By the Shadow AI Policy team
The week of June 9–18, 2026 delivered the busiest stretch of AI policy news this year — a new White House executive order, a landmark bipartisan federal bill, a major overhaul of the EU AI Act's deadlines, a rewritten Colorado employer law, and fresh research showing two-thirds of workers are already ignoring their company's AI rules. Any one of these stories would warrant a policy review. Together, they signal that the governance window for mid-sized employers is closing fast.
This week's briefing covers four developments: President Trump's June 2 executive order shifting U.S. AI policy toward national security; the June 4 bipartisan "Great American AI Act" discussion draft and its controversial three-year freeze on state AI development laws; Colorado's last-minute replacement of its original AI Act with a narrower, decision-level accountability framework (now delayed to January 1, 2027); and the EU's publication of its final Code of Practice on AI-generated content, released June 10, just weeks before the August 2, 2026 Article 50 transparency deadline. We also flag a June 15 PagerDuty/Wakefield shadow AI survey and a June 15 EDPS warning — both directly relevant to HR and compliance teams.
Colorado employers using AI in hiring or performance management must now map their automated decision tools, prepare plain-language adverse-action disclosures, and note a January 1, 2027 compliance deadline — but should not assume the old law is gone, as litigation is ongoing. If you're in any U.S. state, the Great American AI Act's public comment window is open now: submit feedback to GAAIA@mail.house.gov before the bill hardens into a formal introduction.
Published: June 2, 2026 | Source: White House
On June 2, 2026, President Trump issued an executive order titled "Promoting Advanced Artificial Intelligence Innovation and Security." The order continues the administration's pro-innovation posture but breaks new ground on cybersecurity. It calls for AI developers to voluntarily share certain new models with the federal government up to 30 days before providing access to other partners, and directs national security agencies to create a framework for evaluating AI-related risks and establishing an AI-cybersecurity clearinghouse.
The final EO shortens the pre-public access period from a proposed 90 days to 30 days, and makes clear it does not authorize mandatory licensing, preclearance, or permitting requirements for the development, release, or distribution of AI models. For most employers at 50–500 person companies, this EO doesn't create immediate new compliance obligations. But it signals the administration's frame: AI oversight will flow through security and innovation, not consumer protection or employment fairness. The EO also directs the Attorney General to prioritize enforcement of federal criminal laws — including 18 U.S.C. §§ 1028, 1030, and 1343 — against anyone who uses AI to illegally access or damage computer systems or engage in related crimes.
The practical implication for HR and legal teams: don't expect federal-level AI employment rules from this administration. The regulatory pressure on how you use AI in hiring, performance management, and compensation will continue to come from states — which makes the Colorado story below, and the Great American AI Act's preemption provision, especially important to watch.
Published: June 4, 2026 | Sources: Rep. Obernolte's Office | SHRM | DLA Piper
On June 4, 2026, Representative Jay Obernolte (R-CA) and Representative Lori Trahan (D-MA) released a discussion draft of the Great American AI Act (GAAIA), alongside a joint op-ed in Bloomberg Law. This bipartisan legislation would create the first comprehensive federal framework for governing AI in the United States; the nearly 270-page draft is intended to solicit feedback from stakeholders, experts, and the public before the bill is formally introduced to Congress.
The bill contains four major titles: Frontier AI Governance, Workforce, Cybersecurity, and Research, Development, and International Cooperation. It requires frontier AI model developers to disclose information about those models, obtain third-party audits through designated Independent Verification Organizations (IVOs), and refrain from retaliating against whistleblowers. For HR managers, the bill touches on issues including AI workforce development and education funding, directing NIST and the National Science Foundation to establish grants and prizes focused on AI education and workforce development. It would also require the Census Bureau and Bureau of Labor Statistics to revise federal surveys to include AI adoption and usage questions, meaning AI workforce adoption metrics may become benchmarked nationally.
The most contentious provision: Section 121 would preempt state and local laws specifically regulating AI model development for three years, while preserving generally applicable laws and those governing the use and deployment of AI systems. Existing consumer protection, civil rights, and privacy laws would remain intact, but specific AI development transparency laws in California, New York, and Illinois would effectively be frozen or superseded. The House Democratic Commission on AI framed itself in opposition hours after the draft's release, leaving the bill's path to formal introduction filled with uncertainty. The bill is still a discussion draft. It is open for public stakeholder comment, with feedback directed to GAAIA@mail.house.gov.
For compliance teams, this draft matters even before it passes. If GAAIA advances in anything like its current form, it would simplify multi-state AI compliance for employers — but it does not eliminate employment-level AI obligations, which would remain enforceable under deployment-focused state laws. Start tracking this one closely.
Published: May 14, 2026 (signed) | Sources: Littler Mendelson | HR Dive
Colorado's original AI Act (SB 24-205) was weeks away from taking effect when the state legislature passed a replacement. Colorado's governor signed S.B. 26-189, substantially reducing the compliance burden on employers. The Colorado General Assembly passed the bill one day before the end of the 2026 legislative session, and the governor signed it less than two months before the original law was due to take effect on June 30, 2026.
Governor Jared Polis signed SB26-189 into law on May 14. The new bill replaces a system-focused compliance regime with a decision-by-decision accountability model. In practice, employers using covered tools that "materially influence" decisions leading to an adverse outcome must provide a description of the tool's role in the decision, alongside other required disclosures, within 30 days. The law is effective January 1, 2027.
The new CO AI Act goes into effect on January 1, 2027 — still a relatively short period for employers to implement the Act's three requirements: pre-use notice; an adverse action process; and record retention. Several parties opposed the original SB 24-205, including Elon Musk's xAI, which sued Colorado's attorney general to block enforcement of the law. In response to SB 26-189's passage, attorneys advise employers to map their AI tools and engage with vendors, note the law's three-year recordkeeping requirement for relevant compliance documents, and watch for pending legal challenges to the revised law.
The bottom line for HR: if you use AI tools in hiring, promotion, performance scoring, or termination decisions — for Colorado employees or applicants — you now have until January 1, 2027 to operationalize three specific requirements. Use the table below to understand the scope. And if you operate across multiple states, note that generating a tailored AI policy kit calibrated to your industry and headcount can accelerate the gap-mapping process considerably.
| Requirement | What It Means for HR | Deadline |
|---|---|---|
| Pre-use notice | Inform Colorado employees/applicants when covered automated decision-making technology (ADMT) will be used in a consequential decision (hiring, promotion, termination, benefits) | January 1, 2027 |
| Adverse action disclosure | Within 30 days of an adverse decision materially influenced by ADMT, provide plain-language description of the tool's role, its name, version, developer, and data types used; include instructions for correcting inaccurate personal data | January 1, 2027 |
| Record retention | Maintain compliance documentation for at least three years; covers decision records, ADMT descriptions, vendor documentation, and notice logs | 3 years rolling from January 1, 2027 |
| Human review right | Individuals may request meaningful human reconsideration of an adverse consequential decision; "to the extent commercially reasonable" — positions already filled may qualify as exceptions | January 1, 2027 |
| Scope exclusion | Law does not apply to independent contractors or to applicants/employees who are not Colorado residents; routine scheduling and administrative routing are excluded from "consequential decisions" | N/A |
Published: June 10, 2026 | Source: European Commission
On June 10, 2026, the European Commission published its final Code of Practice on marking and labeling AI-generated content. This caps a six-month drafting process and is directly tied to Article 50 of the EU AI Act — the transparency rules that require AI systems to disclose when users are interacting with them. The transparency obligations for chatbots take effect in August 2026, and the deferral for AI-generated content labeling is only four months (to December 2, 2026).
Separately, the EU's Digital Omnibus deal — reached on May 7, 2026 — gives compliance teams more time on some fronts but closes doors on others. The headline 2026 development: the Digital Omnibus pushes the main high-risk deadline for Annex III systems back from August 2, 2026 to December 2, 2027 — buying compliance teams roughly 16 extra months. However, among the most visible changes to the EU AI Act is the introduction of two new prohibited AI-related practices: the use of AI systems to generate or manipulate non-consensual intimate material and child sexual abuse material (CSAM). The prohibition takes effect on December 2, 2026.
The European Commission has also appointed a Scientific Panel and an Advisory Forum to support enforcement of the AI Act, with members serving two-year terms. The Scientific Panel brings together 60 independent experts with experience in frontier AI, engineering, technical auditing, industry, and societal impact. It will focus on GPAI models, systemic risks, model classification, and cross-border market surveillance. This is the EU enforcement apparatus becoming operational in real time — not theoretical future enforcement.
For SMBs with EU-facing operations or EU customers: if you use any customer-facing AI chatbot, virtual assistant, or AI-generated content pipeline, your August 2, 2026 disclosure obligations under Article 50 are now in effect with published guidance. Don't wait for your counsel to surface this — check your customer-facing tools now.
Published: June 15, 2026 | Sources: PagerDuty / Wakefield Research | Digital Watch Observatory / EDPS
Two reports dropped on June 15 that together make a compelling — and uncomfortable — case for urgency. PagerDuty's 2026 Shadow AI Survey, conducted by Wakefield Research among 1,250 office professionals, found that AI adoption in the workplace is outpacing the policies designed to govern it. Two-thirds (66%) of office professionals have used AI tools at work despite believing they were not permitted under company policy. 43% have entered work-related correspondence into public AI tools such as ChatGPT, Claude, or Gemini that aren't part of their company's internal systems. In the UK and Japan, that figure rises to 51% and 50%, respectively. More than a third (34%) have entered customer data or information into public AI tools; another 31% have input financial information or disclosed confidential company documents or strategies.
While 86% of surveyed workers believe their company has formal AI policies in place, more than four-fifths (81%) believe those rules are applied differently to leadership than to the rest of the workforce — a perception especially strong among mid-level managers and below (85%). This is a policy enforcement problem, not just a policy-writing problem. A report from PagerDuty found more than half (53%) of workers had received informal guidance or feedback telling them to stop using unapproved AI, but many still chose their preferred AI services over workplace tools. Nearly as many (48%) also faced formal consequences, like official warnings or disciplinary action.
On the same day, the EU's data protection regulator added a compliance dimension. The European Data Protection Supervisor (EDPS) warned that shadow AI can create hidden data protection and breach risks when employees use unauthorized AI tools without organizational approval. The warning was published in a blog post by EDPS Wojciech Wiewiórowski on June 15, 2026. According to the EDPS, data entered into unapproved AI tools can fall into a regulatory and compliance blind spot — unauthorized tools may lack formal agreements governing the legal basis for processing, data retention periods, and safeguards for international data transfers. The EDPS said policies should be backed by technical controls and monitoring, including blocking unapproved AI domains, enforcing data loss prevention rules, and restricting the installation of unauthorized AI software. It also recommended that organizations provide approved AI platforms that are secure, compliant, and capable of meeting employees' operational needs.
For HR and legal teams, the combination of these two reports creates an audit trigger. If you have a written AI policy but no enforcement mechanism — no technical controls, no DLP rules, no approved-tool list — you effectively have no policy at all.
About Shadow AI Policy: We build AI acceptable use policy tools for HR and operations teams at 50–500 person companies. We publish guides on shadow AI, acceptable use policies, and AI governance, updated as regulations and AI tools change.
The short answer is that AI governance is no longer an abstract future concern — it's a current employment law question in Colorado, an August 2026 deadline if you have EU-facing tools, and a live data-security risk based on what your employees are doing right now with public AI tools. If you have employees in Colorado, map your HR AI tools against the SB 26-189 framework before year-end. If your business touches EU customers, check whether any customer-facing AI chatbot or content tool has a disclosure mechanism in place before August 2. And run an honest audit of which AI tools your employees are actually using — not just which ones you've approved.
Yes, if any of these apply to you: you employ Colorado residents (January 1, 2027 deadline for AI adverse-action disclosures); you have EU-facing AI chatbots or AI-generated content tools (August 2, 2026 Article 50 transparency deadline); or you have no technical controls — like DLP rules or an approved-tool list — backing up your written AI policy. The PagerDuty survey shows that written policies alone aren't working: two-thirds of workers are bypassing them anyway. Policy plus enforcement controls is the standard the EDPS and state AGs are beginning to expect.
No. The GAAIA is a 269-page discussion draft that hasn't been formally introduced in Congress yet, faces significant opposition, and even its sponsors describe it as "the start of a conversation." State employment AI laws in Colorado (effective January 1, 2027), Illinois (already in effect since January 1, 2026), and Connecticut (effective October 1, 2026) are current law — they apply now regardless of what happens federally. The GAAIA would only preempt laws governing AI model *development*, not laws governing how employers *deploy* AI in employment decisions. Your HR compliance exposure from state deployment-focused laws is unaffected by whatever Congress does with this bill.
Tailored to your industry and the AI tools your team uses. Free preview, $79 one-time or $149/mo with monthly updates.
Generate my policy kit →