Independent coverage of workplace AI governance, shadow AI risks, compliance, and enterprise AI policy. https://shadowaiwatch.com en-AU 2026-05-06T06:00:00+08:00 https://shadowaiwatch.com/shadow-ai/ft-focaldata-ai-adoption-divide-high-earners-governance-2026/ https://shadowaiwatch.com/shadow-ai/ft-focaldata-ai-adoption-divide-high-earners-governance-2026/ 2026-05-06T06:00:00+08:00 An FT-Focaldata poll of 4,000 US and UK workers found over 60% of top earners use AI daily versus 16% of lowest earners. The people with the most autonomy, the most seniority, and the broadest access are adopting AI fastest, with the least oversight. Shadow AI https://shadowaiwatch.com/compliance/doj-xai-colorado-ai-act-constitutional-challenge-2026/ https://shadowaiwatch.com/compliance/doj-xai-colorado-ai-act-constitutional-challenge-2026/ 2026-05-05T06:00:00+08:00 The US Department of Justice intervened in xAI's constitutional challenge to Colorado SB24-205 on 24 April 2026, calling the state's algorithmic discrimination requirements unconstitutional. The law's 30 June 2026 compliance date has not changed. Compliance https://shadowaiwatch.com/compliance/eu-ai-act-omnibus-collapse-august-2026-deadline-2026/ https://shadowaiwatch.com/compliance/eu-ai-act-omnibus-collapse-august-2026-deadline-2026/ 2026-05-04T06:00:00+08:00 Twelve hours of EU trilogue negotiations broke down on 28 April 2026 without agreement on the Digital Omnibus reforms. The original 2 August 2026 deadline for high-risk AI systems and Article 50 transparency obligations is still in force. Compliance teams that were banking on an extension need to change course. Compliance https://shadowaiwatch.com/compliance/ftc-ai-enforcement-playbook-section-5-2026/ https://shadowaiwatch.com/compliance/ftc-ai-enforcement-playbook-section-5-2026/ 2026-05-01T06:00:00+08:00 The FTC brought at least 12 AI-related enforcement actions in 2025, targeting deceptive capability claims, undisclosed automated decisions, and AI-generated fake content. Section 5 of the FTC Act is doing the work that AI-specific legislation has not. Compliance https://shadowaiwatch.com/compliance/uk-ico-ai-adm-code-of-practice-si-2026-425/ https://shadowaiwatch.com/compliance/uk-ico-ai-adm-code-of-practice-si-2026-425/ 2026-04-30T06:00:00+08:00 A new statutory instrument requires the UK Information Commissioner to produce a formal code of practice on AI and automated decision-making. SI 2026/425 comes into force on 12 May 2026 and includes mandatory guidance on children's data. Compliance https://shadowaiwatch.com/shadow-ai/vercel-context-ai-breach-shadow-ai-supply-chain-2026/ https://shadowaiwatch.com/shadow-ai/vercel-context-ai-breach-shadow-ai-supply-chain-2026/ 2026-04-29T06:00:00+08:00 Vercel was breached through Context.ai, a consumer AI productivity tool connected to a single employee's Google Workspace with 'Allow All' OAuth permissions. Stolen data is now listed on BreachForums for USD 2 million. The kill chain started with a Roblox cheat download. Shadow AI https://shadowaiwatch.com/governance/canada-sovereign-ai-compute-infrastructure-program-2026/ https://shadowaiwatch.com/governance/canada-sovereign-ai-compute-infrastructure-program-2026/ 2026-04-28T06:00:00+08:00 Canada's AI Sovereign Compute Infrastructure Program opened applications on 15 April 2026. The $890 million investment turns data residency and provider jurisdiction from abstract risks into funded infrastructure decisions. Governance https://shadowaiwatch.com/research/fbi-ic3-2025-ai-enabled-fraud-893-million/ https://shadowaiwatch.com/research/fbi-ic3-2025-ai-enabled-fraud-893-million/ 2026-04-24T06:00:00+08:00 The FBI's IC3 logged 22,364 AI-related complaints with losses exceeding USD 893 million in 2025. It is the first time the annual report includes a dedicated AI section. Enterprise risk frameworks need to catch up. Research https://shadowaiwatch.com/research/stanford-ai-index-2026-incidents-transparency-governance/ https://shadowaiwatch.com/research/stanford-ai-index-2026-incidents-transparency-governance/ 2026-04-23T06:00:00+08:00 Stanford HAI's 2026 AI Index shows AI incidents rose from 233 to 362, the Foundation Model Transparency Index dropped from 58 to 40, and organisational adoption hit 88%. The gap between capability and accountability is widening. Research https://shadowaiwatch.com/governance/grant-thornton-ai-proof-gap-governance-audit-2026/ https://shadowaiwatch.com/governance/grant-thornton-ai-proof-gap-governance-audit-2026/ 2026-04-22T06:00:00+08:00 Grant Thornton surveyed 950 senior US leaders. 78% lack confidence they could pass an AI governance audit in 90 days. Only 12% say their workforce is AI-ready. The gap between AI spend and AI proof is widening. Governance https://shadowaiwatch.com/governance/asic-apra-anthropic-mythos-cybersecurity-risk-2026/ https://shadowaiwatch.com/governance/asic-apra-anthropic-mythos-cybersecurity-risk-2026/ 2026-04-21T06:00:00+08:00 Australian and Asian financial regulators have confirmed they are monitoring Anthropic's Claude Mythos Preview, an AI model that can autonomously find and exploit zero-day vulnerabilities at scale. ASIC expects licensees to be on the front foot. Governance https://shadowaiwatch.com/research/walkme-enterprise-ai-rejection-governance-gap-2026/ https://shadowaiwatch.com/research/walkme-enterprise-ai-rejection-governance-gap-2026/ 2026-04-21T06:00:00+08:00 WalkMe surveyed 3,750 enterprise workers across 14 countries. 54% bypass company AI, 33% never use it, 78% of executives want to discipline shadow AI use, only 21% of workers have ever been warned about AI policy. The numbers describe a governance gap, not a training gap. Research https://shadowaiwatch.com/governance/uk-eu-agentic-ai-consumer-law-cma-drcf-2026/ https://shadowaiwatch.com/governance/uk-eu-agentic-ai-consumer-law-cma-drcf-2026/ 2026-04-20T06:00:00+08:00 The UK CMA, the cross-regulator DRCF, and the ICO published cluster guidance on agentic AI in March 2026. The CMA can fine up to 10% of global turnover under the DMCC Act. The EU AI Act caps manipulation penalties at 35M EUR or 7% of turnover. Governance https://shadowaiwatch.com/compliance/eu-ai-act-high-risk-delay-omnibus-2026/ https://shadowaiwatch.com/compliance/eu-ai-act-high-risk-delay-omnibus-2026/ 2026-04-17T06:00:00+08:00 The EU is pushing back high-risk AI obligations from August 2026 to late 2027 or 2028. Non-retroactivity means systems deployed before those dates may never have to comply. Compliance https://shadowaiwatch.com/compliance/doj-ai-job-ads-citizenship-discrimination-2026/ https://shadowaiwatch.com/compliance/doj-ai-job-ads-citizenship-discrimination-2026/ 2026-04-16T06:00:00+08:00 Two DOJ settlements in six weeks have put AI-assisted recruitment squarely inside federal anti-discrimination enforcement. The vendor did not draft the ads, the AI did, and the employer still paid. Compliance https://shadowaiwatch.com/compliance/canada-privacy-act-review-ai-pia-2026/ https://shadowaiwatch.com/compliance/canada-privacy-act-review-ai-pia-2026/ 2026-04-15T06:00:00+08:00 Canada has opened the first comprehensive review of its 1983 Privacy Act in 43 years. The proposed reforms would write AI transparency and mandatory privacy impact assessments into statute. Compliance https://shadowaiwatch.com/governance/naic-ai-insurance-evaluation-tool-pilot-2026/ https://shadowaiwatch.com/governance/naic-ai-insurance-evaluation-tool-pilot-2026/ 2026-04-14T06:00:00+08:00 Twelve US states have launched the first coordinated examination of AI claims decisions using a structured evaluation tool. Regulators want technical evidence, not policy statements. Governance https://shadowaiwatch.com/compliance/oaic-childrens-online-privacy-code-ai-2026/ https://shadowaiwatch.com/compliance/oaic-childrens-online-privacy-code-ai-2026/ 2026-04-13T06:00:00+08:00 Australia's OAIC has released the draft Children's Online Privacy Code. The rules target children's data, but the AI design baseline they set will likely become the expectation for every AI system. Compliance https://shadowaiwatch.com/compliance/connecticut-ag-existing-laws-regulate-ai-2026/ https://shadowaiwatch.com/compliance/connecticut-ag-existing-laws-regulate-ai-2026/ 2026-04-10T06:00:00+08:00 Connecticut's Attorney General has mapped AI uses to existing privacy, civil rights and consumer protection laws. The message: regulators do not need new AI laws to come after you. Compliance https://shadowaiwatch.com/research/ai-rollout-pressure-outrunning-governance-2026/ https://shadowaiwatch.com/research/ai-rollout-pressure-outrunning-governance-2026/ 2026-04-09T06:00:00+08:00 Two global studies from TrendAI and Deloitte, surveying nearly 7,000 leaders between them, find the same pattern: organisations are deploying AI faster than they can govern it. Only 38% have comprehensive policies. Research