News June 25, 2026

AI Policy News Roundup — June 25, 2026

By the Shadow AI Policy team

The week of June 19–25, 2026 brought a crowded policy calendar for HR, legal, and compliance teams at small and midsize businesses. Three regulatory fronts moved simultaneously: the EU AI Act's August 2 enforcement date loomed larger, Congress dropped its first bipartisan federal AI framework in U.S. history, and the latest shadow AI research confirmed what compliance teams have long suspected — two-thirds of employees are using unauthorized AI tools, and many are feeding sensitive company data into public models while doing it.

This briefing covers four developments you need to understand before the end of June: the EU Digital Omnibus AI deal reshaping your August 2026 compliance calendar; the bipartisan Great American AI Act discussion draft and its new whistleblower and WARN Act provisions; Colorado's last-minute repeal and replacement of its landmark AI Act; and fresh survey data from PagerDuty that quantifies exactly how bad the shadow AI problem has gotten — and where the sensitive data is going.

If your company operates in Colorado or has employees there, start mapping your automated hiring and performance tools against Colorado SB 26-189's definition of "covered ADMT" now — you have until January 1, 2027, but the pre-use notice and adverse-outcome disclosure workflows will take months to build. While you're at it, check whether your AI acceptable use policy addresses employees entering customer data into public tools like ChatGPT — the PagerDuty data shows a third of workers are already doing exactly that.

EU AI Act: The August 2026 Deadline Is Real, But Compliance Guides Written Before May Are Wrong

If your legal team's EU AI Act checklist predates May 7, 2026, it needs a revision. On May 7, 2026, negotiators from the Council of the European Union, the European Parliament, and the European Commission reached a provisional agreement on the terms of the Digital Omnibus on AI — the first set of amendments to the EU AI Act since its adoption in June 2024. That agreement reshuffled several key compliance deadlines that the entire compliance industry had been targeting.

The most consequential change: high-risk Annex III AI systems (use-based) now face an obligation deadline of 2 December 2027, a deferral of 16 months from the original August 2, 2026 date. For HR teams, Annex III covers AI used in employment evaluation and worker monitoring. But don't mistake the deferral for a clean pass: August 2, 2026 is not a non-event. Specific obligations do take effect that day, and GPAI fine enforcement begins.

Among the most visible changes in the Omnibus deal is the introduction of two new prohibited AI practices: the use of AI systems to generate or manipulate non-consensual intimate imagery, and the generation of child sexual abuse material. The prohibition, taking effect December 2, 2026, amends Article 5 of the EU AI Act to ban placing on the market or use of AI systems that generate realistic depictions of an identifiable person's intimate parts without freely given, specific, and explicit consent. Separately, the Commission published a Code of Practice on marking and labelling AI-generated content on June 10, 2026. Signing the Code is technically optional, but it provides a "presumption of conformity": essentially a safe harbor that carries significant weight in enforcement proceedings.

One enforcement reality that hasn't changed: prohibited practices have been enforceable since February 2, 2025, and GPAI model obligations have been binding since August 2, 2025. The largest tranche — high-risk AI, general deployer obligations, and the full penalty framework — activates August 2, 2026. Companies using AI in HR processes within the EU — including AI-powered CV screening or performance assessment — should confirm their vendor compliance status before August 2, regardless of the Omnibus deadline shift. Sources: Global Policy Watch (June 2, 2026) and the European Commission AI Act page.

Congress Drops First Bipartisan Federal AI Bill — And It Has Real Employer Teeth

On June 4, 2026, Representatives Jay Obernolte (R-CA) and Lori Trahan (D-MA) released a discussion draft of the Great American Artificial Intelligence Act of 2026 (GAAIA) — bipartisan legislation that would create the first comprehensive federal framework for governing AI in the United States. Most coverage has focused on its proposed three-year preemption of state AI development laws, but for HR and employment counsel, the more immediate provisions are elsewhere.

The bill would establish robust federal whistleblower protections for employees and independent contractors who report "AI violations" — defined broadly as any violation of federal law or regulations related to the development, deployment, or operation of AI. That definition covers a wide range of conduct, and notably extends to workers at any employer, not just the large frontier AI developers that are the primary targets of the governance provisions. Covered workers would be protected against discharge, demotion, suspension, threats, blacklisting, harassment, or any other form of discrimination for making lawful disclosures to a regulatory official, the Attorney General, a law enforcement agency, or Congress.

The WARN Act amendment deserves particular attention. The draft amends the Worker Adjustment and Retraining Notification Act to require 60 days' advance notice whenever AI is a "substantial factor" in a qualifying mass layoff. Additionally, the bill would require the Census Bureau and Bureau of Labor Statistics to revise federal surveys to include AI adoption and usage questions, meaning AI workforce adoption metrics may become benchmarked nationally. This is a discussion draft, not enacted law. Many observers believe the current Obernolte-Trahan discussion draft is unlikely to pass out of committee based on opposition from industry and various Members of Congress; it may be best viewed as a conversation starter developed out of frustration that Congress has not yet really legislated on AI. Still, the direction of federal scrutiny is unmistakable. Source: Fisher Phillips (June 2026) and SHRM.

Colorado Rewrites Its AI Law Three Weeks Before It Was Set to Take Effect

Colorado delivered a last-minute rewrite of the most significant state AI employment law in the country. On May 14, 2026, Governor Polis signed SB 26-189 into law, repealing and replacing the original Colorado AI Act (SB 24-205), which had been set to take effect June 30, 2026. The new law takes effect January 1, 2027. The original law would have required employers using AI in employment decisions to run risk management programs and annual impact assessments — obligations that had drawn a federal lawsuit and a DOJ intervention.

The new statute is meaningfully narrower. It forgoes three of the most significant obligations of the prior statute: risk management programs, impact assessments, and the duty to use reasonable care to prevent algorithmic discrimination. In their place, the law narrows its scope to automated decision-making technologies (ADMT) that make "consequential decisions" and imposes four new operational duties: to notify users when they interact with AI, disclose to consumers within 30 days of an adverse outcome, correct inaccurate personal data when requested, and provide meaningful human review and reconsideration.

For employers, the definition of who's covered matters. Under SB 26-189, "consumer" includes employees and job applicants who are Colorado residents, as well as any individual whose access, eligibility, or opportunity in Colorado is evaluated in a consequential decision by a person doing business in Colorado. That means any company using AI-assisted resume screening, performance scoring, or compensation tools for Colorado workers is potentially in scope — not just Colorado-headquartered businesses. Companies developing or deploying decision-support tools in Colorado should reassess their compliance roadmaps now. Mapping covered ADMTs and developing the general framework for compliance do not need to wait, as operational changes to implement consumer rights may take several months to execute. Source: Colorado General Assembly, SB 26-189 and Crowell & Moring.

The table below shows what changed — and what's new — for Colorado employers:

| Obligation | Original CO AI Act (SB 24-205) | New CO AI Act (SB 26-189, eff. Jan 1, 2027) |
|---|---|---|
| Scope | "High-risk AI systems" in consequential decisions | "Covered ADMT" that materially influences consequential decisions |
| Risk management programs | ✅ Required | ❌ Eliminated |
| Annual impact assessments | ✅ Required | ❌ Eliminated |
| Duty to prevent algorithmic discrimination | ✅ Required | ❌ Eliminated (existing anti-discrimination laws still apply) |
| Pre-use notice to consumers | ✅ Required | ✅ Required |
| Post-adverse-outcome disclosure | Partial | ✅ Required within 30 days |
| Meaningful human review | Partial | ✅ Required (to extent commercially reasonable) |
| Attorney General reporting | ✅ Required | ❌ Eliminated |
| Private right of action | Ambiguous | ❌ Explicitly prohibited; AG enforcement only |
| 60-day cure period | No | ✅ Yes (expires Jan 1, 2030) |

New Survey: Two-Thirds of Employees Use Unauthorized AI — And Are Pasting Customer Data Into It

The PagerDuty 2026 Shadow AI Survey, published June 15 and covered by TechRadar, puts hard numbers on a problem compliance teams already suspect. AI adoption in the workplace is outpacing the policies designed to govern it — and two-thirds (66%) of office professionals have used AI tools at work despite believing they were not permitted under company policy. That number alone is striking. What it reveals about data handling is worse.

The question of whether employees are adhering to AI policies matters because of the type of information they're feeding into public models. 43% have entered work-related correspondence into public AI tools such as ChatGPT, Claude, or Gemini that aren't part of their company's internal systems. More than a third (34%) have entered customer data or information into public AI tools. Another 31% have input financial information or disclosed confidential company documents or strategies. For any company under HIPAA, SOC 2, PCI-DSS, or EU GDPR, each of those categories represents a potential reportable breach depending on what was entered.

Policy awareness doesn't appear to be the core problem. While 86% believe their company has formal AI policies in place, more than four-fifths (81%) believe those rules are applied differently to leadership than to the rest of the workforce. More than half (53%) received informal guidance or feedback telling them to stop using unapproved AI, but continued anyway. Nearly as many (48%) faced formal consequences like official warnings or disciplinary action. The survey was conducted by Wakefield Research among 1,250 office professionals at companies with minimum annual revenue of $500 million, in non-IT roles, across the U.S., UK, Australia, and Japan, between April 9–20, 2026.

This data matters for policy design — not just policy existence. If you want to understand what a practical response looks like, generate a tailored AI policy kit that addresses data classification rules alongside tool approvals. Separate policies for "what tools are approved" versus "what data can be entered into any AI tool" tend to be more enforceable than a blanket list of approved apps. Source: PagerDuty 2026 Shadow AI Survey and TechRadar (June 15, 2026).

About Shadow AI Policy: We build AI acceptable use policy tools for HR and operations teams at 50–500 person companies. We publish guides on shadow AI, acceptable use policies, and AI governance, updated as regulations and AI tools change.

Common questions

What does this mean for my company?

This week's developments hit three separate compliance tracks. If you have EU operations or EU employees, confirm which of your AI tools fall under the EU AI Act's August 2, 2026 transparency obligations — the Omnibus deal deferred high-risk employment AI to December 2027, but GPAI and chatbot disclosure rules still activate August 2. If you have Colorado employees or job applicants, map your AI-assisted hiring and performance tools against SB 26-189's "covered ADMT" definition now — you have until January 1, 2027, but the pre-use notice and adverse-outcome disclosure workflows take time to build. And regardless of geography, the PagerDuty shadow AI data is a strong argument for auditing what data your employees are entering into public AI tools today.

Do we need to update our AI policy right now?

Yes, if any of the following apply: you use AI in hiring or performance decisions for Colorado employees; you use AI-generated content, chatbots, or GPAI tools in EU-facing operations; or you don't currently distinguish between "approved tools" and "data classification rules" in your acceptable use policy. The PagerDuty data shows that having a policy employees are aware of isn't sufficient — 86% of surveyed workers said their company had a policy, but 66% ignored it anyway. The gap is usually in clarity about what data is off-limits, not which tools are blocked.

What should HR teams specifically track from the Great American AI Act discussion draft?

Three provisions are worth watching closely even though the bill isn't law yet: (1) the WARN Act amendment that would require 60-day advance notice when AI is a "substantial factor" in a qualifying mass layoff; (2) the AI whistleblower protection applying to any employee at any company, not just AI developers — broadly covering retaliation for reporting AI-related violations of federal law; and (3) the new federal data collection mandate on AI's workforce impact, which will eventually inform enforcement priorities. None of these are in force today, but employers who document their AI-assisted workforce decisions now will be far better positioned if they become law.
