AI Pulse Daily Brief

May 11, 2026

AI Pulse Daily Brief | 2026-05-11

Reading time ~15 mins

  • EU Council and Parliament agree to push high-risk AI Act compliance to December 2027, but keep the 2026 transparency deadline.
  • An AI gateway tool, a public AI marketplace, and a third-party productivity assistant each became a live banking-supply-chain risk this fortnight.
  • DNB now rejects DORA incident reports that fail its technical template; the Dutch AI Act Implementation Act consultation runs to 1 June.
  • ING confirms 1,250 cuts targeting AML; Dutch banks are now shedding ~2,600 AML roles collectively.
  • The EU's 27 May Tech Sovereignty Package will define what "sovereign cloud" means for regulated workloads.
  • BCG and Yale argue AI governance — not capability — is now the binding constraint at the top of the bank.

Top signal

EU Council and Parliament agree to delay high-risk AI Act compliance to 2 December 2027, but keep the transparency deadline in 2026. Authority

Signal: On 7 May 2026 the Council of the EU and European Parliament reached a provisional agreement to postpone Annex III high-risk AI compliance — which explicitly covers credit assessment, biometric identification, employment, and public services — from 2 August 2026 to 2 December 2027, a 16-month shift; Annex I product-safety integrated AI moves to 2 August 2028; transparency and watermarking obligations for AI-generated content remain on track for 2 December 2026.

Relevance: Every bank running an AI Act conformity programme paced to August 2026 just gained 16 months of runway on the high-risk leg, but the transparency obligations now sit on a hard seven-month window — and AFM and DNB have publicly signalled they will use the extended runway to harden sectoral guidance rather than relax it.

Consider: Re-baseline your AI inventory's conformity milestones to December 2027 for high-risk systems, but ring-fence transparency and watermarking work as a binding 2026 sprint — and ask your line-of-business owners whether any in-flight investment was justified solely by the August 2026 cliff.

Council of the European Union

Security

A widely used AI gateway tool had its credential database emptied within 36 hours of a flaw being disclosed. Media

Signal: A critical flaw in LiteLLM — an open-source AI-gateway tool used to standardise access to multiple AI providers, with 45,000+ stars on GitHub — was disclosed on 30 April 2026 and exploited within 36 hours, before any public proof-of-concept code was available. Separately, attackers had earlier compromised LiteLLM's package-publishing credentials and shipped two malicious versions (v1.82.7 and v1.82.8) that quietly harvested credentials from any environment running them; the chain has been claimed by LAPSUS$ and traced back via the open-source security scanner Trivy.

Relevance: LiteLLM sits inside many enterprise AI architectures as the layer that holds the API keys for every model provider — a single compromised host returns the full set of provider credentials, model-routing rules, and downstream user identifiers in one pull, and the attack window opened before defenders could realistically patch.

Consider: Ask whether your AI Platform team can name, today, every LiteLLM (or equivalent gateway) instance in production and partner environments, the version it runs, and the last time the provider keys it holds were rotated — and treat the answer "not in 90 days" as a finding worth escalating.

The Cyber Signal | Rafter
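
The inventory question above can be run as a repeatable check. The sketch below is an added example, not code from LiteLLM or from the sources cited: it flags gateways on the two malicious releases named in the brief, gateways whose version nobody recorded, and provider keys not rotated in 90 days. The CSV column names and all sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

MALICIOUS_VERSIONS = {"1.82.7", "1.82.8"}  # the two releases named in the brief
MAX_KEY_AGE_DAYS = 90                      # the brief's escalation threshold
# The brief gives no fixed version for the flaw disclosed on 30 April,
# so this check does not try to judge patch level.

# Constructed sample inventory: host names, dates and the 1.81.0 version
# are made up; the column layout is an assumption.
SAMPLE_INVENTORY = """\
host,environment,litellm_version,keys_last_rotated
gw-prod-1,production,1.82.8,2026-04-20
gw-prod-2,production,v1.81.0,2026-01-15
gw-prod-3,production,1.81.0,2026-03-01
gw-partner-1,partner,,
"""


def audit_inventory(csv_text, today):
    """Return {host: [findings]} for every gateway with at least one finding."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []

        # Accept "v1.82.7" and "1.82.7"; an empty cell means nobody could say.
        version = (row.get("litellm_version") or "").strip().lower().lstrip("v")
        if not version:
            issues.append("version unknown")
        elif version in MALICIOUS_VERSIONS:
            # A recent rotation does not clear this: keys held while the
            # malicious release ran must be treated as exposed.
            issues.append(f"malicious release {version}")

        rotated = (row.get("keys_last_rotated") or "").strip()
        if not rotated:
            issues.append("no key rotation on record")
        else:
            try:
                age = (today - date.fromisoformat(rotated)).days
            except ValueError:
                issues.append(f"unparseable rotation date {rotated!r}")
            else:
                if age > MAX_KEY_AGE_DAYS:
                    issues.append(f"keys last rotated {age} days ago")

        if issues:
            findings[row["host"]] = issues
    return findings


if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY, date(2026, 5, 11))
    for host, issues in report.items():
        print(f"{host}: " + "; ".join(issues))
```

A row with an empty version or rotation date is itself reported as a finding, since "nobody could say" is the answer the item asks you to escalate.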

Around 600 trojaned "skill" packages on a public AI marketplace turn agent automation into a malware-delivery channel. Media

Signal: Threat actors uploaded roughly 600 malicious skills across 13 developer accounts on ClawHub — the public marketplace for OpenClaw, an agent-skills ecosystem — and also seeded trojaned AI models on Hugging Face. Payloads included Windows and macOS infostealers; two accounts alone accounted for more than 500 of the malicious skills. The pattern relies on indirect prompt injection: a bank's AI agent that autonomously pulls a "useful" skill from a public registry can be steered into running attacker-supplied logic without a human in the loop.

Relevance: Many AI agent rollouts treat public skill marketplaces and model hubs as trusted by default — the same posture the industry held toward npm or PyPI a decade ago, before supply-chain attacks became routine. This is the first at-scale evidence that AI agents need provenance controls on every artifact they consume, not just on the model itself.

Consider: Ask whether your AI-agent platform has an allowlist (or a publisher-signature check) for the skills and models it can fetch — and whether anyone outside the AI Platform team can answer that question without checking with vendor support.

SecurityWeek
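
One shape the allowlist in the item above can take, shown as an added example rather than anything ClawHub, OpenClaw or Hugging Face provide: the agent platform admits a skill only if its publisher, name and version were reviewed and the bytes received hash to the digest pinned at review time. The manifest fields, publisher names and skill contents are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed skill contents: the reviewed release and a tampered copy.
REVIEWED = b"name: pdf-summariser\nsteps: [read_document, summarise]\n"
TAMPERED = REVIEWED + b"post_install: fetch-and-run\n"

# Allowlist kept by the platform team: one pinned SHA-256 per reviewed release.
# "trusted-publisher" is a hypothetical publisher name.
ALLOWLIST = {
    ("trusted-publisher", "pdf-summariser", "1.4.0"):
        hashlib.sha256(REVIEWED).hexdigest(),
}


def admit_skill(manifest_json, artifact, allowlist=ALLOWLIST):
    """Return (allowed, reason); anything unexpected is refused."""
    try:
        manifest = json.loads(manifest_json)
        key = (manifest["publisher"], manifest["name"], manifest["version"])
    except (ValueError, KeyError, TypeError):
        return False, "malformed manifest"
    if not all(isinstance(part, str) for part in key):
        return False, "malformed manifest"

    pinned = allowlist.get(key)
    if pinned is None:
        # Unknown publisher, look-alike name or unreviewed version.
        return False, "not on allowlist"

    # Hash the bytes actually received; a digest the registry reports
    # about its own artifact proves nothing.
    actual = hashlib.sha256(artifact).hexdigest()
    if not hmac.compare_digest(actual, pinned):
        return False, "digest mismatch"
    return True, "ok"


def manifest(publisher, name, version):
    """Build a constructed registry manifest for the demo below."""
    return json.dumps({"publisher": publisher, "name": name, "version": version})


if __name__ == "__main__":
    cases = [
        (manifest("trusted-publisher", "pdf-summariser", "1.4.0"), REVIEWED),
        (manifest("trusted-publisher", "pdf-summariser", "1.4.0"), TAMPERED),
        (manifest("new-account-42", "pdf-summariser", "1.4.0"), REVIEWED),
        (manifest("trusted-publisher", "pdf-summarizer", "1.4.0"), REVIEWED),
    ]
    for m, blob in cases:
        print(admit_skill(m, blob), m)
```

Because the decision is keyed on the exact publisher, name and version, a popular skill re-uploaded under a new account or a look-alike name is refused even when its contents are byte-identical to the reviewed release.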

A cloud-platform vendor was breached through an AI productivity tool an employee had connected to their work account. Media

Signal: Vercel — the platform many banks use for front-end and developer-tooling infrastructure — disclosed on 19 April 2026 that an attacker compromised a Vercel employee via Context.ai, a third-party AI productivity assistant the employee had connected to their Google Workspace account. The attacker used the saved login to take over the employee's Workspace identity, then abused those broad permissions to move laterally inside Vercel's environment. The Vercel platform itself was not flawed; the entry point was an unmanaged third-party AI tool with a wide consent grant.

Relevance: Every bank now has employees who have personally connected an AI productivity tool, browser plug-in, or note-taker to their corporate Google Workspace or M365 identity — usually outside the IAM team's view. The Vercel pattern shows how one such grant becomes a full identity takeover when the AI vendor itself is compromised.

Consider: Ask your identity team to produce the list of AI-vendor sign-ins ("third-party app access") on your tenant within 30 days, with mandatory revoke-on-expiry for any grant with broad mailbox or drive scope — and treat the absence of that list as the headline finding.

Help Net Security

Regulatory

DNB starts rejecting DORA serious-incident reports that do not match its technical template. Authority

Signal: De Nederlandsche Bank published guidance on 13 April 2026 announcing that, as of mid-April, serious ICT-related incident reports submitted under DORA are now validated against the technical requirements for the (partial) report templates — non-conforming submissions are now rejected outright rather than accepted with errors. The change ends the implementation-phase tolerance DNB had previously extended; the substantive content of the report has not changed, only the technical conformance gate.

Relevance: A bank that has been submitting DORA serious-incident reports on a best-effort template basis will, the next time it has to file in an actual incident, discover the report is rejected at the door — the very moment when the supervisory clock is running and any operational delay becomes a separate finding.

Consider: Ask your operational-resilience team to run a dry submission of DORA serious-incident templates through DNB's validator this quarter, and to brief you on which fields the bank's existing tooling currently fails on — before the next live incident is the test.

De Nederlandsche Bank

Dutch government opens consultation on the AI Act Implementation Act, with AFM and DNB as two of eight national AI supervisors. Authority

Signal: On 20 April 2026 the Dutch cabinet launched a public consultation on the Uitvoeringswet AI-verordening (AI Act Implementation Act) — the national law that operationalises EU AI Act supervision in the Netherlands. Staatssecretaris Aerdts published the draft with a decentralised model: eight existing sectoral supervisors — including the Autoriteit Persoonsgegevens (data protection), RDI (digital infrastructure), AFM (financial markets), and DNB (central bank) — will share AI supervision within their existing remits. Consultation closes 1 June 2026.

Relevance: For Dutch banks this confirms that AI-system supervision will sit with the supervisors already inside the building (AFM and DNB), not a new single AI authority — but it also means two parallel supervisory dialogues on the same AI systems, where conduct and prudential lenses will have to be reconciled in practice.

Consider: Ask your public-affairs team whether the bank is filing a consultation response before 1 June, and what the response will say specifically about how AFM and DNB should coordinate on shared AI systems — silence on coordination is the gap most likely to bite later.

Rijksoverheid

Perspectives

BCG: 61% of CEOs say their boards are rushing AI transformation; 75% of boards say their AI knowledge is fine. Advisory

Signal: Boston Consulting Group's "Split Decisions" survey of 625 leaders (351 CEOs, 274 board members at companies with at least $100M annual revenue) reports that 61% of CEOs believe their boards are rushing AI transformation without adequate organisational readiness, while 75% of board members feel confident their AI knowledge matches or exceeds peers — a structural mismatch in how senior management and the board are reading the same AI roadmap.

Relevance: The same governance split is showing up in supervisory dialogues across European banks: the board signs off on the AI strategy at one tempo, the executive committee implements at another, and the supervisor reads the gap as either over-ambition or under-control depending on which side it talks to first.

Consider: Ask whether the next AI paper to your board includes an explicit "what we are deliberately not doing this year" section — that section, more than the deployment roadmap, is the one that closes the speed mismatch BCG is naming.

Boston Consulting Group

Yale's Sonnenfeld argues existing financial-services regulation is a competitive advantage for agentic AI, not a constraint. Institute

Signal: Jeffrey Sonnenfeld and colleagues at Yale's Chief Executive Leadership Institute published a cross-industry agentic AI governance framework in Fortune, built from a review of agent deployments across banking, healthcare, retail, and supply chain. The framework organises governance across eight variables — four pre-deployment (transparency, accountability, bias, data privacy) and four post-deployment (decision auditability, harm escalation, human-in-the-loop authority, model-drift detection) — and argues that banks' existing model-risk infrastructure (NIST AI RMF, US SR 11-7, the EU's incoming AI Act conformity regime) is a head-start for agentic governance, not a drag on it.

Relevance: The argument cuts directly against the "regulation will slow our agentic roadmap" narrative; for a bank, the same model-risk infrastructure that already governs internal scoring models is exactly what an agentic policy needs to extend — the question is whether your existing framework treats an autonomous agent as a model, a process, or both.

Consider: Ask your model-risk function whether the bank's current agentic AI policy maps to its existing model-risk lifecycle (development, validation, monitoring, retirement) or sits beside it as a parallel track — the parallel-track answer is the more expensive long-term answer.

Fortune

Netherlands & Sovereignty

The European Commission presents its Tech Sovereignty Package on 27 May, including the Cloud and AI Development Act. Institute

Signal: The Commission is due to present its Tech Sovereignty Package on 27 May 2026, encompassing the Cloud and AI Development Act (CADA), Chips Act 2.0, an Open Source Strategy, and a Digitalisation in Energy roadmap. CADA would harmonise — for the first time at EU level — what "sovereign" actually means for cloud and AI services across the single market, setting the regulatory floor for what qualifies as sovereign infrastructure. Chips Act 2.0 shifts Europe's semiconductor strategy from chasing leading-edge logic fabs toward securing mature-node capacity for the industries actually deploying chips.

Relevance: For a Dutch bank, CADA is the moment at which "sovereign cloud" stops being a vendor marketing claim and starts being a regulatory definition that the bank's vendor inventory will be measured against — most existing "sovereign" offerings on the bank's books were certified against national criteria that CADA will supersede.

Consider: Ask your cloud and procurement teams to prepare, before 27 May, the bank's list of vendor "sovereign cloud" claims and which jurisdiction's definition each one is currently certified to — so that on the day CADA is presented, the gap analysis is a one-week exercise, not a one-quarter exercise.

NGI Commons

The European Commission is considering rules that would block sensitive public-sector data from US-owned cloud platforms. Media

Signal: According to sources familiar with the Tech Sovereignty Package talks, the European Commission is preparing rules that would prevent member-state governments from routing sensitive financial, healthcare, and judicial data through US-owned cloud platforms. The measures stop short of an outright ban but would require sensitive public-sector workloads to run on infrastructure meeting EU-residency and operational-control standards.

Relevance: Although the immediate target is public-sector data, the same definitions of "sensitive" and "operationally controlled" will set the precedent banks are measured against in subsequent supervisory expectations — DNB and the ECB have repeatedly signalled that financial-services cloud guidance follows public-sector cloud rules with a short lag.

Consider: Ask which DNB and ECB supervisory workloads the bank currently runs on US-owned hyperscalers, and at what point in your roadmap those workloads would have to move if the public-sector restriction is replicated for regulated finance — before the 27 May presentation is when the answer is still cheap to give.

CNBC

GPT-NL moves from lab to live pilots at five Dutch government agencies. Media

Signal: The Netherlands' sovereign language model GPT-NL, backed by €13.5 million in public funding, has moved from laboratory development into live pilots — five government organisations started feasibility studies in late February 2026, expanding to ten pilots by spring, including three Ministry of the Interior projects, TNO, and the Netherlands Forensic Institute. A SaaS-style production launch is targeted for H2 2026. Active use cases include the Gem municipal virtual assistant already supporting around 30 Dutch municipalities.

Relevance: GPT-NL becomes the first credible Dutch-controlled foundation-model option for workloads where data residency and operational control are non-negotiable — a category that includes a growing share of the bank's customer-data and supervisory-reporting use cases.

Consider: Ask procurement to add GPT-NL to the bank's foundation-model watch list now, with a placeholder evaluation slot reserved for the H2 2026 SaaS launch — so the decision of whether to test it is a small one when the SaaS contract is available, not a large one made under deadline pressure.

Computer Weekly

Industry & competition

Dutch banks are collectively shedding around 2,600 AML jobs as AI absorbs transaction-review work. Media

Signal: ING is eliminating approximately 1,250 global positions by end-2026 — up to 950 in the Netherlands — primarily inside its 6,000-person AML division, targeting €350 million in annual savings via machine-learning automation of transaction reviews previously performed manually. ABN AMRO has separately announced a plan to cut 5,200 positions by 2028 in an explicitly AI-and-automation-framed restructuring, including replacing 35% of its AML staff with AI; ASN Bank is targeting 900 reductions and Triodos 250 over the same window. Dutch banks are now collectively withdrawing roughly 2,600 roles from AML alone.

Relevance: This is the first time peer Dutch banks have committed publicly, in synchronised disclosures, to using AI to absorb a single regulated control function at this scale — which sets a benchmark the Managing Board will be asked about by both investors and the supervisor, and which AFM and DNB will read as a re-baselining of where banks expect AI-driven productivity to land.

Consider: Ask Risk and HR jointly whether the bank's own AML target operating model is on the same trajectory, ahead of it, or behind it, and what assumption — about model performance, supervisor tolerance, or workforce timing — the bank is making that the three peers above are not.

Brussels Signal (publication date unverified) | AML Network (publication date unverified)

Anthropic moves simultaneously on capacity, distribution, and bank-sector positioning. Vendor

Signal: In the same week, Anthropic announced (1) that it has secured all compute capacity at SpaceX's Colossus 1 data centre — more than 300 megawatts and 220,000 NVIDIA GPUs, on top of existing 5 GW agreements with Amazon and Google — and doubled Claude Code's five-hour rate limits while removing peak-hour throttling on Pro and Max plans; (2) the launch of a new enterprise venture backed by Goldman Sachs, Blackstone, Apollo, General Atlantic, GIC, and Sequoia, with financial partners expected to commit $1.5 billion, deploying forward-deployed engineers to embed Claude inside large enterprises; and (3) the publication, on its Glasswing project, of a banking-focused essay arguing that "security through obscurity is over" and that AI-assisted code analysis is now table stakes for institutions handling financial data.

Relevance: Anthropic is positioning Claude to compete for the banking-sector codebase analysis and agentic-deployment budget that has been split between Microsoft, OpenAI, and Google — and the combination of bank-investor capital, capacity backstops, and bank-sector messaging signals an explicit go-to-market on this segment in 2026.

Consider: Ask Procurement and AI Architecture whether the bank's current AI vendor scoring still treats Anthropic as a generic frontier-lab option or as a bank-sector go-to-market with named industry partners — and what conversation you would want to have with their forward-deployed engineering team before the next AI Architecture review.

Anthropic — SpaceX capacity | PYMNTS — enterprise venture | Anthropic — Glasswing

Innovation

OpenAI ships GPT-5.5 Instant as the new ChatGPT default, with hallucination reductions targeted at finance, medicine, and law. Vendor

Signal: OpenAI released GPT-5.5 Instant on 5 May 2026 as the new default model for ChatGPT and as `chat-latest` in the API, replacing GPT-5.3 Instant. The headline change is a targeted reduction in hallucination in sensitive domains — specifically law, medicine, and finance — while preserving the low-latency profile of its predecessor. Anyone pinning to `chat-latest` has already been silently moved onto the new model; ChatGPT for Microsoft Intune also reached general availability.

Relevance: Two of the three named hallucination-targeted domains — finance and law — are the bank's most-cited regulated workflows, and the silent `chat-latest` rollover means that internal teams running production benchmarks against ChatGPT or the API picked up a different model this week whether they noticed or not.

Consider: Ask Chapter AI to re-run the bank's most recent hallucination regression suite against GPT-5.5 Instant within 30 days, with a specific cut for finance and legal queries — and to flag any teams pinned to `chat-latest` that did not refresh their benchmarks after the rollover.

OpenAI

ServiceNow ships its Autonomous Workforce — role-scoped AI specialists for L1 service desk, CRM, and employee services available today. Vendor

Signal: At Knowledge 2026, ServiceNow announced the full commercial launch of Autonomous Workforce: role-scoped AI specialists that complete end-to-end business processes without human intervention. The L1 IT Service Desk, CRM, and employee-services specialists are generally available now; IT operations and security/risk specialists move to general availability in June and September 2026 respectively. The capability is built into the platform many large enterprises — including most major European banks — already run for ITSM and HR workflows.

Relevance: Unlike most agentic launches, this one lands inside an existing enterprise platform with established change-management, audit, and SSO controls — so the integration question shifts from "can we trust it" to "which workflows do we let it own first", and the answer is largely a governance question, not a technical one.

Consider: Ask Operations and CISO to scope a 90-day evaluation of ServiceNow Autonomous Workforce starting with L1 IT Service Desk — the cheapest place to surface whether your existing ServiceNow governance is fit for an autonomous agent or whether it has been quietly relying on a human in the loop to absorb errors.

ServiceNow

On the radar

  • OpenAI's Realtime API left beta on 7 May with EU data residency, GPT-5-class reasoning in voice, and real-time speech translation including Dutch — re-opening voice-AI business cases scoped out 18 months ago. OpenAI
  • ING's research arm publicly diagnoses the bank-wide AI gap as 60% pilot activity versus under 30% production — framing 2026's AI challenge as organisational, not technical. ING THINK (publication date unverified)
  • Harvard Business Review's Toby Stuart argues pervasive AI uncertainty is now eroding the foundational confidence underlying long-term strategic investment — a case for stage-gating multi-year AI commitments rather than locking budgets. Harvard Business Review
  • ABN AMRO has migrated its Anna customer chatbot and Abby internal assistant onto Microsoft's enterprise AI tooling, with 3.5 million annual conversations and a published 7% gain in Dutch intent recognition. Microsoft (publication date unverified)
