Governance on AI: Mumble incoherently and carry a big stick

A flurry of bills, drafts, and executive orders on AI have dropped across the US and EU in the past couple of months. Take a closer look: all this activity is effectively an abdication of governance rather than any constructive scaffolding that could steer AI development and deployment. What we have instead is the heavy hammer of Executive Privilege with limited due process to stop whatever is deemed “unsafe”.
Here are five examples.
Removing the “Safety” in the “AI Safety Consortium”
On May 29th, the National Institute of Standards and Technology (NIST) issued a press release. It was ‘expanding the scope’ of the AI Safety Consortium and calling for new members. Except that when one says “expanding the scope”, it is additive: you are doing the same things as before, and some more. But the Orwellian “expanding the scope” here actually means that they will no longer be focusing on AI safety, and will instead focus on “AI innovation and adoption”.
This change runs right through the guts of the organization. The institute itself goes from U.S. “AI Safety Institute” to “Center for AI Standards and Innovation”. The consortium goes from “AI Safety Institute Consortium” to “NIST Artificial Intelligence Consortium”. Notice the removal of “safety” from both places.
The mission statement of the consortium changes too.
Before: “…establishing the foundations for a new measurement science in AI safety.”
After: “…enable the identification of proven, scalable, and interoperable techniques and metrics to promote the development and use of AI.”
The consortium’s own announcements, 2023 versus now:
2023: “…in support of the development and deployment of safe and trustworthy artificial intelligence.”
2026: “…will concentrate on AI measurement, innovation and adoption.”
The working groups are mostly gone and replaced. Four of the five original groups were safety-specific (generative AI risk management, synthetic content, red-teaming, model safety and security). All four were dropped. The replacements are measurement- and standards-oriented. The word “safety” appears zero times on the current consortium page outside historical references to the old name.
This is not “broadening”; this is usurping the body for a purpose antithetical to its own.
The self-destruction in Trump’s AI Executive Order
The AI Executive Order from June 2nd performs a curious piece of linguistic acrobatics: laying out an AI governance structure while simultaneously undermining it within the same section. It starts off talking about “new national security considerations that require coordinated action across executive departments and agencies (agencies), and components” and it says that within the next 30 days, “the Committee on National Security Systems shall prioritize the cyber defense of National Security Systems” and “the Secretary of War shall prioritize the cyber defense of Department of War information systems”, and so on. Within 60 days, it will “develop and maintain a classified benchmarking process to assess the advanced cyber capabilities of AI models”, “design a voluntary framework with AI developers” to engage with this benchmarking, “provide the Federal Government with access to covered frontier models”, and so on.
It sounds like it really has some muscle, and that we might actually get something useful from this. But in that same section, it deflates the entire effort with “Nothing in this section shall be construed to authorize the creation of a mandatory governmental licensing, preclearance, or permitting requirement for the development, publication, release, or distribution of new AI models, including frontier models.”
The executive order pretends to create a governance structure, but bakes in a self-destruct clause that ensures governance never actually happens. It’s a Broadway show where the director introduces the cast, the orchestra swells, and then the curtain falls. That’s the whole show.
The ever-lengthening leash of the EU Digital Omnibus
When you talk of user privacy and regulation, the EU is typically seen as the vanguard. GDPR has become the template against which all other user privacy bills are written. Back in May 2024, the EU adopted the EU AI Act. It was an ambitious bill that promised to do for AI development what GDPR did for user data. It talked about prohibited AI practices, defined what it means for AI to be high risk, and the obligations that go with it for both the model developers and providers. It talked about setting up AI regulatory sandboxes at national and regional levels to better understand how to regulate AI. On paper, it made all the right moves.
Last week the EU released the Digital Omnibus proposal, which effectively stops the clock on all of the provisions outlined in the EU AI Act. These provisions were supposed to kick in in August 2026, but that timeline has been extended to 2027 and 2028 with no promise of that being final. The reason given was “giving industry time to prepare”, which sounds plausible, but think about it. Were the original framers of the EU AI Act so naive that they baked in unrealistic timelines, and the rest of the world (including “the industry”) so bright-eyed that they simply did not realize that the timeline was too aggressive? Or is it more likely that it has been intentionally defanged while keeping the same form as before? Not too different from our previous examples.
The preemption of the Great American AI Act
On the face of it, the Great American AI Act is a rare feat in politics and policy. It is a bipartisan bill and a first of its kind in the US with the goal of creating a federal framework for governing artificial intelligence model development. It even pays lip service to federalism by clarifying that the states retain authority to regulate AI use. This bill only targets AI development and not use; and therein lies the rub.
The bill bars states from laws “targeting artificial intelligence model development.” But it does not actually clarify what it means by development vs. use. Is post-training part of development, or is it part of use? When a company puts in all of its internal data and information so that when the employees are using the AI agent, it already knows about how the company functions, where the documentation is, what the org structure is, etc., is that development or use? The bill doesn’t really answer that question.
Beyond that, there is a temporal gap. The preemption of state laws governing AI development takes effect immediately after the bill is passed. But the federal framework is not ready yet. The bill merely states that one should be developed. It could take an indeterminate amount of time for the CAISI working group to be established, standards developed, and verification organizations designated. That is work that takes years and may never materialize in a divided Congress.
The text of the bill claims to be for “protecting Americans”, but its first consequence appears to be removing what little protection they had from state legislation on AI development, with no timeline for when a federal framework would ever be realized.
As bad as it looks in isolation, consider the compounding effect of the Executive Orders and this bill: (a) the Trump EO from December 2025 preempts state laws, (b) Trump’s AI Executive Order from June 2 creates a voluntary framework disclaiming mandatory authority, and (c) this bill codifies preemption with a narrow federal framework. Each instrument legitimizes the next and progressively erodes governance.
The expansive coercion in NSPM-11
The National Security Presidential Memorandum (NSPM) 11, released on June 5th, 2026, marks a dangerous expansion of executive authority in pursuing AI ambitions while simultaneously dismantling governance structures that safeguard against harmful use of AI. NSPM-11 rescinds the Biden-era NSM-25, which outlines the administration’s approach to AI safety. For context, in NSM-25 the word “safety” appears 45 times, whereas in NSPM-11, there are ZERO occurrences of the word “safety”.
The story here is not just that of governance retreat. NSPM-11 also smuggles in a massive coercive authority that was previously marshaled to target other nation states. Section 2(c) requires that (emphasis mine) “no commercial entity or adversary” possesses the capability to prevent use of, disable or degrade, or materially modify any deployed national security AI system. The operative phrase is “no commercial entity or adversary”. So, the same mechanisms used to ensure that (say) China cannot defang US military AI capabilities are also deemed acceptable when targeting a corporation such as Anthropic. That is dangerous overreach. Transnational geopolitics resorts to very heavy mechanisms because there are no enforceable laws when it comes to actions of one nation state against another (think Russia’s election interference in the US; it is not like we can file a suit against Russia in US courts over that). In contrast, commercial entities are subject to US laws and regulations, and therefore their behavior can be influenced through various means that are consistent with such laws and afford all the protections that due process provides. And this due process is a strong counterbalance against executive overreach. NSPM-11 is an attempt to weaken that very same due process and strong-arm AI companies as if they were an external adversary/threat.
This should scare everyone.