Explain that `outputValidation` requires governance

The specification should explain that recognizers need to validate all fields that they are issuing claims for. For example, if an institution is providing a JSON Schema for validation, the recognizer needs to vet that schema to make sure what it allows is aligned with what the recognizer thinks the institution is issuing.