TL;DR
As of 2026-05-20, the EU AI Act's high-risk obligations have been in force ~9 months (since 2025-08-02), the Colorado AI Act has been live since 2026-02-01, and California SB-942 is in operation. No public enforcement actions yet under the EU AI Act high-risk regime. Sources: European Commission AI Office, Colorado AG, NIST.
EU AI Act: nine months into high-risk enforcement
The EU AI Act entered into force on 2024-08-01, with the prohibited-practices ban taking effect 2025-02-02 and the high-risk system obligations taking effect 2025-08-02. As of May 2026 we are nine months past the high-risk effective date. The shape of enforcement so far is consistent with what most large EU regulatory regimes look like in their first 18 months: a heavy focus on standing up the institutional machinery rather than headline penalty actions.
What has actually happened. The EU AI Office (housed within the European Commission's DG CNECT) is operational and has published its initial code of practice for general-purpose AI model providers, dated August 2025. National competent authorities have been designated in the majority of member states, although several smaller member states are still finalising designations. The European Artificial Intelligence Board has held its initial meetings.
What has not happened publicly. As of 2026-05-20, no public enforcement actions or material fines have been announced under the high-risk system obligations of the EU AI Act. This is consistent with the first 12 to 18 months of GDPR enforcement, where the early period was dominated by guidance, supervisory inquiries, and prepared cases rather than headline decisions. For CISOs running EU AI Act compliance programmes, the implication is that the institutional risk window is now open, even if the headline penalty window has not yet been demonstrated in case law.
What to watch over the next quarter. The general-purpose AI model obligations took effect 2025-08-02 with a transition period; expect EU AI Office guidance and supervisory action to focus on GPAI providers first before high-risk deployers. The AI Liability Directive negotiations remain ongoing in the European Parliament as of May 2026 and are worth tracking because they would shift the burden of proof in AI-related liability cases.
US state laws: Colorado live, California in operation, others on the horizon
The Colorado AI Act (SB 24-205) took effect 2026-02-01 and is now the most operationally relevant US state AI law for mid-market and enterprise organisations. The Colorado AG's office is the lead enforcement authority. The law applies a "high-risk artificial intelligence system" definition centred on consequential decisions in employment, education, housing, insurance, financial services, healthcare, and similar domains.
What deployers and developers are actually doing. Three months in, the public picture from law firm advisories and industry groups is that organisations have prioritised three artefacts: a risk management policy aligned to a recognised framework (most commonly NIST AI RMF), impact assessments for any system meeting the consequential-decision threshold, and updated consumer-facing notices for adverse decisions made with high-risk AI assistance. The Colorado AG has signalled that initial enforcement will focus on the consumer-notice obligations because those are the most directly observable.
California's parallel regime is also live. SB-942, the California AI Transparency Act, took effect in 2026 and imposes disclosure obligations on GenAI providers and on certain platforms. As of May 2026, the California AG has not announced public enforcement actions but has published initial guidance on the watermarking and AI-content-disclosure provisions. For California-exposed organisations, the relevant compliance documents to maintain are: provenance-and-detection capability evidence for covered GenAI content, AI content disclosure language on user-facing surfaces, and a documented process for responding to consumer requests.
Other states moving in 2026. Several other states have AI-specific legislation in various stages of enactment or implementation. The patchwork picture as of May 2026 is unchanged from our earlier US state AI laws patchwork analysis: organisations with multi-state exposure should treat Colorado and California as the operational baselines and overlay state-specific obligations from there.
Singapore: AI Verify adoption and the agentic AI framework
Singapore's Infocomm Media Development Authority (IMDA) launched AI Verify as an open-source AI governance testing framework and toolkit in 2022, and adoption has continued steadily through May 2026. The toolkit operationalises 11 internationally recognised AI ethics principles via a battery of technical tests and process checks.
The more recent development is Singapore's continued work on agentic AI governance, building on the IMDA's Model AI Governance Framework for Generative AI. CISOs operating in or selling into Singapore should pay particular attention to the agentic-AI workstream because it is among the first national-level governance frameworks to treat agentic systems (AI systems that take multi-step actions across tools and APIs) as a distinct category from generative or predictive AI. The Areebi Singapore agentic AI governance analysis walks through the framing and the practical implications for enterprise deployments.
Why this matters outside Singapore. AI Verify and the Model AI Governance Framework have been treated as reference models by several other jurisdictions in the region and beyond. The framework is also referenced in the OECD AI Policy Observatory's catalogue of national initiatives, which is the canonical cross-jurisdiction directory most enterprise compliance teams use for horizon scanning.
NIST AI 600-1: one-year retrospective on the GenAI Profile
NIST published the AI 600-1 GenAI Profile on 2024-07-26 as a companion to the AI RMF 1.0 (NIST AI 100-1, January 2023), specifically for generative AI use cases. As of May 2026 the GenAI Profile is approaching two years old and has settled into a stable position in enterprise governance programmes.
What enterprises actually use it for. In our work with mid-market and enterprise organisations, the AI 600-1 is most commonly used as the per-system MAP and MEASURE checklist for GenAI deployments specifically. The 12 GenAI-specific risks documented in the Profile (CBRN information uplift, confabulation, dangerous or violent recommendations, data privacy, environmental, harmful bias and homogenization, human-AI configuration, information integrity, information security, intellectual property, obscene/degrading/abusive content, and value chain/component integration) have become the de facto risk taxonomy that even non-US organisations reference. For the cross-cutting governance discipline, organisations continue to anchor on the four AI RMF functions (GOVERN, MAP, MEASURE, MANAGE) covered in the GOVERN function deep dive and MAP function deep dive.
What is missing and worth watching. The AI 600-1 does not directly address agentic AI systems, which is the gap Singapore's agentic AI framework is starting to fill. NIST has signalled (via the AISI work and ongoing AI RMF refresh communications) that agentic-specific guidance is on the roadmap. CISOs with material agentic AI deployments should not wait for that guidance; the practical baseline today is to extend the AI 600-1 risk taxonomy with explicit agentic considerations (multi-step action chains, tool-use authorisation, autonomous decision boundaries) and document the extension.
Enforcement summary as of May 2026
The honest summary of enforcement to date is that this is still the institution-building phase, not the case-law phase. The table below captures the public picture as of 2026-05-20.
| Framework | Effective date | Public enforcement actions to date | Source |
|---|---|---|---|
| EU AI Act - prohibited practices | 2025-02-02 | None publicly announced as of 2026-05-20 | European Commission AI Office communications |
| EU AI Act - high-risk obligations | 2025-08-02 | None publicly announced as of 2026-05-20 | European Commission AI Office communications |
| Colorado AI Act | 2026-02-01 | None publicly announced as of 2026-05-20 | Colorado Attorney General communications |
| California SB-942 | 2026 (in operation) | None publicly announced as of 2026-05-20 | California Attorney General communications |
| NIST AI RMF / AI 600-1 | Voluntary; effective for US federal deployers under EO 14110 / OMB M-24-10 | Not applicable (voluntary for private sector) | NIST AI 100-1, AI 600-1, OMB M-24-10 |
We will refresh this table monthly. If enforcement actions are announced between issues, we will update the dateModified on this post and call out the change in our next monthly roundup. At Areebi, we maintain this monthly cadence specifically because the gap between "what changed" and "what enterprise compliance teams know about" is the single biggest source of avoidable risk we see in the field.
What CISOs should actually do this quarter
Translating May 2026 status into a quarterly action list:
- Refresh your EU AI Act gap analysis against the EU AI Office's published guidance from late 2025 and early 2026. If you have not aligned your high-risk-system register with the EU AI Act categorisation, do that now.
- Verify Colorado AI Act consumer notices are live for any consequential decisions involving Colorado residents. The Colorado AG has signalled this is the early enforcement priority.
- Stand up California SB-942 GenAI disclosure controls if you have any covered GenAI content surface. Watermarking and disclosure language need to be in production, not in a project plan.
- Refresh your NIST AI 600-1 risk taxonomy as the per-system MAP/MEASURE checklist for GenAI deployments. Extend the taxonomy with explicit agentic considerations if you have agentic deployments.
- Subscribe to authoritative sources for monthly tracking: the EU AI Office bulletin, NIST AI bulletin, IAPP Daily Dashboard, and the OECD AI Policy Observatory.
For organisations starting from scratch on any of these, the Areebi AI Governance Assessment generates a prioritised quarterly action plan aligned to the frameworks above.
What to read next
Related Areebi resources that go deeper on the topics above.
- EU AI Act compliance hub - the canonical Areebi reference for the framework and the high-risk obligations.
- Colorado AI Act compliance hub - the operational guide for the law that has been live since 2026-02-01.
- US state AI laws patchwork - the cross-state view for organisations with multi-state exposure.
- Singapore agentic AI governance - the framing that other jurisdictions are starting to borrow.
- NIST AI RMF GOVERN function deep dive and the MAP function deep dive - the per-function depth for organisations anchoring on NIST.
Frequently Asked Questions
Have there been any enforcement actions under the EU AI Act yet?
As of 2026-05-20, no public enforcement actions or material fines have been announced under either the prohibited-practices regime (effective 2025-02-02) or the high-risk system obligations (effective 2025-08-02). This is consistent with the early enforcement pattern of the GDPR, where the first 12 to 18 months were dominated by institution-building, guidance, and prepared cases rather than headline decisions. The institutional risk window is open even though no headline penalty has yet been demonstrated in case law.
When did the Colorado AI Act take effect?
The Colorado AI Act (SB 24-205) took effect 2026-02-01. The Colorado Attorney General's office is the lead enforcement authority. The law applies a high-risk artificial intelligence system definition centred on consequential decisions in employment, education, housing, insurance, financial services, healthcare, and similar domains. As of 2026-05-20 no public enforcement actions have been announced, but the Colorado AG has signalled that initial enforcement will focus on consumer-facing notice obligations.
What is California SB-942?
California SB-942, the California AI Transparency Act, imposes disclosure and watermarking obligations on certain GenAI providers and platforms operating in California. It took effect in 2026. As of 2026-05-20 the California AG has not announced public enforcement actions but has published initial guidance on the watermarking and AI-content-disclosure provisions. The operational artefacts to maintain are provenance-and-detection capability evidence for covered GenAI content, AI content disclosure language on user-facing surfaces, and a documented consumer-request response process.
How is Singapore approaching AI governance in 2026?
Singapore's IMDA operates the AI Verify open-source testing framework and toolkit and the Model AI Governance Framework for Generative AI. As of May 2026 Singapore continues to develop guidance for agentic AI specifically, treating agentic systems as a distinct category from generative or predictive AI. This places Singapore among the first national-level governance frameworks to address agentic systems explicitly. Several other jurisdictions in the region and beyond reference Singapore's work as a model.
Is NIST AI 600-1 still the right reference for GenAI risk in 2026?
Yes, for the per-system risk taxonomy. The 12 GenAI-specific risks documented in NIST AI 600-1 (published 2024-07-26) remain the de facto risk taxonomy that enterprise AI governance teams reference, even outside the US. For the cross-cutting governance discipline, organisations continue to anchor on the four AI RMF functions (GOVERN, MAP, MEASURE, MANAGE) from NIST AI 100-1 (January 2023). The known gap is that AI 600-1 does not directly address agentic AI systems; NIST has signalled agentic guidance is on the roadmap.
Where can I track AI governance developments month-to-month?
Authoritative sources for monthly tracking include: the European Commission AI Office for EU AI Act developments, NIST AI bulletins for AI RMF and AI 600-1 updates, the OECD AI Policy Observatory for cross-jurisdiction policy tracking, the IAPP Daily Dashboard for global privacy and AI policy news, and the relevant US state attorney general communications for state-level AI laws. The Areebi monthly state-of-AI-governance roundup consolidates these sources with operational implications for CISOs and compliance leads.
About the Author
Areebi Research
The Areebi research team combines hands-on enterprise security work with deep AI governance research. Our analysis is informed by primary sources (NIST, ISO, OECD, federal registers, IAPP) and the operational realities of CISOs running AI programs in regulated industries today.