Regulatory feed

High-risk system requirements take effect for new placements. Penalties reach €35M or 7% of global turnover. Notified bodies begin conformity assessments. Existing high-risk systems must complete conformity by end of 2026. EU 2024/1689 Art 9–17

General-purpose AI model providers must publish technical documentation, training-data summaries, copyright policies. For systemic-risk GPAI (>10²⁵ FLOPs): mandatory model evaluations, adversarial testing, incident reporting. Art 51–55

AIMS certification scheme mature; first wave of accredited audits opening. Agentics maps oversight log → 8.x, risk register → 6.x, evidence pack → 9.x. Issued certificates become a procurement signal.

Govern / Map / Measure / Manage. GenAI profile (AI 600-1) extends the core with synthetic-content provenance, prompt-injection defense, hallucination governance. Aligns with the EU AI Act on high-risk requirements.

Sector-led approach via CMA, FCA, ICO, MHRA, Ofcom + a central AI Authority. AI Safety Institute keeps testing flagship models. Lighter-touch than the EU AI Act on horizontal duties.

Federal agencies subject to OMB AI memo: chief AI officers, public inventories, impact assessments. Watch state-level: CA SB 1047 successor, CO SB 24-205, IL HB 5116, NYC Local Law 144. Sectoral guidance from FDA, EEOC, CFPB.

Trust Service Criteria CC / A / C / PI / P. Agentics aligns CC-series controls automatically from audit logs. Inherits AI-specific controls via the ISO 42001 mapping.

ISO published three GenAI insurance carve-outs early 2026. Coalition added explicit affirmative AI coverage. Klaimee writing first AI-agent liability policies. Higher trust posture → lower premium. Get an insurance check →

DPIA required for systematic large-scale processing. Automated-decision-making rights (Article 22). DSAR workflows must capture AI-derived inferences. CCPA: opt-out of "automated decision-making technology" coming via APRA-style rules.