Across the Industry Brief – Issue 5

Across The Industry April 27, 2026 · Policy, Regulation & AI Industry Developments


POLICY & REGULATION


Tags: Analysis | European Union
Date: April 28, 2026

EU Digital Omnibus trilogue targets political agreement on AI Act timeline delays

The European Union’s trilogue negotiations on the Digital Omnibus on AI reach their decisive phase on April 28, with institutions expected to move toward political agreement on postponing the AI Act’s high-risk system compliance deadlines. The European Parliament adopted its negotiating position on March 26 with 569 votes in favor; the Council of the EU adopted its position on March 13. Both institutions have converged on fixed deadlines to replace the original August 2, 2026 application date: December 2, 2027 for standalone high-risk AI systems listed under Annex III (including those involving biometrics, critical infrastructure, education, employment, essential services, law enforcement, justice, and border management), and August 2, 2028 for high-risk AI systems embedded in regulated products under Annex I. The Commission’s original proposal would have made compliance deadlines conditional on the availability of harmonized standards and guidance, a position both co-legislators rejected in favor of fixed dates.

The trilogue process faces a tight timeline: political agreement must be reached before August 2, 2026, when the original AI Act high-risk obligations are scheduled to take effect. If the Omnibus is not formally adopted by then, the original, unextended deadlines apply as written. Current trajectories suggest endorsement by Parliament and Council in May and June respectively, with potential publication in the Official Journal in July. Both institutions have also introduced a ban on AI systems capable of generating or manipulating non-consensual intimate imagery of identifiable individuals, narrowed the extension for synthetic content watermarking requirements to November 2, 2026 (instead of the Commission’s proposed February 2, 2027), and maintained stricter requirements for processing special categories of personal data for bias correction than the Commission recommended.

Organizations operating across the EU should treat August 2, 2026 as the legal deadline until the Official Journal confirms otherwise, but should simultaneously prepare for the proposed extended dates as if they will take effect. The delay buys time for the publication of harmonized standards, conformity assessment procedures, and regulatory guidance that are currently missing from the implementation ecosystem. However, it also represents a structural recalibration of the AI Act’s enforcement posture, shifting from presumptive immediate application to conditional, later application tied to infrastructure readiness. Compliance programs should plan for both timelines and monitor the outcome of the trilogue closely.

Source: https://www.aoshearman.com/en/insights/digital-omnibus-on-ai-what-is-really-on-the-table-as-trilogues-begin


Tags: News | United States
Date: April 24, 2026

Trump administration misses AI executive order deadlines as regulatory scope remains contested

The Trump administration has missed multiple deadlines established by its December 2025 executive order on AI preemption and federal regulatory coordination, according to reporting from Axios on April 24. The executive order directed the Commerce Department to establish rules tying broadband funding to state AI law compliance, ordered the Federal Communications Commission to consider a national AI reporting and transparency standard within 90 days of identifying conflicting state laws, and directed the Department of Justice to challenge state AI statutes on constitutional grounds. As of late April, the Commerce Department has not published its proposed broadband funding rules, the FCC has not announced a timeline for its transparency standard, and the DOJ’s AI Litigation Task Force, while active since January, has not filed preemptive suits against major state AI laws, though it has challenged several state laws on other grounds.

The administration’s stated position remains one of light-touch federal oversight coupled with aggressive state preemption. The White House released its National Policy Framework for Artificial Intelligence on March 20, recommending that Congress enact legislation preempting state AI laws that “impose undue burdens” while carving out limited state authority over generally applicable laws, zoning, and state use of AI in public services. However, the framework’s scope and the administration’s enforcement approach remain contested. White House officials have stated that policy guidance will come “very soon,” and the FTC director of public affairs said a policy statement would be released imminently, but no formal policy document has emerged as of April 27. The delays have created uncertainty for both federal agencies tasked with implementing the order and state legislatures considering AI legislation, with some states pressing forward with their own bills while awaiting clarity on the federal preemption agenda.

The missed deadlines suggest structural challenges in translating a preemption directive into concrete regulatory action. Broadband funding rules require detailed analysis of which state laws qualify as unduly burdensome and coordination with the FCC over whether certain rules are duplicative of the proposed transparency standard. The DOJ’s litigation strategy requires case-by-case assessment of constitutional grounds and strategic selection of plaintiffs. The FCC’s transparency standard must define which state laws trigger the requirement and what content the standard must address. These are not tasks that resolve quickly even in an administration committed to rapid execution. Organizations should continue compliance with existing state obligations and monitor federal developments through the summer, but should not assume imminent preemption will alter the current state-by-state compliance landscape.

Source: https://www.siliconreport.com/trump-administration-pushes-states-on-ai-while-key-federal-deadlines-slip-0210291aa864185a


Tags: Analysis | Global
Date: April 24, 2026

Global central banks and financial regulators escalate scrutiny of Anthropic’s Mythos as rollout expands

Financial regulators across the United States, the United Kingdom, continental Europe, and Asia have coordinated urgent responses to Anthropic’s Mythos Preview model, treating the advanced AI’s cybersecurity capabilities as a systemic financial stability issue rather than a discrete technology risk. Bank of England Governor Andrew Bailey held emergency meetings with major UK banks, insurers, and exchanges on April 24, describing Mythos as “a very serious challenge for all of us” and stating that regulators must move quickly to assess the threat. The Bank of Canada held separate meetings with Canadian financial institutions to discuss the same risks. The US Treasury Department, Federal Reserve, and banking regulators convened systemically important US banks for emergency briefings. Japan’s Financial Services Agency called a high-level meeting on April 25 with Mitsubishi UFJ Financial Group, Sumitomo Mitsui Financial Group, and Mizuho Financial Group, alongside the Bank of Japan and Tokyo Stock Exchange. Bundesbank President Joachim Nagel characterized the model as a “double-edged sword,” capable of both improving digital security and exploiting vulnerabilities for malicious purposes.

The regulatory response is grounded in verified technical capability: Anthropic has stated that Mythos identified thousands of zero-day vulnerabilities across every major operating system and web browser during testing, with some exploitable in ways that would take human security professionals days of work to discover and chain together. The pace and scale of automated vulnerability discovery pose a new risk profile for infrastructure that is often years or decades old and difficult to patch quickly. Banks, in particular, rely on interconnected systems with legacy components that are attractive targets for attackers with access to similar AI capabilities outside the restricted Mythos release. The concern is not that Mythos itself will be used for attack — access is tightly controlled — but that the model’s emergence signals the imminent commoditization of comparable capabilities outside any restricted-access envelope.

Central banks and financial regulators are coordinating responses at the Bank for International Settlements and Financial Stability Board level. Bailey, in his role as chair of the Financial Stability Board, has elevated Mythos risk to the formal international regulatory agenda. The response has not included calls to halt or restrict Mythos, but rather to accelerate cyber resilience assessments and patch velocity improvements. UK regulators have explicitly stated that firms should use AI “to strengthen cyber defence” and are discussing structured access to Mythos for major institutions under oversight. The regulatory posture is pragmatic: leverage the tool defensively before open-source equivalents emerge, but under coordinated governance that prevents misuse. Organizations operating across multiple jurisdictions should expect regulatory guidance on AI-assisted vulnerability management and accelerated cybersecurity maturity assessments to be a standing priority through the remainder of 2026.

Source: https://www.tradingview.com/news/invezz:6ab1117f6094b:0-why-anthropic-s-mythos-ai-has-regulators-central-banks-on-edge/


AI INDUSTRY


Tags: Alert | Industry | Security
Date: April 22, 2026

Bitwarden CLI compromised in ongoing Checkmarx supply chain campaign targeting GitHub Actions

Bitwarden’s command-line interface (CLI) npm package was compromised on April 22 as part of a broader supply chain attack that leverages compromised GitHub Actions within developers’ CI/CD pipelines to steal secrets and credentials. The malicious version, @bitwarden/cli@2026.4.0, was published between 5:57 PM and 7:30 PM ET and remained available for approximately 93 minutes before being deprecated. Bitwarden confirmed the incident on April 23, stating that the compromise stemmed from its npm distribution mechanism following the Checkmarx supply chain attack, but emphasized that no end-user vault data was accessed and that production systems were not compromised. Socket research, alongside analysis from JFrog Security, OX Security, and StepSecurity, confirmed that the attack vector matched the pattern seen across other repositories in the ongoing Checkmarx campaign, involving abused GitHub Actions to inject malicious workflows.

The malicious payload in Bitwarden’s release contained encoded code that attempted to extract credentials from GitHub Actions Runner environments, specifically targeting GitHub tokens that could be used to inject malicious workflows into downstream repositories. The stolen credentials were encrypted with AES-256-GCM and exfiltrated to audit.checkmarx[.]cx, a domain impersonating Checkmarx’s legitimate infrastructure. Once attackers weaponize stolen GitHub tokens, they can inject malicious Actions workflows into every repository the token grants access to, creating a cascading supply chain compromise. The Bitwarden incident references the “Shai-Hulud: The Third Coming” worm and shares infrastructure with both the recent Checkmarx incident (claimed by TeamPCP) and the broader npm ecosystem compromise campaigns observed over the past several months. Attribution remains uncertain: the shared tooling suggests a connected ecosystem, but operational signatures differ in ways that complicate linking to a single threat actor.

Organizations that installed @bitwarden/cli@2026.4.0 should treat this as both a credential exposure and a CI/CD compromise event. Immediate actions include reviewing CI logs for unexpected workflow execution, rotating GitHub tokens, rotating npm publishing credentials, and auditing repository permissions for any unauthorized changes or commits. Any repositories touched by the compromised token should be treated as potentially modified and their commit history reviewed for unauthorized additions. Beyond the immediate response, organizations should implement stricter controls on GitHub Actions permissions, enforce branch protection rules that prevent direct commits to production branches, and move toward a zero-trust model for CI/CD pipeline secret access. The incident highlights the structural risk created by long-lived tokens with broad repository access; token lifetime reduction and scope-limiting architectures are the defensive baseline going forward.
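One concrete first step in the response described above is to find out whether the compromised version is actually pinned anywhere in your repositories. The script below is an added illustration written for this brief; it is not Bitwarden's, Socket's or the campaign researchers' tooling. The only value taken from the page is the affected version @bitwarden/cli@2026.4.0; the lockfile contents, the package "some-tool" and the version 2026.3.2 are constructed for the example. It handles both the modern npm lockfile layout (lockfileVersion 2/3, a flat "packages" map keyed by install path) and the legacy nested "dependencies" layout (lockfileVersion 1).

```python
"""Scan npm package-lock.json files for a known-compromised package version.

Added example, not code from the original brief or from Bitwarden. The only
page-sourced value is the affected version of @bitwarden/cli; everything else
(sample lockfiles, package names) is constructed for illustration.
"""
import json
import sys
from typing import Dict, List, Set, Tuple

# Advisory-sourced bad versions: package name -> set of compromised versions.
# Extend this map as further affected releases are confirmed.
AFFECTED: Dict[str, Set[str]] = {"@bitwarden/cli": {"2026.4.0"}}

Hit = Tuple[str, str, str]  # (install path, package name, version)


def _walk_v1(deps: dict, prefix: str, hits: List[Hit]) -> None:
    """lockfileVersion 1: nested 'dependencies' maps name -> {version, dependencies}."""
    for name, meta in deps.items():
        path = f"{prefix}node_modules/{name}"
        version = meta.get("version", "")
        if version in AFFECTED.get(name, set()):
            hits.append((path, name, version))
        # Transitive dependencies are nested one level deeper under the same key.
        _walk_v1(meta.get("dependencies", {}), path + "/", hits)


def find_affected(lock: dict) -> List[Hit]:
    """Return every compromised (path, name, version) entry in a parsed lockfile.

    lockfileVersion 2/3 carry a flat 'packages' map keyed by install path;
    v2 also carries the legacy 'dependencies' tree, so it is walked only when
    'packages' is absent to avoid reporting the same install twice.
    """
    hits: List[Hit] = []
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if not path:  # "" is the root project itself, not a dependency
                continue
            # The package name is whatever follows the last "node_modules/" segment,
            # which keeps scoped names like "@bitwarden/cli" intact.
            name = path.rsplit("node_modules/", 1)[-1]
            version = meta.get("version", "")
            if version in AFFECTED.get(name, set()):
                hits.append((path, name, version))
    else:
        _walk_v1(lock.get("dependencies", {}), "", hits)
    return hits


def scan_file(path: str) -> List[Hit]:
    """Load a package-lock.json from disk and scan it."""
    with open(path, "r", encoding="utf-8") as fh:
        return find_affected(json.load(fh))


# Constructed v3 lockfile: the compromised version is a direct dependency.
SAMPLE_LOCK_V3 = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/@bitwarden/cli": {"version": "2026.4.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
}

# Constructed v1 lockfile: a nested, unaffected version (2026.3.2 is a placeholder,
# not a statement about the real release history).
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "some-tool": {
            "version": "0.1.0",
            "dependencies": {"@bitwarden/cli": {"version": "2026.3.2"}},
        }
    },
}


if __name__ == "__main__":
    # With no arguments, scan the constructed samples; otherwise scan the given files.
    targets = sys.argv[1:]
    if not targets:
        for label, lock in (("sample-v3", SAMPLE_LOCK_V3), ("sample-v1", SAMPLE_LOCK_V1)):
            print(label, find_affected(lock) or "clean")
    else:
        for target in targets:
            print(target, scan_file(target) or "clean")
```

A lockfile hit is sufficient to trigger the rotation and audit steps, but a clean lockfile is not sufficient to rule the incident out: a runner that fetched the CLI with `npx` or a global install during the exposure window leaves no lockfile entry, so the CI log review and token rotation the brief recommends still apply to any pipeline that could have installed the package between 5:57 PM and 7:30 PM ET on April 22.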

Source: https://thehackernews.com/2026/04/bitwarden-cli-compromised-in-ongoing.html


Tags: News | Industry
Date: April 24, 2026

Anthropic declines to commit timeline as UK government negotiates expanded Mythos access for financial sector

The UK government remains in active negotiations with Anthropic over expanded access to Claude Mythos Preview for British banks and major financial institutions, according to the Financial Times on April 24, more than a week after the model first became available to a limited initial cohort. Anthropic has declined to commit to a rollout timeline despite interest from major UK banks for expedited access to the model’s vulnerability detection capabilities. The UK AI Security Institute previewed Mythos before its release and stated the model can autonomously exploit vulnerabilities that would take human security professionals days of work, a capability that UK banks view as critical for legacy system remediation. JPMorgan Chase CEO Jamie Dimon privately warned a UK banking executive that Mythos use should be coordinated with government rather than deployed on an ad hoc basis, signaling that even early-access participants see governance as essential.

Current access to Mythos is limited to approximately 50 organizations globally as part of Anthropic’s Project Glasswing, with the US-exclusive initial tranche of 40 organizations including Amazon, Microsoft, JPMorgan Chase, and Morgan Stanley. The UK government is the only non-US state to have received a formal preview via the AI Security Institute. UK financial services executives have begun swapping intelligence with American counterparts that already have access, including discussions of specific Mythos-exposed vulnerabilities and coordination on sourcing patches from vendors like Microsoft to bolster defenses. One UK executive told the FT they were discussing specific vulnerabilities with American companies, indicating that early access is being leveraged for cross-border cybersecurity coordination even before formal broader access is granted.

Anthropic’s reluctance to commit to a timeline reflects structural governance concerns that Mythos access raises. Anthropic is investigating reports that users gained unauthorized access to Mythos through third-party vendor environments — a governance incident rather than a model-capability one, but one that has hardened regulator caution over who is using the tool and how access is being controlled. The Bank of England and UK Finance’s cross-market operational resilience group met this week and agreed that firms should use AI “to strengthen cyber defence,” but the rollout pace remains subject to Anthropic’s confidence in governance infrastructure. UK Technology Minister Liz Kendall and Security Minister Dan Jarvis issued a joint public letter warning that AI cyber capabilities are “accelerating even faster than had been previously envisaged,” implying pressure on Anthropic to expand access, but Anthropic’s silence on timelines suggests the company is prioritizing governance assurance over speed. Organizations seeking Mythos access should engage directly with Anthropic on qualification criteria and governance protocols rather than expecting formal announcements on rollout timing.

Source: https://www.resultsense.com/news/2026-04-24-uk-banks-mythos-access-ongoing-talks