AI Regulation Tracker
The 100 most recent verified regulatory updates, grouped by framework. Browse all activity for a framework on its hub page.
EU AI Act
EU consults on scientific panel for AI Act oversight
The Commission is consulting on the AI Act scientific panel, indicating that expert oversight infrastructure is still being finalized and could influence how technical disputes and risk questions are handled.
EU seeks feedback on AI regulatory sandboxes under the AI Act
The Commission’s sandbox consultation shows that AI Act supervisory pathways are still being shaped, so organizations interested in testing or pilot programs should monitor the implementing act closely.
EU opens consultation on transparency guidelines for AI-generated content
The Commission is consulting on transparency guidelines for AI-generated and manipulated content, so providers should prepare labeling and disclosure controls for Article 50 now rather than waiting for final guidance.
EU finalizes general-purpose AI Code of Practice
The Commission’s finalized General-Purpose AI Code of Practice gives providers a practical route to demonstrate AI Act compliance, so GPAI teams should map their controls to the code now.
European AI Office prepares AI Act implementation guidelines and codes of practice
The European AI Office is actively preparing AI Act guidance, codes of practice, and implementation materials, so providers should expect practical compliance instructions to tighten before and after rollout.
EU consults on future cloud and AI policies tied to AI Act implementation
The Commission’s cloud-and-AI policy consultation explicitly seeks input on AI Act implementation, so organisations should treat it as an active policy-development channel that may shape future operational obligations.
EU AI Office advances GPAI code of practice and AI-generated content transparency work
The EU AI Office is actively operationalizing the AI Act through codes of practice and related guidance for general-purpose AI and AI-generated content, meaning providers should align now to avoid being behind the forthcoming compliance baseline.
EU consultation on transparency obligations under the AI Act
The Commission has launched a consultation on AI Act transparency rules, signaling that providers should prepare for clearer obligations on informing users and marking synthetic content.
EU AI Office finalizes General-Purpose AI Code of Practice
The Commission’s 2025 AI Act update makes the General-Purpose AI Code of Practice available as a voluntary compliance tool, meaning GPAI providers now have a concrete benchmark for transparency, copyright, and safety/security obligations.
EU AI Office implementation guidance and content-labeling work advances
The EU AI Office says it is preparing implementation guidelines and a code of practice for AI-generated content labeling, so providers should expect near-term interpretive detail on transparency obligations.
EU AI Act sandbox implementing act consultation closes
The Commission’s consultation on the AI Act implementing act for regulatory sandboxes closed on 2026-01-13, so organizations seeking sandbox access should now watch for the final rules and application conditions.
EU AI Office final GPAI Code of Practice available
The European Commission announced the final General-Purpose AI Code of Practice, giving GPAI providers a practical route to demonstrate AI Act compliance before the AI Office begins enforcing the relevant obligations.
AI Act: Have Your Say on Trustworthy General-Purpose AI
The EU AI Office’s GPAI consultation closed on September 18, 2024, and its outcomes feed the Code of Practice and training-data-summary guidance, making the consultation record relevant to present-day AI Act readiness.
General-Purpose AI Code of Practice Now Available
The European Commission made the General-Purpose AI Code of Practice available for voluntary signatories, creating an immediate compliance benchmark for GPAI providers seeking to demonstrate readiness for upcoming AI Act obligations.
DORA
ISO 27001
ISO/IEC 42001
ISO AI governance toolkit expands around ISO/IEC 42001 and ISO/IEC 42005
ISO’s package page shows 42001 as part of a broader AI governance toolkit alongside ISO/IEC 42005:2025, so organizations should track adjacent standards that may shape documentation and impact assessment expectations.
ISO/IEC 42001:2023 remains the reference AI management system standard
ISO confirms that ISO/IEC 42001:2023 remains the baseline standard for establishing and continually improving an AI management system, so teams should keep certification and control mappings anchored to this version.
UKAS grants first accreditation for ISO/IEC 42001 certification
UKAS accredited BSI for ISO/IEC 42001 certification, creating a live accredited certification market that materially changes how organizations can seek independent assurance for AI management systems.
ISO/IEC 42005:2025 published for AI system impact assessments
ISO published ISO/IEC 42005:2025 in May 2025, adding a formal AI system impact-assessment standard that organizations can now use to evidence structured AI governance alongside ISO/IEC 42001.
BS ISO/IEC 42006:2025 requirements for AI management system certification bodies
BSI says BS ISO/IEC 42006:2025 now sets requirements for bodies that audit and certify AI management systems, which raises the bar for ISO/IEC 42001 certification quality.
ISO/IEC AWI 42003 guidance on implementing ISO/IEC 42001
ISO has approved ISO/IEC AWI 42003 as a work item for implementation guidance, signaling that practitioners should expect new detailed advice for applying ISO/IEC 42001.
ISO/IEC 42001:2023 AI management systems
ISO/IEC 42001:2023 is the published AI management system standard, and organizations can use it now to formalize AI governance, controls, and certification-ready documentation.
BSI publishes global guidance on transparent AI decision-making
BSI announced ISO/IEC TS 6254 guidance on transparent AI decision-making, adding a practical companion resource for organizations implementing AI governance and explainability controls.
ISO/IEC 42001:2023 AI management systems standard
ISO confirms that ISO/IEC 42001:2023 remains the core certifiable AI management system standard, so organizations seeking formal AI governance assurance can now anchor their programs to a stable international standard.
NIST AI RMF
NIST draft misuse-risk guidance targets dual-use foundation models
NIST’s draft guidance on dual-use foundation models may affect model governance and testing workflows, so teams should treat it as an emerging reference for misuse-risk management even though it is not itself an AI RMF update.
NIST generative AI profile remains a key AI RMF companion resource
NIST’s July 26, 2024 Generative AI Profile remains a key companion to AI RMF 1.0, so organizations using GenAI should continue to map controls to the profile’s risk scenarios and governance themes.
NIST AI RMF development hub remains the authoritative framework source
NIST’s development page serves as the official baseline for AI RMF 1.0 and related resources, so teams should use it as the authoritative source for the framework’s scope and companion materials.
NIST ITL AI Program confirms concept note and agentic AI evaluation work
NIST’s ITL AI Program page reiterates the April 7, 2026 concept note and a related webinar on agentic AI evaluation probes, indicating the next wave of AI RMF work is focused on testing and evaluation infrastructure.
NIST releases concept note for AI RMF Profile on Trustworthy AI in Critical Infrastructure
On April 7, 2026, NIST released a concept note for an AI RMF Profile on Trustworthy AI in Critical Infrastructure, which means critical-infrastructure AI programs should start aligning risk assessments and evaluation workflows to the emerging profile now.
NIST updated guidelines for managing misuse risk for dual-use foundation models
NIST’s second public draft on dual-use foundation-model misuse risk closed for comments on March 15, 2025, making it an important adjacent reference for foundation-model governance even though it is not the AI RMF itself.
NIST AI RMF Generative AI Profile
NIST’s generative AI profile was updated on April 8, 2026, making it the current companion reference for organizations governing GenAI risk under the AI RMF.
NIST AI Risk Management Framework hub and critical infrastructure profile concept note
NIST’s AI RMF hub now highlights a new April 7, 2026 concept note for a trustworthy AI profile in critical infrastructure, indicating the framework’s next expansion area for high-consequence sectors.
FTC AI enforcement hub
The FTC’s AI hub consolidates current enforcement materials and investigations, signaling that deceptive AI claims, model substantiation, and AI-related process inquiries remain active priority areas.
Colorado SB 189 – Automated Decision-Making Technology
Colorado SB 189 was signed by the Governor on 2026-05-14, indicating the state has enacted a new automated decision-making framework that compliance teams need to map against existing AI controls.
FTC settles deceptive “active listening” AI marketing claims with Cox Media Group and two firms
On 2026-05-21, the FTC required Cox Media Group and two other firms to pay $930,000 to resolve allegations that they falsely claimed an AI-powered “active listening” service could target ads using consumers’ smart-device conversations and that consumers had opted in.
FINMA
FINMA guidance on governance and risk management when using artificial intelligence
FINMA’s 18 December 2024 guidance says supervised institutions must adapt governance and controls to the materiality and probability of AI risks, including operational, model, data, IT/cyber, third-party, legal, and reputational risks.
FDPIC AI and data protection guidance
The FDPIC states that Switzerland’s FADP applies directly to AI-supported processing and expects manufacturers, providers, and users to be transparent about purpose, functionality, and data sources.
FDPIC guidance on AI and data protection
The FDPIC’s AI guidance states that the Swiss FADP applies directly to AI-supported processing and requires transparency about purpose, functionality, and data sources, which elevates compliance expectations for AI deployments in Switzerland.
FINMA guidance on AI governance and risk management
FINMA’s AI guidance highlights operational, model, cyber, data-quality, third-party, legal, and reputational risks, so Swiss financial institutions should formalize AI governance and oversight now.
FINMA Guidance on Governance and Risk Management When Using Artificial Intelligence
FINMA published AI governance guidance on December 18, 2024, making governance, model risk, data quality, cyber risk, third-party dependence, and legal/reputational risk explicit supervisory priorities for Swiss financial institutions using AI.
CCPA/CPRA
Multiple AI-related U.S. court and state actions signal rising litigation risk
The source set includes multiple recent court decisions and state legislative actions around AI, biometric data, and automated decision tools, indicating that U.S. litigation and state-law exposure for AI systems is expanding even without a single federal AI statute.
California SB 947 – Employment: automated decision systems
California SB 947 remained in motion on 2026-05-20, so employers and HR vendors should track it closely for prospective rules governing automated decision systems in hiring and employment.
California AB 2575 – Health care services: artificial intelligence
California AB 2575 was last acted on 2026-05-18 and is still moving as an introduced bill, so healthcare AI teams should track it for emerging state-level obligations rather than treat it as operative law.
GDPR
ICO investigation into Grok
The ICO has opened an investigation into Grok, signaling active enforcement scrutiny of AI processing under UK data protection law rather than a purely policy-level review.
ICO guidance on AI and data protection
The ICO’s AI guidance remains the key UK data-protection reference for AI systems, and the page is under review because of the Data (Use and Access) Act coming into force on 19 June 2025.
AI v The Information Commissioner – FOIA vexatious request appeal allowed
On 2026-05-22 the UK First-tier Tribunal allowed the appeal and ordered the Leeds Teaching Hospitals NHS Trust to issue a fresh FOIA response by 4:00 p.m. on 2026-06-19, rejecting the vexatious-request characterization under section 14(1).
ICO AI and data protection guidance under review
The ICO says its AI and data protection guidance is under review in light of the Data (Use and Access) Act 2025, so organisations should expect refreshed UK GDPR expectations on AI governance and risk assessment.
U.S. court rulings tracked in May 2026 docket updates
The provided court-listener entries are docket updates rather than identified AI regulatory rulings, so they mainly serve as litigation monitoring signals rather than actionable compliance changes.
HIPAA
FDA draft guidance on artificial intelligence-enabled medical devices
The FDA’s January 2025 draft guidance on AI-enabled medical devices remains the key current benchmark for lifecycle, transparency, bias, and documentation expectations for AI device submissions and post-market controls.
FDA guidance on AI-enabled medical devices remains active
FDA continues to emphasize lifecycle-wide expectations for AI-enabled medical devices, including transparency and predetermined change control, so developers need submission-ready documentation for model changes and postmarket monitoring.
AI-Enabled Optimization of Early-Phase Clinical Trials Pilot Program; Request for Information
FDA issued a request for information on April 29, 2026 to shape a pilot program for AI-enabled early-phase clinical trials, creating an immediate comment-driven opportunity to influence future expectations for AI use in clinical decision-making.
Other updates
California SB1159 advances on AI transparency and governance
California SB1159 is moving forward on AI transparency and governance, so organizations should prepare for potential state-level governance, disclosure, or accountability requirements.
New York FAIR news act proposals would require generative AI transparency in news content
New York’s FAIR news act bills would require transparency for news content created with generative AI, so publishers and content platforms should track whether labeling and disclosure rules emerge.
California SB947 moves forward on automated decision systems in employment
California SB947 advanced out of committee on automated decision systems in employment, so employers using AI for hiring or workforce decisions should prepare for possible new disclosure and governance duties.
California AB2575 advances healthcare AI legislation
California AB2575 is moving through the legislature on AI in health care services, so covered organizations should track whether it introduces new governance, disclosure, or oversight duties for clinical AI use.
FTC Air.ai case shows enforcement against AI-enabled deceptive business opportunities
The FTC’s Air.ai matter shows that AI branding used in deceptive business-opportunity schemes can still trigger enforcement, so teams should not assume “AI” language lowers the fraud risk.
FTC launches Operation AI Comply crackdown on deceptive AI schemes
FTC’s Operation AI Comply signals active enforcement against deceptive or unfair AI schemes, so organizations should expect closer scrutiny of AI marketing, product claims, and consumer-facing automation.
FTC orders accessiBe to stop deceptive AI accessibility claims and pay $1 million
The FTC settlement with accessiBe bars unsupported claims that its AI tool could make websites WCAG-compliant and imposes $1 million in relief, so AI accessibility marketing now needs hard substantiation.
FTC finalizes DoNotPay order over deceptive AI lawyer claims
The FTC finalized its DoNotPay order, imposing monetary relief and barring deceptive AI-lawyer claims, which means legal and compliance teams must police any claims that AI can replace professional services.
FTC seeks substantiation for Workado's AI detection accuracy claims
The FTC proposed an order against Workado over unsupported claims that its AI content detector was 98% accurate, so AI vendors must substantiate performance claims and preserve the evidence now.
FTC continues AI deception and AI-companion scrutiny
The FTC’s recent AI enforcement and 6(b) activity shows that deceptive AI claims, misleading chatbot marketing, and data-handling practices remain active enforcement targets and can trigger orders, notices, or information demands without new AI-specific legislation.
California AB2575 health care services artificial intelligence
California AB2575 was introduced to regulate AI in health care services, adding to the state’s growing AI governance patchwork and requiring ongoing monitoring by health-sector operators.
SEC actions on false and misleading AI statements
SEC enforcement releases in 2024–2026 show the Commission continuing to treat false or misleading AI claims as a disclosure and fraud problem for public companies and advisers.
FTC inquiry into generative AI investments and partnerships
The FTC’s 6(b)-style inquiry into major AI investments and partnerships signals antitrust and market-structure scrutiny for AI deals and ecosystem concentration.
FTC authorization for compulsory process for AI-related products and services
The FTC approved compulsory-process authority for AI-related products and services, suggesting faster investigative requests and higher scrutiny of AI claims and practices.
FTC action against IntelliVision for deceptive facial recognition claims
FTC alleged that IntelliVision made unsupported claims that its facial recognition software was bias-free, highly accurate, and spoof-resistant, and the proposed order would bar future claims unless backed by competent and reliable testing.
FTC crackdown on deceptive AI claims and schemes
The FTC’s Operation AI Comply shows the agency is actively pursuing deceptive or unfair AI claims, making substantiation and marketing accuracy urgent compliance issues now.
FCA, Bank of England and Treasury joint statement on frontier AI models and cyber resilience
The FCA, Bank of England, and HM Treasury said firms must be able to identify, monitor, and manage external AI-related applications, libraries, and services integrated into their networks, raising the bar for cyber and third-party resilience.
FCA Mills Review on how AI will reshape retail financial services
The FCA launched a review of advanced AI’s impact on retail financial services, with feedback due 24 February 2026 and recommendations expected for the FCA Board in summer 2026.
COVID-19 Origin Act of 2023
The COVID-19 Origin Act of 2023 was enacted as Public Law No. 118-2 on 2023-03-20, making it a completed federal legislative item with no new AI compliance obligation identified in the source.
Singapore PDPC advisory guidelines on personal data in AI recommendation and decision systems
PDPC finalized advisory guidelines on the use of personal data in AI recommendation and decision systems, clarifying PDPA expectations for training and deployment workflows that use personal data.
Singapore publishes Model AI Governance Framework for Agentic AI
IMDA published Version 1.0 of the Model AI Governance Framework for Agentic AI on 2026-01-22, creating immediate governance expectations for autonomous AI systems that reason and act on their own.
California AB2545 labor force impact report on AI advances
California AB2545 cleared committee on 2026-05-14, indicating growing legislative interest in AI labor impacts and signaling a possible future reporting obligation for employers and developers.
California AB1979 advances on health care AI
California AB1979 passed committee on 2026-05-14, keeping health-care AI regulation active in California and requiring providers and vendors to continue preparing for disclosure and oversight duties.
New York bill on technological displacement notice and workforce transition
New York S08589 was printed on 2026-05-14 and would require notice, reporting, and a workforce transition period before technological displacement, so employers should assess restructuring plans now.
Colorado SB189 sent to governor on automated decision-making technology
Colorado SB189 was sent to the governor on 2026-05-12, meaning a statewide automated decision-making law may be imminent and organizations should finalize gap remediation before enactment.
California SB947 advances on employment automated decision systems
California SB947 was read a second time and amended on 2026-05-14, so employers should expect a rapidly evolving employment-AI compliance bill and begin impact assessment planning now.
New York automated lending decision tools bill advances
New York A00773 advanced to third reading on 2026-04-30, signaling imminent scrutiny of automated lending tools and the need to prepare consent/opt-out and governance controls now.
Colorado HB1139 advances on use of AI in health care
Colorado HB1139 advanced to Senate third reading on 2026-05-11, increasing the likelihood of new AI-specific obligations for health-care use cases that could require near-term policy and vendor review.
FISA Amendments Act extension enacted
Congress enacted a law extending the authorities of Title VII of FISA through 2026-04-30, so organizations reliant on US intelligence-collection authorities should refresh legal and vendor-risk assumptions before the extension lapses.
Bill C-27 / AIDA remains proposed in Canada
Canada’s Artificial Intelligence and Data Act remains proposed legislation within Bill C-27 and has not become law, so teams should treat it as a live monitoring item rather than an immediate compliance deadline.
ICO maintains enforcement posture on AI chatbots and biometrics
The ICO has continued investigating AI systems such as Grok and reiterating its willingness to use full enforcement powers, so AI chatbot and biometric deployments remain under active data-protection scrutiny.
FTC continues AI deception enforcement
The FTC kept up AI deception actions, including bans, monetary relief, and notice obligations, so any unsupported AI performance, compliance, or capability claim now carries concrete enforcement risk.
FCA, Bank of England and Treasury issue frontier AI cyber resilience statement
UK authorities issued a joint statement on frontier AI model cyber resilience, so regulated firms and FMIs should now align AI governance with existing operational resilience and cyber controls.
Family Court endorses secure AI use for judgment summaries
The Family Court published a judgment noting that secure Judicial Copilot summaries were useful for parents with learning difficulties, underscoring that courts will scrutinize AI use but may accept it when carefully controlled and beneficial.
BSI publishes G7 SBOM for AI guidance
BSI released a G7-developed guideline setting minimum requirements for a Software Bill of Materials for AI, so organizations should tighten AI component inventory and supply-chain traceability practices.
Council of Europe AI Framework Convention published
The Council of Europe AI Framework Convention is now published and signed, but it will only enter into force after the Article 30 ratification threshold is met, so organizations should prepare for rights-based AI governance obligations in advance.
SEC Enforcement Against AI Misstatements and AI-Related Fraud
The SEC continued AI-related enforcement in FY2025 and created a Cyber and Emerging Technologies Unit in February 2025, meaning false or misleading AI claims and technology-related investor fraud remain an active enforcement priority.
FTC Inquiry into AI Chatbots Acting as Companions
The FTC launched a 6(b) inquiry into AI companion chatbots, requiring seven companies to produce information on testing, monitoring, child safety, disclosures, and personal-data handling, which raises immediate investigation-readiness concerns for AI providers.
Singapore Model AI Governance Framework for Agentic AI
Singapore released a Model AI Governance Framework for Agentic AI on January 22, 2026, adding practical controls for bounded autonomy, human checkpoints, technical safeguards, and transparency that organizations should adopt before expanding agentic deployments.
ICO Guidance on AI and Data Protection
The ICO’s AI and data protection guidance remains live and is under review following the Data (Use and Access) Act coming into force on June 19, 2025, so organisations must reassess UK GDPR controls for AI now rather than treating the guidance as static.
NY A06578: Artificial Intelligence Training Data Transparency Act
New York A06578 was referred to the Internet and Technology committee on May 5, 2026, advancing a training-data transparency bill that could require public disclosure of AI training datasets and related summaries.
CA SB719: Department of Technology: inventory: high-risk automated decision systems
California SB719 was referred to committee on May 4, 2026, indicating continued movement toward mandatory inventorying of high-risk automated decision systems and potential new recordkeeping obligations.
CA SB1159: Artificial intelligence: transparency and governance
California SB1159 was read first time and held at desk on May 4, 2026, signaling an active transparency-and-governance proposal that could impose new documentation and disclosure expectations for AI systems.
CA SB1011: Energy: Utility Infrastructure AI Safety, Oversight, and Workforce Protection Act
California SB1011 was set for hearing on May 14, 2026, putting AI safety and oversight obligations for utility infrastructure uses under active legislative review and warranting immediate stakeholder monitoring.
CO SB189: Automated Decision-Making Technology
Colorado SB189 passed House Third Reading on May 9, 2026, moving automated decision-making technology legislation closer to adoption and increasing the need to map impacted systems and controls now.
CA SB947: Employment: automated decision systems
California SB947 was set for hearing on May 14, 2026, which keeps automated decision systems in employment squarely on the compliance radar and suggests near-term scrutiny of hiring and workplace AI practices.
CO HB1139: Use of Artificial Intelligence in Health Care
Colorado HB1139 advanced to Senate Second Reading Special Order on May 8, 2026, signaling continued movement toward state-level AI governance for health-care use cases that may require operational and disclosure planning.
California AB1898 workplace artificial intelligence tools
California AB1898 remained active on 2026-04-29 with a first hearing and referral to Appropriations, so employers using AI in the workplace should continue readiness work for likely AI employment controls.
Weekly digest — coming soon
Leave your email to get the first issue when it ships. Free, no account required.
We use your email only for the digest. Privacy policy