What does your audit committee owe you during the AI regulatory pause?

Two regulators slipped their AI deadlines in a week. The courts and procurement teams did not. Here is what audit committees should be asking before Q3 board meetings.
Two regulators slipped their AI deadlines in the last week. The EU pushed Annex III high-risk obligations to December 2, 2027. Colorado gutted its AI Act and delayed it to January 2027. In the same week, a federal court in New York ruled that "the devil made me do it" is not a valid defense for AI outputs, and procurement teams kept asking vendors for ISO 42001 alignment. Audit committees that read the legislative news as permission to slow down are misreading the room.
The headline your board saw
Two regulators hit pause in seven days. On May 7, EU legislators reached political agreement on the AI Omnibus, deferring high-risk Annex III obligations from August 2026 to December 2, 2027, a 16-month slip. On May 12, Colorado’s legislature passed SB 26-189 by 57 to 6 in the House and 34 to 1 in the Senate, gutting the original Colorado AI Act, dropping the disclosure requirements, and pushing implementation to January 2027. The Colorado Sun called it a fight that ends with “watered-down law, little fanfare.”
If your board read those headlines and exhaled, I understand the instinct. I want to talk you out of it.
What it actually means
While the legislatures were extending deadlines, two other things happened this week that matter more for audit committees.
On May 7, a federal judge in the Southern District of New York ruled in American Council of Learned Societies v. National Endowment for the Humanities that an agency could not blame ChatGPT for outputs it had adopted. The court found, in its own words, that there was not a scintilla of evidence that human reviewers validated the AI-generated rationales before they were used. Sidley Austin’s analysis of the ruling, published May 11, is blunt about what changed. Prompts and outputs are discoverable. The “devil made me do it” defense is no longer a defense.
"There is not a scintilla of evidence that personnel reviewed AI-generated rationales before adoption. The devil made me do it defense does not work for the Government."
That is the first time a federal court has written down what your audit committee already suspects. AI accountability does not delegate to the model. It sits with the humans who deployed it.
The second thing that happened this week is quieter but bigger. On May 12, GoGuardian announced it had earned ISO 42001 certification for its AI safety system, explicitly citing Colorado AI Act alignment in its press release. ISO 42001 is the world’s first AI management system standard. By mid-2026, it is showing up in roughly 40 percent of EU enterprise AI vendor RFPs and 25 percent of North American ones. Gartner has reported that 83 percent of Fortune 500 procurement teams plan to require ISO 42001 alignment from technology vendors by 2027.
Put those three signals together. Regulators slowed down. The courts sped up. Procurement is now writing the rules that the legislatures just postponed.
Three questions your board will ask
1. If the deadlines moved, can we throttle back the AI governance program?
No. The deadlines that moved are statutory. The exposure that did not move is litigation and procurement. The SDNY ruling means any AI workflow that produces an external decision now has a paper trail that opposing counsel can subpoena. And the renewal cycle starts in Q3. If a customer’s RFP asks for ISO 42001 alignment in August and the answer is “we have not started,” that is a revenue conversation, not a compliance conversation.
2. Who is named on each AI workflow that produces an output we cannot disown?
This is the question the SDNY ruling embedded into US case law. Not a policy. Not a steering committee. A name, per workflow, per output. If the answer is “the model did it,” the court already told us how that goes.
3. What is our ISO 42001 alignment plan, and when does the audit committee see it?
Alignment is not certification. Alignment is documented evidence: an AI inventory, a risk classification per system, named human reviewers, a record-keeping schedule. Certification can wait. The evidence cannot. Most of what ISO 42001 asks for is what an audit committee should already want to see on one page.
Your AI compliance exposure just shifted from statutory to structural. Statutory exposure has a calendar. Structural exposure has a docket and a renewal cycle, and both run on someone else's clock.
The 60-second brief
If you have one minute with the audit committee on Friday, this is the line. Regulators slipped 16 to 19 months. The courts and procurement teams did not. The SDNY ruling makes “AI did it” not a defense, and procurement teams are pricing ISO 42001 into Q3 RFPs. Exposure shifted from statutory to structural. We need named human reviewers per AI workflow that produces an external output, a one-page AI inventory, and an ISO 42001 alignment plan by end of Q2. None of that requires new headcount. It requires writing down what we are already doing and admitting where we are not.
What to watch
The Colorado replacement law (SB 26-189) takes effect January 2027 with notice and human-review rights. Connecticut’s SB 5 cleared the legislature on May 1 and Governor Lamont is expected to sign. Expect more state movement before Q3. And keep an eye on which of the large customers updates AI procurement language first. That is the practical deadline.
Sources
- When 'The Devil Made Me Do It' Is Not a Defense: Lessons in AI Governance and Organizational Oversight from an SDNY Decision - Sidley Austin, 2026-05-11
- Colorado's fierce two-year fight over AI regulation ends with watered-down law, little fanfare - The Colorado Sun, 2026-05-12
- Major Developments Put Colorado's AI Law on Ice Ahead of Implementation - Law and the Workplace (Proskauer), 2026-05-11
- GoGuardian Beacon Sets New Standard for Responsible AI in Student Safety, Earns ISO 42001 Certification - GlobeNewswire, 2026-05-12