Speaking of regulation, the U.S. Department of Justice (DoJ) has updated its Evaluation of Corporate Compliance Program (ECCP) guidelines to include the use of AI, emphasizing that companies must assess AI’s potential for harm and ensure compliance with criminal laws. Compliance officers are now expected to address questions regarding AI’s impact on legal compliance and mitigate risks associated with its use. Companies will be held accountable for any illegal actions facilitated by AI, highlighting the need for proactive monitoring and risk management in their compliance programs.
The National Institute of Standards and Technology (NIST) is proposing new cybersecurity guidelines focusing on identity proofing and fraud detection for credential service providers. Key updates include expanded identity verification methods, continuous monitoring, and AI and machine learning transparency requirements to mitigate bias. The guidelines aim to enhance security against sophisticated cyber threats, particularly in government systems, and organizations are encouraged to adopt AI governance programs to comply with these standards.
CISA warns of ongoing cyber threats to U.S. water systems following a cybersecurity incident in Arkansas City, Kansas, which forced a switch to manual operations. The agency emphasizes the vulnerability of operational technology and industrial control systems, urging water system operators to implement security recommendations. Water industry groups last year partnered with Republican lawmakers to stop federal efforts to protect water systems despite significant increases in the number of ransomware attacks and nation-state intrusions.
The EU’s AI Pact has over 100 signatories, including Amazon, Google, Microsoft, and OpenAI. It aims to foster voluntary commitments to AI governance and compliance with the AI Act. Apple and Meta are absent, with Meta focusing on the AI Act itself. The Pact encourages companies to adopt AI strategies, identify high-risk systems, and promote AI literacy. Penalties for non-compliance with the AI Act can be significant, prompting companies to consider their participation carefully.
I’ll note Axios covered how Apple faces significant challenges in complying with the EU’s new digital antitrust rules, specifically regarding interoperability for its iPhone and iPad operating systems. The European Commission has initiated proceedings to enforce these requirements under the Digital Markets Act, giving Apple six months to adapt or risk fines. While Apple has made minor adjustments, such as easing App Store restrictions, these changes are seen as insufficient, raising concerns about the company’s ability to operate in the EU.
Why do we care?
The headline was great – If your AI does the crime, you’ll do the time. The DoJ’s updated guidelines, NIST’s cybersecurity proposals, and the EU’s AI Act all emphasize the need for enhanced compliance frameworks.

