I&C | Intelligence & Compliance
AI governance, policy, and risk frameworks.
Edition №03 · Tuesday, May 26, 2026 · ~6 min read
📌 The Brief
The Commission finally published its high-risk classification guidelines, and they read broader than most compliance teams budgeted for: more systems land in scope under both Article 6 routes than a plain reading of the Act suggested.
If you scoped your AI inventory against the bare text of Annex III, the new examples may move products you wrote off as out-of-scope back onto your risk register.
⚖️ Regulation & Enforcement
EU AI Act · enforcement actions · compliance deadlines
European Commission · 2 min
The Commission published draft guidelines on high-risk classification under Article 6 on May 19, interpreting "safety component" and "intended purpose" expansively: an AI feature can be high-risk based on its realistic failure mode, not how it's marketed. Consultation runs to July 23, and final guidelines arrive end of 2026.
✅ Do this: Re-run classification on every system you scoped out on a Module A / self-assessment assumption, and check the failure-mode test against your product's worst credible malfunction, not its marketing copy.
Consilium · 2 min
The Council updated its Omnibus press release on May 18 with the presidency letter to Parliament, confirming the first-reading path that defers Annex III high-risk obligations to December 2, 2027 and cuts the synthetic-content marking grace period to three months (new deadline December 2, 2026). Formal adoption is expected in coming weeks.
✅ Do this: Don't read the delay as relief. Treat December 2, 2026 as your hard date for machine-readable marking on any generative system already on the EU market, and document the extra runway as planned work, not slack.
📐 Frameworks & Standards
NIST AI RMF · ISO/IEC 42001 · assurance & audit
NIST AIRC · 1 min
NIST confirms AI RMF 1.0 is being revised under the July 2025 White House AI Action Plan, which directed removal of references to misinformation, Diversity, Equity, and Inclusion, and climate change. The four functions (Govern, Map, Measure, Manage) stay intact; the trustworthiness vocabulary around them shifts.
✅ Do this: If your governance policies cite specific RMF language on bias or misinformation, version-pin the 1.0 text you built against under Govern so an auditor can see which edition your controls map to when the revision lands.
🌍 Global Policy Watch
US federal · UK · APAC · OECD · multilateral
ICO · 2 min
The ICO's draft ADM guidance, reflecting DUAA reforms to Article 22 UK GDPR, closes for feedback on May 29, and the draft reads "decision" and "significant" broadly: dynamic pricing and algorithmic recommendations are flagged as potentially in-scope. The statutory Code of Practice that follows (mandated by SI 2026/425, in force May 12) will carry weight courts must consider.
✅ Do this: If you run recruitment screening, scoring, or pricing on UK data, pressure-test whether your "human in the loop" actually has authority to overturn the output. A rubber-stamp review counts as solely automated.
🏢 Sector Signals
Rotating: finance · healthcare · HR/employment
Baker Botts · 2 min
Covered platforms had until May 19, 2026 to stand up a working notice-and-removal process for non-consensual intimate imagery, including AI-generated deepfakes, with the FTC enforcing and a 48-hour takedown clock once content is flagged. The deadline lands the same week the EU agreed a parallel Article 5 prohibition on nudification tools.
✅ Do this: If you host user-generated or AI-generated media, confirm your removal workflow meets the 48-hour window and logs each request. The FTC treats the missing process itself as the violation.
💰 Money & Markets
Funding · M&A · liability · insurance · the commercial signal
U.S. Treasury · 2 min
Treasury's FSOC and AI Transformation Office held the fourth and final roundtable of the AI Innovation Series on May 19, framing the financial-sector challenge as operationalizing AI at scale rather than writing new rules. The readouts will feed FSOC's posture, which leans toward enabling adoption over fresh regulation.
✅ Do this: Read the deregulatory signal for what it is, but don't let it relax your model-risk discipline. SR 11-7 and existing anti-fraud authority still bite, and "AI-washing" enforcement runs on a bipartisan track regardless of Treasury's tone.
🧰 The Stack
Model releases · capability shifts · technical changes that move your risk
Osborne Clarke · 3 min
A technical wrinkle in the May 19 guidelines: the same AI system can be high-risk or not depending on whether its operator is formally designated a "critical entity" under the CER framework, so identical software shifts risk tier based on the customer, not the code. Pure cybersecurity and network-optimization tools without a direct physical-safety role stay outside Annex III point 2.
✅ Do this: Add your customer's regulatory status to your classification inputs. If you sell the same model to a CER-designated utility and a non-designated buyer, your obligations diverge, and your contracts should reflect it.
⚡ Quick Hits
Signal over noise
Consultation extended: The Commission pushed the high-risk guidelines feedback deadline from June 23 to July 23, 2026 after stakeholder requests for 4 more weeks. read more
Article 50 transparency: Interactive-AI disclosure, deepfake labelling, and emotion-recognition notice obligations still apply from August 2, 2026, three months out. read more
New prohibitions: The Omnibus adds two Article 5 bans (non-consensual intimate imagery and AI-generated CSAM), taking effect December 2, 2026. read more
SME relief: Simplified technical-documentation requirements now extend to small mid-cap companies, not just SMEs, under the agreed Omnibus text. read more
Fundamental-rights authorities: The Commission published its consolidated list of national fundamental-rights protection authorities with special AI Act powers on June 1. read more
Sandboxes slip: The deadline for Member States to stand up at least one national AI regulatory sandbox moves a full year, to August 2, 2027. read more
UK code incoming: SI 2026/425 came into force May 12, requiring the ICO to write a statutory Code of Practice on AI and ADM, with children's data explicitly in scope. read more
📅 On the Radar
Forward look — deadlines, comment windows, effective dates coming up
May 29, 2026: ICO consultation on automated decision-making and profiling guidance closes.
July 23, 2026: Extended deadline for feedback on the Commission's high-risk classification guidelines.
August 2, 2026: Article 50 transparency obligations (interactive-AI disclosure, deepfake labelling) become applicable.
December 2, 2026: Synthetic-content marking deadline and two new Article 5 prohibitions take effect.
🔍 One Big Thing — the long read
Bird & Bird · 12 min read at source
The most useful long read this week works through the Commission's May 19 guidelines clause by clause, and the throughline is that classification is now driven by consequence, not labelling. A combustion-efficiency optimizer in a household gas appliance can be a safety component because its failure could cause carbon monoxide or fire; a heating-schedule optimizer whose failure only raises bills is not. For Annex III systems, the analysis warns the Article 6(3) "no significant risk" filter is narrower than many providers assume and carries its own documentation obligations, so claiming the exemption is not a free pass. It also flags that the grandfathering regime under Article 111 survived the Omnibus untouched, but the undefined "significant change" threshold means retraining or material parameter updates could pull a grandfathered system back into scope sooner than expected. The Annex III perimeter is designed to move: annual review, delegated acts, and amendable filter conditions mean a static compliance list will age badly.
✅ Do this: Bring the safety-component failure-mode examples to your next product-risk review and use them to re-test anything you exempted. Then write down why each excluded system clears Article 6(3), because the filter is now an obligation you have to evidence, not an assumption you get to make.
💬 From the desk
Three drafts, one prohibition expansion, and a deadline week, all landing as the Omnibus heads to formal adoption. The pattern worth watching: every "simplification" this month came paired with a broader interpretation somewhere else. The deadlines moved out; the scope moved in. Next week I'm tracking whether the Omnibus text clears Parliament on schedule.
Was this forwarded to you? Subscribe