What regulators spotted. What it means.

A bipartisan House discussion draft would preempt state AI development regulation for three years while preserving state authority over AI use and deployment. The development/deployment split is the governance story.

Colorado's SB 24-205 — the first comprehensive AI governance law in the US — was stayed by a federal court in April and replaced by the legislature in May with a narrower notice-and-transparency framework. The story is not the compliance cliff. It is what happened to the law itself.

The Coalition Against Financial Crime has launched CAPFC, the first professional certification in AI governance for financial crime compliance. The market is institutionalizing human oversight as a distinct profession.

The Sectoral AI Governance Act would equip sectoral regulators to enforce existing federal law against AI-driven conduct. For financial firms, the significance is not a new rulebook but the prospect of existing obligations being enforced more confidently against AI-driven processes.

Britain's Regulating for Growth Bill offers domestic regulatory relief. For cross-border financial firms, that's the part of the compliance problem that was never the hard part.

The June 2 executive order reaches directly into financial infrastructure and stops short of compelling anything. Community banks are named. Developer participation is optional.

The SEC's Draft Strategic Plan for FY2026-2030 commits to EDGAR modernization and AI-enabled oversight. The regulator examining your AI disclosures is sharpening its own tools. Comments close July 2.

For the first time, all three UK financial authorities have spoken with one voice on frontier AI. Their May 15 joint statement reads like a cyber memo, but the first of its required actions is board-level understanding of AI risk. Translation: AI illiteracy in the boardroom is now a supervisory deficiency.

The SEC named AI supervision as a 2026 exam priority, but the enforcement playbook is older than that. Advisers have already paid to settle charges that they marketed AI they did not actually use. The pattern mirrors ESG almost exactly: scrutiny, then guidance, then penalties.

The FCA has reopened its AI Input Zone and wants one thing: evidence of how firms actually govern AI in live operations, not policy documents. Submissions close June 19, 2026, and feed a 'good and poor practice' publication that will become the de facto UK benchmark for AI assurance.

State legislatures introduced more than 1,200 AI bills in a single year, each with its own definitions and duties, and a December 2025 executive order is now trying to preempt many of them in court. The durable move is a model-layer governance framework anchored to the NIST AI RMF and Treasury's new 230-control financial-services adaptation.

Can your model explain every adverse credit action it generates, in terms a consumer can act on? If not, you are already exposed. ECOA and Regulation B require specific, accurate reasons for every credit denial, and the CFPB has been explicit that a black-box model is no excuse.

Around 80% of organizations have already seen AI agents behave badly — including unauthorized system access and improper data exposure. Meanwhile, the SaaS vendors you already use are switching agents on by default. SOC 2 reports say nothing about what an agent does at runtime.

On February 19, Treasury released a financial-services adaptation of the NIST AI RMF with 230 control objectives. It is voluntary. That label is doing a lot of work. The framework comes with adoption-stage questionnaires, a control matrix, and example evidence artifacts — the same shape examiners reach for.