
Across the Industry Brief – Issue 9


Across The Industry May 26, 2026 · Policy, Regulation & AI Industry Developments


POLICY & REGULATION


Tags: News | United States Date: May 21, 2026

Trump pulls AI cybersecurity executive order hours before signing; frontier model oversight framework left without legal footing

On May 21, 2026, President Trump postponed a planned executive order on artificial intelligence and cybersecurity that would have created a federal process to evaluate frontier AI models before they are released to the public. The draft order contained two sections: a cybersecurity component aimed at securing the Pentagon and national security agencies, boosting cyber hiring, and encouraging threat sharing between the AI industry and government; and a frontier model component that would have established a voluntary framework under which AI labs would share models with the government at least 90 days before public release and provide access to certain critical infrastructure providers. Trump, speaking to reporters in the Oval Office, offered a brief explanation: “I didn’t like certain aspects of it. I postponed it.”

The reported trigger for the policy rethink was Anthropic’s Mythos model; cybersecurity specialists flagged the model’s ability to spot software vulnerabilities and engineer exploits at a level not previously seen in publicly available systems as a potential force multiplier for attackers. Longtime Trump ally Steve Bannon and more than 60 other conservative leaders had sent a letter to the president urging him to sign the executive order, calling for more government oversight of “potentially dangerous” frontier AI models. The week prior, CAISI had announced new agreements with Google DeepMind, Microsoft, and xAI for pre-deployment evaluations of frontier AI models, building on existing partnerships with OpenAI and Anthropic.

With no order signed, the only oversight that exists is the kind labs volunteer for; the CAISI evaluation agreements and Anthropic’s caution with Mythos represent the actual policy, and they depend entirely on companies choosing restraint. Organizations deploying or evaluating frontier AI models with cybersecurity capabilities should treat this policy vacuum as a material factor in their vendor risk assessments. The absence of a federal framework does not reduce regulatory risk under existing sector-specific laws; the SEC, HHS, and banking regulators retain full authority to scrutinize AI-related cybersecurity failures under frameworks already in force.

Source: https://www.axios.com/2026/05/22/ai-executive-order-cancelled-white-house


Tags: News | United States Date: May 21, 2026

California Governor Newsom signs first-in-the-nation executive order directing state agencies to prepare for AI-driven workforce disruption

California Governor Gavin Newsom issued Executive Order N-6-26 on May 21, 2026, directing California to prepare workers, small businesses, and communities for the economic disruption that artificial intelligence will bring to the workforce. The order requires state agencies to study potential labor market shifts tied to AI adoption, including layoffs, hiring changes, and skills gaps, and calls for recommendations within 180 days on potential updates to California’s WARN Act to strengthen early warning systems for workers impacted by automation. The executive order does not create any new laws or immediate worker protections; it launches a process for California agencies to study how the state should respond as AI continues changing the workforce and job market.

The order directs state agencies to explore policies including severance standards, employment insurance and transition support for displaced workers, worker ownership models, universal basic capital concepts, expanded workforce training, and stronger tracking of hiring and payroll trends. The move comes as major tech companies including Meta, Block, and Cisco have announced layoffs while increasing investments in AI. The order supplements the Governor’s March 2026 executive order, which strengthened civil rights and privacy in California’s procurement of AI technology and expanded California’s adoption of AI to improve government services.

Labor attorneys note there are few immediate implications for employers; the document sets a roadmap for where the state might be heading on AI-related labor policy. Organizations with California operations should track the 180-day agency recommendation process. The potential WARN Act amendments and severance standard revisions represent the primary near-term compliance risk surface; organizations should assess whether current mass-layoff notification processes would satisfy a more stringent standard and begin that gap analysis before the recommendations land in the fall.

Source: https://www.gov.ca.gov/2026/05/21/governor-newsom-signs-first-of-its-kind-executive-order-to-prepare-workers-and-businesses-for-potential-ai-disruption/


Tags: News | European Union Date: May 19, 2026

European Commission publishes 148-page draft guidelines on high-risk AI classification under EU AI Act; consultation open until June 23

On May 19, 2026, the European Commission published draft guidelines on the classification of high-risk AI systems under Article 6 of the EU AI Act and launched a public consultation open until June 23, 2026. The draft reflects input from stakeholders and EU Member States through the EU AI Board and represents the most detailed interpretative material issued to date on this topic. The publication follows a delay from the European Commission’s original timetable; guidance on high-risk classification had initially been expected by February 2, 2026, ahead of the EU AI Act’s original compliance milestones, and the absence of final guidance had become a central issue in broader discussions on the operational readiness of the Act.

The draft clarifies when the filter mechanism that allows certain systems to be excluded from high-risk classification may apply, and notes the mechanism is read narrowly; it also covers how human involvement and profiling of natural persons affect classification, and provides practical direction on classification in complex scenarios where AI systems form part of broader products or services. The guidance includes practical examples to illustrate categorization across different sectors and emphasizes that the list of examples is non-exhaustive and may be updated over time. The draft guidelines’ most instructive illustration concerns how the consequences of failure can override the marketing label: an AI system marketed as a combustion-efficiency optimiser in a household gas appliance may still be a safety component because its failure could lead to carbon-monoxide formation, explosion, or fire; how a feature is positioned commercially does not control its classification, but the realistic failure mode does.

Organizations operating AI systems in any of the eight Annex III domains — including employment, biometrics, education, financial services, healthcare, law enforcement, migration, and essential services — must review these guidelines against their current internal classification decisions before the June 23 consultation deadline. Those with their Article 6(3) analysis in order can demonstrate to market surveillance not only that the choice is defensible, but that it is documented; those who wait until August 2, 2027 will do so under time pressure, with less room for diligence.

Source: https://digital-strategy.ec.europa.eu/en/library/draft-commission-guidelines-classification-high-risk-ai-systems


AI INDUSTRY


Tags: News | Security | Industry Date: May 21, 2026

GitHub links breach of 3,800 internal repositories to TanStack npm supply-chain attack; TeamPCP worm compromised 170-plus packages

GitHub says the hackers who breached 3,800 internal repositories gained access via a malicious version of the Nx Console VS Code extension, compromised in the TanStack npm supply-chain attack. The attack is attributed to the TeamPCP threat group and began with the compromise of dozens of TanStack and Mistral AI npm packages, then quickly extended to other projects including UiPath, Guardrails AI, and OpenSearch using stolen CI/CD credentials. The original TanStack compromise occurred on May 11 between 19:20 and 19:26 UTC, when the attacker published 84 malicious versions across 42 packages by chaining a pull_request_target Pwn Request, GitHub Actions cache poisoning across the fork-to-base trust boundary, and runtime memory extraction of an OIDC token from the GitHub Actions runner process.

The malicious payload, embedded as router_init.js, exfiltrated sensitive credentials and established persistent, destructive mechanisms on infected systems. This attack was the third documented wave from TeamPCP, following compromises of SAP npm packages in late April 2026 and PyTorch Lightning on April 30, 2026. The malicious package versions passed SLSA provenance checks, carried valid signed certificates, and appeared fully legitimate to security tools checking cryptographic proof of origin; the attacker used stolen OIDC tokens with the legitimate Sigstore stack to produce valid Build Level 3 attestations for malicious packages. On May 22, a separate attacker used the same technique against the Laravel-Lang GitHub organization, rewriting git tags across multiple Composer packages in a 15-minute window.

Any developer or CI environment that installed affected TanStack package versions on or after May 11, 2026, should be considered compromised. Organizations using any affected packages must audit GitHub Actions runs for unexpected npm publish events and outbound connections to filev2.getsession.org or api.masscan.cloud, check for router_runtime.js or setup.mjs files in .claude/ and .vscode/ directories that survive npm uninstall, and rotate all credentials from any affected machine or pipeline. The GitHub breach confirms that the downstream blast radius of this attack extends well beyond direct package consumers; any organization whose CI pipeline ran a compromised downstream dependency should treat its entire secret store as potentially exposed.

Source: https://www.bleepingcomputer.com/news/security/github-links-repo-breach-to-tanstack-npm-supply-chain-attack/
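
The audit steps in the TanStack item above, as an added example (not code from GitHub, TanStack or this brief): a Python sweep for the two persistence file names under .claude/ and .vscode/ and for the two listed hosts in log text. The log format and sample lines are constructed; counting subdomains of the listed hosts as hits and listing every npm publish line for manual review are assumptions of this example.

```python
import os
import re
from pathlib import Path

# Indicators exactly as listed in the brief; nothing else is assumed about the payload.
PERSISTENCE_DIRS = {".claude", ".vscode"}
PERSISTENCE_FILES = {"router_runtime.js", "setup.mjs"}
IOC_HOSTS = ("filev2.getsession.org", "api.masscan.cloud")

# Match a listed host (or a subdomain of it), but not look-alikes such as
# "xapi.masscan.cloud" or "api.masscan.cloud.example.com".
HOST_RE = re.compile(
    r"(?<![A-Za-z0-9-])(" + "|".join(map(re.escape, IOC_HOSTS)) + r")(?!\.?[A-Za-z0-9-])",
    re.IGNORECASE,
)
PUBLISH_RE = re.compile(r"\bnpm\s+publish\b")

# Constructed sample lines (not real logs) in a made-up CI/proxy log format.
SAMPLE_LOG = [
    "2026-05-12T08:01:10Z step=install cmd='npm ci'",
    "2026-05-12T08:01:42Z egress CONNECT filev2.getsession.org:443",
    "2026-05-12T08:01:43Z egress CONNECT api.masscan.cloud.example.com:443",
    "2026-05-12T08:02:05Z step=test cmd='npm publish --access public'",
]

def find_persistence_files(root):
    """Paths of the listed file names found anywhere below a .claude/ or .vscode/ directory."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):  # does not follow symlinked directories
        if PERSISTENCE_DIRS.intersection(Path(dirpath).parts):
            hits.extend(str(Path(dirpath, f)) for f in files if f in PERSISTENCE_FILES)
    return sorted(hits)

def scan_log_lines(lines):
    """Return (ioc_hits, publish_hits); each hit is (line_number, matched_text)."""
    ioc, publish = [], []
    for n, line in enumerate(lines, 1):
        ioc.extend((n, m.group(1).lower()) for m in HOST_RE.finditer(line))
        if PUBLISH_RE.search(line):
            # Listed for manual review: whether a publish was expected is a human call.
            publish.append((n, line.strip()))
    return ioc, publish

if __name__ == "__main__":
    print("persistence files:", find_persistence_files("."))
    print("log findings:", scan_log_lines(SAMPLE_LOG))
```

A clean result from this sweep does not clear a machine that installed an affected version; the brief's guidance to rotate credentials still applies.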


Tags: News | Industry Date: May 22, 2026

OpenAI confidentially files S-1 IPO prospectus with the SEC; targeting September 2026 public listing at valuation above $1 trillion

OpenAI confidentially filed an IPO prospectus with the SEC on May 22, 2026, with Goldman Sachs and Morgan Stanley leading the process, targeting a public listing as early as September 2026 at a valuation above $1 trillion, which would make it the largest IPO in history. OpenAI’s current private valuation is $852 billion, set in a $122 billion March 2026 round backed by Amazon, Nvidia, and SoftBank, with annualized revenue at $25 billion as of February 2026. The filing arrives despite OpenAI losing $1.22 for every $1 of revenue in Q1 2026, and the S-1 will need to disclose every material risk to investors upon public release.

Rival Anthropic has indicated it is targeting an October 2026 IPO, potentially at a valuation above $900 billion, meaning two of the world’s most valuable AI companies could become publicly traded within months of each other; this is unprecedented in the history of the technology sector. A confidential IPO filing allows companies to submit draft documentation to the SEC for private review before any public disclosure, with the full prospectus not appearing until weeks before the offering. The October 2025 restructuring into a Public Benefit Corporation removed the 100x investor return cap and created the legal path to a public listing. The confidential filing means detailed financials, including the company’s full risk factor disclosures, remain sealed until roughly 15 days before the roadshow.

Organizations currently negotiating enterprise AI contracts with OpenAI should treat this filing as a signal that pre-IPO pricing flexibility is closing. Post-listing, public market margin pressure will constrain enterprise discount structures that have defined the private-company sales cycle. Organizations evaluating multi-year OpenAI commitments should accelerate contract review and lock in terms before the public listing window opens. The S-1’s risk factor disclosures, once public, will also constitute the most detailed regulatory and competitive risk assessment OpenAI has ever been required to produce; those disclosures will be material reading for any organization conducting vendor due diligence on OpenAI enterprise products.

Source: https://greyjournal.net/news/openai-ipo-confidential-filing-trillion-valuation/