Policy Updates
A running log of AI governance analysis, regulatory changes, and practical guidance — published weekly. We track the policy landscape so your team doesn't have to.
A self-spreading worm compromised 57 npm packages in under 2 hours using binding.gyp instead of postinstall scripts, bypassing security scanners. What it means for teams that run npm install, and the 5 controls that limit your exposure.
Amazon shut down its KiroRank AI leaderboard after employees gamed it by running fake tasks to inflate token counts. The right AI adoption metrics measure outcomes, not usage. A practical framework for small teams.
Colorado replaced its original AI Act with SB 26-189, signed May 14, 2026. The new law drops bias audits and impact assessments in favor of a lighter notice-and-transparency framework. Effective January 1, 2027, it requires pre-use notice, post-adverse-action notice within 30 days, and 3-year recordkeeping for any employer using AI in hiring, promotions, or terminations.
Illinois BIPA is the most litigated biometric privacy law in the US, with class actions reaching $228M settlements. AI systems that collect or analyze facial geometry, fingerprints, or voiceprints trigger BIPA. This guide covers what compliance requires.
Hackers social-engineered Meta AI into resetting passwords on high-profile Instagram accounts by simply asking. What the attack means for any team deploying an AI chatbot that can take account actions, and the 6 controls that prevent it.
The EU provisional agreement pushed high-risk AI obligations to late 2027. But Article 50 transparency rules still apply August 2, 2026, GPAI requirements have applied since August 2, 2025, and the prohibited-practices ban has been in force since February 2, 2025. Here is exactly what changed and what did not.
One company burned $500M on Claude in a month with no usage limits. Five copy-paste controls (usage caps, budget alerts, per-seat limits, a kill switch, and a monthly review) to keep token-based AI billing from blowing up your budget.
Searching for popular AI tools now surfaces fake malware sites and typosquatted packages at the top of results. A 7-step vetting check to confirm an AI tool is the real one before your team installs it.
AI now writes a large share of the pull requests your team reviews. A copy-paste policy and 9-point checklist for reviewing AI-generated PRs: who is accountable, what to require, and where AI code fails review.
The US Copyright Office has ruled that purely AI-generated content cannot be copyrighted. But most AI outputs involve human creative choices. This guide explains what you can and cannot protect, and how to document the human contribution that matters.
When your AI agent sends a wrong email, makes a bad purchase, or deletes data, the law says you are responsible, not the AI. Here is what small teams must do before deploying autonomous agents in 2026.
Exact copy-paste text for the Amazon KDP AI disclosure checkbox and notes field, covering fully AI-generated text, AI cover art, AI translation, AI-assisted editing (no disclosure), and hybrid books. No guessing what to write.
Courts are now targeting AI outputs, not just training data. After the $1.5B Anthropic settlement, here is which AI providers actually indemnify commercial output and what your team must do before publishing AI-generated content.
12+ states now require AI chatbot disclosure. California SB 243 creates a private right of action: users can sue if your bot claims to be human. Here is what SaaS teams must do in 2026.
AI-powered employee monitoring is now subject to specific laws in 11+ US states and GDPR in Europe. This guide covers what disclosures are required, what's prohibited, and how to build a compliant monitoring policy.
Standard vendor questionnaires no longer satisfy regulators. The Treasury FS AI RMF (February 2026) requires independent testing, bias audits, and hallucination measurement. Here's a practical assessment framework for teams evaluating ChatGPT Enterprise, Claude, Gemini, and similar tools.
Texas TRAIGA requires explicit consent before collecting biometric data in AI hiring tools, even from public sources. Here's what HR teams and AI vendors using facial recognition, voice analysis, or video interviews must do.
NYC Local Law 144 is no longer the only AI bias audit requirement. Colorado, Minnesota, and New Jersey all have active requirements for HR teams using algorithmic decision tools in 2026. Here's what each state requires and what a multi-state employer must do.
Georgia SB 540 takes effect July 1, 2027. $10,000 per knowing violation. Here is what chatbot operators must build into their products before the deadline.
Cox Media Group paid $930K for AI capabilities it didn't have. The 8-step checklist to verify your product claims meet the FTC's substantiation standard.
The Senate stripped AI preemption from the One Big Beautiful Bill 99-1. The White House is now using a DOJ task force instead. What compliance teams need to do in the patchwork era.
The European Commission published draft guidelines May 19 on how to classify high-risk AI under Article 6. Consultation closes June 23. Here is what changes for small teams before August.
Not all "GDPR compliant" AI assistants actually meet the bar your DPO will check. Here is how Claude Teams, ChatGPT Enterprise, Gemini for Workspace, Mistral Business, and Microsoft Copilot score against 6 GDPR requirements: EU data residency, DPA availability, training opt-out, SOC 2, GDPR Article 28 processor agreement, and self-hosting option.
A free AI register template with 12 fields covering system name, vendor, risk classification, data inputs, human oversight, and compliance framework mapping. Copy and adapt for EU AI Act Article 70, Colorado SB 26-189, and NIST AI RMF.
A 25-question yes/no scorecard to assess your AI regulatory readiness across EU AI Act, EEOC, GDPR/CCPA, FDA AI guidance, and Colorado SB 26-189. Score yourself and get a tiered verdict, from baseline to audit-ready. Built for software and biotech teams with August 2026 deadlines approaching.
VCs and PE firms are adding AI governance questions to due diligence in 2026. This 18-item checklist covers what investors ask about bias documentation, data licensing, privacy compliance, acceptable-use policies, incident response, and EU AI Act exposure. Framed for founders preparing for fundraising.
AI risk decisioning is automated accept, deny, or review logic used in credit, fraud, underwriting, and insurance. This guide explains how it works, which regulations apply, and includes a 10-item governance checklist aligned with the US Treasury FS AI RMF published in February 2026.
Colorado Governor signed SB 26-189 on May 14, 2026, rewriting the state AI law. The impact assessment requirement is gone. A notice and disclosure framework replaces it, with a January 1, 2027 effective date. Here is what changed, what stayed, and the 8-step employer checklist.
The FTC began enforcing the Take It Down Act on May 19, 2026. Covered platforms must remove non-consensual intimate imagery within 48 hours of a valid request. This guide covers which platforms are covered, the removal clock, the $53,088 per-violation penalty, and a 6-step compliance checklist for platform operators.
California SB 942 requires generative AI providers serving 1M+ monthly California users to label AI-generated content and disclose AI system information. Enforcement starts August 2, 2026. Here is the 6-step compliance checklist.
EU AI Act Annex III lists 8 categories of high-risk AI systems. The EU Digital Omnibus extended the full compliance deadline to December 2, 2027. Plain-language guide: which AI qualifies, what providers and deployers must do.
Illinois law requires employers to notify candidates before using AI to analyze video interviews, give an opt-out option, and disclose which characteristics the AI evaluates. In effect since January 1, 2026. Here is the 6-step compliance checklist and sample consent language.
Copy-paste AI agent governance policy for teams of 5-50. Covers authorization scope, data minimization, human-in-the-loop triggers, audit log format, and the 5 actions agents must never take without human approval.
Article 50 compliance checklist: chatbot disclosure by August 2, 2026. AI content labeling and deepfake marking delayed to December 2, 2026 (EU Digital Omnibus). Who it applies to, C2PA watermarking standards, 8-step checklist.
Model Context Protocol (MCP) servers give AI agents access to your filesystem, databases, and APIs. Here are the 5 attack vectors, 12-point governance checklist, and access scope framework every engineering team should implement before deploying agents with MCP.
Colorado SB 189 was signed May 14, 2026, replacing SB 24-205 with a narrower automated decision-making framework. Effective date is now January 1, 2027. Here is what changed, what the new requirements are, and the 5-step preparation checklist for Colorado employers.
California AB 2013 requires AI developers to post a training data summary on their website if their product is sold in California. In effect January 1, 2026. Here is what to disclose, who is covered, and a sample disclosure page template.
AI agents accumulate OAuth tokens, API keys, and tool permissions without formal approval processes. Here is how to find unauthorized agents in your environment, assess their access, and build an access inventory before something goes wrong.
The EU AI Act Code of Practice for general-purpose AI providers finalized in June 2026. Here is what changed from the April draft, what obligations are now locked in, and the 7-step action checklist for GPAI providers before the August 2, 2026 enforcement date.
GPAI provider under the EU AI Act? 8 yes/no questions to find your classification and the obligations you must meet before August 2, 2026. Covers model size, EU market access, and systemic risk.