entitlement scopes and even usage patterns."
Organizations must treat these artifacts like passwords, not paperwork, he said.
The legal reality check
RSL as it currently exists also has a fundamental challenge: no legal enforcement mechanism. There's currently no law requiring AI companies to respect RSL terms.
Jackson explained that while RSL provides a compelling path to collaboration, it has "no real teeth behind it."
The law will still need to catch up and realize we're in a copyright era where AI can copy things at scale, he said.
But there's potential for cooperation, despite these challenges, according to Jackson . There's significant incentive for both stakeholders to find a path that provides AI companies with what they need while publishers get paid.
The players behind RSL are putting together a consortium that will share legal costs and try to enforce the standard, creating pressure for AI companies to participate rather than face coordinated litigation, he said.
The standardization problem
Aggarwal noted that the protocol doesn't define how encryption should work, how keys should be rotated or how much metadata is safe to expose. When specifications leave security details to individual implementers, inconsistency is inevitable.
Before trusting RSL with high-value proprietary content, several key areas need standardization:
Key lifecycle management. In enterprise environments, custom cryptography often leads to failure, so a strict standard is needed for how often keys are rotated and revoked.
Mandated cipher suites. RSL allows operators to choose their own encryption algorithms, inviting weak implementations. Trusting RSL with intellectual property requires a mandate for industry-standard suites like AES-256-GCM.
Token binding and replay protection. Without strict mutual TLS or sender-constrained tokens, a stolen RSL token could be replayed by a malicious actor to scrape content they didn't pay for.
The visibility gap
RSL faces another fundamental limitation: audit logs prove access but not usage. This is a double-edged sword, Zhang said, as RSL can prove an AI company downloaded your data, but it cannot prove how they used it. You might have a perfect log of downloads but zero visibility into the model itself, creating a dangerous gap where you have compliance on paper but unverifiable usage in reality.
Weighing benefits and barriers
For CIOs weighing RSL adoption, the decision requires balancing efficiency benefits against implementation realities.
On the plus side, RSL promises new revenue opportunities as AI companies increasingly need licensed training data and early adopters may gain competitive advantages in emerging AI content markets. Organizations with substantial digital content portfolios stand to benefit most from standardized licensing terms that they can apply consistently across all assets.
However, adoption barriers remain. There's no guarantee that AI companies will participate without legal mandates. Implementation complexity spans legal, security, content and IT operations. Security immaturity creates risk for valuable content and revenue models with pricing structures are still evolving.
How to pilot RSL safely
Experts unanimously recommend treating RSL as a controlled experiment rather than an immediate enterprise-wide deployment. Here's the approach:
Start small with low-risk projects. Guidance for clients is consistent: don't start with the mission-critical system, according to Aggarwal. Start with something small and low-risk to let your team build familiarity.
Limit Initial pilots. These should include public or non-sensitive datasets, route RSL changes through normal code review and security controls and involve legal and governance teams early Mehta said.
Audit before you license. A critical first step is to run an audit to see what part of your proprietary data is currently exposed to the public web before touching RSL, Zhang said. You cannot license what you do not know is leaking.
Enforce at the infrastructure layer. Don't rely on RSL tags alone. Zhang advises piloting RSL only if you can pair it with a content delivery network like Fastly or Cloudflare that supports active enforcement, meaning the CDN strictly blocks requests that lack a valid RSL token. RSL without a CDN gatekeeper is just a suggestion rather than a control.
Begin with low-value content. Pilot the protocol on marketing materials or public blogs first. Don't attempt to use RSL to gate high-value IP like technical documentation or codebases until you have stress-tested the key management and revocation workflows.
Treat RSL artifacts as credentials. Security discipline is critical and a safe pilot is about choosing the right entry point and building the right habits, Aggarwal said. Once those pieces are in place, RSL becomes an asset that gives CIOs predictability in a world that keeps shifting under their feet.
Measure and assess. Organizations should implement RSL in a single well-defined content segment to evaluate traffic pattern changes and potential revenue while AI providers begin to recognize and respect the protocol, according to Jackson. Define clear criteria for expanding or halting the pilot based on actual results.
Secure legal and governance alignment. CIOs should include their legal teams early to assess if participation in a legal enforcement consortium is appropriate so that organizations remain compliant and can demonstrate the intention to protect digital rights.
Consider integration. Organizations adopting RSL must consider how it integrates with existing licensing systems and software licensing management frameworks. The protocol introduces a new category of license compliance focused on data assets rather than software licenses, requiring potential expansion of IT governance processes and tools.
While the RSL protocol promises to simplify and standardize license management across ecosystems, CIOs must approach adoption strategically, balancing efficiency, compliance and security to ensure RSL becomes an enabler rather than a liability.
Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He has pulled Token Ring, configured NetWare and been known to compile his own Linux kernel. He consults with industry and media organizations on technology issues.
