Global Tech Policy Tracker — 2026-05-15

Top Story

White House Weighs Mandatory Pre-Release Vetting for Frontier AI Models

The Trump administration is deliberating a significant course correction on AI policy: requiring federal government review of frontier AI models before they are commercially released. According to Politico, ongoing White House discussions — described by multiple sources as still in flux — represent a marked departure from the laissez-faire approach championed by AI advisors like David Sacks and Marc Andreessen, who had previously steered the administration away from regulatory intervention.

The proximate trigger appears to be Anthropic's Claude Mythos model, described in reporting as possessing "unprecedented hacking capabilities" that have alarmed national security officials. The White House has been holding meetings with tech companies over the past several weeks specifically to discuss how to regulate frontier models whose capabilities could pose systemic security threats.

Former DHS Secretary Mayorkas, speaking publicly this week, endorsed building on the Biden-era framework of voluntary standards for frontier model deployment as a starting blueprint. He referenced those earlier voluntary standards as a credible foundation even as the current administration considers moving toward mandatory vetting requirements.

The deliberations put the White House in an unusual posture: simultaneously resisting state-level AI regulation while potentially introducing federal pre-release review mechanisms. If enacted — whether via executive order or congressional action — mandatory federal vetting would be the most significant structural intervention in the AI development pipeline in U.S. history, directly affecting the release timelines of every major frontier model from OpenAI, Anthropic, Google DeepMind, and Meta.

New Legislation & Regulatory Actions

US (Colorado): Pared-Down AI Transparency Bill Signed

• What happened: Governor Jared Polis confirmed he will sign a substantially rewritten version of Colorado's AI law. The new bill shifts focus from requiring companies to disclose how AI systems make consequential decisions (hiring, loans, housing) to a narrower transparency framework. It passed both chambers in under a week after introduction.
• Who it affects: Companies and governments that develop or deploy AI systems in Colorado for high-stakes decisions, though with significantly reduced obligations compared to the original 2024 law.
• Status: Signed (or imminent signing confirmed), replacing the original law that was set to take effect June 30, 2026.
• Why it matters: Colorado's original law was among the first in the US to regulate "consequential" AI decisions. Its watering-down signals how even progressive US states are retreating from comprehensive AI risk regulation under industry pressure and federal preemption threats.

US (Georgia): AI Chatbot Safety Bill Signed Into Law

• What happened: Georgia Governor Brian Kemp signed an AI chatbot safety bill into law. The Transparency Coalition's May 15 legislative update confirms the signing as part of a broader wave of state-level AI activity this week.
• Who it affects: Developers and operators of AI chatbot systems deployed in Georgia, particularly consumer-facing applications.
• Status: Enacted — signed into law by Governor Kemp.
• Why it matters: Georgia joins a growing list of states creating baseline safety standards for consumer AI products, adding another layer to the patchwork of US state AI rules that businesses must navigate.

US (Missouri): AI Regulation Bill Killed in Committee

• What happened: A Missouri state house committee killed an AI regulation bill that had aimed to establish several provisions governing AI use in the state.
• Who it affects: Missouri-based businesses and consumers who would have been covered by the proposed rules.
• Status: Dead — killed in committee.
• Why it matters: Missouri's failure illustrates the uneven path of AI regulation across US states. While some states are advancing legislation, others are actively blocking it — reinforcing the fragmented national compliance landscape that Fortune characterized this week as "1,200 AI bills and no good test for any of them."

Maryland: First-of-Its-Kind Surveillance Pricing Law Enacted

• What happened: Maryland enacted a surveillance pricing law — described by IAPP analysts as the first of its kind — though the analysis notes the law contains loopholes.
• Who it affects: Retailers and platforms that use personal data or algorithmic systems to set individualized prices.
• Status: Enacted (signed into law).
• Why it matters: Surveillance pricing — using data about individuals to charge them more than other customers — has been a growing concern among consumer advocates. Maryland's law establishes a new legal category distinct from existing privacy frameworks, potentially influencing other states.

UK: King's Speech Signals No AI Bill

• What happened: The UK's King's Speech — which sets out the government's legislative agenda — signaled a "diffuse digital policy agenda" but contained no dedicated AI bill, according to IAPP analysis published May 14.
• Who it affects: UK-based AI developers and companies operating in the UK who had anticipated a legislative framework.
• Status: No AI legislation introduced — government's position remains under review.
• Why it matters: The absence of an AI bill from the King's Speech confirms that the UK will not have comprehensive AI legislation in the near term, leaving businesses to operate under sector-specific guidance rather than a unified framework — a deliberate divergence from the EU's approach.

Enforcement & Penalties

• California Privacy Regulator → Undisclosed Company: California authorities announced the largest CCPA fine to date, according to IAPP reporting from May 11. The specific company, fine amount, and violation details were not available from the IAPP listing page — full article access would be required — but the precedent-setting scale of the penalty signals that California's privacy enforcement is escalating significantly heading into mid-2026.

• Canadian Privacy Regulators → OpenAI (ChatGPT): Canadian federal and provincial data protection authorities released findings that ChatGPT's model training violated Canada's federal and provincial privacy laws, following a formal probe. IAPP reported the findings on May 8, with regulators making the announcement following the IAPP Canada Symposium 2026. The case reinforces that scraping and training data practices remain a live enforcement risk for AI developers operating in or serving Canadian users.

Industry Response

• OpenAI: OpenAI granted the European Commission direct access to a new AI model as the EU considers frontier AI cybersecurity risks, according to IAPP reporting from May 12. The move is a notable proactive compliance gesture — giving regulators early access to evaluate capabilities before formal requirements kick in — likely intended to demonstrate goodwill ahead of the EU AI Act's evolving enforcement timeline.

• AI Governance Vendors: Multiple companies released an "Automated AI Governance Package" this week, per IAPP reporting from May 13. The product launch reflects accelerating commercial demand for compliance tooling as organizations scramble to prepare for overlapping regulatory deadlines across jurisdictions.

• Major Tech Industry (collective): According to Fortune's analysis published May 15, Yale's Jeffrey Sonnenfeld, Stephen Henriques, and NYU's Gary Marcus called out the fundamental dysfunction in the US regulatory environment — 1,200 AI bills with no coherent evaluative framework — and proposed a method for separating necessary regulation from legislative noise. The piece reflects growing industry and academic concern that the US patchwork is creating compliance cost without meaningful safety gains.

• Malaysia (Government): Malaysia's Personal Data Protection Department released a trio of new guidance documents tightening data protection expectations, per IAPP's Asia-Pacific notes from May 14. While not a company response, the guidance is functionally shaping compliance behavior for multinationals operating across Southeast Asia.

1 sources

fortune.com

fortune.com

Region Scorecard

Analysis: What This Means

• Frontier AI developers must prepare for potential federal pre-release review in the US. The White House deliberations around mandatory vetting of advanced models are still in flux, but companies like Anthropic, OpenAI, Google DeepMind, and Meta should be war-gaming compliance scenarios now — including internal capability documentation and government liaison protocols — rather than waiting for a formal announcement.

• EU compliance teams should update their roadmaps immediately. The provisional deal extending high-risk AI Act obligations from August 2026 to December 2027 gives enterprises additional runway, but the delay is not a reprieve — GPAI model rules and prohibited AI practice bans remain on schedule. Use the extra time to close compliance gaps, not defer them.

• US-based companies with multi-state footprints face compounding patchwork risk. Georgia has a new chatbot safety law, Colorado has a revised transparency regime, Maryland has a novel surveillance pricing law, and Missouri killed its bill — all in one week. With no federal preemption law in place, enterprises need a state-by-state compliance matrix that is updated continuously, not annually.

• AI training data practices remain an active enforcement target globally. Canada's finding against OpenAI's ChatGPT training methodology is a warning signal for any AI developer that has scraped web data without explicit consent frameworks. Legal teams should audit training data provenance and assess exposure under PIPEDA, GDPR, and analogous frameworks before regulators come knocking.

What to Watch Next Week

1. White House executive action on frontier AI: Administration sources told Politico that executive action on pre-release vetting of advanced models is under active consideration. Any announcement — or confirmed delay — would be the most consequential US AI policy event of 2026 so far. Watch for White House press releases and congressional reaction.

2. Colorado Governor's formal signing: While Governor Polis confirmed he will sign the revised Colorado AI transparency bill, the formal signing and effective date trigger compliance timelines for covered businesses. Monitor for the official signing ceremony and any accompanying guidance on implementation.

3. EU AI Act Omnibus formal vote: The provisional political deal struck in early May still requires formal adoption by the European Parliament and Council. Watch for scheduled votes that would lock in the December 2027 deadline extension for high-risk systems and clarify overlap with sectoral machinery rules.