1 – 8 May 2026
HIGHLIGHT OF THE WEEK
Pulling at the threads of AI governance
AI governance increasingly resembles a tangled ball of yarn: regulation, cybersecurity, infrastructure, labour markets, semiconductors, and geopolitics pulling on one another simultaneously.
There is an older word for such a ball of thread: clew. Historically, a clew was not just yarn, but a guide through a maze — the thread used in mythology to navigate complexity and find a way out. It is also the root of the modern word clue.
This week in AI governance felt like standing at the entrance to a maze with a clew in hand, faced with multiple threads.
Europe’s AI Act. Europe’s AI rulebook edged forward this week after negotiators reached a provisional agreement on the latest phase of the EU AI Act omnibus discussions, which aims to simplify parts of the Union’s digital rulebook and ease implementation burdens. The provisional agreement sets new application dates of 2 December 2027 for stand-alone high-risk AI systems and 2 August 2028 for high-risk AI systems embedded in products.
The agreement also extends certain simplification measures beyond SMEs to small mid-caps, while keeping some safeguards. The agreement also reinforces the AI Office’s powers. The text must still be endorsed by both the Council and the European Parliament before formal adoption.
National AI strategies. National AI strategies are also becoming more assertive — and more tied to economic sovereignty. Papua New Guinea has outlined a national approach to AI focused on data sovereignty, trusted public infrastructure, and new legislation, underpinned by four elements of the framework: Strengthening existing digital foundations such as SevisPass and SevisDEx, establishing a National AI Register, adopting sovereign data governance, introducing new laws, including a National Artificial Intelligence Act and a Data Governance and Protection Act. Kazakhstan reviewed proposals to expand AI deployment across all sectors as part of its digital transformation agenda. Canada moved to strengthen domestic photonic semiconductor and AI capabilities by spinning off the National Research Council of Canada (NRC)’s Canadian Photonics Fabrication Centre (CPFC) into a commercial entity. The UAE launched a national AI security laboratory focused on certification and cyber resilience.
These initiatives vary widely in ambition and capacity, but they share a common premise: AI infrastructure, data, and chips are now viewed as strategic assets.
AI diplomacy. At the same time, AI diplomacy is accelerating. Australia and Japan expanded cooperation on economic security and critical technologies. The EU and Japan advanced joint work on AI governance and cross-border data flows. South Korea and the Netherlands discussed semiconductor and AI cooperation. India and France have discussed expanding cooperation in space, AI, applied mathematics and advanced technologies. Norway joined the Pax Silica initiative, which focuses on securing semiconductor supply chains.
Even geopolitical rivals appear to be cautiously reopening channels on AI governance. According to reports, the USA and China are considering launching formal discussions on AI, signalling recognition that some degree of coordination may become unavoidable as frontier systems grow more capable and globally consequential.
Cybersecurity. The security picture darkens as multiple warnings are issued in one week.
The UK’s National Cyber Security Centre warned that AI systems could dramatically accelerate the discovery and exploitation of software vulnerabilities, compressing the time between disclosure and attack. Separate guidance from the NCSC examined the growing risks posed by adversarial machine learning attacks, including model manipulation, prompt injection, and data poisoning techniques designed to undermine AI systems themselves.
Swisscom similarly warned that AI and geopolitical tensions are reshaping the cyber threat landscape, with automation, influence operations, and AI-enhanced cyber capabilities becoming increasingly intertwined.
The Australian Securities and Investments Commission (ASIC) has urged regulated entities to strengthen cyber resilience, warning that frontier AI could intensify cyber risks by exposing vulnerabilities at greater speed, scale and sophistication. ASIC said licensees and market participants should act now to improve their cybersecurity fundamentals rather than wait as advanced AI tools reshape the threat environment.
In the USA, Microsoft, Google, and xAI agreed to provide advanced AI models for government-led security stress testing. The initiative is designed to support pre-deployment evaluations and targeted research intended to improve understanding of frontier AI capabilities and their national security implications.
Other threads. Canada found OpenAI non-compliant in a privacy probe — scraping public data for training was overbroad and lacked consent. Meta fought an EU order in a closed hearing, seeking to avoid letting rival AI chatbots onto WhatsApp for free.
The user’s POV. For compliance teams, the EU deal offers breathing room, but not a free pass — the transparency deadlines actually tightened. For security professionals, the NCSC warnings are a call to audit ML pipelines now, not later. For everyone watching geopolitics, the US-China AI talks would be the first real signal that both capitals see cooperation as necessary. The question is whether they can agree on anything beyond the need to talk.
The bottom line. The challenge for governments, companies, and users alike is no longer simply building AI systems. It is learning which strands matter, which knots are tightening, and which clews still lead out of the maze.
IN OTHER NEWS LAST WEEK
Meta on trial(s)
Meta Platforms is facing growing legal and regulatory pressure both in the USA and Europe over claims that its social media platforms contribute to youth addiction and mental health problems.
In New Mexico, the state is seeking $3.7 billion and asking the court to declare Meta a public nuisance. The lawsuit alleges that Facebook, Instagram, and WhatsApp were designed in ways that encourage addictive behaviour among minors. It also claims that these platforms failed to adequately protect young users from harmful content and exploitation. The state is requesting major changes to the platforms, including age verification and restrictions on features such as autoplay and infinite scroll for minors. Meta claims the case concerns individual users, rather than the harm to the public as a whole.
Meta is also attempting to overturn a California jury verdict that found the company negligent in the design of its platforms and awarded damages to a young plaintiff who claimed that social media use contributed to her depression. Meta argues that the claims are barred by Section 230 of the Communications Decency Act and that the alleged harms were connected to online content rather than the platforms’ design features.
Why does it matter? Both cases are considered important because they may influence many similar lawsuits currently pending against social media companies.
Dutch court backs DigiD contract despite US data access fears
The District Court of The Hague has rejected an attempt by three Dutch citizens to block the government from renewing its contract with Solvinity, the company responsible for hosting and technically managing systems linked to DigiD.
The plaintiffs argued that Solvinity’s planned acquisition by US-based IT provider Kyndryl could place sensitive data from more than 16 million DigiD users under US jurisdiction, potentially exposing it to US authorities and creating risks to critical public services such as healthcare, pensions, taxes, and unemployment systems.
Despite these concerns, the court ruled in favour of the Dutch State, allowing the agreement to proceed. Judges did not accept arguments that the deal would immediately threaten data security or justify halting the contract.
What’s next? The decision leaves further scrutiny to the Investment Assessment Office, which is reviewing national security risks linked to the acquisition.
Why does it matter? The case highlights ongoing tensions around digital sovereignty and data protection in the Netherlands.
End-to-end encrypted messaging on Instagram ends as wider encryption battles grow
As of 8 May, end-to-end encrypted messaging on Instagram is officially over. Meta has switched off the feature globally, abandoning plans to expand the privacy technology across the platform after years of promoting encrypted communication as the future of messaging.
At the same time, Apple and Meta are opposing Canada’s proposed Bill C-22, which they say could force companies to weaken encryption or build government-access mechanisms into their products. Canadian authorities argue the bill would help law enforcement respond more quickly to security threats.
Why does it matter? End-to-end encryption is widely seen as a core privacy protection because it limits access to message content, including by the platform itself. This week’s developments underline the questions about how major platforms prioritise privacy features, user safety, product complexity and interoperability across their messaging services.
LAST WEEK IN GENEVA
WTO resumes talks as 19 members back e-commerce moratorium pledge
The WTO’s General Council has met in Geneva for the first time since the 14th Ministerial Conference (MC14), after negotiators in Yaoundé narrowly missed agreements on several major files, including the future of the long-running e-commerce moratorium and broader WTO reform.
The newly elected chair, Ambassador Clare Kelly, said members remained committed to preserving the careful balance reached during negotiations in Cameroon and avoiding a return to earlier positions.
The discussions follow the expiry on 31 March of the WTO moratorium on customs duties on electronic transmissions, a temporary arrangement first adopted in 1998 that prevented countries from imposing tariffs on digital trade flows such as software downloads, streaming services, and other online transmissions. Ministers at MC14 failed to agree on another extension, exposing deep divisions over how long the moratorium should continue and how governments should respond to rapid technological developments such as AI and 3D printing.
Despite the lapse, a group of 19 WTO members announced they would continue not imposing customs duties on electronic transmissions among themselves. In a joint statement circulated at the WTO, the group said the arrangement would provide predictability and certainty for businesses and consumers while multilateral negotiations continue. The group includes Argentina, Australia, Costa Rica, Ecuador, Guatemala, Iceland, Israel, Japan, South Korea, Malaysia, Mexico, New Zealand, Norway, Panama, Paraguay, Singapore, Separate Customs Territory of Taiwan, Penghu, Kinmen and Matsu, the USA, and Uruguay.
Türkiye also signalled new flexibility during the General Council meeting, announcing it would not block consensus on a temporary extension of the moratorium. However, Brazil maintained its opposition to a four-year extension of the moratorium.
What’s next? The chair announced further consultations on e-commerce and WTO reform, with plans to report back to members in July.
Geneva Cyber Week 2026
The UN Institute for Disarmament Research (UNDIR) and the Swiss Federal Department of Foreign Affairs (FDFA) are co-hosting Geneva Cyber Week from 4 to 8 May 2026, bringing policymakers, diplomats, technical experts, industry leaders, academics, and civil society representatives to venues across Geneva and online for a week of discussions on cyber stability, resilience, governance, digitalisation, and the security implications of emerging technologies, including AI.
Returning after its inaugural edition, the event is being positioned as a response to a more fragile cyber and geopolitical environment. Held under the theme ‘Advancing Global Cooperation in Cyberspace’, Geneva Cyber Week 2026 comes at a moment of mounting cyber insecurity, intensifying geopolitical tension, and rapid technological change. The programme features nearly 90 events and reinforced Geneva’s role as a centre for cyber diplomacy, international cooperation, and digital governance.
As part of Geneva Cyber Week, UNIDIR organised the Cyber Stability Conference 2026, on 4–5 May in Geneva and online, bringing together governments, international organisations, industry, academia, and civil society to discuss ICT security and cyber governance. Under the theme ‘Cyber governance in an era of technological revolution: Past lessons, present realities and future frontiers,’ discussions explored how international cyber stability frameworks are adapting to rapid technological change, including AI and quantum computing, while reflecting on lessons from past cyber diplomacy processes and current security challenges.
Multi-year expert meeting on investment, innovation and entrepreneurship for productive capacity-building and sustainable development, 12th session
UNCTAD’s Multi-year Expert Meeting on Investment, Innovation and Entrepreneurship for Productive Capacity-building and Sustainable Development met for its twelfth session 4-5 May. The experts warned that AI and other strategic technologies are reshaping global investment patterns, concentrating capital in a handful of sectors and countries while leaving many developing economies behind. Discussions at the meeting focused on how developing countries can compete in AI-related sectors, strengthen domestic innovation ecosystems and ensure that AI-driven investment translates into broader development gains.
OSCE Conference ‘Anticipating technologies – for a safe and humane future’ opens in Geneva
The Swiss Chairpersonship of the Organization for Security and Co-operation in Europe opened a two-day high-level conference on anticipatory technologies in Geneva on 7 May. The event is examining how foresight, dialogue, and international cooperation can help reduce misunderstandings, build trust, and strengthen security across the OSCE region amid rapid technological change.
The programme includes discussions on anticipating technological change and its geopolitical impact, water and energy security in the digital age, and the role of AI in early warning and conflict prevention.
The conference also highlights Geneva’s role as a meeting point for science and diplomacy, including through institutions such as CERN, the Geneva Science and Diplomacy Anticipator, and the Open Quantum Institute.
The event forms part of the Chairpersonship’s priority to connect scientific and technological anticipation with policy action.
READING CORNER
Quantum research access, UNESCO says, remains concentrated in wealthier economies.
Public sector transformation requires more than technology, demanding systemic reform in governance, procurement, and talent to meet citizens’ real needs.
Global labour markets face rapid transformation as the ILO highlights growing AI and skills challenges.
OPPORTUNITY
Opportunity: Become a Knowledge Fellow
Diplo is pleased to launch a new call for applications for Digital Watch Knowledge Fellows (2026), the team of collaborators behind the Digital Watch Observatory (DW). Knowledge Fellows (KF) are central to the observatory’s ability to provide comprehensive, accurate, and up-to-date coverage of specific areas of digital governance. More details on what we are looking for and what we offer in return are available here. Interested applicants are invited to apply by 31 May 2026.
