I&C | Intelligence and Compliance
AI governance, policy, and risk frameworks.
Edition №2 · Tuesday, May 19, 2026 · ~6 min read
📌 The Brief
The EU just moved its own high-risk deadlines to 2027 and 2028, and in the same breath published draft guidelines that read the scope wider than the statute does.
The clock you've been planning against is wrong now, and the extra runway comes with higher expectations, so re-baseline before you exhale.
⚖️ Regulation & Enforcement
EU AI Act · enforcement actions · compliance deadlines
Council of the EU · 2 min
The May 7 provisional deal slips standalone high-risk (Annex III) obligations from August 2, 2026 to December 2, 2027, and product-embedded (Annex I) systems to August 2, 2028. But the August 2, 2026 transparency and GPAI dates didn't budge.
✅ Do this: Re-baseline your AI Act roadmap to the new dates today, and keep two near-term workstreams hot: Article 50 transparency (Aug 2, 2026) and synthetic-content marking (Dec 2, 2026). Treat the slip as runway, not reprieve.
European Commission · 3 min
The Commission's draft Article 6 guidelines, out for consultation through July 23, read scope expansively. Promotional materials and technical docs help determine whether your system is high-risk, not just your ToS.
✅ Do this: Align "intended purpose" language across legal, product, and marketing before the final guidelines land. A disclaimer won't save a system your own marketing positions as high-risk.
📐 Frameworks & Standards
NIST AI RMF · ISO/IEC 42001 · assurance & audit
NIST · 2 min
AI RMF 1.0 (January 2023) is being revised, with an April 7 concept note for a Trustworthy AI in Critical Infrastructure profile and a separate AI Agent standards effort targeting a Q4 2026 interoperability profile.
✅ Do this: Lock your current crosswalk (RMF plus the AI 600-1 Generative Profile, mapped to Govern / Map / Measure / Manage) as a documented baseline now, so you can show continuity when the revision drops. Frame adoption as risk management, not a safe harbor; Colorado just deleted the one that existed.
🌍 Global Policy Watch
US federal · UK · APAC · OECD · multilateral
Council of Europe · 2 min
On May 15 in Chișinău, the EU ratified the Framework Convention on AI (CETS No. 225), the first legally binding international AI treaty, which binds signatory states rather than companies directly.
✅ Do this: No new corporate obligation here, but it confirms the human-rights direction of travel across UK, EU, and other signatories. If you operate across them, build one defensible governance baseline rather than chasing each regime.
🏢 Sector Signals
Rotating: finance · healthcare · HR/employment
OCC Bulletin 2026-13 · 3 min
The OCC, Fed, and FDIC replaced the 2011 model-risk framework for banks over $30 billion in assets, and explicitly state that generative and agentic AI fall outside it, with a separate interagency RFI on bank AI use coming.
✅ Do this: If you sell models into regulated banks, prepare for a split: traditional models under refreshed SR 11-7 expectations, gen/agentic AI under a coming regime. Build validation evidence and model cards that satisfy both tracks, and watch for the RFI.
💰 Money & Markets
Funding · M&A · liability · insurance · the commercial signal
Cerebras Systems · 2 min
The chipmaker priced 30 million shares at $185 on May 14 and popped 68%, but its S-1 flagged that one customer, MBZUAI, was 62% of 2025 revenue, with the top two near 86%.
✅ Do this: Reopening IPO windows raise the temptation to overstate AI capability. Pressure-test every external AI claim against what your systems actually do. AI-washing exposure tracks fundraising cycles.
🧰 The Stack
Model releases · capability shifts · technical changes that move your risk
WhatLLM tracker · 2 min
May's frontier cadence cooled, but the architecture moved: SubQ 1M-Preview (May 5) launched with a native 12-million-token context window, alongside GPT-5.5 Instant becoming the new ChatGPT default.
✅ Do this: A 12M-token window means far more data can enter a single prompt. Re-run your data-minimization, leakage, and retention analysis before adopting any new default model, and update DLP controls to match the larger surface.
⚡ Quick Hits
Signal over noise
Colorado: Governor Polis signed SB 26-189 on May 14, repealing the 2024 AI Act and replacing it with a lighter ADMT disclosure regime effective January 1, 2027. Passed the Senate 34-1.
EU prohibitions: Two new Article 5 bans, AI nudifier/NCII tools and AI-generated CSAM, take effect December 2, 2026 under the Omnibus deal.
Texas: TRAIGA has been enforceable since January 1, 2026, with penalties up to $200,000 per uncurable violation, a 60-day cure period, and AG-only enforcement.
California: SB 53's frontier-AI transparency rules have been live since January 1, 2026, with penalties up to $1,000,000 per violation and 15-day incident reporting to Cal OES.
Illinois: HB 3773 amendments to the Human Rights Act took effect January 1, 2026, barring AI with a discriminatory effect in employment and requiring employee notice.
UK: The ICO's statutory duty to produce a single AI/ADM Code of Practice came into force May 12 (SI 2026/425), with its profiling consultation closing May 29.
EU GPAI: Commission enforcement powers over GPAI models, with fines up to €15M or 3% of global turnover, still begin August 2, 2026, untouched by the Omnibus.
📅 On the Radar
Forward look: deadlines, comment windows, effective dates coming up
July 23, 2026: Last day to submit feedback on the EU's draft Article 6 high-risk classification guidelines.
August 2, 2026: Article 50 transparency obligations apply and the Commission's GPAI enforcement powers, including fines, go live. This date did not move.
December 2, 2026: EU synthetic-content marking obligation becomes enforceable, and the two new Article 5 prohibitions take effect.
January 1, 2027: Colorado SB 26-189 takes effect; the AG must adopt implementing rules by the same date.
🔍 One Big Thing
Stanford HAI · 40 min read at source
The seventh edition is the data backdrop for any board-level AI risk conversation this quarter. Global private AI investment hit $344.7 billion in 2025, up 127.5% year-over-year, while generative AI reached 53% population adoption within three years, faster than the PC or the internet, and now sits in at least one business function at 70% of organizations. On SWE-bench Verified, model performance climbed from 60% to near 100% of the human baseline in a single year.
The finding that should worry governance teams: training code, parameter counts, and dataset sizes are no longer disclosed for several of the most resource-intensive systems from OpenAI, Anthropic, and Google, a transparency regression that hits vendor due diligence directly.
✅ Do this: Use the Index for two things: calibrating how far capability and adoption have outrun governance maturity, and hardening your vendor diligence.
With public disclosures shrinking, move model cards, eval results, and training-data provenance into contractual requirements instead of relying on what vendors publish.
💬 From the desk
The Omnibus is still a provisional agreement. The deadlines above hold only once it's published in the Official Journal. Until then, the original August 2, 2026 high-risk dates technically remain on the books. I'm watching for that publication, and for the interagency bank-AI RFI, which will reshape how financial-sector buyers run diligence. Both go in next week's edition if they land.