This week’s biggest move came from the EU AI Act, where the European Commission opened consultation on transparency obligations and finalized the General-Purpose AI Code of Practice, giving providers a clearer path on user notices, synthetic content labeling, copyright, and safety/security controls. In the US, the FTC stayed aggressive on AI deception, using both an enforcement settlement over “active listening” claims and a new AI enforcement hub to reinforce that performance, bias, and security claims must be substantiated. Switzerland’s FDPIC also raised the bar by stating the FADP applies directly to AI-supported processing, while FDA draft guidance continues to shape AI-enabled medical device lifecycle controls. At the state level, Colorado has enacted SB 189 on automated decision-making, and California’s employment and healthcare AI bills remain live risks for 2026 planning.
EU AI Act
Commission opens AI Act transparency consultation
The European Commission launched a consultation on transparency obligations under the AI Act. The draft points toward clearer rules on informing users and marking synthetic content, which should help define how providers will implement the law in practice.
Why it matters: Teams should expect more specific expectations around notices, disclosures, and provenance controls. Product, legal, and compliance teams should use this window to align UX, labeling, and content workflows before enforcement expectations harden.
EU finalizes voluntary GPAI Code of Practice
The European Commission made the General-Purpose AI Code of Practice available as a voluntary compliance tool. It is intended to support AI Act obligations on transparency, copyright, and safety/security for GPAI providers.
Why it matters: GPAI providers now have a concrete benchmark for documenting controls and evidencing readiness. Even though voluntary, it is likely to shape supervisory expectations and procurement questions from customers.
US Federal & State Regulation
FTC settles deceptive AI targeting claims
On 2026-05-21, the FTC required Cox Media Group and two other firms to pay $930,000 to resolve allegations that they falsely claimed an AI-powered “active listening” service could target ads using smart-device conversations and consumer opt-in. The case turns on deception under FTC Act Section 5, not on a novel AI-specific statute.
Why it matters: Any AI marketing, sales, or product claim that references data sources, consent, or performance now needs hard substantiation. Compliance teams should review customer-facing statements for unsupported promises about collection, targeting, or device listening.
FTC AI hub spotlights active enforcement themes
The FTC’s AI hub now consolidates enforcement materials and investigations. The agency is signaling that deceptive AI claims, model substantiation, and AI-related process inquiries remain active priorities.
Why it matters: This is a strong cue to tighten claim review, preserve evidence, and prepare for compulsory-process requests. Teams that market AI features should assume the FTC will ask how claims were tested and documented.
Colorado enacts automated decision-making law
Colorado SB 189 was signed by the Governor on 2026-05-14, indicating the state has enacted a new automated decision-making framework. The source does not provide the operative date or full text, but it is now a live state law item for compliance mapping.
Why it matters: Organizations operating in Colorado should inventory covered automated decision-making systems and compare existing governance, testing, and notice processes against the new framework. Consumer and employee appeal or review workflows may need redesign once operative details are confirmed.
California employment AI bill stays in motion
California SB 947 remained active on 2026-05-20 and continues to move through the legislature. The bill would address automated decision systems in hiring and employment, making it a key watch item for employers and HR vendors.
Why it matters: Hiring teams should map where automated ranking, screening, or decision tools are used and whether bias testing, notice, and human-review controls are in place. Vendor due diligence should also start now so model inputs, outputs, and audit evidence are ready if the bill advances.
California healthcare AI bill advances slowly
California AB 2575 was last acted on 2026-05-18 and remains an introduced bill. It is not operative law, but it continues to move and could create state-level obligations for healthcare AI use cases.
Why it matters: Healthcare teams should inventory AI used in clinical workflows, patient communications, and care decisions so they can respond quickly if the bill progresses. Draft disclosure and policy updates will reduce scramble risk if California tightens requirements.
ISO Standards
ISO keeps 42001 as core AI management standard
ISO confirms that ISO/IEC 42001:2023 remains the main certifiable AI management system standard. That gives organizations a stable international baseline for formal AI governance assurance.
Why it matters: Compliance teams can anchor governance, risk ownership, and lifecycle controls to a recognized certifiable framework rather than a patchwork of internal policies. The standard also provides evidence that can support customer assurance requests and audit readiness.
BSI publishes guidance on transparent AI decisions
BSI announced ISO/IEC TS 6254 guidance on transparent AI decision-making. The guidance is a practical companion resource for organizations building AI governance, explainability, and decision-traceability controls.
Why it matters: This is useful for closing implementation gaps where policy exists but transparency evidence does not. Teams can use it to sharpen design requirements for explainability, traceability, and assurance narratives.
GDPR / Data Protection Enforcement
UK tribunal rejects vexatious FOIA shortcut
On 2026-05-22, the UK First-tier Tribunal allowed the appeal in AI v The Information Commissioner and ordered Leeds Teaching Hospitals NHS Trust to issue a fresh FOIA response by 4:00 p.m. on 2026-06-19. The tribunal rejected the use of section 14(1) vexatious-request treatment on the facts presented.
Why it matters: Public-sector and regulated organizations should be cautious about overusing vexatious-request refusals, especially for narrow, targeted requests. FOIA response templates, exemption analysis, and section 17 notices need to be fact-specific and timely.
Other jurisdictions / frameworks
Swiss privacy authority clarifies AI duties
The FDPIC issued guidance stating that the Swiss FADP applies directly to AI-supported processing. It emphasizes transparency about purpose, functionality, and data sources, and it also addresses objection rights and human review of automated decisions.
Why it matters: AI systems in Switzerland should now be treated as part of the core data protection program, not as a separate innovation track. Teams need to fold AI into technical and organizational measures, risk analysis, and disclosure practices.
FDA guidance still sets AI medical device baseline
The FDA’s January 2025 draft guidance remains the key benchmark for AI-enabled medical devices. It continues to frame lifecycle expectations around design, validation, bias, transparency, and post-market change management.
Why it matters: Medical device teams should keep their AI/ML documentation, traceability, and change-control evidence current for submissions and post-market review. The draft guidance is non-binding, but it is highly influential for 510(k), De Novo, and lifecycle planning.
On Our Radar
AI transparency controls: The EU AI Act consultation and the GPAI Code of Practice suggest transparency, provenance, and user notice requirements are moving from concept to operational detail. Expect product teams to be asked for synthetic-content labeling and disclosure evidence.
AI marketing substantiation: FTC activity shows that AI performance and consent claims are now a live enforcement issue. Any customer-facing statement about capabilities, data sources, or targeting should be backed by records before publication.
State automated decision laws: Colorado has enacted a new automated decision-making framework, while California employment and healthcare bills remain live. Multi-state operators should prepare a mapping exercise now so they can reuse governance controls across jurisdictions.