This week’s biggest compliance signal is that AI governance is moving from guidance into enforcement and assurance. In the US, the FTC and SEC are clearly targeting deceptive or unsupported AI claims, while UK regulators, including the ICO and FCA, are sharpening scrutiny of AI privacy, cyber resilience, and third-party dependencies. In parallel, NIST is expanding the AI RMF with updated GenAI and critical-infrastructure references, and ISO/IEC 42001 continues to harden as the main certification baseline for AI management systems. Switzerland also stood out, with FINMA and the FDPIC both reinforcing direct AI governance and transparency expectations for supervised firms and data controllers.
US Federal & State Regulation
FTC intensifies action against deceptive AI claims
The FTC’s Operation AI Comply shows the agency is actively pursuing deceptive or unfair AI claims across products, ads, and user interfaces. It also approved compulsory-process authority for AI-related products and services, which should speed up investigative requests and enforcement follow-up.
Why it matters: Compliance teams need stronger substantiation before any AI capability claim goes public, especially in marketing and investor materials. Recordkeeping and rapid response readiness now matter because the FTC is signaling both higher scrutiny and faster information gathering.
FTC targets unsupported facial recognition claims
The FTC alleged IntelliVision made unsupported claims that its facial recognition software was bias-free, highly accurate, and spoof-resistant. The proposed order would bar future claims unless backed by competent and reliable testing.
Why it matters: Teams selling biometric or AI-enabled products should assume that “bias-free” and “high accuracy” statements need defensible test evidence, not just vendor assurances. This is a concrete warning to retain testing methodology and align product claims with validated performance data.
SEC keeps treating AI hype as disclosure risk
SEC enforcement releases from 2024 through 2026 indicate the Commission is still treating false or misleading AI statements as a disclosure and fraud issue for public companies and advisers. The posture is ongoing and enforcement-driven rather than tied to a new rulemaking date.
Why it matters: Public companies should review investor-facing AI statements for accuracy and material omissions before they create disclosure or antifraud exposure. Legal, IR, and product teams need to coordinate so public claims about AI use in trading, analytics, or operations are supportable.
FTC probes AI deals and market concentration
The FTC’s 6(b)-style inquiry into major AI investments and partnerships signals antitrust and market-structure scrutiny for AI deals. The inquiry is focused on strategic rationale, access to AI inputs, and competitive effects in the ecosystem.
Why it matters: Deal teams should inventory exclusivity terms, access restrictions, and partner dependencies that could attract competition questions. Documentation explaining why a partnership exists and how critical inputs are secured may become important evidence if regulators ask.
California bill would add state AI health controls
California AB2575 was introduced to regulate AI in health care services, adding another layer to the state’s growing AI governance patchwork. The bill is only at introduction stage, so it does not yet create operative compliance obligations.
Why it matters: Health-sector operators should watch for state-specific governance or disclosure requirements that may sit on top of existing HIPAA, CCPA/CPRA, and internal AI controls. If passed, it could force documentation and oversight changes for health AI use cases.
GDPR / Data Protection Enforcement
ICO opens investigation into Grok
The ICO has opened an investigation into Grok, which turns AI oversight in the UK from a policy discussion into an active enforcement matter. The source does not give a final outcome, but it clearly signals live regulatory scrutiny of AI processing under UK data protection law.
Why it matters: Organizations running AI systems in the UK should be ready for DPIA, lawful-basis, and vendor-contract scrutiny, especially where systems interact with the public. Incident response and regulator-response playbooks should be tested now for AI-specific complaints or investigations.
ICO keeps AI guidance as UK baseline
The ICO says its AI and data protection guidance remains the key UK reference for AI systems, and the page is under review because of the Data (Use and Access) Act. The current guidance still applies, but it is a living reference that may change after the Act takes effect.
Why it matters: UK deployments should continue applying GDPR principles such as fairness, transparency, and data minimisation to AI design and retraining decisions. Teams should also watch for guidance updates that could alter notices, rights handling, or lawful-basis expectations.
NIS2 / Cybersecurity
UK regulators raise bar on frontier AI resilience
The FCA, Bank of England, and HM Treasury said firms must identify, monitor, and manage external AI-related applications, libraries, and services integrated into their networks. The statement links frontier AI use directly to cyber resilience and third-party control expectations.
Why it matters: Security and resilience teams need a full inventory of external AI-enabled dependencies, including libraries and embedded services, not just sanctioned tools. Incident response and operational resilience plans should explicitly cover AI-related outages, compromise, and supplier failure.
ISO Standards
ISO/IEC 42001 becomes the AI governance baseline
ISO/IEC 42001:2023 is now the published AI management system standard and can be used immediately to formalize AI governance, controls, and certification-ready documentation. It provides a voluntary management-system framework for AI lifecycle oversight.
Why it matters: Organizations looking for an auditable AI governance structure can now map policies, responsibilities, and controls into a recognized framework. This is especially useful for certification preparation and for showing board-level discipline around AI risk.
ISO advances implementation guidance for 42001
ISO approved ISO/IEC AWI 42003 as a work item for implementation guidance, indicating that more detailed advice for applying ISO/IEC 42001 is on the way. It is still under development and not yet binding guidance.
Why it matters: AIMS owners should expect forthcoming clarification on competency and implementation practices that may affect documentation and training. This is a monitoring item now, but it may shape auditor expectations once published.
BSI raises quality bar for AI certification bodies
BSI says BS ISO/IEC 42006:2025 now sets requirements for bodies that audit and certify AI management systems. The change is aimed at improving the quality and competence of AI certification providers.
Why it matters: Companies seeking ISO/IEC 42001 certification should vet certification bodies more carefully and confirm AI-specific capability before engagement. Procurement and assurance language may need updating so audit providers meet the new standard.
ISO note clarifies Statement of Applicability scope
An ISO committee note explains how scope and control coverage are handled in a Statement of Applicability, which can affect how AI-related controls are documented inside ISO/IEC 27001 certification. The note is non-binding but useful for audit preparation.
Why it matters: Teams adding AI controls to an existing ISMS should make sure the Statement of Applicability accurately reflects control coverage and scope changes. This can help avoid confusion with auditors about whether a full recertification is needed.
Other jurisdictions / frameworks
FINMA formalizes AI risk governance expectations
FINMA’s guidance says supervised institutions must adapt governance and controls to the materiality and probability of AI risks. It explicitly covers operational, model, data, IT/cyber, third-party, legal, and reputational risks.
Why it matters: Swiss financial firms need to classify AI risks and show that controls are embedded in governance, model oversight, and third-party management. The expectation is supervisory now, so firms should document how AI is monitored in line with size, complexity, and risk profile.
Swiss privacy authority sets AI transparency bar
The FDPIC says Switzerland’s FADP applies directly to AI-supported processing. It expects manufacturers, providers, and users to be transparent about purpose, functionality, and data sources.
Why it matters: Any AI processing touching Swiss residents may need notice, transparency, and data-source controls aligned with FADP expectations. Privacy teams should check whether their AI deployments trigger Swiss obligations and whether current notices are specific enough.
NIST updates GenAI profile for AI RMF
NIST’s generative AI profile was updated on April 8, 2026, making it the current companion reference for organizations governing GenAI risk under the AI RMF. It is meant to refine how organizations identify, measure, and manage generative AI risk.
Why it matters: Teams using the NIST AI RMF should update prompt, output, and misuse controls against the latest GenAI profile. It is also a useful evidence source for showing that GenAI governance is aligned with current NIST guidance.
NIST signals next AI RMF expansion for critical infrastructure
NIST’s AI RMF hub now highlights an April 7, 2026 concept note for a trustworthy AI profile in critical infrastructure. The note is a draft signal, not a final profile, but it indicates the next area of framework expansion.
Why it matters: High-consequence operators should map current AI use against Govern, Map, Measure, and Manage functions now so they are ready if sector-specific expectations land. Risk registers, testing, and incident response plans may all need updates once a formal profile appears.
NIST adds misuse-risk draft for foundation models
NIST’s second public draft on dual-use foundation-model misuse risk closed for comments on March 15, 2025. Although it is not the AI RMF itself, it remains an important adjacent reference for foundation-model governance.
Why it matters: Foundation-model teams should compare existing misuse controls with the draft guidance and keep internal assessments that were prepared for the comment process. It is also a sign that NIST is still shaping expectations in this area.
On Our Radar
AI claims under scrutiny: FTC and SEC actions show regulators are focusing on whether AI marketing, investor statements, and performance claims are actually supportable. Expect substantiation files, testing evidence, and disclosure controls to become standard review items.
UK AI enforcement tightens: The ICO investigation into Grok and the FCA/BoE/Treasury resilience statement suggest UK regulators are moving from principles to enforcement and operational expectations. AI systems with public-facing or network-integrated functions should be on the near-term watchlist.
ISO 42001 adoption accelerates: With ISO/IEC 42001 published and ISO/IEC 42006 strengthening certification-body quality, AI management system programs are becoming more operational. Expect more companies to treat AIMS as the practical baseline for governance evidence.
NIST expands sector profiles: NIST’s GenAI update and critical-infrastructure concept note indicate the AI RMF is evolving through companion profiles. Organizations using NIST as their governance anchor should monitor for sector-specific clarifications that could reshape control testing.