I&C | Intelligence and Compliance
AI governance, policy, and risk frameworks.
Edition №01 · Tuesday, May 12, 2026 · ~6 min read
📌 The Brief
On May 7, Brussels rewrote the AI Act's calendar. The headline is a 16-month reprieve on high-risk obligations.
But the reprieve isn't the part that should reshape your roadmap, and the same deal starts two new clocks running.
If you've paced your program to an August 2026 finish line, that line just moved. Not all of it.
⚖️ Regulation & Enforcement
EU AI Act · enforcement actions · compliance deadlines
The EU just pushed high-risk AI obligations to December 2027
Council of the EU · 2 min read
Parliament and Council negotiators struck a provisional deal on the Digital Omnibus on AI. The first amendments to the AI Act since 2024. Use-based high-risk obligations under Annex III slip from 2 August 2026 to 2 December 2027, a 16-month deferral tied to whether harmonized standards are ready. National regulatory sandboxes move to 2 August 2027. Here's the catch: the deal still needs formal adoption, expected in July, and the prohibited-practices ban and GPAI rules already in force don't move at all.
↳ The compliance angle: Don't stand the Annex III program down; re-baseline it. Treat 2 December 2027 as the new planning anchor, keep building conformity assessments and technical documentation against the draft standards, and confirm final adoption before you bank the extra time.
Brussels published its Article 50 transparency playbook with open source firmly in scope
European Commission · 2 min read
The Commission released 40 pages of draft guidance on May 8 covering chatbot disclosure, deepfake labelling, and machine-readable marking of synthetic output. Consultation runs to 3 June. Two clarifications bite. Open-source systems get no exemption from Article 50. And the "purely personal" carve-out collapses the moment a deepfake touches public discourse. Fines reach €15M or 3% of worldwide turnover.
↳ The compliance angle: Inventory every system that talks to a user or generates synthetic media, then map each to its Article 50 limb. Disclosure (50(1)), emotion and biometric notice (50(3)), and deepfake labelling (50(4)) all apply from 2 August 2026 with no grace period. Only legacy machine-readable marking under 50(2) gets the December extension.
📐 Frameworks & Standards
NIST AI RMF · ISO/IEC 42001 · assurance & audit
NIST is rewriting the AI RMF and cutting three themes out of it
NIST · 1 min read
The AI RMF 1.0, the Govern / Map / Measure / Manage spine most US programs are built on, is under its first revision since its January 2023 release. Pursuant to America's AI Action Plan, NIST is removing references to misinformation, DEI, and climate change, and sharpening the document toward reliability and adoption. The framework stays voluntary.
↳ The compliance angle: If your Govern controls cite the current RMF text by section number, expect language drift at your next policy refresh. Anchor your control mappings to the four functions, not to specific wording. That's the part that survives the rewrite.
🌍 Global Policy Watch
US federal · UK · APAC · OECD · multilateral
The ICO just got statutory power to write the UK's AI decision rulebook
Information Commissioner's Office · 2 min read
From 12 May, SI 2026/425 hands the ICO a statutory duty to produce a Code of Practice on AI and automated decision-making.
It lands as the Data (Use and Access) Act rewrites Article 22 UK GDPR, scrapping the blanket ban on solely automated decisions for a conditions-based test. The ICO's draft ADM guidance, open for comment until 29 May, already signals the line: a rubber-stamp human review won't count as "meaningful involvement."
↳ The compliance angle: Run AI decisioning in both the EU and UK? You're now maintaining two rulebooks that define human oversight differently. Document where a person can actually overturn an automated outcome, not just sign off on it, and file a consultation response by 29 May if ADM is core to your product.
🏢 Sector Signals
Rotating focus: finance · healthcare · HR/employment
The SEC put AI on its 2026 exam list, and "AI-washing" is the trigger
U.S. Securities and Exchange Commission · 1 min read
AI sits among the SEC Division of Examinations' fiscal-2026 priorities, with cyber and AI displacing crypto as the dominant exam theme. The principle is unchanged: claims about AI in disclosures, marketing, and adviser communications must be accurate and evidence-backed, and unsupervised "shadow AI" tools fall under the same recordkeeping duties the agency applied to off-channel messaging.
↳ The compliance angle: Before AI shows up in a pitch deck, an earnings call, or a Form ADV, paper the proof. Stand up an AI acceptable-use policy, run discovery for shadow tools, and keep vendor due-diligence records. Examiners will ask who supervises the output.
⚡ Quick Hits
Signal over noise
EU AI Act: Two new prohibited practices, AI-generated CSAM and non-consensual intimate imagery, apply from 2 December 2026.
EU AI Act: Legacy generative systems get a 3-month grace on machine-readable marking, moving Article 50(2) compliance to 2 December 2026.
NIST: A 7 April concept note opens work on a Trustworthy-AI-in-Critical-Infrastructure RMF profile for energy, health, and transport operators.
OECD: New Due Diligence Guidance for Responsible AI (19 February) maps AI risk onto the Guidelines for Multinational Enterprises.
SEC: In 3 February staff remarks, the agency pushed advisers past AI "liability paralysis" while holding firm on AI-washing exposure.
💬 From the desk
What I'm watching: the 3 June close of the Article 50 consultation, and formal adoption of the Omnibus, expected July. If adoption slips past 2 August, the "relief" turns into a gap.
The old deadlines stay technically live while the new ones aren't law yet. I'll flag the moment it's signed.
Intelligence and Compliance · intelligenceandcompliance.com