Nicholas You, Esq. @nicholasyou - Tumblr Blog

You Can See the AI Spend. Can You See the Return?

95% of companies report no measurable return on their generative AI spend. MIT put that number out last year. The budgets have grown anyway.

They can show you the usage charts. That's the problem.

This is part three. The first post asked whether you can see your AI spend. The second showed why that spend keeps climbing. This one asks the harder question: did it buy anything?

Key Takeaways

1. Define a cost-per-outcome metric for every funded AI workload, and measure it before you scale.

2. Adoption numbers measure activity. Pair each one with a result the business can name.

3. Kill the token leaderboards. Ranking teams by usage rewards spend, not value.

4. If nobody can say what a workload shipped, stop funding it until they can.

Why 95% See No Return on Investment

MIT's NANDA study put the figure at 95% of organizations with no measurable return from their generative AI initiatives, against more than $30 billion invested. The report's own explanation is worth reading. The failures were not about model quality or regulation. They came from tools that never integrated into real workflows, pilots that never reached production, and money aimed at visible functions like marketing instead of the back-office work where the return was.

Gartner's latest forecast puts worldwide AI spend at $2.59 trillion in 2026, and its lead analyst said plainly that CIOs are struggling to prove value and show tangible business outcomes. The spend is real. The proof is missing.

What Should Get Measured Instead

Most AI programs measure activity, because activity is easy to count. Seats provisioned. Monthly active users. Tokens consumed. Percent of code written by an agent. Uber ranked its engineering teams on an internal leaderboard by how much AI they used, and it is not alone.

The industry has a name for it now: tokenmaxxing, burning tokens to win a metric. Then Uber's own COO admitted he could not draw a line from all that usage to features riders and drivers actually got. Near-total adoption, and the value still has to be argued.

What Cost-Per-Outcome Means

Cost-per-outcome is simple to say and hard to dodge: for a given workload, what did you spend, and what did the business get. Say a contract-review agent costs $40,000 a year and takes nine days off the average review cycle. That has an outcome. A summarization tool that costs the same and saves time nobody can point to does not. The number forces the question most dashboards avoid: name the result.

You do not need a perfect model of ROI. You need every funded workload to have an owner who can say, in one sentence, what it produced.

Recommendations

1. Require a named outcome before funding. No workload gets a budget line without one sentence on what it will produce and how you will know.

2. Report cost-per-outcome next to cost-per-token. Finance already sees the spend. Governance should put the result beside it.

3. Retire the workloads that cannot answer. The agent nobody can tie to an outcome is the first line item to cut.

You can measure how much AI your company uses by Friday. Measuring what it produced is the harder number, and it is the only one that settles the ROI question.

Count that one.

Cheaper Tokens, Bigger Bills

Uber capped employee AI spending this spring after burning a full year of budget in four months. This week, the Wall Street Journal reported that OpenAI is weighing drastic token price cuts to pull customers from Anthropic.

So token prices are falling and token bills are climbing, at the same time. In my last article I argued that spend and usage belong in your AI governance program as a named pillar. This is the part of that problem that gets worse before it gets better.

Key Takeaways

Cheaper tokens will not lower your AI bill. Budget for the bill, not the price.

Every autonomous agent needs a kill switch and a hard spend cap. An agent with neither is an open tab.

Audit agent schedules. The most expensive agent is usually a simple job running far more often than it needs to.

Put cost attribution at the agent level, not the tool level. You cannot govern a number you only see at invoice time.

Why Cheaper Tokens Raise the Bill

If cheaper compute lowered the bill, cloud invoices would have fallen sometime in the last fifteen years. They didn't.

Lower unit prices pull more work onto the platform, and the total climbs. Tokens work the same way.

A price war between OpenAI and Anthropic is good news for your per-token rate and almost no news for your monthly spend, because the savings get spent on more usage before they reach finance.

That is the trap behind the headlines. Leaders hear "prices are dropping" and relax the one control that matters. Usage drives the bill, and usage is going up.

The New Failure Mode is the New Agent

A chatbot costs what a person types. An agent costs whatever it decides to do, on its own, until something stops it. A single agent stuck in a loop can burn most of a team's annual model budget in a week. No attack, no malice, just no kill switch and no human watching the meter.

The expensive agent is rarely the clever one. It is the simple job someone wired to run every 15 minutes when twice a day was enough. Multiply that across every team that spun up an agent on a Friday afternoon, and you get a bill nobody can explain and nobody owns.

Most of us are a few quarters into handing every team unlimited tokens and calling it transformation. That phase ends the first time an agent runs all weekend.

The Controls That Actually Help

Kill switches and circuit breakers - Every agent gets a hard stop on tokens, cost, and run time, with an alert that fires before the cap, not after.

Cost attribution per agent - You should be able to name your five most expensive agents and what each one produced. If you cannot, that is the project.

Schedule discipline - Match run frequency to real need. Most overspend is not a runaway loop, it is a routine job running ten times more often than the business requires.

Recommendations

Budget for rising usage even as prices fall, and tell your board before the variance does.

Require a kill switch and a spend cap on every agent before production, the way you would never ship a service account with no password policy.

Review your top agents by cost every month, and retire or reschedule the ones nobody can tie to an outcome.

Prices will keep dropping. Bills will keep climbing. Govern the usage, not the price.

Your AI Governance Program Doesn't Watch the Meter

An enterprise reportedly spent half a billion dollars on AI in one month before anyone caught it.

The tools were sanctioned. The models were approved. Nobody was watching the usage.

Most AI governance programs govern risk, privacy, and model behavior. Almost none govern spend and usage. That gap is where the budget overruns and the shadow AI both live, and it is the same gap: the control that tells you what your teams are spending is the same control that tells you what they are running. Spend and usage governance should be a named pillar of your AI program, with an owner, not a quarterly surprise from finance.

Key Takeaways

Put a spend-and-usage pillar in your AI governance charter, with one accountable owner who sits across finance, security, and the governance committee.

Require usage visibility before you scale: per-team tagging, cost-per-token tracking, and hard spend quotas on every sanctioned tool.

Treat shadow AI as a usage problem you can measure, not a policy you can wish into compliance.

Tie every AI workload to a business outcome. If nobody can name what it produces, that is your first candidate to cut.

What AI Governance Covers & Where It Stops

NIST AI RMF organizes around Govern, Map, Measure, and Manage. ISO/IEC 42001 builds a management system around risk and accountability. The EU AI Act sets obligations by risk tier. All three ask whether a model is safe, fair, documented, and supervised. None of them ask what it costs to run or whether anyone is watching the meter. Finance has a discipline for that, FinOps, and the FinOps Foundation now publishes a "FinOps for AI" guidance set built around cost-per-token, quotas, and resource tagging. The catch is the org chart. FinOps lives in engineering and finance. AI governance lives in legal, risk, and compliance. The two rarely share a table, and spend falls between them.

Why Token Spend is a Governance Problem

Cheaper tokens raise the bill, because they multiply the number of places you use them. Economists call it Jevons paradox, and it is running through AI budgets right now. The half-billion-dollar month was an extreme case, but the pattern is everywhere. Uber burned through its 2026 AI coding budget by April, and its COO said publicly he could not yet connect that spend to better product. MIT's NANDA study found 95% of companies see no measurable financial return on their generative AI investment, even as Gartner forecasts worldwide AI spending will reach $2.59 trillion in 2026, up 47% year over year.

Uncontrolled usage is uncontrolled risk. Every tool nobody approved is also a data path nobody secured, and the spend signal is the earliest place you can see it. You can't manage what you don't measure, and usage is the thing most programs never measure.

What a Spend & Usage Pillar Looks Like

One instrument does two jobs. Usage visibility holds down the runaway bill and shows you the shadow AI at the same time. In practice:

Quotas and spend limits on every sanctioned tool, set before rollout, not after the invoice.

Per-team and per-use-case tagging, so cost attaches to a named owner.

A cost-per-outcome metric for each workload, so the bill maps to something the business actually got.

Model routing rules: the cheapest model that clears the quality bar, chosen on purpose.

Shadow AI discovery connected to the same dashboard, because the tool nobody approved is the tool nobody is costing or securing.

Recommendations

Spend and usage should appear in your AI governance charter next to risk and privacy, with one accountable person who reports to the governance committee and partners with finance.

No workload should reach production scale without tagging, a spend quota, and a stated business outcome.

Run shadow AI discovery monthly and treat the findings as governance data, not an IT cleanup.

Review cost-per-outcome every quarter with the same seriousness you give model risk. The workload nobody can justify is the first one to retire.

What the June 2 AI Executive Order Actually Means for Private Companies FAQ

The June 2, 2026 executive order on advanced AI generated a lot of "do we need a license now?" emails. Short answer: no.

Here are the questions clients have actually asked me this week, with straight answers.

Does this order create a federal AI license or a preclearance requirement?

No. The order is explicit that it does not establish mandatory licensing or pre-release approval for AI models. It sets up a voluntary opt-in framework where developers of the largest models can choose to give the government pre-release access. If you were bracing for a permitting regime, that is not what this is.

Who does the order actually bind?

Federal agencies. The operative deadlines and directives run to CISA, Treasury, Commerce, and DOJ, on 30 and 60-day clocks. CISA gets authority to issue Binding Operational Directives for federal systems. Treasury stands up an AI cybersecurity clearinghouse. None of that is a direct obligation on a private company.

Do my company's compliance obligations change because of this?

Not from this order. Your obligations still come from where they came from yesterday: state privacy laws, your sector regulator, and what you promised customers in contracts. The order does not preempt or rewrite any of those. If someone tells you the EO "changes your AI compliance posture," ask them which clause. There isn't one that does.

What is a "covered frontier model" and should I care?

It is a classification the order creates for the most capable models, the ones with the largest training compute. Most companies do not build these. You care for one reason: if a vendor you rely on builds or hosts a covered frontier model, government security expectations attached to that designation can reach you through your contract with that vendor. That is the realistic transmission path for a mid-market company. It is a vendor-risk question, not a direct-compliance question.

Could this order create legal exposure for us?

Indirectly, and only through statutes that already exist. The order directs DOJ to enforce current law against AI-enabled fraud and computer crime, naming 18 U.S.C. §§ 1028, 1030, and 1343. Those statutes covered this conduct before June 2. The order signals enforcement priority, it does not create a new offense. If your AI use was clean last month, it is clean now.

What should I actually do this quarter?

Three things. Read your contracts with any AI vendor and find out whether they touch a covered frontier model. Confirm your existing privacy and security commitments are documented, because that is still the regime that governs you. And tell your board the honest version: this order points at federal systems and model developers, and your job is to watch the vendor channel, not to chase a license that does not exist.

Sources: Executive Order, "Promoting Advanced Artificial Intelligence Innovation and Security" (June 2, 2026); 18 U.S.C. §§ 1028, 1030, 1343.

Tokenmaxxing & the AI Bill Companies Forgot to Price

The free and cheap AI access of the last three years was a customer acquisition cost. Providers were buying adoption. They needed companies to build workflows around their models and employees to stop doing certain tasks by hand, and both happened faster than anyone expected. The pricing is moving now and the dependency is already set. Most companies measured neither.

The savings everyone projected rested on one assumption: that AI is a fixed, cheap, reliable input. It is none of those things at scale. Token spend is variable, it is rising, and it is set by a price list you don't control. The workforce that could have absorbed the difference is smaller than it was.

The discount was always temporary

Aggressive pricing built to win the market. Free consumer tiers, cut-rate API access, enterprise deals priced to win the relationship before anyone compared cost to output. The goal was to get models into daily work before companies built a habit of asking what each task actually costs.

That worked. Now two things are pushing the real cost up. Newer models cost more per token than the ones they replace. And the move to reasoning models and agents multiplies how many tokens a single task consumes, because the model thinks in tokens and an agent loops until it finishes. A task that cost a fraction of a cent in 2023 can cost real money when an agent runs it end to end.

Switching is expensive once your processes assume the model is there. That is the position providers wanted you in, and it is the position a lot of companies are now in.

Tokenmaxxing turned consumption into the metric

A lot of leaders told their teams to use AI for everything and treated usage as a sign of progress. Some started tracking tokens or AI activity as a proxy for productivity. The result is an organization optimized for consumption instead of output.

You can't manage what you don't measure, and plenty of teams measured the wrong thing. Token volume tells you how much the model is being used. It tells you nothing about whether the work got better, faster, or cheaper per unit. When the metric is "are people using AI," people use AI, including on tasks where it adds cost and no value.

The capability is quietly degrading

When people stop drafting, analyzing, and troubleshooting by hand, the skill fades. This is the cost that never shows up on an invoice. It shows up the first time the model is wrong, down, or rate-limited and nobody in the room can catch the error or do the work the old way.

The viral version of this point is blunt: the people you let go knew what to do when something broke, and the model just bills you for the downtime. The blunt version is mostly right. Judgment and the ability to operate without the tool are the things that erode first and matter most when something fails.

A fixed cost became a metered one

Salaries are predictable. You know the number for the year. Token spend is variable, it scales with use, and it is tied to pricing you don't set. Reports are starting to surface where the cost of running agents on a workflow approaches or passes what the company paid the people who used to do it. I would treat the specific numbers with caution, but the direction is real and the mechanism is simple. More capable models, plus agentic workflows, plus a culture of tokenmaxxing, gives you a bill that climbs.

There is also a reliability problem hiding inside the cost. When the budget cap hits or the service goes down, the work stops, and there is often no fallback because the fallback was a person. That converts a predictable fixed cost into an uncapped variable one with a single point of failure.

The access problem is a governance gap

To do real work, an agent needs access. Systems, contracts, internal plans, customer data. Companies are granting that access fast, often without the controls they would demand from any other third party touching the same data.

This is the part I spend most of my time on, and it gets the least attention in the rush to deploy. An agent with broad standing access is a third party with deep reach into your systems and weak oversight. The fix is not exotic. Scope permissions to the task. Log what the agent reads and does. Apply least privilege. Keep an off switch a human controls. These are the same controls you would put on any contractor with keys to sensitive systems, and most AI deployments skip them.

What to do before the bill lands

The companies that get hurt worst here are the ones that treated AI as a replacement and a permanent discount. Treat it as what it is: a metered input from a vendor, with the same cost discipline and risk controls you would apply to any dependency that can raise prices and go down.

Three moves now:

Measure cost per outcome, not token volume, and kill any metric that rewards usage for its own sake.

Keep the people who exercise judgment and can operate when the tool is wrong or unavailable.

Govern agent access like the third-party risk it is, with scoped permissions, logging, and a human-controlled off switch.

AI augments people who know what they're doing. As a replacement for them, it is weak, and the bill that is coming will be smaller for the companies that understood that before they cut headcount.

California Won't Let It Go

Disney had opt-out controls. Consumers still needed to click up to 10 different buttons across Disney+, Hulu, and ESPN+ to actually stop the sale of their data.

Having a mechanism and having an effective mechanism are two different problems. On February 11, California's AG made that distinction worth $2.75 million.

Conceal, Don't Feel

The California Attorney General secured the largest CCPA settlement in the state's history against The Walt Disney Company. The violations came down to fragmentation in how Disney handled consumer opt-out rights across its streaming ecosystem.

Opt-out toggles only applied per device, per service. A consumer who opted out on Disney+ on their phone still had data flowing from Hulu on their laptop and ESPN+ on their smart TV. The webform opt-out only stopped Disney's own ad platform. Third-party ad tech partners kept receiving data. GPC (Global Privacy Control) signals were limited to a single device, even when the consumer was logged into their account.

The AG cited both the CCPA (Civil Code Sections 1798.120 and 1798.135) and California's Unfair Competition Law. This was the seventh CCPA enforcement action and the largest by a wide margin. The previous record was $1.55 million.

Into the Unknown

I've seen this exact pattern in client work. A company deploys a toggle, checks the compliance box, and moves on. Nobody maps the actual data flow to figure out whether the toggle does what consumers think it does. The opt-out exists on paper. In practice, data keeps moving through vendor pipes that nobody connected to the mechanism.

Disney isn't unique here. They're the biggest name to get caught doing something that is common across media, retail, and any industry running a multi-product ad-supported ecosystem.

The deeper problem is that most opt-out implementations were built product by product, not designed as a unified system. Privacy engineering and product teams often operate independently, and the result is exactly what the AG described: a consumer who thinks they've opted out but hasn't, because "opt-out" means something different on each platform.

The Cold Never Bothered Me Anyway

$2.75 million is a rounding error for Disney. Three years of AG oversight is the actual cost.

The settlement requires Disney to implement account-level opt-out for all logged-in users across its streaming services. It includes anti-dark-pattern requirements for how opt-out choices are presented, obligations to notify downstream third-party ad tech partners when a consumer opts out, three years of compliance monitoring with 60-day progress reports to the AG's office, and annual compliance reports.

That's a three-year regulatory residency program. And it sets the template for what the AG will expect from every company going forward.

The Next Right Thing

If you're running a privacy program, start here:

Walk your own opt-out. Pick one consumer profile, log into every service your company offers, and try to opt out of the sale or sharing of your data. Count how many clicks it takes. If it's more than one for a logged-in user, you have a problem.

Map the opt-out to your actual data flows. When someone clicks that toggle, does data actually stop flowing to your ad tech and analytics vendors? If your privacy team can't answer that question in under 30 seconds, your opt-out is decorative.

Audit your GPC signal handling. If a logged-in user sends a Global Privacy Control signal from one device, that preference should carry across every service tied to their account. Single-device GPC honoring is what got Disney here.

Notify your downstream vendors. The settlement requires Disney to tell third-party ad tech partners when a consumer opts out. If you don't have a mechanism to push opt-out signals to your vendors, the consumer's choice dies at your front door.

Check your UX for dark patterns. If opting out requires more steps than opting in, a regulator will notice. The AG included anti-dark-pattern requirements in the injunction for a reason.

Colorado Just Changed Its AI Law. Read It Before You Relax.

Most of the coverage of Colorado SB 26-189 is calling it a reprieve. That framing is going to get a lot of compliance programs in trouble.

Governor Polis signed SB 26-189 on May 14. It repeals and replaces SB 24-205, the original Colorado AI Act, and takes effect January 1, 2027. The statutory furniture got rearranged. The liability underneath did not.

What's gone: the mandatory risk management program tied to NIST AI RMF or ISO 42001, annual impact assessments, the duty to self-report algorithmic discrimination to the AG, and the freestanding duty of reasonable care to consumers. These were the most operationally expensive pieces of SB 24-205, and the business community got the relief it asked for.

What stayed, and what's new, is where the work actually is. Developers still owe deployers documentation covering intended uses, training data categories, known limitations, and human review instructions. Deployers still owe consumers clear notice before a Covered ADMT materially influences a consequential decision in employment, financial or lending services, housing, healthcare, insurance, education, or essential government services. Within 30 days of an adverse outcome, deployers owe a plain-language explanation of the ADMT's role and a process for the consumer to request meaningful human review where technically feasible. Three-year recordkeeping applies on both sides. The statute also voids any contract clause that purports to indemnify a party for its own discriminatory ADMT acts, which means every AI vendor contract signed in the last 18 months needs a fresh read.

The piece most clients are underestimating is the "meaningful human review" standard. The statute requires a reviewer with actual authority to override the system, who considers relevant evidence, and who is trained for the role. A recruiter who rubber-stamps an AI-generated candidate ranking does not satisfy this. If your employment, credit, or claims process has a human in the loop in name only, you have a build problem. Documentation will not paper over it.

There's a litigation overlay worth tracking. xAI sued the Colorado AG in April over SB 24-205, the DOJ intervened in support, and the court stayed enforcement on April 27. AG Weiser has said he will not enforce SB 24-205 or its replacement, including SB 26-189, until rulemaking concludes. The January 1, 2027 date is real, the enforcement posture is genuinely uncertain, and waiting for the rules to settle is the more expensive option once they do.

Four things I'd push clients to do now.

Inventory the ADMT footprint. If you cannot list every system that processes personal data and produces a prediction, score, ranking, or recommendation feeding a consequential decision, you cannot scope the program. Start there.

Re-paper vendor contracts. The indemnification voidance flips the risk allocation. Anti-discrimination liability under existing Colorado and federal law is fully preserved, so contract repair work is urgent and probably overdue.

Operationalize human review. Map the workflow, identify the reviewer, document the authority to override, and build the training. The output is a working process, with people doing real review. A policy memo in a binder is not the deliverable.

Treat January 1, 2027 as the floor. Companies that wait for final rules will be retrofitting under deadline pressure while their competitors are already running. The seven-month runway closes fast.

The biggest risk in moments like this is reading "the rules got easier" and concluding "the risk got smaller." It did not. Build for the exposure.

You Can't Govern What You Can't Classify

The risk tier on the model means nothing when nobody can tell what went into training it.

Most of the AI governance programs I've reviewed in the past eighteen months look mature on paper. Tiered model inventories. Approval workflows. A named oversight committee with a charter. Quarterly board reporting. The artifacts are real, the policies are written, the training is rolled out.

Then you ask one question that should be easy: which data classes were used to train this model, and where are they classified in our data inventory? The room goes quiet. Somebody pulls up a SharePoint folder. Somebody else opens a ticketing system. Twenty minutes later you have a half-answer and three follow-ups out to engineering.

That is the program failing in real time. The governance layer is sitting on top of a foundation that was never built.

The Risk Tier is Just a Guess If Your Inputs are Unlabeled

Tiered model inventories assume you know what each model touches. Rating a hiring-screen model as "high risk" only matters if you can confirm whether protected-class attributes are in the training data, the embeddings, or the inference inputs. A "low risk" internal productivity assistant is low risk until someone discovers it indexed the legal team's shared drive, which holds attorney-client privileged matter, settlement terms, and PII from former employees.

Without a working data classification scheme behind the model inventory, the risk tier is a label your governance committee assigned based on intended use. Not actual use. Not actual exposure. The committee is rating a movie they haven't watched.

Three Breaking Points & Their Impacts

The regulator inquiry. A state attorney general or a sector regulator sends a request asking whether a specific class of consumer data was used in model training or fine-tuning over a defined period. If your classification is incomplete or trapped in unstructured policy documents, the answer becomes a 60 to 90 day forensic exercise across legal, privacy, data engineering, and the model owners. Outside counsel bills against that timeline. The cost is not theoretical.

The vendor DPA gap. Third-party model providers and AI-enabled SaaS vendors increasingly require the customer to represent that no special-category data, no protected health information, and no children's data will be transmitted through the API. If your classification doesn't tag those data classes consistently across systems, the data protection addendum you signed is unenforceable on your own side. The vendor passes the audit. You don't.

The ediscovery and breach exposure. When a breach affects a system that fed an AI training pipeline, the question is not just what was in the system. It is what propagated downstream. Without classification labels traveling with the data into the model lifecycle, breach notification scope becomes a guess. Regulators in California, Colorado, and New York are not accepting "we are still investigating" as an answer at day 75.

The Frameworks Already Told You This. Most Programs Skipped the Chapter.

The frameworks AI governance teams cite when they pitch their program to the board already require this work. Teams cite the framework. They skip the part that asks for the homework underneath.

NIST AI RMF GOVERN 1.2 asks the organization to establish the legal and regulatory requirements involving AI, and MAP 4 asks for context establishment that explicitly includes the data the AI system depends on. You cannot map context if your data inventory does not know what it has.

ISO/IEC 42001 Annex A control A.7 covers data for AI systems, and A.7.4 specifically addresses the quality of data used in development and operation. Quality is a downstream attribute. Classification is the input.

EU AI Act Article 10 imposes data governance obligations on high-risk AI systems, including examination of biases, gaps, and shortcomings in training, validation, and testing data sets. Article 10(5) allows processing of special categories of personal data for bias detection only when strictly necessary, with safeguards. Knowing whether your data set contains special-category data is the prerequisite to invoking that clause.

GDPR Article 5(1)(b) requires purpose limitation. Article 5(1)(d) requires accuracy. Article 30 requires records of processing. If your AI training data is not classified, your Article 30 record is wrong by default, and your purpose-limitation analysis cannot be completed.

The frameworks are not asking for new work. They are asking for work most programs are pretending they already did.

What Records Retention Has Been Doing Right for 30 Years

The information governance discipline figured this out before AI was on the agenda. Defensible disposition rests on a classification scheme that tags records at creation and supports a legal hold that travels with the record. The records team can answer "what was in custody, in what state, on what date" because the labels were applied at the source.

AI governance has been trying to build the same defensibility without the same foundation. The model inventory is the records schedule. The classification scheme is the labeling. Without the second, the first is a list.

This pattern shows up across adjacent programs. Privacy, records, third-party risk, and AI governance all sit on the same substrate. Classification is the load-bearing wall. Every program above it is borrowing capacity from a wall that may or may not exist.

What to Do Before Standing Up Another Committee

Before the next AI oversight committee charter goes to the board, run a 30-day check on the layer underneath. Three questions, asked to the data owners, not the governance team:

Can you produce, in plain language, a list of the data classes your team owns and the classification level assigned to each? If the answer requires a meeting, the answer is no.

For each AI use case in the model inventory, can the model owner identify which classified data classes feed training, fine-tuning, retrieval-augmented generation, and inference? If they have to ask engineering, the answer is no.

If a regulator asked you tomorrow whether a defined data class was used in any AI system in the past twelve months, what is the realistic turnaround? Anything over two weeks tells you where the gap is.

If the answers are not clean, stop the committee work. Start the classification work. Apply it consistently. Label at the source. Propagate through the pipeline.

Fix the foundation. The committee can wait.

The model is only as governable as the data feeding it.

That is the whole job. Anything above that layer is paperwork.

Anthropic's Mythos found 10,000+ critical flaws in code that governments and infrastructure already run. Nobody is asking the harder question: Who's going to fix them? Project Glasswing is expanding from about 50 partner organizations to 150 across more than 15 countries. The headline number is the 10,000-plus high and critical vulnerabilities Claude surfaced, not the expansion itself. The line that should stop you is buried lower in the announcement: the bottleneck has moved from finding vulnerabilities to patching them. I've said for years that you can't manage what you can't measure. AI just solved the measurement problem at a scale we've never had. It did not solve the management problem. Those are different jobs, and most security programs are built for the first one. Here's what makes this worse than a backlog. A lot of the flawed code Glasswing found sits in small vendors and open-source projects that critical systems depend on. Most organizations never mapped those dependencies, so they have no idea which of the 10,000 flaws touch their own stack, and no relationship with the parties who would have to push a fix. That is concentration risk and fourth-party risk you can now name, with a number attached. So the question for a GC, a CISO, or a risk lead is not whether AI can find your exposure. Assume it can, and assume your adversaries are running the same playbook. The question is whether you have a disposition process for what it surfaces. Who owns remediation. How you triage 10,000 findings into the few hundred that actually reach you. What you do when the fix lives three vendors deep and you have no contract leverage to demand it. If you can't answer those in a room, the scan made you more liable, not more secure. A documented vulnerability you chose not to act on is a worse position than one you never knew about. ✅ Start with the boring work that nobody funds. ✅ Map your software dependencies past the first tier. ✅ Build the remediation workflow before you run the scan, not after. That's the part AI won't do for you.

Connecticut's New AI Law (SB 5) Just Made Your Hiring Software a Compliance Problem

The hiring software you renew in 2026 is the software you'll defend to a Connecticut regulator in 2027.

Senate Bill 5 is now law (Public Act 26-15), and most of the coverage is about chatbots and kids on social media. Those parts matter. But the provision that should pull a legal or compliance leader out of their chair is the one almost nobody is leading with: employment AI.

Connecticut now regulates "automated employment-related decision technology." The definition is wide on purpose. It covers any system that processes personal data and produces a prediction, ranking, score, or recommendation that is a "substantial factor" in an employment decision. Substantial factor means it "meaningfully alters the outcome." That language reaches past the fully automated rejection bot. It catches the resume screener, the candidate ranker, the interview-analysis tool, and the workflow that quietly nudges a human reviewer.

If a person still makes the final call, you are not off the hook. If the tool shaped the call, you are in scope.

3 Takeaways Worth Your Time Now

This is a disclosure-and-transparency law, not a risk-assessment law. Connecticut did not require impact assessments or internal governance documentation, and it did not adopt the "algorithmic discrimination" framework other states have fought over. The obligations center on telling people what you are using. Lighter than Colorado on paper. Still real.

Certain uses of these tools are defined as an unlawful discriminatory practice. That moves AI hiring from a policy concern into civil-rights exposure with teeth. The bill also adds reporting requirements for layoffs that AI causes or influences. Most companies have no idea how they would even answer that question today.

Tthe dates are staggered and they are not far off. The general framework starts October 1, 2026. Chatbot rules hit January 1, 2027. The employment AI obligations apply to systems deployed on or after October 1, 2027. That sounds distant until you remember procurement cycles. The tools you are buying or renewing in 2026 are the tools you will be defending in 2027.

So what should you actually do?

💡 Start with an inventory. You cannot govern what you have not named. Pull together every tool that touches the hiring lifecycle, including the ones HR bought without telling legal. Recruiting platforms, screeners, assessment vendors, scheduling bots, anything that scores or ranks a human being.

📋 Run each tool through the substantial factor test. Ask one blunt question per tool: does this meaningfully alter who gets hired, promoted, or cut? If yes, it is in scope, and your disclosures, vendor contracts, and audit trail need to reflect that.

📝 Push the work to your vendors now. Your contracts should require them to tell you how the model produces its outputs and to support your disclosure obligations. If a vendor cannot explain what the tool does in plain language, that is your answer about whether to keep them.

📌 Do not build this for Connecticut alone. Connecticut is one more entry in a fast-moving state patchwork. The companies that win this are the ones who treat AI hiring oversight as a standing program, not a fifty-state fire drill.

‼️ One closing thought. The instinct will be to wait until 2027 because the employment date feels far away. That instinct is how teams end up explaining a tool they never inventoried to a regulator who already has.

Build the inventory this year. The rest gets easier once you know what you own.

Texas Squid Game - Red Light, Green Light, Subpoena

Most companies treat privacy enforcement as a federal problem. State attorneys general keep proving them wrong.

On May 11, 2026, Texas Attorney General Ken Paxton sued Netflix in Collin County under the Texas Deceptive Trade Practices Act. The 59-page complaint alleges Netflix spent years marketing itself as the calm, kid-friendly alternative to Big Tech surveillance while quietly building one of the largest behavioral data pipelines in consumer tech. The legal vehicle is consumer protection, not privacy. The penalty exposure is $10,000 per violation, and Texas has roughly 31 million residents.

The most damaging framing in the case is not a privacy allegation. It is Paxton's office calling Netflix "a logging company that records and monetizes billions of behavioral events, and occasionally streams movies." The line draws on a public Netflix engineering talk describing its ingestion pipeline, and it collapses years of public positioning. Around 2019 and early 2020, Reed Hastings told investors and shareholders Netflix had no interest in advertising and said the company did not collect data the way ad-driven platforms did. Today, ads are a core growth pillar, and the complaint alleges Netflix processes roughly five petabytes of behavioral logs daily at a sustained rate near ten million events per second. Texas argues the gap between public statement and internal reality is the actionable deception.

The kids' profile angle is where this gets harder for in-house counsel. The complaint alleges Netflix applied the same telemetry surface to accounts marketed as designed for children, with autoplay defaulted on and content sequencing optimized against engagement signals derived from minors. Texas frames autoplay as a dark pattern aimed at children who cannot meaningfully consent. The remedies sought include disabling autoplay by default on kids' profiles, purging the underlying data, and stopping further collection. Netflix has said the suit lacks merit and rests on distorted information. That posture will be tested against the company's own documents and public statements.

Here is why this matters beyond one defendant. Federal privacy legislation has been stuck for the better part of a decade. State AGs noticed. Texas has now demonstrated twice in recent memory, first with the $1.4 billion Meta biometric settlement and now with Netflix, that a consumer protection statute is a perfectly serviceable enforcement tool when a company's marketing copy contradicts its data architecture. The legal theory does not require a comprehensive federal privacy law. It only requires a gap between what a company tells consumers and what its pipelines actually do.

For privacy officers and general counsel, here is what should move this quarter.

Audit your public statements against your data flows. Investor decks, marketing pages, trust centers, and CEO interviews are all admissible. If your CEO said in 2019 that you would never sell data, and your ad sales team is now pitching look-alike audiences in 2026, you have a Netflix problem in waiting. Reconcile the record before a state AG does it for you.

Treat children's data telemetry as a board-level workstream, not a product feature. Default autoplay, recommendation loops trained on minor engagement, and ad targeting on kids' accounts are now active enforcement targets. The Texas complaint reads as a roadmap for every state AG with a deceptive trade practices statute, which is all of them.

Separate your advertiser story from your consumer story and stress-test the delta. The complaint relies on internal language pitched to advertisers about behavioral signal richness. That language reads very differently against consumer-facing claims of privacy-first design. If both narratives cannot coexist in a deposition, you have an exposure that no privacy notice will paper over.

There is a broader read here. The enforcement frontier has shifted to state consumer protection law. It does not require Congress to pass anything. It only requires a state AG with a complaint, a few well-placed public statements, and a deceptive trade practices statute already on the books.

Play accordingly.

The Most Expensive Test Drive in CCPA History

GM just paid $12.75 million for turning OnStar into a data brokerage. That's the largest CCPA settlement in the law's history, and the part most companies should be paying attention to has nothing to do with cars.

Here's what happened. From 2016 to 2024, GM collected driving behavior, precise GPS location, and personal contact info from hundreds of thousands of California OnStar subscribers. They told consumers the data was for navigation, safety features, and service improvement. Then in 2020, GM started selling that data to Verisk Analytics and LexisNexis Risk Solutions so insurance companies could score drivers based on how fast they accelerated, how hard they braked, and where they drove at night. GM made roughly $20 million from the sales.

The California Attorney General filed the enforcement action on May 8, and the details are worth reading closely. This is the first case to enforce the CCPA's data minimization principle. Not the opt-out requirement. Not the right to delete. Data minimization. The AG argued that GM retained driving data longer than necessary to provide the services consumers signed up for, then repurposed that data for something consumers never agreed to.

What stands out to me is the purpose limitation argument. The complaint specifically says that even if GM had disclosed the insurance use in its privacy policy, developing a driver-rating product would not have been compatible with the original reason the data was collected. Read that again. Disclosure alone would not have been enough. The AG is saying that some secondary uses of data are off-limits regardless of what your privacy policy says.

That's a meaningful shift. For years, the U.S. privacy compliance playbook has been built on notice-and-choice: disclose the practice, offer an opt-out, manage consumer rights requests. This case puts a ceiling on that model.

And this isn't just GM. CalPrivacy has also settled with Honda for $632K and Ford for $376K over similar connected vehicle data practices. The auto industry is the test case, but the logic applies to any company collecting behavioral, location, or sensor data.

Takeaways For Privacy Leaders

The notice-and-consent model has a ceiling now. Purpose limitation means certain secondary uses of data may be off-limits even if you disclose them. If the downstream use isn't compatible with why you collected the data, a line in your privacy policy won't fix it.

Data minimization is an enforceable obligation, not a best practice. You should be able to explain why each category of data is collected, how long it's retained, and why it's necessary for each specific use. "We might need it later" is not a retention justification.

Internal policies you don't follow are worse than having no policy at all. GM had internal requirements for written risk assessments before selling data. They couldn't produce one for the sales in this case. Regulators notice that gap.

The $12.75 million is 10x the previous CCPA record. The Sephora settlement in 2022 was $1.2 million. California is done with warning shots.

This case is a data monetization case dressed up as a connected car case. Any company sitting on behavioral data, location data, or sensor data and thinking about new ways to extract value from it should treat this as a direct warning. Collecting data for one purpose and selling it for another is not a business model. It's a liability.

Counting the Casualties: What California's New AI Executive Order Means for You

California just made AI workforce displacement everyone's problem.

Governor Newsom signed Executive Order N-6-26 this past Thursday (May 21), targeting how AI reshapes jobs, wages, and labor markets. This is already California's third AI-related EO in three years, and it's the first one aimed squarely at workers.

The prior orders (N-12-23 in 2023 and N-5-26 in March 2026) dealt with procurement, safety, and civil rights. This one directs over a dozen state agencies to study AI's labor market impact, modernize the WARN Act for tech-driven displacement, review whether companies should provide severance or equity to displaced workers, and launch a public dashboard tracking AI's employment effects by sector. Most deliverables are due within 90 to 180 days.

That's the summary. Here's what it means if you're running an AI governance program, advising a board, or sitting in a general counsel's office.

🔑 Key Takeaways

The WARN Act is being reviewed for AI-driven triggers. If California updates its Worker Adjustment and Retraining Notification requirements to cover technology-driven workforce changes, companies deploying AI at scale will face new notification obligations. Flag this to employment counsel now.

Displacement compensation is on the table. The EO directs a study of "severance and other forms of compensation such as stock or other forms of equity" for displaced workers. If this moves forward, it creates a cost model for AI deployment decisions that doesn't exist today.

A public dashboard on AI employment impacts is coming within 90 days. EDD will also collect business feedback on how technology adoption affects hiring decisions, twice per year through 2027. That data will feed future regulation. Assume what you say publicly about AI and workforce decisions becomes part of the record.

Collective bargaining and AI are about to formally intersect. The EO directs a review of how bargaining processes address new technology. For companies with unionized workforces, AI deployment may become a mandatory bargaining subject.

California is building the infrastructure that typically precedes regulation. The EO itself doesn't create new private-sector obligations. But every study, dashboard, and recommendation it produces will become the evidence base for legislation that does.

Map these timelines against your AI deployment plans. The 90-day requirements land in August 2026. The 180-day ones land in November.

By the time those reports go public, you should already know where your organization stands on workforce impact, notification practices, and compensation policy.

Your Expert's AI Prompts Could Be Fair Game In Discovery

A federal court just ordered an expert witness to hand over her AI prompts. If you work in litigation, compliance, or AI governance, pay attention.

Last week, Magistrate Judge Thomas Farrish in the District of Connecticut ruled that AI prompts used by an expert witness are discoverable under Rule 26(b). The case is Conservation Law Foundation v. Shell Oil Company, a climate liability lawsuit. Shell wanted the prompts that CLF's expert, Dr. Naomi Oreskes, used when she ran AI analysis to cull down Shell's document production into a working subset for her expert report.

CLF tried three arguments. AI prompts aren't within the scope of discovery. A Rule 29 agreement shielded them as "expert notes." And the expert only used "search terms," not "prompts," so there was nothing to produce.

The court rejected all three. An expert's methodology is fair game. A Rule 29 agreement has to be "quite clear" before it blocks relevant discovery, and calling prompts "notes" doesn't meet that bar. And CLF's own expert assistant used the word "prompts" in a sworn declaration, giving the court an evidence-backed reason to doubt the "search terms only" characterization. The court ordered production and put Rule 37(b) sanctions on the table if the representation turns out to be false.

Why this matters beyond one case.

The moment an expert uses AI to filter, analyze, or synthesize evidence, those prompts become methodology. Under Daubert and Rule 702, methodology is always subject to scrutiny. This ruling makes explicit what was already implicit: if AI shapes the evidence, opposing counsel gets to see how.

Most existing discovery agreements weren't drafted with AI in mind. Silence on AI prompts is not protection. And the gap between what your team calls their process internally and what they say in declarations can create exactly the kind of credibility problem that happened here.

What to do about it.

Assume prompts are discoverable. Build retention and documentation practices around that assumption now.

Review your discovery agreements. If they don't explicitly address AI tools, prompts, and workflows, renegotiate before the next dispute.

Use private, enterprise-grade AI instances. If an attorney or expert is using AI for legal work, it has to happen inside an environment where data is encrypted, isolated, and contractually guaranteed not to train the base model. A consumer-grade tool does not give you that.

Develop internal prompt guidelines. Train experts to use hypothetical or anonymized data. Prohibit inputting core mental impressions into any model. Minimize what goes into each prompt. Every prompt is a record that could be scrutinized, and this ruling proves it.

Treat prompts as formal ESI. Define how long they're kept, where they're stored, and address AI use proactively at Rule 26(f) conferences. The teams that set boundaries early will avoid the motion practice that happened in CLF v. Shell.

This is a magistrate judge order, not binding appellate precedent. But it's the clearest signal yet that courts will treat AI in expert analysis the way they treat every other aspect of methodology: as something you have to show your work on.

Build the documentation practice before a court orders you to. "We didn't keep records of our AI prompts" is not an answer any judge wants to hear.

Trending Blogs

Recently Viewed Blogs

Nicholas You, Esq.