By the Shadow AI Policy team
The week of June 4, 2026 delivered some of the most consequential AI governance news of the year so far. A new White House executive order, a landmark rewrite of Colorado's employer AI law, fresh data from Verizon's annual breach report exposing the scale of shadow AI in workplaces, and a significant enforcement infrastructure build-out by the EU AI Office all landed within days of each other — giving HR, legal, and compliance teams plenty to act on before summer.
This week's briefing covers four developments you need to know: President Trump's June 2 executive order on AI and cybersecurity and what it signals for private-sector AI governance; Colorado Governor Polis's signing of SB 26-189, which rewrites the state's employer AI law ahead of its June 30 deadline; Verizon's 2026 DBIR finding that shadow AI use through personal accounts has quadrupled in a year; and the EU AI Office's appointment of its new Scientific Panel and Advisory Forum, signaling that EU AI Act enforcement is shifting from preparation to operation.
Colorado's SB 26-189 is now law — if you have employees or applicants in Colorado and use any AI tool in hiring, promotion, or performance decisions, you need to map those tools now, before the January 1, 2027 effective date. Pair that with Verizon's finding that 67% of workplace AI users are running tools through personal, unauthorized accounts: if you don't have a written AI acceptable use policy, generate a tailored AI policy kit this week and close that gap before it becomes a compliance exposure.
What happened: On June 2, 2026, the White House issued an executive order titled "Promoting Advanced Artificial Intelligence Innovation and Security," reflecting the Administration's stated policy of advancing U.S. leadership in AI while addressing national security risks associated with increasingly capable AI systems.
What it does: The order outlines two approaches: strengthening U.S. Government and private industry cyber defenses in response to "advanced AI," and developing voluntary benchmarking and review frameworks for secure development and release of "frontier" AI models. The order emphasizes that its approach is voluntary and should not be construed as a mandatory licensing, permitting, or preclearance requirement. On the criminal enforcement side, the order requires the Attorney General to prioritize enforcement of federal criminal laws against anyone who uses AI to illegally access or damage a computer, specifically identifying 18 U.S.C. § 1028 (identity fraud), 18 U.S.C. § 1030 (the Computer Fraud and Abuse Act), and 18 U.S.C. § 1343 (federal wire fraud).
Why it matters for SMBs: The order's voluntary framework is primarily aimed at frontier AI developers, not typical mid-size employers. But legal analysts at WilmerHale note that although the EO's initiatives are framed as voluntary, its provisions may well migrate into procurement standards, sectoral cybersecurity guidance, and contractual requirements over time, particularly for clients in regulated industries or those doing business with the federal government. If you're a government contractor or operate in healthcare, finance, or utilities, watch for downstream procurement and contract requirements built on this framework. Read the full executive order at whitehouse.gov.
What happened: On May 14, 2026, Governor Jared Polis signed Senate Bill 26-189 into law. The bill repeals and reenacts the original "Colorado Artificial Intelligence Act" (SB 24-205), which was enacted in May 2024 and had been set to take effect on June 30, 2026. SB 26-189 regulates employers' use of automated decision-making technology (ADMT) in employment-related decisions, starting January 1, 2027.
What the new law actually requires: The rewrite is significantly narrower than the original and substantially reduces the compliance burden on employers. Gone are the sweeping bias audit requirements and annual impact assessments. What remains are concrete transparency and process obligations: when an AI-assisted decision results in an adverse outcome (such as a rejection, a termination, or a denial of an opportunity), the employer must, within 30 days, provide the affected individual with a plain-language explanation of the AI's role, the categories of data the system used, instructions on how to request correction of inaccurate personal data, and information on how to request human review. Additionally, workers and applicants who receive an adverse AI-assisted decision can request meaningful human review and reconsideration "to the extent commercially reasonable," and that human reviewer must have actual authority to override the decision and cannot simply defer to the system's output.
Coverage is broader than you might think: SB 26-189 applies to Colorado resident applicants and employees, and to individuals evaluated in a consequential decision by a person doing business in Colorado. Because most applications arrive through web-based systems, even employers with no operations in Colorado cannot assume the law will never apply to them. The compliance action item is clear: employers need a concrete grasp of which AI tools they use, what data they process with AI, what outputs AI is generating, how human decision-makers use those outputs, and whether AI outputs "materially influence" employment decisions. Distinguishing between AI tools that merely assist with administrative tasks and AI agents that actually "materially influence" consequential employment decisions will likely become one of the most important compliance questions under the new law. Read the full analysis from Ogletree Deakins at ogletree.com.
Below is a quick-reference comparison of what changed between the original Colorado AI Act and SB 26-189:
| Requirement | Original SB 24-205 (Repealed) | New SB 26-189 (Effective Jan 1, 2027) |
|---|---|---|
| Scope | Broad "high-risk AI systems" framework | Narrower "automated decision-making technology" (ADMT) that materially influences a consequential decision |
| Bias/Risk Audits | Annual impact assessments required | Not required under the new law |
| Pre-Use Notice | Required | Required — must be clear, conspicuous, and accessible at points of interaction |
| Post-Adverse Decision Disclosure | Required | Required within 30 days — plain-language explanation, data categories used, correction rights |
| Human Review Right | Required | Required "to the extent commercially reasonable" — reviewer must have actual override authority |
| Enforcement | Colorado AG; no private lawsuits | Colorado AG only; 90-day cure period before civil penalties (unless knowing or repeated violation) |
| Effective Date | June 30, 2026 | January 1, 2027 |
What happened: Verizon's 2026 Data Breach Investigations Report (DBIR), released in mid-May 2026, included the most concrete shadow AI measurement from a major credible source yet. Of the 45 percent of professionals who use AI in the workplace regularly, 67 percent were accessing the platforms through personal accounts not authorized by their IT teams. Verizon said that the share of users accessing AI through personal accounts now represents a fourfold increase in non-malicious insider actions detected across a dataset of more than 22,000 breaches globally.
The data exposure isn't theoretical: Verizon reported that 28 percent of data loss prevention policy violations involved employees entering source code into an AI tool, potentially exposing an organization's intellectual property. And this isn't just a junior-employee problem. A separate report from TrustedTech published May 25, 2026 found that senior decision-makers are the heaviest users of unapproved AI tools and continue using them despite being aware of the security and privacy risks — with 65% of decision-makers using shadow AI, compared with 31% of employees below decision-maker level.
Banning doesn't work: Nearly one-third of employees said they would continue using AI tools even if workplace rules prohibited them and disciplinary action was possible. Employees said they would likely turn to personal AI tools if organizations limited access because of higher software costs. The practical response isn't a ban — it's a policy that gives employees a sanctioned, visible path. Read the Verizon DBIR coverage at The Register and the TrustedTech report at Help Net Security.
What happened: On June 1, 2026, the European Commission appointed a Scientific Panel and an Advisory Forum to support enforcement of the AI Act. The two bodies will advise the Commission's AI Office and national authorities on applying rules, with members serving two-year terms. Specifically, the Scientific Panel brings together 60 world-leading independent experts with experience in frontier AI, engineering, technical auditing, industry, and societal impact, and will focus on general-purpose AI models and systems, systemic risks, model classification, evaluation methodologies, and cross-border market surveillance.
Why the timing matters: This panel is being stood up just two months before the EU AI Act's next major enforcement wave. The transparency rules of the AI Act will come into effect in August 2026. Under the EU AI Act Omnibus — which reached provisional political agreement on May 7, 2026 — the main high-risk AI deadlines have been deferred: Annex III systems (recruitment, credit scoring, law enforcement) must comply by December 2, 2027, and Annex I systems embedded in regulated products must comply by August 2, 2028. However, prohibited practices are already enforceable, with fines of up to €35 million or 7% of global annual turnover applying to violations of Article 5, including social scoring, manipulative AI, and biometric categorization based on sensitive attributes.
What SMBs with EU customers or employees need to act on now: The August 2026 Article 50 transparency deadline is not deferred. Under Article 50, providers must design AI systems intended to interact directly with individuals so that those individuals are informed they are engaging with an AI system; if you deploy such a system (e.g., a chatbot), users must be told unless it is obvious that they are interacting with a machine. Additionally, the AI Act Omnibus adds a further prohibition effective December 2, 2026, covering emotion recognition in workplace or educational settings and AI systems that generate non-consensual intimate imagery. Read the official EU announcement at digital-strategy.ec.europa.eu.
About Shadow AI Policy: We build AI acceptable use policy tools for HR and operations teams at 50–500 person companies. We publish guides on shadow AI, acceptable use policies, and AI governance, updated as regulations and AI tools change.
Three concrete deadlines are converging. If you have employees or applicants in Colorado, Colorado SB 26-189 takes effect January 1, 2027 — start mapping which AI tools materially influence your hiring, promotion, or performance decisions now, while the attorney general's rulemaking is still open. If you deploy chatbots or AI-facing tools to EU users, Article 50 transparency requirements under the EU AI Act kick in August 2, 2026 — users must be informed they're interacting with an AI. And regardless of geography, Verizon's DBIR finding that 67% of workplace AI users are on personal, unauthorized accounts means shadow AI is almost certainly happening in your organization — a written policy with clear data-handling rules is your first line of defense.
Yes, and specifically on two points. First, if your current policy doesn't specify which AI tools are approved and explicitly prohibit entering source code, confidential client data, or personnel information into personal-account AI tools, it needs to be updated this month. Verizon's DBIR shows 28% of DLP violations already involve code pasted into AI tools. Second, if you use any automated tool in hiring or employment decisions and have Colorado-based applicants, you need to add a pre-use notice procedure and a post-adverse-decision disclosure workflow before January 1, 2027.
Not directly, and not immediately. The June 2 executive order is primarily directed at federal agencies and frontier AI developers, and its voluntary benchmarking framework creates no mandatory compliance requirements for employers. However, legal analysts note that its provisions may migrate into government procurement standards and sectoral cybersecurity guidance over time — particularly for companies in regulated industries (healthcare, finance, utilities) or those with federal government contracts. Companies in those categories should monitor forthcoming CISA directives and related agency guidance for any downstream requirements.
Tailored to your industry and the AI tools your team uses. Free preview, $79 one-time or $149/mo with monthly updates.