Independent coverage of workplace AI governance, shadow AI risks, compliance, and enterprise AI policy. https://shadowaiwatch.com en-AU 2026-05-21T06:00:00+08:00 https://shadowaiwatch.com/compliance/california-ab-2027-worker-data-ai-training-ban-2026/ https://shadowaiwatch.com/compliance/california-ab-2027-worker-data-ai-training-ban-2026/ 2026-05-21T06:00:00+08:00 AB 2027 would bar employers from using worker data to train AI that replaces their jobs. It cleared committee on 22 April and is now in Appropriations. Compliance https://shadowaiwatch.com/compliance/oregon-ai-sanctions-fabricated-citations-legal-governance-2026/ https://shadowaiwatch.com/compliance/oregon-ai-sanctions-fabricated-citations-legal-governance-2026/ 2026-05-20T06:00:00+08:00 US courts imposed at least USD 145,000 in AI sanctions in Q1 2026. Oregon's record penalty and per-citation fine formula make AI hallucination costs scalable. Compliance https://shadowaiwatch.com/shadow-ai/vibe-coded-apps-data-exposure-shadow-ai-2026/ https://shadowaiwatch.com/shadow-ai/vibe-coded-apps-data-exposure-shadow-ai-2026/ 2026-05-19T06:00:00+08:00 RedAccess found 5,000 AI-built apps with no authentication leaking patient records, bank data, and corporate documents. Axios and Wired verified the findings. Shadow AI https://shadowaiwatch.com/research/cybercx-hack-report-2026-ai-pen-test-severe-findings/ https://shadowaiwatch.com/research/cybercx-hack-report-2026-ai-pen-test-severe-findings/ 2026-05-18T06:00:00+08:00 CyberCX analysed 70,000+ findings from 7,500+ pen tests. AI systems had severe vulnerabilities at double the rate of web apps. Social engineering won 77%. Research https://shadowaiwatch.com/research/littler-employer-survey-2026-ai-regulation-governance-gap/ https://shadowaiwatch.com/research/littler-employer-survey-2026-ai-regulation-governance-gap/ 2026-05-15T06:00:00+08:00 Littler's 14th Annual Employer Survey: AI is the top policy concern for 84% of US employers, up from 42% in 2025. Only 55% review AI tools pre-deploy. Research https://shadowaiwatch.com/shadow-ai/novoresume-ai-generated-work-undisclosed-governance-2026/ https://shadowaiwatch.com/shadow-ai/novoresume-ai-generated-work-undisclosed-governance-2026/ 2026-05-14T06:00:00+08:00 Novorésumé surveyed 1,000 US workers. 47% use AI to finish early then spend freed time on personal activities. 53% hide their AI use from employers. Shadow AI https://shadowaiwatch.com/shadow-ai/chrome-gemini-nano-silent-install-corporate-governance-2026/ https://shadowaiwatch.com/shadow-ai/chrome-gemini-nano-silent-install-corporate-governance-2026/ 2026-05-13T06:00:00+08:00 Chrome downloads a 4GB Gemini Nano model to eligible devices without consent, re-downloads it if deleted, and powers AI features most users have never enabled. Shadow AI https://shadowaiwatch.com/research/thales-bad-bot-report-2026-ai-agentic-traffic/ https://shadowaiwatch.com/research/thales-bad-bot-report-2026-ai-agentic-traffic/ 2026-05-12T06:00:00+08:00 Thales' 2026 Bad Bot Report: 53% of web traffic is automated, bad bots are 40%, AI-driven attacks grew 12.5x, and financial services bore 46% of account takeovers. Research https://shadowaiwatch.com/governance/five-eyes-agentic-ai-security-guidance-2026/ https://shadowaiwatch.com/governance/five-eyes-agentic-ai-security-guidance-2026/ 2026-05-11T06:00:00+08:00 Six cyber agencies from the US, UK, Australia, Canada and NZ released joint agentic AI security guidance on 1 May 2026, covering five risk categories. Governance https://shadowaiwatch.com/governance/apra-ai-risk-industry-letter-step-change-2026/ https://shadowaiwatch.com/governance/apra-ai-risk-industry-letter-step-change-2026/ 2026-05-08T06:00:00+08:00 APRA's 30 April 2026 industry letter warns AI governance is not keeping pace. The regulator named Mythos and called for a step-change from all regulated entities. Governance https://shadowaiwatch.com/governance/uk-financial-services-ai-governance-gap-zango-2026/ https://shadowaiwatch.com/governance/uk-financial-services-ai-governance-gap-zango-2026/ 2026-05-07T06:00:00+08:00 A Zango AI report draws on 27 C-suite interviews and four roundtables with 60 practitioners from major UK and European banks. The US and Singapore have published sector-specific AI governance frameworks. The UK and EU have not. Governance https://shadowaiwatch.com/shadow-ai/ft-focaldata-ai-adoption-divide-high-earners-governance-2026/ https://shadowaiwatch.com/shadow-ai/ft-focaldata-ai-adoption-divide-high-earners-governance-2026/ 2026-05-06T06:00:00+08:00 An FT-Focaldata poll of 4,000 US and UK workers found over 60% of top earners use AI daily versus 16% of lowest earners. The people with the most autonomy, the most seniority, and the broadest access are adopting AI fastest, with the least oversight. Shadow AI https://shadowaiwatch.com/compliance/doj-xai-colorado-ai-act-constitutional-challenge-2026/ https://shadowaiwatch.com/compliance/doj-xai-colorado-ai-act-constitutional-challenge-2026/ 2026-05-05T06:00:00+08:00 The US Department of Justice intervened in xAI's constitutional challenge to Colorado SB24-205 on 24 April 2026, calling the state's algorithmic discrimination requirements unconstitutional. The law's 30 June 2026 compliance date has not changed. Compliance https://shadowaiwatch.com/compliance/eu-ai-act-omnibus-collapse-august-2026-deadline-2026/ https://shadowaiwatch.com/compliance/eu-ai-act-omnibus-collapse-august-2026-deadline-2026/ 2026-05-04T06:00:00+08:00 Twelve hours of EU trilogue negotiations broke down on 28 April 2026 without agreement on the Digital Omnibus reforms. The original 2 August 2026 deadline for high-risk AI systems and Article 50 transparency obligations is still in force. Compliance teams that were banking on an extension need to change course. Compliance https://shadowaiwatch.com/compliance/ftc-ai-enforcement-playbook-section-5-2026/ https://shadowaiwatch.com/compliance/ftc-ai-enforcement-playbook-section-5-2026/ 2026-05-01T06:00:00+08:00 The FTC brought at least 12 AI-related enforcement actions in 2025, targeting deceptive capability claims, undisclosed automated decisions, and AI-generated fake content. Section 5 of the FTC Act is doing the work that AI-specific legislation has not. Compliance https://shadowaiwatch.com/compliance/uk-ico-ai-adm-code-of-practice-si-2026-425/ https://shadowaiwatch.com/compliance/uk-ico-ai-adm-code-of-practice-si-2026-425/ 2026-04-30T06:00:00+08:00 A new statutory instrument requires the UK Information Commissioner to produce a formal code of practice on AI and automated decision-making. SI 2026/425 comes into force on 12 May 2026 and includes mandatory guidance on children's data. Compliance https://shadowaiwatch.com/shadow-ai/vercel-context-ai-breach-shadow-ai-supply-chain-2026/ https://shadowaiwatch.com/shadow-ai/vercel-context-ai-breach-shadow-ai-supply-chain-2026/ 2026-04-29T06:00:00+08:00 Vercel was breached through Context.ai, a consumer AI productivity tool connected to a single employee's Google Workspace with 'Allow All' OAuth permissions. Stolen data is now listed on BreachForums for USD 2 million. The kill chain started with a Roblox cheat download. Shadow AI https://shadowaiwatch.com/governance/canada-sovereign-ai-compute-infrastructure-program-2026/ https://shadowaiwatch.com/governance/canada-sovereign-ai-compute-infrastructure-program-2026/ 2026-04-28T06:00:00+08:00 Canada's AI Sovereign Compute Infrastructure Program opened applications on 15 April 2026. The $890 million investment turns data residency and provider jurisdiction from abstract risks into funded infrastructure decisions. Governance https://shadowaiwatch.com/research/fbi-ic3-2025-ai-enabled-fraud-893-million/ https://shadowaiwatch.com/research/fbi-ic3-2025-ai-enabled-fraud-893-million/ 2026-04-24T06:00:00+08:00 The FBI's IC3 logged 22,364 AI-related complaints with losses exceeding USD 893 million in 2025. It is the first time the annual report includes a dedicated AI section. Enterprise risk frameworks need to catch up. Research https://shadowaiwatch.com/research/stanford-ai-index-2026-incidents-transparency-governance/ https://shadowaiwatch.com/research/stanford-ai-index-2026-incidents-transparency-governance/ 2026-04-23T06:00:00+08:00 Stanford HAI's 2026 AI Index shows AI incidents rose from 233 to 362, the Foundation Model Transparency Index dropped from 58 to 40, and organisational adoption hit 88%. The gap between capability and accountability is widening. Research