AIRiskAware
Reading List
May 2026

The EU AI Act Omnibus, Australia's privacy reform commencement, and a wave of enforcement actions across four continents.

10 items curated by AIRiskAware ยท Published 28 May 2026

How we choose items: We link to external sources; we do not reproduce them. Each item is selected because it advances practitioner understanding of AI governance. The "AIRiskAware take" is our editorial interpretation, it is not legal or regulatory advice. Always read primary sources.
RegulationEuropean Parliament / Council of the EU

EU AI Act โ€” Regulation (EU) 2024/1689

The Omnibus Regulation passed in May 2026 simplifies provisions for SMEs and general-purpose AI models. The consolidated text now supersedes the April 2024 version and is the primary source every compliance team should be referencing.

AIRiskAware take

Check your organisation's AI Act implementation against this version, not the 2024 text. The changes to high-risk AI obligations under Annex III are material for healthcare and financial services deployers.

RegulationOffice of the Australian Information Commissioner

Australian Privacy Principles โ€” commencement of Phase 2 amendments

Phase 2 of Australia's Privacy Act reforms commenced in 2026, including new requirements around automated decision-making disclosure and enhanced enforcement powers for the OAIC.

AIRiskAware take

If you're an APP entity and haven't updated your privacy policy to address AI-assisted decisions, the window for doing this voluntarily is now closing.

EnforcementFederal Trade Commission

FTC AI enforcement โ€” recent actions roundup

The FTC continued its enforcement posture toward AI-washing, deceptive AI claims, and consumer harm from algorithmic systems. The FTC blog is the fastest way to track US AI enforcement without legal subscriptions.

AIRiskAware take

Three consistent themes: (1) marketing claims about AI capabilities need substantiation; (2) "AI explains" is not a valid response to an adverse action โ€” actual explanations are required; (3) children's data is a near-zero-tolerance category.

Academic paperBank for International Settlements

AI and bank runs: large language models as a financial stability risk

A BIS working paper modelling how LLM-generated sentiment could accelerate bank runs through coordinated customer behaviour. Directly relevant to financial stability risk frameworks.

AIRiskAware take

The mechanism is novel: not a cyberattack but correlated AI-driven decision-making at scale. Financial services firms using AI for customer communications should factor this into operational risk assessments now.

RegulationNational Institute of Standards and Technology

NIST AI RMF Playbook updates

NIST continues to publish profiles and supplementary guidance against the AI RMF 1.0 framework. The playbook is where the operational implementation detail lives.

AIRiskAware take

If your governance team cites "NIST AI RMF compliance" without referencing the playbook, they're working at the wrong level of abstraction.

RegulationEuropean Parliament

EU Platform Work Directive โ€” algorithmic management obligations

The EU Platform Work Directive includes specific requirements on algorithmic management for gig economy platforms โ€” transparency, contestability, and human review. In force from 2026.

AIRiskAware take

Often missed by AI governance teams who focus on the AI Act. If your organisation uses AI to manage contractors or gig workers, this Directive applies independently of the AI Act and has its own obligations.

RegulationPersonal Data Protection Commission Singapore

Singapore Model AI Governance Framework โ€” updated guidance

Singapore continues to update the Model AI Governance Framework with sector-specific guidance. The PDPC remains one of the most practically useful regulators for governance teams operating in APAC.

AIRiskAware take

The Singapore framework is unusually implementation-focused compared to EU or US guidance. It's worth reading even if you're not operating in Singapore โ€” the operational checklists translate across jurisdictions.

ReportStanford Human-Centered Artificial Intelligence Institute

Stanford HAI AI Index Report 2026

The annual AI Index is the most comprehensive quantitative assessment of AI capabilities, adoption, and policy. The 2026 edition covers regulatory developments across 50+ countries.

AIRiskAware take

Chapter 4 (policy and governance) is where to start for practitioners. The data on AI patent filings by jurisdiction, enforcement action counts, and regulatory publication rates is uniquely useful for benchmarking.

ReportOrganisation for Economic Co-operation and Development

OECD AI Policy Observatory โ€” 2026 updates

The OECD AI Observatory tracks regulatory developments across member countries. The AI Principles were updated in 2024 and the implementing guidance continues to evolve.

AIRiskAware take

Underused by practitioners. The comparative policy tracker is genuinely useful for multi-jurisdictional compliance work.

ReportCSIRO

CSIRO responsible AI research programme

Australia's national science agency continues to publish practical AI governance research, including work on AI evaluation, bias testing, and governance frameworks for Australian contexts.

AIRiskAware take

The CSIRO research on evaluating AI in high-stakes Australian government contexts is among the most practically grounded work in the APAC region.

Keep reading

New issues are published here each month. Browse the full archive, or explore our in-depth analysis, every piece linked to primary regulatory sources.

All reading-list issues โ†’Browse insights