I&C | Intelligence & Compliance
AI governance, policy, and risk frameworks.
Edition №04 · Tuesday, June 2, 2026 · ~5 min read
📌 The Brief
NIST just dropped "Safety" from the name of its flagship AI consortium and pointed it at innovation and adoption instead.
The body that writes the measurement science behind US AI governance is openly reorienting toward enabling deployment, not constraining it.
If your compliance program leans on federal frameworks as its backbone, the backbone is shifting under you.
⚖️ Regulation & Enforcement
US federal · US states · enforcement actions · compliance deadlines
🦅 US Federal
NIST · 2 min
NIST renamed the AI Safety Institute Consortium (AISIC) the NIST AI Consortium on May 29, dropping "safety" and reorienting roughly 280 member organizations toward AI measurement, innovation, and adoption under Executive Order 14179 and the AI Action Plan. Six task groups will do the work, including AI TEVV, AI Documentation Cards, and a restarted Chemical and Biological Security group.
Existing members must sign an amendment to stay in, and new members enter through a CRADA.
✅ Do this: Read this as the federal baseline tilting from risk constraint toward deployment enablement, and stop treating "NIST-aligned" as a fixed target.
If you rely on NIST artifacts for documentation or TEVV, track the new task groups, especially Documentation Cards, since their templates will shape what auditors and enterprise buyers expect. Watch Federal Register notice 2026-10779 for participation terms.
🌍 Global Policy Watch
EU AI Act · UK · APAC · OECD · multilateral · enforcement actions
🌍 UK · APAC · Multilateral
ICO · 2 min
On May 29 the ICO published its response to a January government request, setting a 2026/27 workplan built around a statutory AI and ADM code of practice, dedicated agentic-AI guidance, and consumer support for an increasingly personalized AI market.
It frames the year as delivering regulatory certainty on how data protection law applies to AI development and deployment, building on the June 2025 AI and biometrics strategy.
✅ Do this: If you run AI on UK personal data, treat the forthcoming statutory code as the document your governance will be measured against, since courts and the ICO must take it into account. Start now on the recurring ICO theme: a human reviewer who can't actually overturn an automated output doesn't count as meaningful involvement under the reformed Article 22A-D regime.
🧰 The Stack
Model releases · capability shifts · technical changes that move your risk
CNN · 2 min
CNN filed suit in the Southern District of New York on May 28, alleging Perplexity scraped more than 17,000 stories, videos, and images and produced near-verbatim output, the first AI copyright action by a TV network.
The complaint targets retrieval-augmented generation specifically: copying that happens live at query time, not just during training, which sidesteps the fair-use arguments that protected the earlier training-data cases.
✅ Do this: If your product uses RAG over third-party content, separate training-time risk from retrieval-time risk in your IP review, because courts may treat them differently.
Confirm you respect robots.txt and licensing for any source you retrieve at inference, and check that your outputs don't reproduce source text at length or imply a publisher relationship you don't have.
⚡ Quick Hits
Signal over noise
NIST scope: The new NIST AI Consortium runs six task groups, including a restarted Chemical and Biological Security group and the BENGAL effort with IARPA on LLM misinformation and leakage. read more
UK code: The ICO confirmed its statutory AI and ADM code of practice, mandated by SI 2026/425, is the centerpiece of its 2026/27 plan, with children's data explicitly in scope. read more
Copyright: Perplexity's response to the CNN suit was "you can't copyright facts," echoing its posture against earlier suits from the NYT and Dow Jones. read more
ADM deadline: The ICO's consultation on automated decision-making and profiling guidance closed May 29, with final guidance expected over summer 2026. read more
📅 On the Radar
Forward look — deadlines, comment windows, effective dates coming up
June 3, 2026: Consultation on the Commission's draft Article 50 transparency guidelines closes.
July 23, 2026: Extended deadline for feedback on the EU's draft high-risk classification guidelines.
August 2, 2026: Article 50 transparency obligations apply and GPAI enforcement powers, including fines up to €15M or 3% of turnover, go live. This date did not move.
December 2, 2026: Synthetic-content marking deadline for generative systems already on the EU market, and two new Article 5 prohibitions take effect.
🔍 One Big Thing
European Commission · 30 min read at source
The most useful document on a compliance desk this week is the Commission's draft Article 6 guidance, published May 19 and open for feedback until July 23, because it turns the abstract Annex III list into worked examples across all eight high-risk areas.
The throughline is that classification turns on consequence, not labelling: a combustion-efficiency optimizer in a household gas appliance can be a safety component because its failure could cause fire or carbon monoxide, while a heating-schedule optimizer whose failure only raises a bill is not.
The guidance confirms the presence or absence of human review is irrelevant to whether a system is high-risk and matters only to which obligations attach, and that the four Article 6(3) filter conditions are read more narrowly than many providers assume. Crucially, intended purpose is assessed across instructions, promotional materials, and technical documentation as a whole, so a carve-out buried in your terms of service won't save a product your own marketing positions as high-risk.
The perimeter is built to move, through annual review and delegated acts, so a static compliance inventory will age badly.
✅ Do this: Bring the safety-component failure-mode examples to your next product-risk review and re-test everything you previously scoped out. Then write down, per system, why it clears Article 6(3), because under this reading the filter is an obligation you have to evidence, not an assumption you get to make.
File your consultation feedback before July 23 if any example reaches your products.
💬 From the desk
A quiet week on the calendar, but the two government moves rhyme. NIST drops "safety" from its consortium and the ICO leans into "enabling safe AI-powered innovation." Both are regulators repositioning around adoption.
The tell for compliance leads: when the standard-setters start optimizing for deployment speed, the documentation burden doesn't vanish, it moves to you and to your contracts.
Next week I'm watching for more state AGs after Florida's OpenAI suit, and for the final Article 50 guidelines ahead of August 2.
Was this forwarded to you? Subscribe →