AI Governance Daily, 14 May 2026

Different week, different story.

Monday and Tuesday were about enforcement. Today is about something bigger: AI is being treated as strategic industrial infrastructure. Not a product. Not a feature. Infrastructure.

Look at the pattern. Chinese labs turning US export controls into an efficiency moat. The Pentagon swapping bot farms for paid ads. OpenAI shipping actual sandbox engineering for code-executing agents. Supply chain attacks reaching AI tooling. These are not consumer-tech stories. They are critical-infrastructure stories.

Why SME execs should care: critical-infrastructure framing = changed vendor obligations, changed insurance posture, changed procurement risk. Overnight. The question stopped being "is this regulated?" and started being "is this critical?"

🌏 Global & Strategy

• Export controls built China's efficiency moat. Azeem's reporting from inside the Chinese labs is the piece to read if you still think compute caps are slowing the other side down. They are not. They are forcing architectures that are leaner, cheaper, and structurally harder to compete with on margin. Sanctions = unintended R&D subsidy. Read

• "Dominating AI" is not about bigger models. Lawfare argues the US national strategy needs to pivot from raw capability to understanding, testing, and securing frontier systems. Translation for buyers: the vendors who can explain their model will outlive the vendors who can only sell its benchmarks. Read

🇺🇸 US

• The Pentagon stopped using bots. It's buying ads. Post-2022, US military influence ops shifted from synthetic accounts to paid platform amplification. Reaching millions. Drawing real reactions, Community Notes, and appeals to Grok to fact-check the state. State-actor AI-enabled influence now hides inside the ad stack you already trust. If your brand-safety policy still says "watch for bots," it is fighting the last war. Read

🏢 Enterprise & Operating Model

• OpenAI shipped a real sandbox for Codex on Windows. Controlled file access. Network restrictions. Actual engineering, not a blog post about "responsible AI." If you are deploying code-executing agents, this is the reference architecture to benchmark your internal controls against. Ask your vendor: where is yours? Read

• AI tooling now has a supply chain problem. OpenAI's response to the TanStack npm attack ("Mini Shai-Hulud") walks through what they did, the signing certificates story, and the protections taken. The takeaway is not technical. It is governance. Your AI stack inherits every npm, pip, and package risk underneath it. That is now a board-level question, not a dev-team one. Read

🧠 Voices worth 5 minutes

• Azeem Azhar on the efficiency moat. Best single piece this week on why the US-China AI competition is not the race people think it is. Read it before your next strategy offsite. Read

• Lawfare on understanding vs dominating. Short, sharp, and uncomfortable if you have been buying capability without buying comprehension. Read

⚠️ Watchlist

• Trump AI security executive order still expected.
• Council and Parliament formal adoption of the EU Omnibus deal before 2 August 2026.
• Article 50(2) provider transparency obligations now 2 December 2026.
• High-risk AI obligations now 2 December 2027.

---

If you took anything from this week's enforcement run as "the regulators are catching up," today reframes it. The regulators are not catching up. They are recategorising. AI just got moved into the same drawer as power grids and ports. Plan your procurement accordingly.