AI governance frameworks, the EU AI Act, NIST AI RMF, CISA AIBOM guidance, share a silent assumption: that AI models and datasets can be stably identified. That assumption is false. No standard for AI artifact identification exists. Without it, compliance attestations are unverifiable, SBOMs cannot be matched to deployed artifacts, and policy enforcement is theater. The governance stack is fragile by construction.