The Digest: Regulators Stopped Asking If You Use AI
FTC settlements, SEC AI-washing letters, and Colorado's rewritten AI law all point one direction. Regulators now ask whether your AI claim is true and who signs for it.
By Elon Salfati, Founder, Salfati Group · 15 June 2026
The thread this fortnight: regulators and standards bodies stopped asking whether you use AI and started asking two harder questions: is your claim about it true, and who is accountable when it fails?
The short version
- FTC takes $930,000 from Cox Media Group and two firms over a deceptive "Active Listening" AI ad service.
- SEC turns to AI-washing, sending comment letters and enforcement on exaggerated AI disclosures in H1 2026.
- FTC fined accessiBe $1 million for claiming its AI made any website accessibility-compliant.
- Colorado repealed and replaced its 2024 AI Act with SB 26-189, shifting to disclosure and consumer rights.
- The EU AI Act phases in toward full effect around 2027, governing systems by risk level.
- ISO 42001 emerges as the AI management certification buyers will start asking for.
- Forrester says agentic systems need a governance "control plane" that sits outside build and orchestration.
- Gartner predicts guardian agents will be 10 to 15 percent of the agentic AI market by 2030.
- UK Upper Tribunal rules on the reach of GDPR over Clearview AI's facial recognition.
FTC takes $930,000 over a deceptive "Active Listening" AI ad pitch
The Federal Trade Commission settled with Cox Media Group and two smaller marketing firms over claims that an AI service called "Active Listening" could target ads by analyzing consumers' private smart-device conversations, and that users had opted in. The three firms will pay a combined $930,000. The FTC went after the marketing claim and the consent behind it, not the technology.
Why it matters. If your sales deck, your website, or your product copy describes what your AI does in terms you cannot defend with logs and documentation, that copy is now an enforcement target. Have someone who is not in marketing read every AI claim against what the system actually does.
Source: Federal Trade Commission
The SEC is now chasing "AI-washing" in disclosures
The SEC is now treating exaggerated AI disclosures as material. In H1 2026 it sent comment letters and brought enforcement tied to AI claims it considered an investor-protection issue.
Why it matters. For a PE-backed company, AI claims in a CIM, a board deck, or lender materials carry the same exposure as any other disclosure. Before you tell investors AI is driving results, make sure the operating data supports the sentence.
accessiBe paid $1 million for an unprovable compliance claim
The FTC ordered accessiBe to pay $1 million over claims that its AI-powered tool could automatically make any website compliant with WCAG accessibility guidelines for people with disabilities. The order also cited undisclosed connections to reviewers who endorsed the product. The lesson sits in the word "any." A blanket compliance guarantee that the software cannot actually deliver is what drew the penalty.
Why it matters. Watch your vendors' language as closely as your own. If a tool you bought promised "fully compliant" or "automatically compliant" anything, that promise is now your operational risk.
Source: Federal Trade Commission
Colorado scrapped its 2024 AI Act and wrote a new one
Colorado enacted SB 26-189 in 2026, repealing and replacing the 2024 Colorado AI Act. The new law governs automated decision-making technology used in consequential consumer decisions, and it moves away from heavy prescriptive risk assessments toward disclosure and consumer rights. Obligations land on both developers and deployers of covered systems.
Why it matters. State-level rules are the live regulatory front, and they keep moving, so the compliance plan you built last year may already be aimed at a repealed statute. If you use AI in hiring, lending, or any decision that affects a consumer, track the state laws where your customers live, not just where you are headquartered.
The EU AI Act phases toward full effect around 2027
The EU AI Act, published in July 2024, regulates AI systems by risk level and governs general-purpose AI models by their capabilities. It phases in over roughly three years, with full effect expected around 2027, and guidelines, technical standards, and codes of practice arriving in the interim to support compliance.
Why it matters. If you sell into Europe or your portfolio company does, the high-risk obligations are coming on a fixed clock, not a maybe. Use the runway now to classify which of your AI uses fall into the risk tiers, because retrofitting documentation under deadline is the expensive path.
ISO 42001 is becoming the AI governance certification buyers ask for
ISO 42001 is a certification standard for AI management systems, setting processes and controls for security and accountability in how organizations build and deploy AI. It functions for AI roughly the way ISO 27001 functions for information security, a structured framework a buyer or auditor can point to.
Why it matters. Expect ISO 42001 to show up in enterprise procurement questionnaires and customer security reviews within the next cycle. Knowing whether you need it, and starting the gap assessment early, beats scrambling when a large customer makes it a condition of renewal.
Forrester: agentic AI needs a governance layer that sits outside the build
Forrester argues that enterprise agentic systems need a "control plane," a governance layer that sits outside both the build and orchestration layers, and that the standards to run it at scale do not yet exist. The firm describes the current moment as the "dial-up internet" phase, where the architecture is racing ahead of the controls. Its formal landscape research on this begins in mid-April 2026.
Why it matters. If you are piloting autonomous agents that take actions, not just answer questions, the oversight has to be a separate layer you can audit, not a setting buried inside the tool that built them. Decide who owns that layer before the agents are in production, not after.
Gartner: guardian agents become 10 to 15 percent of the agentic market by 2030
Gartner predicts that guardian agent technologies will capture 10 to 15 percent of the agentic AI market by 2030. Guardian agents are AI systems built to supervise other AI, handling content review and monitoring, and in some cases acting semi-autonomously to block or correct unsafe outputs. The forecast tracks a simple reality: as you deploy more agents, you need agents to watch them.
Why it matters. The watcher costs money too. Budget for it. The cost of an autonomous agent program includes the monitoring layer that catches it when it goes wrong, and that line item is easy to forget in the pilot.
UK tribunal weighs how far GDPR reaches over Clearview's facial recognition
The UK Upper Tribunal decided The Information Commissioner's Office v Clearview AI Inc on 6 October 2025, addressing the scope of GDPR and UK GDPR over Clearview's facial recognition practices, including how data protection rights and enforcement powers apply to automated biometric processing. The case turns on jurisdictional reach over a company processing biometric data at scale.
Why it matters. Biometric and facial data carry the heaviest compliance exposure in the regulation, and the question of which regulator can reach you is still being settled in court. If any part of your operation touches biometric identifiers, treat that data as the highest-risk category you hold.
Our read
The through-line: regulators stopped trusting the AI claim and started checking the record behind it. The FTC is punishing the gap between what you said your AI does and what it actually does. The SEC is reading your disclosures with the same eye. Colorado, the EU, and ISO 42001 are all converging on the same demand: name who is accountable and show your work. The operators who get hurt this cycle will be the ones whose marketing got ahead of their logs. The ones who do well will treat every AI claim, internal or external, as something they can defend with a record. That is an operating discipline. Humans are the moat.
Sources
- Federal Trade Commission (ftc.gov)
- Robbins LLP (robbinsllp.com)
- Federal Trade Commission (ftc.gov)
- Lathrop GPM (lathropgpm.com)
- European Parliament (europarl.europa.eu)
- BDO (bdo.com)
- Forrester (forrester.com)
- Gartner (gartner.com)
- GOV.UK (gov.uk)