AI Pulse Daily Brief | 2026-04-29
AI Pulse Daily Brief | 29 April 2026
Reading time ~4 mins
EU AI Act Annex III deadline proposed to shift to December 2027. LMDeploy inference flaw exploited within 13 hours. Anthropic Mythos draws multi-jurisdiction regulatory engagement; five US G-SIBs test via Glasswing, EU banks absent. Dutch AI Control Barometer flags four indicators red. OpenAI breaks Azure exclusivity via Bedrock.
Top signal
EU AI Act Omnibus trilogue targets Annex III deadline shift to 2 December 2027. Authority
Signal: Second trilogue on 28 April targeted political agreement; Annex III high-risk AI deadline proposed to move from 2 August 2026 to 2 December 2027, Annex I to 2 August 2028.
Relevance: Every Annex III system the bank operates or procures, from credit scoring to fraud detection to onboarding, gains 16 months of compliance runway, reshaping AI Act implementation sequencing across the sector.
Consider: Check whether your AI Act implementation calendar still assumes the original August 2026 deadline and update it before the next supervisory board cycle.
European Parliament Legislative Train
Security
LMDeploy SSRF flaw exploited in the wild within 13 hours of disclosure. Media
Signal: CVE-2026-33626 (CVSS 7.5) in LMDeploy, used for serving LLMs in enterprise inference stacks, came under active exploitation on 28 April less than 13 hours after disclosure.
Relevance: Sub-13-hour exploitation on AI-specific serving infrastructure means organisations self-hosting LLM inference must treat serving-layer vulnerabilities as zero-day-equivalent.
Consider: Verify whether LMDeploy is present in your internal or vendor-hosted inference stack and confirm the patch is applied today.
Vercel breached via Context AI OAuth supply chain, API keys and source code stolen. Media
Signal: Vercel confirmed a breach traced to Context AI, a third-party AI productivity tool; an employee's OAuth connection gave attackers lateral movement into internal systems, with stolen data listed for $2M on BreachForums.
Relevance: This is the first major incident proving end-to-end that AI productivity tools with OAuth trust to corporate identity providers create a lateral-movement class that bypasses perimeter defences.
Consider: Ask your IAM team to inventory all AI tools with OAuth connections to corporate identity and assess whether any create comparable lateral-movement paths.
Regulatory
Anthropic Mythos draws global regulatory engagement as five US G-SIBs test via Glasswing while EU banks remain absent. Media
Signal: BoE, US Treasury, Federal Reserve, APRA, MAS, and FSS engaged banks on Mythos cyber risk in April while JPMorgan, Goldman Sachs, Citigroup, BofA, and Morgan Stanley test through Project Glasswing and Anthropic plans European access amid a post-breach credibility crisis.
Relevance: No EU bank is in the Glasswing cohort, so when ECB SSM or DNB issue frontier-model supervisory guidance within the expected 4-6 week window, the bank will need to demonstrate preparedness without early-access testing time.
Consider: Confirm your vendor risk function has a pre-deployment assessment template ready for frontier models with dual-use cyber capabilities before the expected ECB SSM inquiry.
American Banker | Retail Banker International | Retail Banker International | AI Business Review | PYMNTS
Dutch AI Control Barometer flags four of nine indicators red. Authority
Signal: The 6th Report on AI and Algorithms in the Netherlands (RAN, winter 2025/2026) published today shows four control indicators now red, warning that oversight, standards, transparency, and incident visibility cannot keep pace with AI deployment.
Relevance: RAN's systemic-risk framing on AI concentration, interconnectedness, and cascading failure from agentic AI mirrors the lens DNB will use in financial sector supervisory assessments.
Consider: Request the English RAN report and assess whether its four red indicators map to gaps in your own AI control framework before DNB references it.
Lnkd (LinkedIn; original source not verified)
Perspectives
HBR: AI is creating a strategic fog that undermines long-term investment confidence. Institute
Signal: Toby Stuart argues in HBR (27 April) that AI's pace of advance generates an "AI fog" eroding the confidence that traditionally justifies 10-to-30-year investment commitments.
Relevance: The thesis challenges the premise that multi-year AI capital commitments can be planned on fixed horizons, and HBR framing carries weight when board members cite it at strategy sessions.
Consider: Test whether your AI roadmap assumes stable capability trajectories and needs an adaptive governance layer to absorb discontinuities without full replanning.
Innovation
OpenAI models, Codex, and Managed Agents launch on Amazon Bedrock, ending Microsoft cloud exclusivity. Corporate
Signal: OpenAI went live on Bedrock on 28 April under IAM, PrivateLink, and CloudTrail controls, one day after formally ending Microsoft revenue-share exclusivity.
Relevance: Any architecture decision that assumed OpenAI access required Azure changed overnight; Bedrock creates a second enterprise channel with different pricing, security, and data residency properties.
Consider: Check whether any AI procurement decision in flight assumes OpenAI requires Azure, and whether the Bedrock alternative changes the calculus.
On the radar
- AI is reshaping banking cloud contracts as data sovereignty and exit strategies displace cost optimisation as primary drivers. PYMNTS
- Gartner finds organisations with successful AI invest up to 4x more in data and analytics foundations; only 39% of technology leaders believe current AI efforts will improve financial performance. Gartner
- Ed Zitron argues OpenAI must grow revenue 1,000% in three years to service Oracle compute commitments, documenting a dependency chain that raises AI vendor continuity risk. Better Offline