Across The Industry April 14, 2026 · Policy, Regulation & AI Industry Developments
POLICY & REGULATION
Tags: News | Security | Global
Date: April 7, 2026
EPA, FBI, CISA, and NSA issue joint advisory warning of active Iranian-affiliated attacks on U.S. critical infrastructure PLCs
The Environmental Protection Agency, the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, and the National Security Agency issued a joint cybersecurity advisory on April 7 warning that Iranian-affiliated advanced persistent threat actors have been actively exploiting internet-facing Rockwell Automation and Allen-Bradley programmable logic controllers (PLCs) across multiple U.S. critical infrastructure sectors since at least March 2026. Confirmed affected sectors include government services and facilities, water and wastewater systems, and energy. Victim organizations have reported operational disruption, configuration wiping, software-based mechanical sensor tampering, disruption of human-machine interfaces, and financial loss.
The advisory documents the threat actors’ use of overseas-based leased infrastructure and Rockwell Automation configuration software to access unsecured internet-facing PLCs. Observed tactics include command-and-control activity and direct impact operations mapped to MITRE ATT&CK Enterprise framework version 18. The authoring agencies note that the water sector remains an especially attractive target; drinking water and wastewater systems operating equipment that is internet-exposed without current patches are at the highest risk. Rockwell Automation had previously issued guidance in 2021 (PN1550) and 2026 (SD1771) directing operators to disconnect devices from the internet and harden PLC configurations; the advisory reinforces those directives as the minimum baseline.
Organizations operating Rockwell Automation and Allen-Bradley PLCs in any critical infrastructure environment should treat this advisory as requiring immediate action. Internet-connected PLCs that have not been patched or isolated in accordance with prior Rockwell guidance must be addressed without delay. Indicators of compromise and recommended mitigations are published in CISA Advisory AA26-097A. Incidents should be reported to the FBI’s Internet Crime Complaint Center and to CISA through its incident reporting system.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a
Tags: News | United States
Date: April 6, 2026
First quarter 2026 legislative update: over 600 state AI bills introduced as DOJ task force activates and Colorado revises its AI Act
Wilson Sonsini and Global Policy Watch published comprehensive first-quarter 2026 legislative tracking summaries on April 6, documenting that state lawmakers have introduced more than 600 AI bills with requirements for private entities across 2026 legislative sessions. The pace represents a continuation of the record-setting state activity that characterized 2025. Enacted state laws during the quarter include health insurer AI restrictions in Indiana, Utah, and Washington, each prohibiting the use of AI as the sole basis for denying or modifying insurance claims. Tennessee and Delaware advanced bills prohibiting AI systems from being represented as licensed mental health professionals or healthcare workers.
At the federal level, the Department of Justice’s AI Litigation Task Force, established in January 2026, is now operational and holds sole responsibility for challenging state AI laws that the attorney general judges to unconstitutionally regulate interstate commerce or to conflict with federal policy. The Commerce Department has not yet published its required evaluation of burdensome state laws, which was due by March 11; the delay introduces uncertainty about near-term federal enforcement posture. Colorado Governor Jared Polis separately released a draft replacement bill for the 2024 Colorado AI Act that would restructure obligations around covered automated decision-making technology used to “materially influence a consequential decision,” potentially altering the scope of requirements that were set to take effect June 30, 2026. Senator Blackburn’s proposed TRUMP AMERICA AI Act, a sweeping package that includes the Kids Online Safety Act, the NO FAKES Act, the GUARD Act, and the AI LEAD Act among others, has been introduced but faces significant challenges as a combined package.
Organizations subject to the Colorado AI Act should monitor the Polis draft bill closely, as a replacement statute would alter compliance scope and timelines. The gap between the Commerce Department’s missed evaluation deadline and the DOJ task force’s activation means that legal challenges to specific state statutes remain the most probable near-term federal enforcement mechanism; organizations should not interpret the Commerce delay as a reduction in federal preemption risk.
Source: https://www.globalpolicywatch.com/2026/04/u-s-tech-legislative-regulatory-update-first-quarter-2026/
Tags: Alert | Security | United States
Date: April 13, 2026
CISA adds Microsoft Windows Common Log File System Driver and Exchange Server vulnerabilities to Known Exploited Vulnerabilities catalog; agencies face April 27 remediation deadline
CISA added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog on April 13: CVE-2023-36424, a Microsoft Windows Common Log File System Driver out-of-bounds read vulnerability that could allow privilege escalation, and a Microsoft Exchange Server deserialization of untrusted data vulnerability that allows an authenticated attacker to achieve remote code execution. Federal Civilian Executive Branch agencies are required to remediate both vulnerabilities by April 27, 2026, under Binding Operational Directive 22-01.
The KEV Catalog additions reflect confirmed evidence of active exploitation in the wild. The Exchange Server vulnerability is particularly significant given the volume of organizations that operate hybrid Exchange configurations; CISA previously issued separate guidance in April 2025 addressing a related vulnerability in hybrid Exchange deployments and has reiterated that organizations that have not applied that guidance remain exposed. The Windows Common Log File System Driver vulnerability enables local privilege escalation, which threat actors routinely use as a follow-on step after initial access to elevate permissions before executing lateral movement or payload deployment.
Federal agencies must meet the April 27 deadline as a binding obligation. All other organizations should treat the KEV additions as prioritized remediation signals and apply vendor mitigations or patches without delay. Organizations running Microsoft Exchange in hybrid configurations that have not yet implemented the April 2025 patch guidance should treat remediation of both the earlier and the current vulnerabilities as a single coordinated effort, as the attack surface overlaps.
Source: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
AI INDUSTRY
Tags: News | Industry
Date: April 8, 2026
Meta debuts Muse Spark, its first major model release from Meta Superintelligence Labs, nine months after $14.3 billion Scale AI investment
Meta released Muse Spark on April 8, the first major AI model from its Meta Superintelligence Labs division. The model, originally code-named Avocado, was developed under Scale AI’s former CEO Alexandr Wang, whom Meta brought in as part of its $14.3 billion investment in Scale AI in June 2025. The release marks the first significant model output from the reconstituted AI unit, which Wang has described as having rebuilt Meta’s AI development stack from the ground up over the nine-month period since his arrival.
The announcement addresses a meaningful credibility gap for Meta. Its previous open-source model release in April 2025 underperformed expectations and failed to gain traction with the developer community, prompting Zuckerberg to overhaul the company’s AI strategy. Meta’s principal competitors have widened their leads during the intervening period: OpenAI and Anthropic are now collectively valued at over $1 trillion, and Google’s Gemini has gained market share particularly in consumer applications. Meta has committed between $115 billion and $135 billion in AI-related capital expenditures for 2026, nearly twice its prior year spending, as it attempts to close the performance gap with the leading frontier model providers. Muse Spark is positioned as the first entry in Meta’s new Muse model series.
The enterprise governance implication of the release lies primarily in procurement and risk assessment. Organizations evaluating Meta AI products should assess whether Muse Spark introduces new data handling practices, training data provenance obligations, or contractual terms that differ from prior Meta AI offerings. Organizations with existing Meta AI deployments should update their vendor risk assessments to reflect the new model series and associated documentation requirements, particularly if those deployments touch high-risk use cases under applicable state or EU AI Act classifications.
Tags: News | Industry
Date: April 14, 2026
OpenAI signals Microsoft partnership is a constraint as it pivots enterprise strategy toward Amazon’s Bedrock platform
OpenAI Chief Revenue Officer Denise Dresser distributed an internal memo to staff on April 13 characterizing the company’s long-standing relationship with Microsoft as a constraint on its ability to reach enterprise customers, while describing the recently announced Amazon partnership as a key growth driver. The memo states that Microsoft’s competing position in cloud infrastructure has limited OpenAI’s access to enterprises whose primary cloud environment is Amazon Web Services, and that inbound demand from enterprise customers for OpenAI services delivered through Amazon’s Bedrock platform has been “staggering” since the partnership was announced in late February.
The timing of the memo is significant. Amazon announced plans to invest up to $50 billion in OpenAI as part of the February partnership; Microsoft had previously invested $13 billion in the company since 2019 and has been the foundational infrastructure partner for OpenAI’s commercial deployment. The memo surfaces a structural tension that has grown as OpenAI attempts to build enterprise revenue ahead of a projected IPO, a market segment where Anthropic has established a leading position. OpenAI closed a funding round of $122 billion in committed capital at an $852 billion valuation in April 2026 and projects $17 billion in operating expenditures for the year, with revenue targets requiring significant enterprise contract growth to support. The decision to publicly signal a strategic shift away from Microsoft, its primary infrastructure partner, carries relationship and contractual implications that the company has not yet addressed publicly.
Organizations that have deployed OpenAI services through Azure or Microsoft Copilot environments should monitor this partnership realignment for downstream effects on service availability, pricing structures, and enterprise contract terms. The shift toward Amazon Bedrock as a preferred delivery channel may affect integration architecture decisions for organizations currently evaluating or expanding AI deployments across cloud providers.
Source: https://cxotoday.com/ai/microsoft-is-a-constraint-amazon-is-our-growth-driver-says-openai/
