This week, the EU AI Act moved from policy into operational guidance, with the European Commission publishing GPAI provider FAQs, a final General-Purpose AI Code of Practice, and consultation material on prohibitions, transparency, and system scope. In the US, HHS advanced HIPAA Security Rule reform and FDA kept pressure on AI-enabled medical devices, while the FTC continued aggressive enforcement on deceptive AI claims, companion chatbots, and safety or accessibility marketing. Europe’s privacy regulators also tightened the screws: the EDPB adopted new scientific-research guidance, CNIL clarified when AI models fall under GDPR, and the Irish DPC and ICO kept active investigations into Grok. Separately, ISO/IEC 42001 and ISO/IEC 42005 are now clearly part of the baseline control stack for AI governance, certification, and impact assessments.
EU AI Act
Commission finalizes GPAI code of practice
The European Commission published the final General-Purpose AI Code of Practice and related FAQs, giving GPAI providers a practical route to operationalize transparency, copyright, and systemic-risk obligations. The Commission also opened consultation on prohibitions and the AI system definition, showing scope questions are still being refined.
Why it matters: GPAI developers now need evidence-ready controls, not just policy statements, for model documentation, copyright handling, and risk management. If your AI taxonomy or release process is EU-facing, these materials should be mapped into current governance immediately.
AI Act phased obligations now clearly active
The Commission’s AI Act FAQ confirms the Act entered into force on 2024-08-01 and is being applied in phases. The AI Office guidance for GPAI providers reinforces that documentation and oversight expectations are live implementation work, not future planning.
Why it matters: Compliance teams should separate immediate obligations, especially for GPAI and transparency duties, from later-phase requirements and assign owners now. This reduces the risk of building controls too late or in the wrong order.
Transparent AI and labeling rules take shape
The Commission continued guidance work on transparent AI systems and on marking and labeling AI-generated content. These efforts are aimed at making Article 50 transparency duties operational, especially for content-generation and consumer-facing workflows.
Why it matters: Teams that generate, edit, or distribute synthetic content should expect labeling, disclosure, and traceability to become standard compliance expectations. Product and communications functions need to align now so disclosures are not bolted on later.
GDPR / Data Protection Enforcement
EDPB sharpens research and anonymisation guidance
On 2026-04-16, the EDPB adopted new guidance on processing personal data for scientific research purposes and accelerated finalisation of anonymisation guidance. This makes research exemptions and anonymized datasets more closely scrutinized under GDPR.
Why it matters: Organizations using personal data for model development, analytics, or research should revisit lawful basis, purpose limitation, and safeguards before relying on research carve-outs. Anonymisation assumptions now need fresh documentation, not legacy sign-off.
CNIL tightens AI model GDPR scoping
CNIL’s January 2026 guidance says AI models can fall within GDPR scope when they store personal data from training or enable reasonably likely extraction. CNIL also finalized recommendations on AI system development and emphasized balancing tests for legitimate interests.
Why it matters: Model teams in France need to document whether the model itself contains personal data, not just whether training data once did. If you rely on Article 6(1)(f), the balancing test and mitigation record become essential audit evidence.
Irish DPC escalates Grok training scrutiny
The Irish DPC opened and continued inquiries into X’s use of public posts to train Grok, and separately into intimate-image processing linked to the system. These actions put lawfulness, transparency, DPIAs, and by-design safeguards under active supervisory review.
Why it matters: Any AI training program using EU or EEA personal data should assume that public content is not automatically low risk. Teams need defensible lawful basis, notice, opt-out handling, and high-risk DPIAs before training begins.
ICO makes AI guidance an audit baseline
The ICO stated that its AI guidance will inform audit functions and enforcement activity, and separately confirmed that its AI risk toolkit and rights guidance are under review after the UK Data (Use and Access) Act. The ICO also opened formal investigations into Grok processing.
Why it matters: UK teams should treat current AI guidance as supervisory baseline material, not optional reading. Documentation for lawful basis, transparency, rights handling, and investigation readiness should be current now because the guidance itself may shift soon.
Swiss FDPIC confirms AI data rules apply now
The FDPIC reiterated that Swiss data protection law applies directly to AI-supported processing and published AI and data protection guidance with concrete expectations on transparency, DPIAs, and automated decisions. It also flagged high-risk uses such as real-time facial recognition and social scoring as especially sensitive.
Why it matters: Swiss organizations cannot treat AI as outside the nFADP perimeter or defer privacy work until launch. Teams should build rights handling, human review, and DPIA logic into AI design and deployment workflows now.
US Federal & State Regulation
HHS moves toward tougher HIPAA cybersecurity
HHS advanced a HIPAA Security Rule NPRM to strengthen cybersecurity for ePHI, alongside related AI and health-data initiatives and an AI-focused RFI. HHS also continued to emphasize risk analysis, health-data sharing guidance, and current Security Rule controls for AI systems handling ePHI.
Why it matters: Health AI programs should expect more prescriptive security, documentation, and incident-response expectations if the proposal advances. Covered entities and vendors need to reassess AI data flows, vendor dependencies, and risk-analysis evidence now.
FDA keeps pressure on AI medical device lifecycle controls
FDA’s draft guidance for AI-enabled medical devices and its guidance on predetermined change control plans both reinforce lifecycle management, transparency, bias, documentation, and postmarket monitoring expectations. The agency is making clear that adaptive model updates need defined, pre-authorized governance.
Why it matters: Manufacturers should build change-control, validation, and monitoring evidence into the device program before submission or commercialization. If model updates are handled ad hoc, the product will be misaligned with FDA review expectations.
FTC expands AI claims and safety enforcement
The FTC continued enforcement against deceptive AI claims, including Workado, IntelliVision, DoNotPay, accessiBe, Evolv, and AI accessibility marketing matters. It also opened an inquiry into AI companion chatbots and authorized compulsory process for AI-related investigations.
Why it matters: Marketing, product, and legal teams need substantiation for accuracy, accessibility, capability, and safety claims before launch. The FTC is clearly treating AI-washing, weak consumer protection controls, and inadequate youth-safety measures as live enforcement issues.
Colorado remains active AI governance baseline
Colorado continues to stand out as an enacted state AI governance regime, according to the state tracker. The source highlights ongoing obligations around high-risk AI inventories, impact assessments, and consumer-facing disclosures.
Why it matters: Multi-state organizations need Colorado-specific controls in place even if federal AI law remains unsettled. The practical burden is maintaining current system inventories, assessments, and notices that can be reused across jurisdictions.
Illinois and California bills stay on watchlist
Illinois HB4980 on human control of AI and several California bills on workplace AI, labor-force impact reporting, social media AI, and health care AI all remained in legislative motion. None are enacted yet, but several have advanced far enough to merit active tracking.
Why it matters: Employers and platform operators should map where AI is already used in hiring, scheduling, evaluation, and workforce analytics so they can respond quickly if human-control or reporting duties are added. Health and consumer-facing teams should do the same for disclosure and oversight obligations.
ISO Standards
ISO/IEC 42001 becomes the AI governance baseline
ISO/IEC 42001 remains the core AI management system standard, and the update notes a maturing certification ecosystem with active audit and certification-body requirements. Related materials, including implementation guidance work and conformity-assessment drafts, show the standard’s control model is expanding in practice.
Why it matters: Organizations pursuing AI assurance or certification should treat AIMS evidence, governance roles, and continual improvement records as operational necessities. If you already run ISO 27001 or SOC 2 programs, 42001 now needs to be integrated rather than treated as a separate side project.
ISO impact assessment standard lands
ISO/IEC 42005:2025 is now published and provides a formal AI system impact assessment reference. It is designed to fit into AI intake, approval, vendor review, and change-management workflows.
Why it matters: This gives compliance teams a concrete structure for documenting harms, mitigations, residual risk, and affected stakeholders. It is especially useful where organizations need consistent evidence across privacy, security, and AI governance reviews.
New AI certification and audit rules emerge
ISO/IEC 42006:2025 has been published for AIMS audit and certification bodies, and ISO’s draft conformity-assessment work on AI systems continues to advance. Together, these changes indicate that certification practices are becoming more standardized and more demanding.
Why it matters: If you rely on ISO/IEC 42001 certification or market assurance claims, your certification body’s methodology and accreditation status now matter more. Procurement and supplier questionnaires should be updated to reflect the evolving certification landscape.
NIST updates AI RMF and GenAI profile
NIST’s AI RMF hub now points to a revised playbook path, the Generative AI Profile, and a concept note for a critical-infrastructure profile. NIST also published an adversarial machine learning report and launched ARIA to improve testing and evaluation methods.
Why it matters: Teams using the AI RMF should refresh implementation assumptions instead of freezing on the original 1.0 publication. The newer profile and threat guidance make GenAI, adversarial testing, and critical-infrastructure readiness more concrete for risk programs.
Other jurisdictions / frameworks
Singapore updates agentic AI governance
Singapore’s IMDA released a new Model AI Governance Framework for Agentic AI, extending practical guidance to autonomous systems. PDPC also kept advisory guidance active for personal data used in AI recommendation and decision systems.
Why it matters: Agentic systems need stronger accountability, supervision, and escalation controls than conventional AI use cases. If you operate in Singapore, governance documents, DPIA-style reviews, and vendor oversight should be updated to reflect the new expectations.
Australia tightens AI child-safety expectations
Australia’s eSafety updates say mandatory codes commenced on 9 March 2026 and that AI companion and generative AI services must take meaningful steps to protect children. The guidance focuses on access controls for harmful material such as sexualised content, self-harm, suicide, and violence.
Why it matters: Providers serving Australia need age-assurance and content-safety controls that are actually enforceable, not just policy statements. If minors can access the product, child-safety compliance should be part of product design and moderation now.
Basel and prudential watchers flag AI risk
FINMA’s AI supervisory guidance highlights operational, model, data, cyber, third-party, legal, and reputational risks for Swiss financial institutions. Separately, the ESAs’ spring risk update points to geopolitics and private-finance pressures as active supervisory concerns.
Why it matters: Financial institutions should fold AI into enterprise risk, board reporting, and operational resilience reviews rather than treating it as an isolated technology issue. Vendor risk, incident readiness, and stress scenarios now need to reflect the combined AI and macro-risk environment.
Canada’s federal AI bill remains live
Canada’s Bill C-27 continues as the core federal AI legislative vehicle, with AIDA’s high-impact system, harm-mitigation, and reporting concepts still central to the bill. The source does not show final enactment, but it confirms the direction of travel for federal AI law.
Why it matters: Organizations with Canada exposure should keep an inventory of high-impact AI systems and the controls needed for future harm-mitigation and reporting duties. This is a good time to align governance with likely federal expectations before the bill moves further.
On Our Radar
GPAI compliance becomes operational: The EU AI Act’s GPAI regime is moving from concept to evidence-backed implementation. Providers should expect documentation, copyright, transparency, and systemic-risk proof to be requested rather than merely described.
AI claims under enforcement microscope: The FTC’s enforcement line on AI-washing, accessibility promises, detection claims, and companion chatbot safety is broadening. Marketing substantiation and product-governance records are becoming first-order compliance artifacts.
Privacy regulators target model scoping: CNIL, the Irish DPC, the ICO, and the FDPIC are all sharpening how AI models fit within data protection law. Model memorization, training-data lawful basis, and rights handling are now central scoping questions.
Impact assessments are standardizing: ISO/IEC 42005 and related AI management-system work suggest formal AI impact assessments will become more structured across audits, certification, and procurement. Teams should expect more demand for repeatable, documentable assessment output.