This week the clearest signals came from the US and the EU. In the US, the SEC and FTC both doubled down on AI-related enforcement, while FDA opened a request for information on AI in early-phase clinical trials. In the EU, the European Commission published the General-Purpose AI Code of Practice, which is now the most concrete readiness benchmark for AI Act implementation. UK and Swiss regulators also kept pressure on AI governance through live guidance from the ICO and FINMA.
EU AI Act
EU publishes GPAI Code of Practice
The European Commission made the General-Purpose AI Code of Practice available for voluntary signatories. It is intended to support readiness for upcoming AI Act obligations, especially around transparency, risk management, and compliance documentation for GPAI providers.
Why it matters: Teams running GPAI models should treat this as the current implementation benchmark, not a soft suggestion. It gives compliance, legal, and engineering teams a concrete structure to map current controls and identify gaps before AI Act obligations harden.
Consultation record shapes GPAI expectations
The EU AI Office’s consultation on trustworthy general-purpose AI has closed, but its outcomes continue to inform the Code of Practice and training-data-summary guidance. The consultation record remains relevant because it helped shape the implementation architecture now being used under the AI Act.
Why it matters: If your organization participated or reviewed the consultation, that material may now help demonstrate how you approached transparency and governance expectations. It also gives teams an early signal of the issues the Commission is likely to keep pressing on.
GDPR / Data Protection Enforcement
ICO keeps AI and data guidance under review
The ICO’s AI and data protection guidance remains live and is being reviewed following the UK Data (Use and Access) Act coming into force on June 19, 2025. The regulator is signaling that UK GDPR controls for AI should be reassessed now, not treated as settled guidance.
Why it matters: UK teams should revisit DPIAs, lawfulness, fairness, transparency, accuracy, and security assessments for AI systems. Because the guidance is used in ICO audit activity, any gap in rights handling or mitigation documentation could become a direct enforcement issue.
NIS2 / Cybersecurity
None this week
No material NIS2-specific update was provided in the weekly source set.
Why it matters: Cyber and resilience teams should still keep NIS2 workstreams moving, but there was no new source-backed development to brief this week.
DORA (Digital Operational Resilience)
No new DORA update reported
The provided weekly updates did not include a DORA-specific development.
Why it matters: Financial services teams should continue current operational resilience work, but no new compliance trigger is available from this week’s articles.
ISO Standards
Singapore releases agentic AI governance model
Singapore’s IMDA released a Model AI Governance Framework for Agentic AI, adding practical controls for bounded autonomy, human checkpoints, technical safeguards, and transparency. The framework is positioned as a governance baseline for organizations expanding agentic AI use cases.
Why it matters: Enterprises deploying agentic systems now have a concrete control set to use in procurement, governance, and deployment reviews. The framework helps distinguish agentic AI from earlier generative-AI use cases, which matters for assigning oversight and safety controls.
FINMA elevates AI governance expectations
FINMA published guidance making governance, model risk, data quality, cyber risk, third-party dependence, and legal or reputational risk explicit supervisory priorities for Swiss financial institutions using AI. It is a technology-neutral, risk-based supervisory signal rather than a binding circular.
Why it matters: Swiss regulated firms should update their AI governance frameworks now, especially around vendor oversight and control ownership. FINMA’s posture means AI risk management needs to sit inside existing supervisory governance, not as a separate innovation program.
US Federal & State Regulation
SEC keeps AI misstatement enforcement active
The SEC continued AI-related enforcement in FY2025 and highlighted its Cyber and Emerging Technologies Unit as part of that posture. The message is that false or misleading AI claims, along with technology-related investor fraud, remain an active enforcement priority.
Why it matters: Public companies and AI vendors need tighter controls over investor-facing and customer-facing claims about product capabilities and roadmaps. Disclosure, document retention, and marketing review processes should be able to prove what was said and what support existed at the time.
FTC opens inquiry into companion chatbots
The FTC launched a 6(b) inquiry into AI companion chatbots and required seven companies to produce information on testing, monitoring, child safety, disclosures, and personal-data handling. This is not a final enforcement action, but it clearly sets the agency’s current fact-finding agenda.
Why it matters: AI providers with companion-style products should assume scrutiny of safety testing, content moderation, and how personal data is collected and shared. The inquiry also raises the bar for document preservation because compulsory information requests can quickly turn into enforcement follow-up.
FDA seeks input on AI trial optimization
FDA issued a request for information to shape a pilot program for AI-enabled early-phase clinical trials. The program is aimed at AI use in clinical decision-making and trial optimization, and it invites comment before future expectations are set.
Why it matters: Life sciences teams should assess whether their trial AI could fall within the pilot concept and whether validation, safety monitoring, and go/no-go workflows are defensible. The RFI is also a chance to influence how FDA frames trustworthy AI in clinical research.
Colorado AI bill advances in House
Colorado SB189 passed House Third Reading, moving automated decision-making technology legislation closer to adoption. The bill could increase documentation, oversight, and transparency expectations for impacted systems.
Why it matters: Organizations with high-impact automated decision systems in Colorado should inventory affected tools now and be ready to map training data, human oversight, and appeal processes. House passage materially increases the odds that compliance planning will soon become operational work.
California employment AI hearing set
California SB947 was set for hearing on May 14, 2026, keeping employment-related automated decision systems under active legislative review. The proposal targets AI used in screening, ranking, scheduling, and performance management.
Why it matters: HR, legal, and compliance teams should review bias testing, explainability, and human-review procedures for employment tools used in California. If the bill advances, vendor due diligence and internal controls for hiring AI may need to change quickly.
Other jurisdictions / frameworks
California AI inventory bill moves to committee
California SB719 was referred to the Internet and Technology committee, advancing a proposal that could require inventories of high-risk automated decision systems. The bill points toward possible new recordkeeping obligations for AI used or procured in the state.
Why it matters: Teams should start thinking about an internal inventory format that could support future reporting or oversight. Even at this early stage, firms with high-risk automation in California will benefit from aligning classifications with current model governance processes.
California transparency and governance bill begins
California SB1159 was read first time and held at desk, signaling an active proposal on AI transparency and governance. If it advances, it could create new documentation and disclosure expectations for AI systems.
Why it matters: Legal and compliance teams should track how the bill defines transparency and governance so they can map current notices and internal documentation. This is especially relevant for companies with multiple AI product lines that may be pulled into different disclosure regimes.
California utility AI bill heads to hearing
California SB1011 was set for hearing on May 14, 2026, putting AI safety and oversight for utility infrastructure uses under active legislative review. The bill focuses on operational controls and workforce protections in energy-related AI use cases.
Why it matters: Utilities and vendors supporting critical-energy workflows should review safety, resilience, and incident-response controls now. Vendor contracts may also need audit rights and fail-safe provisions if the bill continues to move.
New York training-data transparency bill advances
New York A06578 was referred to the Internet and Technology committee, advancing a bill that could require public disclosure of AI training datasets and related summaries. The measure is still early-stage and has no compliance deadline yet.
Why it matters: Developers and service providers should check whether they can identify training datasets, provenance, and licensing terms cleanly enough for possible disclosure. Website and notice language may need to be drafted well before any final obligation appears.
On Our Radar
GPAI implementation: The EU AI Act’s GPAI layer is becoming operational through the Code of Practice and related guidance. Teams building or deploying foundation models should watch for how voluntary alignment becomes the de facto compliance baseline.
US AI enforcement: The SEC and FTC both showed that AI claims and chatbot practices are live enforcement topics. Expect more attention on substantiation, disclosures, safety testing, and retention of supporting records.
State AI bills: California, Colorado, and New York all have active AI legislation moving through committee or floor stages. Even without final passage, these bills justify building inventories, documentation packs, and review workflows now.
Clinical AI scrutiny: FDA’s RFI suggests more formal expectations may emerge for AI in early-phase trials. Life sciences teams should monitor whether pilot feedback turns into broader guidance on validation and decision support.