AI Compliance Weekly — 2026-06-28

The European Commission released the general-purpose AI Code of Practice along with companion implementation guidance. The materials give GPAI providers a concrete path to demonstrate AI Act conformity while supervisory practice continues to mature.

Why it matters: GPAI providers now have a current benchmark for governance, documentation, transparency, copyright, and systemic-risk controls. Compliance teams should compare internal controls against the Code now instead of waiting for enforcement to define the standard.

The Commission opened consultations on AI regulatory sandboxes, rights-reservation protocols for text and data mining, and the scientific panel. These consultations indicate that important implementation pieces are still being built and stakeholders can still shape them.

Why it matters: If your AI roadmap depends on sandbox participation or training-data reuse, the consultation stage is the time to raise compliance concerns and influence design choices. Teams should review rights-management notices and training-data pipeline handling now.

The SEC’s AI-washing cases and related commentary confirm that exaggerated or false claims about AI use in securities business lines are a live anti-fraud issue. The agency is treating misleading AI statements in disclosures, marketing, and client communications as current securities risk.

Why it matters: Investment advisers and issuers need to inventory every AI-related statement and verify it matches actual system behavior and controls. Legal review should be mandatory before any filing or external communication that references AI or automation.

The FTC’s Operation AI Comply and related case activity show it is actively pursuing unsupported or deceptive AI marketing claims. The enforcement posture makes AI performance, automation, and targeting statements a direct Section 5 risk.

Why it matters: Marketing, sales, and investor-facing materials should be tested for overbroad claims and backed by validation records. Companies offering AI-enabled targeting or profiling should also document decision-making and consent practices.

The Commission’s GPAI guidance and the AI Act consultations both point to operational expectations that map closely to structured management-system controls. For firms using ISO/IEC 42001 or similar governance frameworks, the new materials provide a practical reference point for documentation and control design.

Why it matters: Compliance teams can use the Commission’s published materials to test whether their AI governance, transparency, and risk processes are actually implementation-ready. This is especially useful for teams trying to align internal controls with recognized management-system practices.

GPAI supervisory practice: The Commission has given providers an operational starting point, but supervisory expectations will keep evolving. Expect firms to monitor how the AI Office applies the Code in practice.

AI-washing enforcement risk: SEC and FTC activity suggests deceptive AI claims will remain a live enforcement priority in the US. Firms should expect scrutiny of marketing language, investor disclosures, and client-facing descriptions of AI capabilities.

AI Act implementation details: Consultations on sandboxes, TDM rights-reservation, and the scientific panel show key EU AI Act mechanics are still being shaped. Companies with EU-facing AI products should watch for final design choices that affect compliance workflows.