Weekly Security Brief

Week of Sunday, May 24, 2026

Key Insights

1. The Colorado AI Act Died Before It Took Effect

Twelve months ago, the Colorado AI Act was the most aggressive state AI law in the country. Six weeks before its effective date, it's notice-only paperwork and a footnote in a Department of Justice (DOJ) strategy memo.

The original act, signed in May 2024 with a June 30, 2026 effective date, required AI bias audits, impact assessments, and consumer disclosures backed by a $20,000-per-violation penalty schedule. It was the model other states copied. xAI sued in April 2026 on First Amendment grounds. DOJ moved to intervene on April 24, arguing the Colorado law violated First Amendment protections for algorithmic speech. Intervention is heavier than an amicus brief. It puts the federal government inside the case as a litigant, not commenting from the sidelines. On May 14, Colorado Governor Polis signed SB 26-189, replacing the original framework with notice-only requirements that take effect January 2027. The aggressive law is dead.

This was not accidental. DOJ's posture traces back to Executive Order 14365 in December 2025, which established an AI litigation task force charged with challenging state AI laws on constitutional grounds. A March 2026 Commerce Department evaluation under EO 14365 demanded federal preemption. When Congress failed to deliver (the AI moratorium provision was dropped from the FY2026 defense spending bill in negotiation), the executive branch shifted to courts. The same DOJ team will turn to California's privacy law AI amendments and New York's frontier AI bill (the RAISE Act) next. Major law firms tracking the litigation expect challenges filed within 60 days.

The federal regulatory map is moving too. The White House postponed its own AI executive order on May 21 over concerns it would slow US AI relative to China. The order, when it comes, is expected to give the National Security Agency a role in voluntary AI model testing alongside civilian agencies. Brussels delayed the EU AI Act to 2027 last week.

The Takeaway
The Colorado AI Act was the framework you were probably building toward. It's gone. So is the federal AI executive order, which the White House pulled last week. The regulatory ground under AI is moving faster than any compliance program can track. If your AI strategy assumes a stable rule set anywhere in the next eighteen months, rebuild it. The companies that win the next year are the ones whose AI deployments survive a regulatory swing in any direction.

2. Your Bank Just Sold the Mortgage on Your Software Vendor

Earlier this month we flagged the Financial Stability Board's estimate of $220 billion in bank exposure to private credit across its member jurisdictions. JPMorgan moved first.

JPMorgan signaled it is pulling roughly $4 billion out of the lending market that finances many software companies, citing AI-related bets on those companies that are souring faster than expected. When the biggest US bank steps back, smaller lenders adjust. That market is what keeps a lot of mid-stage software vendors solvent.

When credit gets pulled, the playbook is predictable: hiring freeze, product roadmap cut, layoffs, sale to a larger acquirer at a discount, or wind-down. The companies in your stack most exposed are mid-stage vendors that raised significant private-credit funding and aren't generating enough cash to cover their debt service. Many of them serve enterprises in payroll, HR, security, and CRM.

The Takeaway
The newest addition to your software stack may not be there in twelve months. The work is in your contracts. Every SaaS contract you sign or renew this year should specify data portability terms: what formats your data exports in, how long the vendor is obligated to keep your data accessible if they go under, and what extraction costs you bear. If the exit clause in your next renewal doesn't cover those three things, that's the negotiation.

3. Your Data Center Has a New Customer: The Grid

Data center power demand is outrunning what utilities can build. AI is the dominant new driver, layered on top of existing cloud and streaming growth. The Department of Energy has started giving grid operators emergency authority to curtail data centers before residential neighborhoods.

Data centers consumed roughly 4.4 percent of US electricity in 2023; the Department of Energy projects somewhere between 7 and 12 percent by 2030. The bulk of that growth is AI training and inference workloads. Utility planners cannot build at that pace. A new high-voltage transmission line takes seven to ten years. A new gas plant takes four to six. New AI compute capacity arrives on twelve-month schedules.

DOE has issued more than forty emergency orders under Section 202(c) in the past twelve months. That is the federal authority that lets the agency override the normal electricity market when reliability is at risk. Most of those orders respond to heat waves or generator failures. The new pattern is different. The May 18 order targeting PJM, the grid operator serving thirteen states and DC, authorizes PJM to curtail large data-center loads as a last resort before rolling blackouts hit residential neighborhoods. Northern Virginia's data center alley sits inside PJM and consumes more power than some entire states. When curtailment happens, the data center loses its grid feed and falls back to its on-site backup generators.

Most data-center leases written before 2024 do not address this. When DOE invokes 202(c) and PJM curtails the facility, four things become ambiguous at once. Your service level agreement is subject to a federal order the contract did not contemplate. The backup generators are running for longer and more often than the emergency-spike scenarios they were sized for. Someone has to pay for the fuel. Those generators are permitted as emergency-only assets under state air permits; routine grid-stress operation may breach the permits, and the liability chain reaches the tenant in some jurisdictions. When the curtailment extends past the generator's fuel runtime, your failover plan becomes whatever the colo operator can improvise on diesel deliveries.

Geographic redundancy matters more than it used to, and is more subtle than most companies realize. Two data centers in different states can still share the same grid. PJM covers thirteen states. MISO, the next-largest US grid operator, covers fifteen. A DOE order against PJM affects every operator inside PJM at the same time. Real grid-level redundancy means at least one of your facilities sits inside a different grid operator's territory.

The Takeaway
Data center power demand, driven primarily by the AI buildout on top of cloud growth, is now exceeding the grid's ability to expand. The Department of Energy has new authority to keep the grid stable by curtailing data centers before residential neighborhoods. Most colo and cloud contracts written before 2024 don't address what happens. Start with a question most boards cannot answer: which grid operators serve our data centers? Then pull the contracts and find out who pays, who's liable, and what your failover plan is when DOE invokes 202(c). Build geographic redundancy across multiple grid regions. Write the right to move your applications and data on short notice into every renewal. If those rights are not in your contract, you do not have them.

4. When Joe's Last Mile Express Gets Breached, You're Holding the Bag

Senator Tom Cotton sent a letter to the Department of Justice (DOJ) this week asking it to investigate whether Chinese-controlled last-mile parcel carriers operating in the United States are a national security risk. The story is not the letter. It is the question the letter forces every retailer to answer.

Cotton's May 19 letter to Acting Attorney General Todd Blanche named five carriers: Zongteng Group (which operates the YunExpress and Cirro brands), Gofo, SpeedX, UniUni, and J&T Express. These carriers grew rapidly with the cross-border e-commerce boom moving packages from Chinese sellers (Temu, Shein, AliExpress) into the US last-mile delivery network. The letter asks DOJ to investigate them on four vectors: foreign government data access, predatory subsidized pricing that may violate antitrust law, customs and tariff evasion, and opacity in the ownership chain. Any US retailer using those carriers, or whose marketplace partners use them, is inside the discovery sweep if DOJ opens a formal investigation.

This is the layer of vendor risk most companies do not track. Your procurement team probably negotiated the last-mile contract on cost per package, delivery speed, and coverage area. Ultimate ownership rarely surfaces. When that vendor has a cyber incident, the customer data they hold (delivery addresses, package contents, recipient names, signature records, GPS routes) is your customer data. Breach notification obligations fall to you because you are the data controller under state breach laws and federal sector rules.

Delivery-layer data has joined the categories the US government now treats as foreign-intelligence-relevant. The same logic that drove the TikTok divestment fight, Chinese-made drone restrictions, and port crane scrutiny is being applied to who knows where your packages go. If your shipping stack includes a carrier with foreign ownership, or a marketplace partner whose stack does, the regulatory question will land on procurement this year whether or not DOJ opens the investigation against the named carriers.

The Takeaway
If your last-mile delivery vendor has a cyber incident, the customer data they hold is your customer data. The notification clock is yours, the class action is yours, the regulatory inquiry is yours. Now imagine that vendor is owned by an entity DOJ is actively investigating on national security grounds. Treat delivery providers like the data-sensitive vendors they have become: inventory the ones you use, ask who owns them and what customer data they retain, and identify alternative carriers now. Replacing a vendor on your timeline costs a fraction of what a forced switch costs in a crisis.

5. Regulators Are Clocking the Delay, Not the Incident

Delta Dental Insurance Company and Delta Dental of New York paid New York's financial regulator $2.25 million last month for a cybersecurity incident. The incident itself was modest. The penalty was driven by a six-month delay in notification. New York's rules require notification of a covered cybersecurity event within 72 hours. Delta Dental detected a webshell in June 2023 and did not notify the regulator until December 2023. The consent order makes the timing the central finding.

This is the third regulator in three weeks to put notification timing on the enforcement frontier. The Oncology Institute, a Nasdaq-listed cancer-care company, filed a cybersecurity disclosure with the SEC this week, six months after its initial voluntary disclosure about a vendor incident. Forensic confirmation from the vendor's third-party administrator took half a year to materialize. In Germany, Unimed, a shared billing services provider, exposed six university hospitals through a single incident in April; the affected hospitals took five weeks to disclose. Across three jurisdictions and three incident types, the pattern is converging: regulators are clocking the delay, not just the incident.

The trouble for incident response programs is that discovery is rarely a single moment. The first alert often does not look serious enough to escalate. By the time forensic confirmation arrives, weeks or months may have passed. Most incident response plans treat the forensic finding as the notification trigger. New York and the SEC are increasingly treating the moment of initial suspicion as the trigger, with forensic work happening alongside notification rather than before it. Your managed security service provider (MSSP) monitors your systems. It cannot file regulatory notifications on your behalf. That is a function only your General Counsel or outside counsel can perform.

The Takeaway
The incident didn't get the regulator's attention. The six-month delay did. Your incident response plan probably treats notification timing as a downstream consequence of forensic certainty. Regulators are inverting that. The clock starts when you first knew something was wrong, not when the forensic report lands. Your MSSP cannot file regulatory notifications for you. You need outside counsel pre-engaged who knows which regulators apply, what the clocks are, and what triggers them. Figure that out during an incident and you've already missed.

6. Hormuz Is a Roller Coaster. Plan for the Ride.

Last week we said the Hormuz pass-through had arrived. This week three signals confirmed it is staying.

Frontline, the world's largest publicly traded oil tanker company, has contracted its Q2 large oil tanker rates at $181,700 per day. The same vessel class averaged roughly $78,000 per day in January 2026 before the war. The contracted Q2 rate is more than double that baseline. These are time-charter contracts. They do not unwind on a ceasefire headline. The cost of moving crude through summer is locked in at war-premium rates.

ADNOC, the United Arab Emirates' state oil company, told an Atlantic Council audience this week that full Hormuz flows will not return until 2027 even if the war ended tomorrow. The bypass pipeline that would carry the remaining volume is half-built. Chief of Naval Operations Adm. Daryl Caudle simultaneously testified to Senate Appropriations that escorting commercial shipping through the strait "would exceed the capacity of the Navy to do that effectively." The two backstops boards have been assuming, a quick supply rebound and US Navy escort, were both publicly removed this week.

At the same time, three large crude tankers cleared the strait Wednesday under Iranian coordination. Iran and Oman are negotiating a formal toll regime. The shipping market is settling into a new baseline: managed access at Iranian discretion. The last regional war in this part of the Middle East lasted twenty years. This one has no combat troops on the ground, but it has cyber operations, kinetic incidents, sanctions waves, and energy-market shocks that arrive without warning. Your Q3-Q4 fuel and shipping cost baseline has moved since February. Most CFOs have not refreshed the model.

The Takeaway
This week three tankers transited Hormuz under Iranian coordination. The same week, the contract paper said no full flows until 2027. Both are true and both will remain true. The Hormuz disruption has graduated from a crisis to a multi-year cost baseline you cannot wait out. Refresh your Q3-Q4 fuel and shipping cost model to the term-paper rate, not the spot price. Build inventory buffer for any critical input that routes through the Gulf. Pre-negotiate fuel surcharges with your top customers before they negotiate with you. Anyone still modeling a return to pre-war normal is modeling a future that is not arriving.

7. Brazil's Privacy Fines Are About to Get Bigger Than Europe's

Brazil is about to raise the maximum penalty for a data privacy violation tenfold. Brazil's General Data Protection Law (LGPD), passed in 2018 as a close adaptation of the EU's GDPR, has historically been enforced lightly. Brazilian legislators are advancing PL 4530/23, a bill that would raise the maximum LGPD fine from two percent of company revenue to twenty percent. That is five times GDPR's four-percent ceiling. The bill also doubles the per-violation cap to R$100 million (approximately twenty million US dollars). The Brazilian data protection authority, ANPD, published its 2026-27 enforcement priorities this month: artificial intelligence training data, children's data, and public-sector data processing.

The audience for this is wider than most boards assume. Any US or European company with Brazilian customers, employees, suppliers, business partners, or data routed through Brazilian servers is covered. Many multinationals assumed LGPD enforcement would lag GDPR for years. That assumption is no longer safe. ANPD has open investigations into Meta's AI training data and into roughly two dozen football clubs over facial recognition. Brazil's largest LGPD fine to date is roughly R$9 million, about $1.8 million US dollars. Under the new ceiling, an enforcement action against a major multinational could produce a fine larger than any single GDPR penalty on record.

The Takeaway
If your company touches Brazil at all (customers, suppliers, business partners, or data routed through Brazilian servers), your privacy exposure is about to go up by a factor of ten. Brazil's LGPD is its equivalent of the EU's GDPR. The maximum fine is about to jump from two percent of revenue to twenty percent, and the regulator is already pursuing AI training data and biometric collection cases. Refresh your Brazil exposure assessment this quarter. Have your global counsel pay specific attention to what your business units are collecting in AI training data and biometrics, often without privacy review. That is where your fine will come from.
