Tools become counterparties. The floor they stand on (liability, insurance, compute and energy) is the binding constraint, not the network above it.
The AI conversation has moved past whether the technology works. The harder questions this cycle are who is liable when an agent signs a contract, who insures the loss when an agent acts badly, who builds the grid for the next training run, and who decides when an open-weight model from another jurisdiction is good enough.
Regulators are quietly conceding that human oversight does not scale to autonomous agents. Insurers are quietly withdrawing cover. Card networks are quietly making agents into payers. Grid operators are quietly rationing the power AI needs.
The one thing to take into the next meeting: the binding constraint on AI deployment over the next two years is no longer the model. It is the contract layer, the insurance wrapper, the compute supply and the substation. Boards still planning around capability will be planning around the wrong thing.
Which AI deployments on your desk this week were sized around capability, not around who pays when the agent acts badly?
The evidence in this report says the binding constraints have moved to liability, insurance and physical infrastructure.
The frame that organised AI conversation last cycle, that AI had joined the org chart, has hardened into something blunter: AI has started signing, spending and failing. In the six weeks since the May edition, four institutional moves landed in close succession and they reframe the strategic question for every leadership team holding an AI plan.
First, the Federal Reserve, OCC and FDIC amended their tri-agency model-risk guidance on 17 April 2026 to clarify that it no longer applies to generative or agentic AI (Federal Reserve Board, May 2026). The Bank of England's parallel February 2026 AI roundtables recorded firms saying the human-in-the-loop concept was 'challenged by the rise of agentic AI' (Bank of England, February 2026). On 25 May 2026 IOSCO published its Supervisory Toolkit noting member experiments using 'AI as a judge' (IOSCO, May 2026), and on 10 June 2026 the FSB consulted on twelve sound practices placing board and senior-management accountability at the centre (FSB, June 2026). Read together, the global supervisory community is publicly admitting that human review at the moment a decision is made does not scale to agentic AI, and is moving to outcome- and lifecycle-based oversight.
Second, the payment networks have stopped piloting and started production. Mastercard reported on 2 June 2026 that every European issuer is now enabled at network level for Agent Pay, with Santander, ING, Deutsche Bank, KBC, UniCredit, Erste, Bank Hapoalim and N26 among those completing live agentic transactions using passkeys for authentication (Mastercard, June 2026). On 8 April 2026 Visa launched Intelligent Commerce Connect as a neutral on-ramp across protocol stacks (Visa, April 2026). The IMF's April 2026 note on agentic payments argues this changes the unit of analysis: agents are becoming the party (IMF, April 2026). In China, Caixin Global reported in March 2026 that Alipay's AI Pay passed 100 million users during Chinese New Year and former PBoC Deputy Governor Zhu Min called for a 'Know Your Agent' regime (Caixin Global, March 2026).
Third, the underwriting brake has hardened. Munich Re's 2026 cyber report notes Verisk/ISO rolled out three generative-AI exclusion endorsements on 1 January 2026 now sitting behind roughly 82% of US P&C policies (Munich Re, March 2026). The captive market is absorbing the layers commercial insurers will not write (Captive.com, May 2026), and D&O carriers are now probing board-level AI governance at renewal (D&O Diary, June 2026). The Edwin Coe head of insurance told Insurance Journal in May 2026 that the diversifiable-loss assumption on which cyber insurance rests is breaking under frontier AI (Insurance Journal, May 2026). The May 2026 Signal Scan flagged this as 'The Underwriting Brake'. A month on, the brake is harder.
Fourth, the physical floor is moving. The IEA's Electricity 2026 report projects data-centre demand to roughly double to ~945 TWh by 2030 (IEA, February 2026); NERC's January 2026 Long-Term Reliability Assessment lifted its ten-year US summer peak forecast by 69% in a single revision (NERC via Utility Dive, January 2026); Germany's four TSOs are rationing 270 GW of grid-connection requests against ~94 GW of forecast 2037 need (TransnetBW, February 2026). Even Constellation's Three Mile Island restart depends on transmission upgrades not expected before December 2030 (Utility Dive, June 2026).
The last cycle's spine theme was the agent operating model. This cycle's spine is the layer underneath. Whichever AI strategy a leadership team has written in 2025 was written before regulators conceded oversight could not scale, before insurers started writing AI exclusions as standard, before card networks made agents into payers and before grid operators started rationing connections. Each of those four reframings independently changes which decisions sit on the next board agenda.
The synthesis assumes the four institutional shifts (regulator concession, payment-rail enablement, insurance hardening and infrastructure rationing) are converging on a 12 to 24 month horizon and will hold long enough to reshape FY27 board agendas. The single most consequential assumption is that the insurance market does not bend back: if cyber and D&O carriers find a workable underwriting language for agentic AI (model-card disclosure, third-party assurance, attestation regimes), capacity reopens and the deployment brake softens within 12 months. The signal that would force a material revision is an LMA model-clause update or a Munich Re position paper offering insurable agentic-AI wordings; absent that, residual-risk allocation continues to bind. A subsidiary risk: a US-China deal that lifts compute-export friction could reshape the sovereign-compute theme inside one cycle.
Each is developed below, with a decision posture, in the four Strategic Implications.
Four lenses on the same evidence base, one per audience type. Each card carries the one question this cycle puts to that function.
The shift: AI has moved from a strategic option to a layer-by-layer operating question: liability, insurance, compute and grid.
The question to brief: Which of the five themes most disturbs the FY27 plan we sent to the board, and which paper do we re-open first?
The shift: Agent identity, action logging, output classifiers and external review are now procurement primitives, not engineering options.
The question to brief: Which vendor and which sovereign-compute fallback does our 18-month deployment plan assume, and is the assumption explicit?
The shift: Outcome-based supervision plus tightening AI exclusions in cyber and D&O wordings shifts residual risk onto the balance sheet.
The question to brief: Which insured layer have we lost cover on in 2026, and what is the captive or self-retention plan to absorb it?
The shift: The May cycle's entry-level reset deepens: routine signing, ordering and reconciliation work moves to agents while exception handling and oversight roles thin out.
The question to brief: Which mid-career roles are net consumers of automated outputs rather than producers, and how do we redeploy?
The cycle's signals are organised into five themes, ranked by impact on Shaping Tomorrow's near-term decisions. Immediate: changes the FY27 plan, the corporate structure or the proposition. Near-Term: changes Shaping Tomorrow's competitive position over the next twelve months. Longer-Range: a multi-year compounding factor to track and revisit each cycle.
The most consequential 2026 shift in AI is not capability; it is contract. Agents are no longer acting on behalf of a human, they are becoming the party. The Singapore IMDA, the IMF, the OECD, UNCITRAL, the BIS, Visa and Mastercard have all moved within five months to build identity, authentication, settlement and contract law around agent-initiated transactions. For any organisation that pays, gets paid or signs contracts at scale, the question is not whether to allow agents to transact, but who answers when the agent signs and on what authority.
Source: Shaping Tomorrow synthesis of IMDA (Jan 2026), OECD (Feb 2026), UNCITRAL (Mar 2026), Visa (Apr 2026), IMF (Apr 2026), BIS (May 2026) and Mastercard (Jun 2026) announcements.
The deployment data so far is largely pilot or controlled-launch. Mastercard's named live transactions are still discrete events rather than steady-state retail volume, China UnionPay's APOP is a protocol rather than market share, and Visa Intelligent Commerce Connect launched only two months before this brief. A reasonable reading is that the contract and rail layer is assembling faster than transaction volume, and an operator could prudently wait two more quarters to see which protocol stack and which authentication standard wins. The counter-counter: every prior payments shift (contactless, instant payments, tokenisation) showed that infrastructure assembled before steady-state volume and the cost of being late to the rail outweighed the cost of choosing the wrong protocol.
The supervisory consensus has cracked. Across five months and seven jurisdictions, regulators with statutory responsibility for AI in finance have publicly stated that human oversight cannot scale to agentic AI. The shift is from supervising what an agent does to governing what an agent is allowed to do: objectives, guardrails, audit trails, outcome thresholds. It lands at the exact moment the EU AI Act's human-oversight rules (Article 14) take full force on 2 August 2026. For any leadership team that has written human-in-the-loop into its AI governance policy, the question is whether the policy describes the present or the past.
Single-agent oversight (one agent, one task chain) is what current human-in-the-loop guidance assumes. Anthropic's Model Context Protocol, Microsoft Copilot Connectors, Google's Agent-to-Agent protocol and Salesforce Agentforce are now enabling teams of agents that negotiate, delegate and escalate among themselves. The supervisory question is no longer "which agent decision needs human approval" but "which multi-agent interaction triggers human review at all"; both governance and audit frameworks were written for the simpler case.
The Ada Lovelace Institute's December 2025 polling of UK adults found 89% want AI proven safe before release and 82% support mandatory pre-market safety testing (Ada Lovelace Institute, December 2025). The regulator drift toward outcome-based oversight outruns public consent: a single high-profile agent failure (a wrongful payment, a biased denial, an unauthorised contract) could force jurisdictions to re-impose hard human-controlled gates, with the EU AI Act's August 2026 application date providing the readiest statutory vehicle. The fact that supervisors privately agree human-in-the-loop does not scale does not mean lawmakers will say so publicly when the first incident makes headlines.
Capacity and capability are no longer the binding constraint on AI deployment; allocated residual risk is. Cyber insurers are writing standardised AI exclusions; professional indemnity wordings are being rewritten around agent-driven actions; D&O carriers are probing board-level AI governance at renewal; the captive market is shifting to absorb the layers commercial insurers will not write. The 23 May 2026 Signal Scan flagged this as the underwriting brake. A month on, the brake is harder. For any organisation deploying AI in the credit, claims, customer-service, contracting or trading perimeter, the next 12 months will turn on what the cyber, professional indemnity and D&O policy say about AI in the small print, and on what cover the captive can provide if the answer is 'nothing'.
Source: Munich Re Cyber Insurance: Risks and Trends 2026 (25 March 2026); Pillsbury Policyholder Pulse (13 April 2026).
Cyber, D&O and professional-indemnity underwriter due-diligence questionnaires now set governance standards faster than legislators codify them, and the 82% AI-exclusion endorsement rate is not just a coverage retreat. The underwriter checklist is operating as a parallel compliance regime that boards are answering against, in many jurisdictions before any AI-specific statute lands. Where the regulator is permissive, the insurer is prescriptive; the binding rule on day-to-day deployment is increasingly the policy wording, not the Act.
Two arguments cut against the hardening reading. First, the underwriting brake may be a discovery-phase tightening rather than a market-wide withdrawal; if the Lloyd's AI Adoption Toolkit, captive innovation and reinsurer modelling converge on an insurable form for agentic AI within 12 to 18 months, the brake softens. Second, large operators can self-insure or use captives at scale; the constraint binds harder on mid-cap and public-sector deployers who lack captive scale and rely on commercial cover. The counter-counter: even temporary capacity withdrawal still binds at the FY27 plan horizon, and the captive option transfers cost rather than removes it.
Model weights are no longer the moat. Open-weight frontier capability now sits within a four-month gap of closed proprietary models; US export-control posture has flipped from presumption of denial to case-by-case review; China, the UK, the EU, Korea, India, the UAE and Saudi Arabia have all launched explicit sovereign-compute architectures. Competitive position in AI is being rebuilt around compute supply, deployment locality and trusted-data integration, not around access to the best model. For any organisation procuring AI for material workflows, the question is whether the vendor lock-in language in the 2025 contract still reflects where leverage sits in 2026.
Moody's, S&P and Fitch are beginning to flag datacentre concentration and AI-driven productivity divergence in sovereign methodology commentary. Nations with thin AI infrastructure may face credit downgrade pressure on a 3-5 year horizon as the productivity gap with AI-rich peers widens. The implication runs both ways: hyperscaler capex location decisions are starting to carry sovereign-credit consequences for host countries that current trade-and-investment policy does not yet account for.
Two readings push back. First, the open-versus-closed gap may stop closing: closed labs are widely thought to be withholding their most capable systems, so Epoch's four-month gap may understate the true gap and the moat may reassert itself if frontier training compute keeps doubling. Second, sovereign-compute funds in the UK, EU and Korea may struggle to outrun the US hyperscaler USD 450bn spend; the realistic equilibrium is a two-stack world in which sovereign compute provides national resilience for state and regulated workloads but is not the centre of gravity for frontier training. Both readings are compatible with the cluster's thesis: model-weight moats are weakening even if not collapsed, and competitive position must be planned around the assumption that the next-best open-weight model is good enough for most enterprise workloads.
The previous cycle's 'capex reckoning' theme assumed money was the binding constraint on AI scaling. What the last six months have established is that physical infrastructure is the binding constraint instead, on a three- to seven-year horizon. Grid-interconnection queues run four to seven years; the official US grid-reliability regulator has lifted its ten-year peak forecast by 69% in a single revision; Germany's four TSOs are openly rationing connection slots; water-rights pushback has crossed from advocacy into municipal bans in over 50 US cities. For boards approving AI capex on a three-year payback, the question is whether the substation and the river basin are part of the business case.
Source: TransnetBW joint TSO press release, 5 February 2026.
As hyperscalers shift to behind-the-meter generation (BTM gas, BTM small modular nuclear) to escape grid-interconnection queues, regulators in California, Virginia, Texas and Ireland are starting to ask whether this triggers utility classification. The implication: loss of priority interconnection, rate-regulation exposure and public-utility commission jurisdiction. A capex strategy built on regulatory arbitrage of the grid queue could collide with utility-classification rulings inside the same 3-7 year window in which the grid constraint itself bites.
Two arguments soften the ceiling. First, the energy mix can move faster than the grid: behind-the-meter generation, small modular reactors and dedicated nuclear restarts can serve hyperscaler load without waiting for transmission upgrades, and the FERC PJM colocation order is an attempt to make that legal at scale. Second, water consumption falls sharply with liquid cooling and renewable-powered closed-loop systems, so the water question is partly a siting question rather than a global ceiling. The counter-counter: even with behind-the-meter generation the substation and the transmission upgrade matter for any deliverable beyond a single site, and water-rights pushback is now a social-licence question that engineering alone does not resolve.
Four decisions turn this cycle's signals into the FY27 plan. Each names the move, a horizon and a decision posture.
Following the Federal Reserve, OCC and FDIC carve-out of agentic AI from formal model-risk guidance on 17 April 2026 and the FSB's 10 June 2026 placement of board and senior-management accountability at the centre of its 12 sound practices, every organisation deploying AI in material workflows must have a named senior accountable owner for agent deployment, distinct from the CIO and reporting to the board. The AI governance policy that referenced 'human-in-the-loop' as the primary control must be rewritten around objectives, guardrails, action logging and outcome thresholds before EU AI Act application on 2 August 2026.
Action: By 31 August 2026, the board should approve a revised AI governance policy with a named accountable owner, an outcome-based control framework and a documented response to the FSB sound practices.
Decide Draws on Theme 1 and 2.Two binding constraints have replaced capability and capex as the deployment gate. First, roughly 82% of US P&C policies now carry Verisk/ISO generative-AI exclusion endorsements, and D&O carriers are probing board-level AI governance at renewal; AI deployments without an explicit residual-risk allocation now sit on the firm's own balance sheet whether the business case acknowledges it or not. Second, grid-connection queues run four to seven years, water-rights pushback is now municipal-ban territory in 50 plus US cities, and physical-infrastructure supply is rationed (270 GW of requests against ~94 GW of forecast 2037 need in Germany). Business cases written in 2025 against 'capacity available' assumptions need re-examining against both.
Action: By end Q3 2026, every live or proposed AI deployment carrying material residual exposure should be re-examined against the current cyber, professional indemnity, D&O and grid/compute supply assumptions and flagged to risk and audit committees.
Decide Draws on Theme 3, 4 and 5.Captive practitioners are explicit (Marsh, Hylant, Milliman, Iowa Insurance Division) that AI-related coverage is a domain where the commercial market is excluding or sub-limiting risk and where captives are absorbing the layers via difference-in-conditions wrappers and excess attachments. Marsh reports roughly USD 166m of cyber premium running through its captives. For any operator at sufficient scale, the captive route is the alternative to taking the residual risk on the balance sheet uninsured. For sub-captive operators, the choice is between accepting the exclusion, switching carrier or restructuring the deployment to avoid the excluded fact pattern.
Action: By end Q4 2026, group risk should present a paper on captive-versus-commercial allocation of AI residual risk for the next FY27 insurance buying cycle, with specific layers identified as captive-absorbed.
Prepare Draws on Theme 3.Open-weight frontier models now lag closed proprietary models by an average of four months on Epoch's capability index. Sovereign-compute funds in the UK, EU, Korea, India, the UAE and Saudi Arabia plus the US export-control shift from denial to case-by-case review mean that vendor lock-in language in 2025 contracts likely understates the leverage that has shifted to compute supply, deployment locality and trusted-data integration. The right posture this cycle is not to renegotiate every contract but to monitor the open-versus-closed capability gap and the sovereign-compute build-out, and to ensure FY27 vendor commitments include explicit fallback language and exit terms.
Action: By 31 December 2026, refresh the AI vendor map quarterly, flagging where open-weight frontier capability has reached operational parity for any material workload and where sovereign-compute or in-country deployment is now a procurement option.
Monitor Draws on Theme 4.The vertical axis is the pace of agentic-AI legal-and-operational maturation (fast at the top, slow at the bottom). The horizontal axis is the regulator stance (permissive on the left, prescriptive on the right). The four scenarios below are planning aids, not forecasts.
Agentic commerce scales rapidly under outcome-based oversight. Card networks, Big-Tech agent platforms and payment regulators converge on a workable agent identity, authentication and dispute architecture. First-mover sectors capture share quickly; the contract layer assembles in 12 to 18 months. Liability flows are clarified by case law rather than statute. Insurance retreats then re-enters at higher prices with sharper exclusions. Sovereign compute matters less because deployment leverage shifts to data and integration. Boards face a high tempo but legible operating environment.
Rapid agentic scaling lands in jurisdictions with clear ex-ante rules. The EU AI Act's human-oversight requirements bite at the 2 August 2026 application date and bifurcate global deployment: EU and UK financial-services operators deploy under FSB sound practices, IOSCO toolkit and EIOPA dashboard pressure; US operators deploy under outcome-based supervision; China deploys under a sovereign protocol stack with PBoC oversight. Compliance costs are real but predictable. The brake remains on cyber and D&O cover; captives expand fast.
Agents mature in-house under permissive regimes but commercial deployment lags. Capability keeps improving on benchmarks; production deployment stays narrow because the contract, dispute and insurance layer does not coalesce. The supervisory carve-outs in the US and UK become a quiet stalemate: firms have responsibility but no rulebook. Boards inherit AI agents inside their own operations long before agents become market-facing counterparties. The competitive position question is internal productivity, not external scale.
Slow agentic scaling and prescriptive rules. A high-profile agent failure (an unauthorised contract, an automated trading event, a wrongful denial of service) forces lawmakers to re-impose hard human-controlled gates. The EU AI Act becomes a global de facto template; agentic AI stays mostly a tool rather than a counterparty through 2028. Sovereign-compute funds redirect to internal-government and critical-infrastructure use. Insurance reopens for narrowly-defined deployments. The capital case for agentic AI lengthens.
Multiple credible voices argue scaling is hitting diminishing returns and the next 12 months will not produce a discontinuous jump in frontier capability. The IMF, the OECD, the BIS and Epoch AI all anchor their analyses on continuous-but-incremental improvement. This briefing therefore treats the 2026 to 2028 horizon as compounding rather than discontinuous capability change. If a frontier lab demonstrates verified agentic reliability above 95% on long-horizon production tasks (currently around 50%), the picture shifts.
Reinstate if: Frontier capability moves to verified end-to-end agentic reliability above 95% on a multi-hour task suite, or a frontier lab demonstrates a multi-trillion-parameter training run delivering qualitatively new behaviour.
The Bureau of Industry and Security shifted from presumption of denial to case-by-case review on 15 January 2026, but the bipartisan US Congressional posture on Chinese AI capability remains hawkish. CSIS's December 2025 testimony argues compute denial is the single most consequential US lever and should be sharpened, not loosened. This briefing therefore plans on continued export friction rather than a deal. If a comprehensive deal lands, the sovereign-compute theme reshapes inside one cycle and frontier-model parity gaps narrow further.
Reinstate if: A US-China bilateral framework lifts the case-by-case license review and re-opens H100 or B200 class exports at scale, or BIS publishes a broad delegated-authority framework permitting routine exports under licence.
The 2023 Bletchley AI Safety Summit declaration and successor processes have produced soft language; no jurisdiction has imposed a binding moratorium on agentic AI deployment, and the regulatory direction in 2026 is enabling outcome-based oversight rather than prohibition. The G7, G20 and OECD processes are moving toward common principles, not coordinated suspension. This briefing therefore does not plan around a multilateral pause. If a coordinated G7 deployment pause emerges, every theme in this cycle is repriced.
Reinstate if: Two or more G7 members impose statutory moratoria on agentic AI deployment in finance or critical infrastructure, or a binding G7 declaration emerges from a successor AI safety summit.
This briefing draws on 39 verified sources, gathered under a soft six-month recency window (publications from December 2025 onward), with 4 structural anchors in the six-to-twelve-month band.
Source tiers: Tier 1, governments, regulators and intergovernmental bodies. Tier 2, think-tanks, academic institutes, major consultancies and quality data providers. Tier 3, quality journalism and specialist trade press. Tier 4, vendor, company and practitioner sources, used only as directional corroboration.
| Source | Tier | Date | Key claim used |
|---|---|---|---|
| Infocomm Media Development Authority of Singapore (IMDA), Singapore Launches New Model AI Governance Framework for Agentic AI | Tier 1 | Jan 2026 | IMDA launches a Model AI Governance Framework dedicated to agentic AI, building on the 2024 generative-AI framework and treating agents as a distinct governance class needing identity, action logging and lifecycle accountability. |
| International Monetary Fund, How Agentic AI Will Reshape Payments (IMF Note 2026/004) | Tier 1 | Apr 2026 | Agentic AI changes the unit of analysis in payments: agents will initiate, authorise and reconcile transactions, requiring new authentication, dispute and settlement architecture and reshaping who counts as a payer for AML/CFT purposes. |
| OECD, The Agentic AI Landscape and Its Conceptual Foundations (OECD AI Papers No. 56) | Tier 1 | Feb 2026 | OECD defines agentic AI as coordinated ensembles of agents that decompose tasks, delegate, collaborate and sustain operations over extended periods in open environments, mapped across 177 jurisdictions; treats it as a system-level paradigm whose governance is lifecycle-embedded rather than per-decision. |
| Visa, Visa Opens the Door to AI-Driven Shopping for Businesses Worldwide (Intelligent Commerce Connect) | Tier 2 | Apr 2026 | Visa launched Intelligent Commerce Connect as a network-, protocol- and token-vault-agnostic on-ramp that lets AI agents pay and merchants accept agentic transactions through a single integration, supporting Trusted Agent Protocol, Machine Payments Protocol, Agentic Commerce Protocol and Universal Commerce Protocol. |
| Mastercard, Europe is Building the Foundations for Trusted Agentic Commerce | Tier 2 | Jun 2026 | All Mastercard issuers in Europe are now enabled at network level for Agent Pay; named banks including Santander, ING, Deutsche Bank, KBC, UniCredit, Erste, Bank Hapoalim, N26 and Carrefour Banque have completed live agentic transactions using passkeys for authentication, with Worldline and ING completing a fully European end-to-end agentic payment in production. |
| Bank for International Settlements, Project Agorá shows how tokenisation can improve wholesale cross-border payments; work will advance to real-value testing | Tier 1 | May 2026 | Project Agorá's prototype across seven major central banks and 40+ private financial institutions demonstrated that atomic, multi-currency cross-border settlement using tokenised central-bank reserves and tokenised commercial-bank deposits is feasible; the project will now move to real-value testing. |
| UNCITRAL (United Nations Commission on International Trade Law), Report of Working Group IV (Electronic Commerce) on the work of its seventieth session (A/CN.9/1242) | Tier 1 | Mar 2026 | UNCITRAL Working Group IV held its 70th session on 23-27 March 2026, advancing draft model legislative provisions on contracts for the provision of data, extending the automated-contracting framework into data and AI-mediated transactions. |
| Caixin Global, In Depth: AI Agents Ignite Global Battle for the Future of Payments | Tier 3 | Mar 2026 | Alipay's AI Pay surpassed 100 million users and 200 million transactions during 2026 Chinese New Year; China UnionPay released the Agentic Payment Open Protocol with 19 institutions; former PBoC Deputy Governor Zhu Min has called for a 'Know Your Agent' regime to supplement KYC as systemic risk rises. |
| Source | Tier | Date | Key claim used |
|---|---|---|---|
| International Organization of Securities Commissions, Supervisory Toolkit for AI Use in Capital Markets (Final Report FR/02/2026) | Tier 1 | May 2026 | IOSCO's supervisory toolkit covers the full AI lifecycle including emerging agentic AI; two responding members reported experiments using AI to oversee other AI ('AI as a judge'), and members raised concerns about control over agentic systems and the need for greater governance and accountability focus. |
| Financial Stability Board, FSB consults on sound practices for the responsible adoption of artificial intelligence (AI) | Tier 1 | Jun 2026 | The FSB published a consultation report identifying 12 sound practices for responsible AI adoption, covering organisation-wide governance, lifecycle risk management and cyber/ICT/third-party risks; strongly encourages boards and senior management to reference them, with responses due 22 July 2026 and a final report in October 2026 as a US G20 deliverable. |
| Bank of England, Summary of AI roundtables - February 2026 | Tier 1 | Feb 2026 | Across BoE roundtables, regulated firms said traditional model risk management would not be sustainable as generative and agentic AI proliferated; the emphasis on understanding a model's inner workings was no longer tenable; the concept of 'human-in-the-loop' was challenged by agentic AI; several suggested risk management should shift to testing, monitoring and setting guardrails around AI outcomes. |
| Federal Reserve Board, Artificial Intelligence in the Financial System (speech by Vice Chair for Supervision Michelle W. Bowman, FSOC AI Roundtable) | Tier 1 | May 2026 | The Federal Reserve, with the OCC and FDIC, amended its model risk management guidance (SR letter 26-2, 17 April 2026) to clarify it does not apply to generative or agentic AI; Bowman said supervisors should assess whether guidance is fit for the future and that other risk-management and governance practices should support agentic AI adoption. |
| Autorité de contrôle prudentiel et de résolution (ACPR), Banque de France, The ACPR presents its work programme for 2026 | Tier 1 | Jan 2026 | The French prudential supervisor formally adds 'Prepare for AI supervision' as one of five 2026 priority focus areas, confirming it will be designated competent market authority for the AI Act in banking and insurance and will co-develop assessment methodologies with industry rather than rely on case-by-case human approval. |
| KPMG Klardenker (Germany), Ein Blick auf die neue BaFin-Orientierungshilfe zu künstlicher Intelligenz | Tier 2 | Jan 2026 | BaFin's new AI guidance (Dec 2025) places AI under DORA's ICT-risk-management lifecycle rather than treating Article 14 human oversight as a stand-alone control; DORA addresses operational resilience while the AI Act layers human-oversight, transparency and non-discrimination requirements; the two regimes only together form a complete German framework. |
| U.S. Securities and Exchange Commission, Remarks at FSOC AI Innovation Series Roundtable on Strategy and Governance Principles (Chairman Paul S. Atkins) | Tier 1 | Mar 2026 | The SEC Chair rejects prescriptive AI-disclosure or human-in-the-loop checklists in favour of a principles- and materiality-based regime; affirms that human judgment remains imperative but signals the SEC will police outcomes (fraud, materiality) rather than mandate human-oversight architectures. |
| Ada Lovelace Institute, Great (public) expectations | Tier 2 | Dec 2025 | Nationally representative UK polling: 89% say AI should not be released until proven safe; 82% support mandatory (not voluntary) pre-market safety testing; 89% want an independent regulator with enforcement powers. Counter-case: without binding human-controlled gates, public trust withdraws. |
| Source | Tier | Date | Key claim used |
|---|---|---|---|
| Munich Re, Cyber insurance: Risks and trends 2026 | Tier 2 | Mar 2026 | Munich Re's flagship 2026 cyber report names agentic AI as a defining trend reshaping the cyber threat landscape, notes Verisk/ISO rolled out three generative-AI exclusion endorsements on 1 January 2026 now sitting behind roughly 82% of US P&C policies. |
| Lloyd's Market Association, LMA launches AI Adoption Toolkit to support governance-led implementation across the Lloyd's market | Tier 2 | Apr 2026 | Lloyd's trade body issued a formal AI Adoption Toolkit pushing managing agents from experimentation to structured governance-led adoption with risk tiering, human oversight and embedded controls; translates directly into the questions managing agents put to AI-deploying insureds. |
| Captive.com (IRMI), Captive Insurance Expands Role in Cyber-Risk Financing Strategies | Tier 2 | May 2026 | Captive practitioners (Marsh Captive Solutions, Hylant, Milliman, Iowa Insurance Division) explicitly identify AI-related coverage as a domain where the commercial market is excluding or sub-limiting risk and where captives are stepping in via difference-in-conditions wrappers, deductible buy-downs and excess layers; Marsh reports roughly USD 166m of cyber premium running through its captives globally. |
| European Insurance and Occupational Pensions Authority (EIOPA), EIOPA's insurance risk dashboard shows overall stability, with geopolitical uncertainty shaping the future outlook (April 2026) | Tier 1 | Apr 2026 | EIOPA's April 2026 supervisory dashboard formally flags digitalisation and cyber exposures, including AI-driven complexity in insurer operations and underwriting, as a persistent risk vector, sustaining supervisory pressure begun with the August 2025 AI Opinion. |
| The D&O Diary (Kevin LaCroix / RT ProExec), AI, D&O Risk, and the Limits of Underwriting | Tier 3 | Jun 2026 | AI exposure cannot be cleanly underwritten through traditional methods; carriers are routinely probing AI governance, board reporting, model validation and disclosure controls at renewal; companies failing those tests face premium loadings, AI-specific coverage restrictions, or declination, making AI governance the new gate for D&O capacity. |
| Insurance Journal, Viewpoint: The AI Boom - When Risk Stops Being Rare, Insurance Must Evolve | Tier 3 | May 2026 | Edwin Coe head of insurance argues frontier AI tools are breaking the independence-and-time assumptions on which cyber insurability rests; premiums up, wordings tightening around 'reasonable precautions', exclusions expanding, capacity withdrawing from highly correlated AI risks. |
| Pillsbury Winthrop Shaw Pittman (Policyholder Pulse), AI Exclusions in Insurance Policies: Broad Language, Uncertain Impact | Tier 3 | Apr 2026 | Pillsbury counsel analyses three Verisk/ISO generative-AI exclusion endorsements taking effect across US P&C lines, noting their broad scope (including any 'AI-related' loss), the litigation risk of broad ambiguity, and the immediate effect on coverage architecture for AI-deploying insureds. |
| Source | Tier | Date | Key claim used |
|---|---|---|---|
| US Federal Register / Bureau of Industry and Security, Department of Commerce, Revision to License Review Policy for Advanced Computing Commodities | Tier 1 | Jan 2026 | BIS shifts its export-control posture on advanced AI semiconductors (Nvidia H200, AMD MI325X and equivalents) for China and Macau from a presumption of denial to case-by-case review, subject to supply, security and testing conditions. |
| Center for Strategic and International Studies (CSIS), Wadhwani AI Center, Countering China's Challenge to American AI Leadership (Congressional Testimony, Gregory C. Allen) | Tier 2 | Dec 2025 | Five US firms (Meta, Alphabet, Microsoft, Amazon, Oracle) are projected to spend more than $450bn in AI capex in 2026 alone; compute concentration and access to advanced chips remains the largest single US advantage over China, but export-control implementation has been flawed. |
| Bank for International Settlements, BIS Bulletin No 120: Financing the AI boom - from cash flows to debt | Tier 1 | Jan 2026 | AI-related investment exceeds 1% of US GDP and total IT investment 5% (highest since the dot-com peak); firms are shifting from internal cash flows to debt; outstanding private credit to AI firms could reach $300-600bn by 2030, raising systemic and concentration risks. |
| UK Government / Department for Science, Innovation and Technology (DSIT), AI Opportunities Action Plan: One Year On | Tier 1 | Jan 2026 | 10x rise in UK public AI compute (2 to 21 ExaFLOPs) toward a 420 ExaFLOP 2030 target; 6x expansion of the Cambridge DAWN supercomputer by Spring 2026; launch of a Sovereign AI Unit backed by up to £500m in April 2026 to back UK AI companies in the value chain. |
| Bruegel, Europe needs a strategy to close the artificial intelligence compute gap | Tier 2 | May 2026 | Europe faces structural loss of economic autonomy if it remains dependent on US or Chinese compute infrastructure; Mistral 'barely registers' against frontier labs; an 'Airbus-style' AI hardware consortium is needed; the EU lacks a Chinese-style mechanism to direct procurement to domestic AI hardware. |
| Caixin, T早报|DeepSeek V4预计4月下旬发布;美国AI芯片出口审批放缓 | Tier 3 | Apr 2026 | Chinese open-source frontier models continue to land on domestic compute: MiniMax M2.7 (229B params, ~10B activated) scored 56.22% on SWE-Pro and was deployed Day-0 with zero-code adaptation on Pingtouge, Huawei Ascend, Moore Threads, Iluvatar CoreX and Nvidia, while DeepSeek V4 was readied for late-April release amid slowing US AI-chip export approvals. |
| Epoch AI, Open models lag state-of-the-art closed models by 4 months | Tier 2 | May 2026 | Since January 2026 the best open-weight models have lagged frontier closed models by an average of just 4 months / 8 ECI points on Epoch's Capability Index, comparable to the GPT-5 to GPT-5.5 gap and the smallest open-vs-closed gap Epoch has measured. |
| Centre for European Policy Studies (CEPS), EU plans for AI (giga)factories: sanctuaries of innovation, or cathedrals in the desert? | Tier 2 | Nov 2025 | The Commission's plan for 4-5 AI gigafactories (each ~100,000 chips) under InvestAI's ~€20bn envelope is being sited mostly outside Europe's AI hubs of excellence; only Sweden and Finland have power prices competitive with US/Chinese hubs; the build-out remains almost exclusively dependent on Nvidia. |
| Source | Tier | Date | Key claim used |
|---|---|---|---|
| International Energy Agency, Electricity 2026 - Executive summary | Tier 1 | Feb 2026 | Global electricity demand from data centres is projected to roughly double from ~485 TWh in 2025 to ~945 TWh by 2030 in the Base Case (~3% of global demand); data-centre electricity use grew 17% in 2025 and AI-focused data-centre use surged 50%. |
| Utility Dive, FERC orders PJM to craft large load colocation rules | Tier 3 | Dec 2025 | On 18 December 2025 FERC ordered PJM to develop new rules and three new transmission services for data centres and other large loads colocating at power plants, and to revise behind-the-meter generation rules. |
| Utility Dive, Constellation's Three Mile Island nuclear restart gets boost with FERC waiver | Tier 3 | Jun 2026 | FERC granted Constellation a PJM-rules waiver on 1 June 2026 to transfer 760 MW of capacity interconnection rights to the Crane (Three Mile Island Unit 1) restart, but PJM's required 765-kV / 500-kV transmission upgrades to fully deliver the nuclear unit's output aren't expected before December 2030; Constellation has a 20-year deal to sell all the energy to Microsoft for AI data centres. |
| Environmental Law Institute, Data Centers and Water Fact Sheet - January 2026 | Tier 2 | Jan 2026 | U.S. data centres directly consumed ~66 billion litres of water in 2023 (up from 21.2 billion in 2014) and indirectly consumed ~800 billion litres via electricity generation; Lawrence Berkeley National Lab projects data centres will reach 6.7%-12.0% of total U.S. electricity by 2028; roughly two-thirds of data centres built since 2022 sit in water-stressed regions. |
| Electric Power Research Institute (EPRI), Powering Intelligence 2026: Updated Scenarios of U.S. Data Center Electricity Use and Power Strategies - Executive Summary | Tier 2 | Apr 2026 | EPRI projects U.S. data centres will consume 9%-17% of national electricity by 2030, a 60% upward revision from prior scenarios; a single 100-1,000 MW facility represents the load of an 80,000-800,000-home neighbourhood, but unlike neighbourhoods can be built in a few years while the grid cannot. |
| North American Electric Reliability Corporation (NERC), reported via Utility Dive, NERC forecasts peak demand to rise 24% on new data center loads (Long-Term Reliability Assessment, January 2026 release) | Tier 1 | Jan 2026 | NERC's 2025 Long-Term Reliability Assessment forecasts summer peak demand to grow 224 GW over 10 years, a 69% jump over the 2024 LTRA forecast and a 24% rise on 2025 peak, with new data centres driving most of the increase; MISO, PJM, ERCOT and parts of the Pacific Northwest at high risk of insufficient reserve margins within five years. |
| TransnetBW (joint statement of German TSOs: TransnetBW, 50Hertz, Amprion, TenneT), Übertragungsnetzbetreiber führen 'Reifegradverfahren' für Netzanschlussanträge von Speichern und Großverbrauchern ein | Tier 1 | Feb 2026 | Germany's four TSOs are ending first-come-first-served grid connections for data centres, large battery storage and electrolysers; at end-Q3 2025 they held 717 connection requests totalling ~270 GW (versus ~94 GW needed by 2037 in the official scenario), forcing a new 'maturity-stage' rationing process from 1 April 2026. |
| Fortune, America's data centers are thirsty. Rural towns are paying the price | Tier 3 | May 2026 | In May 2026 two data-centre developments (Project Blue in Tucson, Arizona; a QTS/Blackstone-owned 'Project Excalibur' campus in Fayette County, Georgia) were caught taking public water without authorisation (~650,000 gallons via an unauthorised contractor meter in Tucson; ~29 million unmetered gallons in Georgia); more than 50 US cities have enacted bans or moratoria on new data-centre construction. |
This appendix declares the analyst-side calls in this briefing, separately from the sourced findings. It is rendered as an appendix to the Source Confidence Register and is not one of the eight numbered sections.
Analyst extrapolations beyond what any single source literally says. The five-month assembly of the agent transaction stack (IMDA, OECD, UNCITRAL, Visa, IMF, BIS, Mastercard) is an analyst synthesis; no single source describes the cross-layer assembly as a single phenomenon. The framing of "allocated residual risk" as the binding constraint on enterprise AI deployment is an analyst integration of Munich Re, Lloyd's Market Association, Captive.com, D&O Diary, Insurance Journal and Pillsbury commentary; no single source makes that integrative call. The characterisation of "physical infrastructure replaces capital as the binding constraint" on AI scaling integrates IEA, NERC, EPRI, TransnetBW, ELI and Utility Dive evidence; the integration is the analyst's. The estimate that the open-vs-closed model gap has narrowed to 4 months / 8 ECI points is faithful to Epoch AI; the further inference that "the moat is now deployment, identity and data" goes beyond Epoch's own claim.
Weak signals are analyst extrapolations by design. The four weak signals (multi-agent systems crossing into production faster than oversight assumptions update; the insurance market becoming the de-facto AI regulator; sovereign compute concentration appearing in credit-rating methodology notes; behind-the-meter AI infrastructure being tested for utility classification) are deliberately analyst-projected. Each is supported by partial evidence within the cycle's sourced base but is articulated as a forward-looking pattern the consensus has not yet named. They are surfaced to discipline next-cycle horizon scanning, not as sourced findings.
Editorial framing the analyst owns. The cycle's central thesis (the boundary between AI-as-tool and AI-as-counterparty is breaking down on five compounding legs) is an analyst frame, defended across the five theme evidence bases but not stated by any single source. The pull-quote, the sit-up statement and the "After the Copilot" editorial title are analyst constructions intended to land the cycle's central tension at board level. The four-cell scenario matrix (pace of agentic-AI maturation against regulator stance) is a planning aid, not a forecast.
Cycle-over-cycle continuity. This is cycle 2 of the AI & Automation thread for Shaping Tomorrow. Cycle 1 (When AI Joins the Org Chart, 12 May 2026) framed AI entering organisations as participating workforce, with themes on agent deployment, verification-stack procurement, AI's haves-and-have-nots, the entry-level reset and the capex reckoning. Six weeks on, three of those themes have hardened in identifiable ways: the agent deployment shift is now an explicit transacting-counterparty question, the verification stack has moved from "procurement requirement" to "insurance pre-condition" and the capex reckoning has shifted from a capital constraint to a physical-infrastructure constraint. Two themes (AI haves-and-have-nots; entry-level reset) remain live in the labour-and-skills snapshot lens but are not the spine of cycle 2. The cycle 1 "Decide" implications around agent-governance policy and verification procurement are now embedded in cycle 2 Strategic Implications 1 and 3. Next cycle will assess whether the 2 August 2026 EU AI Act application date and Q3 2026 financial-supervisor outputs (FSB October consultation close, BoE follow-up roundtables) have moved against this cycle's reading.
Prepared by Shaping Tomorrow: 22 June 2026