This week the EU moved from AI Act policy into implementation detail: the European Commission opened consultations on the scientific panel, regulatory sandboxes, and Article 50 transparency guidelines, while also finalizing the General-Purpose AI Code of Practice. In the US, the FTC escalated enforcement against deceptive AI claims through Operation AI Comply and new actions involving accessibility, legal-service, and detection-accuracy marketing. California continued pushing state-level AI bills on employment, healthcare, and transparency, while NIST and ISO both advanced the governance references teams are expected to map against. For compliance teams, the message is clear: tighten AI documentation, substantiation, and disclosure controls now, because both regulators and standards bodies are converging on evidence-based governance.
EU AI Act
Commission opens AI Act transparency consultation
The European Commission launched a consultation on draft transparency guidelines for AI-generated and manipulated content under the AI Act. The draft points to how Article 50 transparency duties may be applied in practice, especially around labeling and disclosure.
Why it matters: Providers should not wait for final guidance to build output labeling and provenance controls. If your systems generate or manipulate content, this consultation signals where disclosure obligations are headed and what evidence you should be able to show.
General-purpose AI code of practice is finalized
The European Commission finalized the General-Purpose AI Code of Practice, positioning it as a practical route for providers to demonstrate AI Act compliance. The code is complemented by Commission guidance and is intended to reduce uncertainty for GPAI teams.
Why it matters: GPAI providers now have a concrete benchmark to map controls against for safety, transparency, and copyright. Compliance teams should use it to identify documentation gaps and build an evidence package before supervisory scrutiny increases.
AI Office prepares implementation guidance
The European AI Office said it is preparing AI Act guidelines, codes of practice, and implementation materials. The update confirms that the Commission is still building the operational layer around the AI Act's supervision model.
Why it matters: Teams should expect compliance expectations to tighten as practical guidance lands. If you support GPAI or transparency-covered systems, align internal policies and labeling workflows now so you are not forced into a rushed remediation later.
Commission consults on AI scientific panel
The Commission is consulting on the AI Act scientific panel, which would provide expert support for technical and risk-related questions. This shows the oversight architecture is still being finalized.
Why it matters: Organizations should keep technical documentation ready because expert review may shape how disputes and risk assessments are handled. If your model or deployment could attract technical scrutiny, expect a more evidence-driven oversight process.
EU considers AI regulatory sandboxes
The Commission also opened feedback on draft implementing rules for AI regulatory sandboxes under the AI Act. The consultation suggests the supervised testing pathway is still being defined rather than fully operationalized.
Why it matters: Companies planning pilots or controlled deployments in the EU should track eligibility and governance expectations now. Sandbox participation may require clearer proof of controls, oversight, and experimentation safeguards than many teams currently maintain.
US Federal & State Regulation
FTC launches Operation AI Comply
The FTC announced Operation AI Comply, a crackdown on deceptive AI schemes and claims. The enforcement focus covers AI marketing, product representations, and consumer-facing automation that misleads users or buyers.
Why it matters: This raises the bar for substantiating any AI-related claim in sales, marketing, and product materials. Compliance and legal teams should treat AI positioning as an FTC enforcement issue, not just a branding review.
FTC settles accessiBe AI accessibility case
The FTC ordered accessiBe to stop making unsupported claims that its AI product could make websites WCAG-compliant and imposed $1 million in relief. The action is a direct warning that claims about compliance outcomes need hard support.
Why it matters: Any assertion that an AI tool makes a system compliant with accessibility or other standards now looks high-risk unless backed by testing and clear limitations. Teams should review vendor and partner claims carefully because liability can flow through downstream marketing language.
FTC finalizes DoNotPay order
The FTC finalized its DoNotPay order over deceptive AI-lawyer claims, adding monetary relief and prohibitions on misleading representations. The case underscores that AI cannot be marketed as a substitute for licensed professional services without strong support.
Why it matters: Legal-tech and adjacent vendors need tighter review of claims that their tools replace or replicate professional judgment. Compliance teams should examine onboarding, pricing, and promotional language for statements that imply legal advice or professional equivalence.
FTC targets AI accuracy claims in Workado case
The FTC proposed an order against Workado over claims that its AI content detector was 98% accurate. The action focuses on whether the vendor could substantiate performance claims with reliable evidence.
Why it matters: AI vendors should assume accuracy, benchmarking, and performance claims will be tested closely by regulators. If you sell or buy detection tools, retain validation data and make sure marketing language matches what the product can actually prove.
California SB947 advances on workplace AI
California SB947 advanced out of committee and was re-referred, with the bill focused on automated decision systems in employment. The proposal could impose new disclosure or governance duties on hiring and workforce AI use cases if it continues to move.
Why it matters: Employers using AI for recruiting, screening, or workforce decisions should inventory those systems now and review vendor contracts. If the bill progresses, teams may need to support notices, audits, or other compliance obligations with little lead time.
NIST AI RMF
NIST drafts misuse-risk guidance for foundation models
NIST released draft guidance aimed at misuse risk in dual-use foundation models. The material is not a final rule, but it adds to the emerging governance references around model abuse and safety testing.
Why it matters: Teams running foundation models should expand risk registers to include misuse scenarios, red-teaming, and abuse monitoring. The draft also points toward how NIST expects organizations to evidence control design for dual-use systems.
NIST keeps GenAI profile as key companion
NIST reaffirmed its July 2024 Generative AI Profile as a companion to AI RMF 1.0. The profile remains a practical reference for mapping GenAI-specific risks, controls, and governance themes.
Why it matters: Organizations using GenAI should keep this profile in their control library when building or refreshing AI risk assessments. It is one of the clearest NIST references for tying model-specific risks to governance and monitoring evidence.
NIST confirms AI RMF source of truth
NIST’s AI RMF development hub remains the official source for AI RMF 1.0 materials and companion resources. The page is informational, but it helps anchor framework version control.
Why it matters: Compliance teams should use the hub to avoid working from outdated crosswalks or stale companion documents. That matters when internal policies, audits, and certifications rely on a current framework baseline.
NIST signals agentic AI evaluation focus
NIST’s ITL AI Program page points to ongoing work around agentic AI evaluation probes and related concept materials. The direction of travel is toward testing and evaluation infrastructure for more autonomous systems.
Why it matters: If your AI stack includes tool use, prompt chaining, or agent-like behavior, current testing harnesses may be incomplete. Teams should start checking whether their assurance process covers misuse, escalation, and failure modes for agentic workflows.
NIST sketches critical infrastructure AI profile
NIST released a concept note for an AI RMF Profile on Trustworthy AI in Critical Infrastructure. It is an early-stage framework development that points to how NIST may handle high-consequence AI use cases.
Why it matters: Critical infrastructure operators should start aligning risk assessments and evaluation plans with the emerging profile themes. This is especially relevant where AI affects safety, availability, or other high-consequence outcomes.
ISO Standards
ISO expands AI governance toolkit
ISO’s publication page shows ISO/IEC 42001 as part of a broader AI governance toolkit alongside ISO/IEC 42005:2025. The update suggests the surrounding standards ecosystem is maturing around impact documentation and governance linkage.
Why it matters: Organizations already aligned to ISO/IEC 42001 should check whether adjacent AI impact documentation needs to be expanded. It is also a reminder to reuse ISMS evidence carefully, because AI-specific gaps may still remain.
ISO/IEC 42001:2023 remains the baseline
ISO confirmed that ISO/IEC 42001:2023 remains the reference standard for establishing and continually improving an AI management system. The source also points to adjacent linkage with ISO/IEC 42005:2025.
Why it matters: Teams pursuing certification or internal control mapping should keep their AI management system anchored to the 2023 version. That helps avoid version drift in audits, evidence collection, and governance documentation.
Other jurisdictions / frameworks
New York FAIR news act targets AI news labeling
New York FAIR news act proposals would require transparency for news content created with generative AI. The bills are still introduced legislation, but they signal potential state-level labeling duties for publishers and content platforms.
Why it matters: Newsrooms and content platforms should review how AI-assisted content is produced, labeled, and distributed. If the bills advance, vendors that generate or edit news content could face new disclosure requirements.
California AI healthcare bill moves forward
California AB2575 advanced through the legislature on AI in healthcare services. The proposal could create new governance, disclosure, or oversight requirements for clinical AI use cases if enacted.
Why it matters: Healthcare organizations should identify where AI touches care delivery and vendor workflows now. That will make it easier to adjust policies, diligence, and governance if the bill becomes law.
On Our Radar
AI Act guidance wave: The Commission is still issuing consultations and implementation materials around the AI Act, so more practical obligations may crystallize quickly for GPAI, transparency, and sandbox use cases.
FTC claim substantiation: FTC enforcement is now squarely focused on deceptive AI marketing, which means vendors should expect scrutiny over accuracy, compliance, and performance claims.
State AI bills: California and New York are actively pushing AI transparency, employment, and healthcare proposals, making state-level monitoring essential for US compliance teams.
NIST governance references: NIST is building out successor and companion materials around misuse risk, agentic AI, and critical infrastructure, which may shape future control expectations even before any formal rulemaking.