Top Stories This Week

1. Colorado SB 26-189: Five Days to Repeal and Replace SB 24-205

May 1-6, 2026

The long-anticipated formal replacement for Colorado’s AI Act arrived on May 1 with the introduction of Senate Bill 26-189, “Automated Decision-Making Technology”, sponsored by Senator Rodriguez and colleagues who also sponsored the original SB 24-205. The bill cleared the Senate Business, Labor and Technology Committee on a 5-0 vote on May 5 and the Senate Appropriations Committee on a 7-0 vote on May 6, when it was referred to the full Senate for a floor vote. The Colorado legislature adjourns May 13 – as of today, five legislative days remain for SB 26-189 to clear the full Senate and the House.

SB 26-189 makes four changes that together convert SB 24-205 from a compliance-and-disclosure regime to a notice-and-rights regime. First, the bill replaces the “high-risk artificial intelligence system” definition with “automated decision-making technology (ADMT)” – a broader term that captures more systems but applies lighter obligations. Second, it removes the affirmative duty on developers and deployers to prevent algorithmic discrimination and conduct impact assessments. Third, it eliminates explainability requirements: companies will not be required to disclose how their AI systems reach decisions on things like loans, housing, and employment. Fourth, the effective date moves from June 30, 2026 to January 1, 2027. What SB 26-189 keeps from SB 24-205: consumers retain the right to receive notice when AI is used in a consequential decision, to request the personal data used by the system, to correct factually inaccurate data, and to request human review following an adverse outcome. Senator Rodriguez described SB 26-189 as “more of a notice bill.” Colorado Newsline and the Colorado Sun confirm these key changes; the original bill sponsor of SB 24-205 separately noted that “massive amounts of money” from industry lobbyists had shaped the political environment that made the replacement necessary.

Why it matters: Two unanimous committee votes in two days is a strong signal, but the May 13 adjournment creates a binding deadline that process cannot override. If SB 26-189 passes, SB 24-205 is repealed before it ever takes effect and the new ADMT framework does not impose obligations until January 2027. That is six additional months of compliance runway and a substantially lighter compliance burden. If SB 26-189 fails – if the session ends without floor passage in either chamber – SB 24-205 takes effect in its original form on June 30, and a DOJ preemption legal challenge is widely expected within days. Companies should monitor the Colorado legislature’s daily calendar for the week of May 11 and should not defer SB 24-205 compliance planning on the assumption that SB 26-189 will pass: the legislature’s track record on last-session AI bills warrants caution.


2. The White House Weighs Pre-Release AI Model Vetting – A Policy Reversal Driven by Cybersecurity Concerns

April 7 – May 5, 2026

The New York Times and Bloomberg reported on May 4-5, 2026 that the Trump administration is considering an executive order that would require government review of powerful AI models before they can be publicly released. According to reporting confirmed by CNBC, the administration is currently testing models from Google, Microsoft, and xAI as part of evaluating what such a vetting process would require. White House officials met with executives from Anthropic, Alphabet, and OpenAI the week of April 28 to discuss the plans under consideration. A White House spokesperson declined to confirm or deny the reporting, saying any policy announcement would come directly from the president.

The proposal is directly traceable to Anthropic’s Claude Mythos Preview, released April 7, 2026, through Project Glasswing. Mythos is a general-purpose frontier model released not to the public but to a limited group of launch partners – Apple, Google, Microsoft, Nvidia, Palo Alto Networks, and CrowdStrike – specifically to be used for defensive cybersecurity purposes. Anthropic committed $100 million in usage credits and $4 million in direct donations to open-source security organizations. Mozilla’s chief technology officer described Mythos as elevating AI from “competent software engineer” to “world-class, elite security engineer”: the model can identify thousands of zero-day vulnerabilities across all major operating systems and browsers. The UK AI Safety Institute independently evaluated Mythos Preview’s cyber capabilities and published its findings. Vice President JD Vance and Treasury Secretary Scott Bessent had already questioned leading tech CEOs about AI security risks before Mythos was released; after the release, the White House moved to oppose Anthropic’s plans to expand access beyond the initial launch partners.

Why it matters: This is a potential policy reversal of the first order. The Trump administration’s AI posture since January 2025 – EO 14179 (“Removing Barriers to American Leadership in AI”) and the March 2026 National AI Legislative Framework – has been built on the premise that regulation stifles American innovation and that a “freedom to innovate” approach will keep the US ahead of China. A pre-release government review requirement for frontier AI models would contradict that premise directly. The cybersecurity frame matters: the administration is not being asked to regulate AI for consumer protection or civil rights reasons, but because AI models can now conduct offensive cyber operations at a level previously requiring nation-state-caliber human expertise. Whether the administration ultimately issues an executive order or a lighter-touch process depends on how it balances those competing imperatives. The existence of the internal deliberation is the news – the direction of travel has changed.


3. TAKE IT DOWN Act Enforcement Arrives May 19 – Platforms Have Days to Comply

May 19, 2026 (Deadline)

The TAKE IT DOWN Act – the first federal law directly regulating AI-generated content – reaches its platform compliance deadline in eleven days. Signed by President Trump on May 19, 2025, the law’s criminal prohibition on nonconsensual publication of intimate imagery, including AI-generated deepfakes, took effect immediately. Covered platforms, however, were given one year to establish the required notice-and-takedown infrastructure. That year expires May 19, 2026.

As of that date, covered online platforms – public websites, online services and applications, and mobile applications that primarily host user-generated content or are primarily designed to publish nonconsensual intimate visual depictions – must have a compliant system in place that allows individuals (or their representatives) to notify the platform and request removal of nonconsensual intimate imagery. Upon receiving a valid takedown request, platforms must remove the content within 48 hours and make reasonable efforts to remove known copies. Platforms must provide users with clear and conspicuous notice about these obligations. The FTC enforces platform compliance: non-compliance can be treated as an unfair or deceptive act in violation of the Federal Trade Commission Act.

Why it matters: The TAKE IT DOWN Act is the first test of whether a bipartisan federal consensus on a specific AI-generated content harm – nonconsensual intimate imagery – can produce workable enforcement at scale. The 48-hour removal window and duty to pursue known copies are operationally demanding requirements that go beyond what many platforms have built for other content moderation obligations. The FTC’s enforcement posture on May 19 will signal how aggressive federal regulators intend to be on AI content law. This also converges with California’s SB 243 (AI chatbot safety) enforcement and the California AG’s ongoing investigation of xAI over Grok-generated nonconsensual sexually explicit imagery – federal and state deepfake enforcement are now running in parallel for the first time.


4. California Court Upholds AB 2013 Against xAI – First Federal Ruling on State AI Transparency Law

March 4, 2026 (Ruling) – Ongoing

On March 4, 2026, US District Judge Jesus G. Bernal of the Central District of California denied xAI’s motion for a preliminary injunction against California’s AB 2013 (AI Training Data Transparency Act) in the case X.AI LLC v. Bonta. The court order is the first federal court ruling on the constitutionality of a state AI transparency law, and it rejected all three of xAI’s constitutional arguments: a Fifth Amendment Takings Clause claim (forced disclosure of trade secrets without compensation), a First Amendment compelled-speech claim, and a vagueness challenge.

AB 2013 requires developers of generative AI systems publicly available in California to publish a high-level summary of the datasets used to train their systems – covering sources, ownership, types, volume, copyright status, and whether personal or synthetic data was used. The law took effect January 1, 2026, and its retroactive scope reaches AI models released since 2022. Judge Bernal found that xAI had standing to challenge the law but had not demonstrated a likelihood of success on the merits on any of its three constitutional claims – the standard required to obtain a preliminary injunction. The case now proceeds to the merits stage; a full constitutional adjudication could take years. Enforcement of AB 2013 continues unblocked while the case is pending.

Why it matters: A preliminary injunction denial is not a ruling on the merits – the constitutional questions are not decided, and xAI’s arguments will be fully adjudicated. But the denial is significant because it demonstrates that trade-secret and First Amendment objections to state AI transparency mandates do not clear the bar for halting enforcement before trial. For the dozens of other AI developers subject to AB 2013, there is no preliminary relief to wait for: compliance is required now. For other states considering training-data disclosure requirements, the ruling signals that courts will not summarily enjoin such laws on constitutional grounds. The xAI case will be watched closely by attorneys general in Colorado, New York, and Texas as they calibrate their own enforcement approaches.


5. EU AI Act: 86 Days to High-Risk Deadline, Enforcement Capacity Concerns Emerge

August 2, 2026 (Deadline)

The EU AI Act’s high-risk AI system obligations – requiring conformity assessments, data governance, transparency documentation, human oversight mechanisms, and incident reporting for AI used in employment, credit, healthcare, education, and other regulated domains – take effect August 2, 2026. As of today, 86 days remain. The final Code of Practice for general-purpose AI (GPAI) models was published in July 2025 and confirmed by the European Commission as an adequate voluntary tool for demonstrating compliance with GPAI model obligations, which have been in force since August 2, 2025. The GPAI Code covers transparency, copyright compliance, and risk mitigation for systemic models.

A concern emerging in EU policy circles is whether the AI Office – the body responsible for GPAI enforcement – has sufficient staffing and resources to implement the Code of Practice at scale. Academics and civil society organizations have identified a gap of approximately threefold between the AI Office’s current Regulation and Compliance unit capacity and what would be required for adequate enforcement starting August 2. European Commission enforcement actions – requests for information, access to models, or model recalls – are authorized only from August 2, 2026 onward. Fines of up to 3% of global annual turnover (or EUR 15 million, whichever is higher) can be imposed for GPAI violations; up to 7% (or EUR 35 million) for prohibited practices.

Why it matters: Companies with EU market exposure that have not yet completed their high-risk AI compliance work have fewer than 90 days. The GPAI Code of Practice is available now and represents the most concrete compliance pathway for frontier AI model providers – waiting for further guidance will compress implementation windows. The resource-capacity concerns do not affect legal obligations: penalties begin accruing for non-compliant systems from August 2 regardless of enforcement staffing levels. The 86-day window also puts EU compliance directly inside the Colorado SB 26-189 resolution window, meaning AI governance teams at multinational companies will face two simultaneous compliance inflection points – one state, one supranational – in a seven-week span.


Analysis: Three Governance Layers Activate Simultaneously

Week 9 is unusual in that three distinct layers of AI governance are moving in real time, on timelines that compress into the next 90 days.

At the state level, Colorado’s SB 26-189 is the most immediate: five days to determine whether the first major state AI consumer protection law is replaced by a lighter-touch notice regime or takes effect in its original form. The unanimous committee votes are encouraging, but the session clock, not political will, is the binding constraint. The outcome of Colorado’s final five days will define whether state-level AI governance in the US moves toward negotiated notice frameworks (the SB 26-189 model) or toward full compliance regimes that invite federal preemption challenges (the SB 24-205 model).

At the federal level, the White House’s internal deliberation over pre-release AI model vetting represents a potential inflection point. The administration that entered office on a platform of removing barriers to AI innovation is now considering adding one – not for consumer protection or civil rights reasons, but because Anthropic’s Mythos demonstrated that frontier AI models have crossed a capability threshold with direct national security implications. If an executive order on pre-release vetting is issued, it will define a new federal role in AI governance that neither the Biden nor first Trump administration established. The absence of an AI czar (the Sacks seat remains unfilled; Chief of Staff Wiles and Treasury Secretary Bessent have taken on AI policy coordination) means any executive order will carry the weight of the full senior White House staff, not a single designated official.

At the international level, the EU’s August 2 high-risk deadline is the most structurally certain development: it will happen on schedule regardless of Colorado’s legislative outcome or the White House’s internal deliberations. The enforcement capacity questions do not create a grace period – they create uncertainty about which violations will be prioritized, not whether violations will eventually be pursued.

The connecting thread across all three layers is the same question: who decides what AI can do before it reaches users, and on what criteria? Colorado, California, the White House, and the EU are each arriving at that question from different angles and with different institutional tools. The answers taking shape this month will influence each other.


What to Watch

  • Colorado SB 26-189 floor vote: The full Senate vote is the critical indicator – a floor vote scheduled for the week of May 11 is the signal to watch. If SB 26-189 passes the Senate, House passage in the remaining days becomes the next threshold. A delay to the final day (May 13) would raise the procedural risk of the session expiring without passage.
  • White House executive order on AI model vetting: A pre-release vetting executive order would be the most significant domestic AI governance action of 2026. Watch for official confirmation or denial from the White House; the administration has acknowledged meetings with AI company executives, which suggests the proposal is further along than pure internal deliberation.
  • TAKE IT DOWN Act FTC enforcement posture: The FTC has not signaled whether it will move to enforcement on May 20 or give platforms additional time to come into compliance. Watch for any FTC statements or guidance issued in the week of May 11. An early enforcement action (complaint or investigation notice) would signal an aggressive posture; silence past May 19 would suggest a ramp-up period.
  • xAI v. Bonta merits schedule: Now that the preliminary injunction has been denied, the district court will set a schedule for the merits case. A summary judgment motion by California AG Bonta would be the next likely procedural step.
  • EU AI Office staffing and enforcement preparation: Any announcements from the European Commission or AI Office regarding enforcement capacity, prioritization frameworks, or additional guidance ahead of August 2 are highly material. The Code of Practice is final; watch for supplementary technical guidelines.
  • Colorado SB 24-205 compliance deadlines (fallback): If SB 26-189 fails, companies have 53 days (June 30 deadline) to finalize SB 24-205 compliance work. Any legal challenge by the Colorado AG or DOJ would be filed after the June 30 effective date.

Sources

  1. Colorado SB 26-189 official bill page – Colorado General Assembly: https://leg.colorado.gov/bills/sb26-189
  2. Colorado lawmakers advance AI law rewrite (Colorado Politics, May 4, 2026): https://www.coloradopolitics.com/2026/05/04/colorado-lawmakers-advance-rewrite-of-2024-law-to-regulate-artificial-intelligence/
  3. New bill would narrow scope of Colorado’s landmark AI law (Colorado Newsline, May 4, 2026): https://coloradonewsline.com/2026/05/04/narrow-scope-colorado-ai-law/
  4. Colorado AI bill introduced (Colorado Sun, May 1, 2026): https://coloradosun.com/2026/05/01/colorado-ai-law-change-bill-introduced/
  5. Trump admin testing Google, Microsoft, xAI models (CNBC, May 5, 2026): https://www.cnbc.com/2026/05/05/ai-oversight-trump-google-microsoft-xai.html
  6. White House considers pre-release AI vetting (US News, May 4, 2026): https://www.usnews.com/news/top-news/articles/2026-05-04/white-house-considers-vetting-ai-models-before-they-are-released-nyt-reports
  7. Anthropic Claude Mythos Preview announcement (Anthropic): https://red.anthropic.com/2026/mythos-preview/
  8. Project Glasswing overview (Anthropic): https://www.anthropic.com/glasswing
  9. UK AISI evaluation of Mythos Preview cyber capabilities: https://www.aisi.gov.uk/blog/our-evaluation-of-claude-mythos-previews-cyber-capabilities
  10. Anthropic Mythos model – Washington Post (April 24, 2026): https://www.washingtonpost.com/technology/2026/04/24/anthropic-mythos-ai-washington-cybersecurity-hacking-risk/
  11. TAKE IT DOWN Act CRS summary (Congress.gov): https://www.congress.gov/crs-product/LSB11314
  12. TAKE IT DOWN Act analysis (Skadden, 2025): https://www.skadden.com/insights/publications/2025/06/take-it-down-act
  13. xAI v. Bonta order denying preliminary injunction (March 4, 2026): https://cdn.arstechnica.net/wp-content/uploads/2026/03/xAI-v-Bonta-Order-Denying-Preliminary-Injunction-3-4-26.pdf
  14. Court upholds California AB 2013 against xAI (Fisher Phillips): https://www.fisherphillips.com/en/insights/insights/court-upholds-california-ai-transparency-law
  15. AB 2013 official text (LegiscanCA): https://legiscan.com/CA/text/AB2013/id/3023192
  16. EU AI Act implementation timeline: https://artificialintelligenceact.eu/implementation-timeline/
  17. GPAI Code of Practice overview (EU AI Act): https://artificialintelligenceact.eu/code-of-practice-overview/
  18. EU AI Act GPAI obligations in force and Code of Practice in place (Latham, 2025): https://www.lw.com/en/insights/eu-ai-act-gpai-model-obligations-in-force-and-final-gpai-code-of-practice-in-place

Published: May 8, 2026
Next Issue: May 15, 2026 (Monday 10:15 AM ET)