AI Governance Is Collapsing. Three Stories. Nobody Connected the Dots.
On April 29, 2026, three separate events revealed the same underlying pattern. Here's what it means for your business, right now.
TL;DR
On April 29, 2026, three separate events in three different locations revealed the same underlying pattern: every governance mechanism designed “from the inside” of the AI sector is being systematically overtaken by forces moving at different speeds.
The EU AI Act is in technical deadlock. If the May 13, 2026 trilogue fails, European companies that planned their compliance roadmaps assuming a 2027 extension could find themselves in regulatory default as early as August 2026: three months from now.
These are not future scenarios. They are current operational risks. And companies waiting for regulatory clarity before making AI strategy decisions are waiting for something that will never arrive.
On April 29, 2026, three things happened simultaneously, in three different places, that change the rules for any company using AI in Europe or working with major American vendors. Nobody connected them. Let’s try.
In Washington, the White House opposed the expansion of the most dangerous AI model ever developed by a private lab. In Brussels, twelve hours of overnight negotiations ended without agreement on how to modify the world’s most ambitious AI regulatory system. And in Mountain View, over 600 Google employees signed an open letter against a military contract, only to discover that the lever that killed a similar deal eight years ago no longer works the way it used to.
Three stories that look separate. They all converge at the same point.
Mythos and the First Government Blockade in AI History
Anthropic developed, under its “Project Glasswing” program, an AI model called Mythos. Before going further, it’s worth understanding what this actually is, stripped of the hype.
Mythos can autonomously discover thousands of zero-day vulnerabilities across all major operating systems and browsers. It has a 73% success rate on expert-level CTF (Capture the Flag) tasks, the most demanding cybersecurity simulations in the field. And it became the first AI model in documented history to complete an end-to-end simulated attack on a corporate network in 32 consecutive steps, from initial access to full compromise, without human intervention at any point in between.
Anthropic itself deemed the model too dangerous for public release. Access was restricted to approximately 50 selected companies, including Apple, Microsoft, and Nvidia. The next step: expand to 70 additional organizations, bringing the total to roughly 120 accredited entities.
That’s where the White House stepped in. As reported by CNBC and The Next Web, the official justifications are twofold: the risk of misuse and Anthropic’s insufficient infrastructure to manage broader access without compromising government access to the model. National Cyber Director Sean Cairncross was named the government’s point person on the response. The administration is considering making Pentagon-conducted safety testing mandatory for all high-risk AI models before release. CEO Dario Amodei met with White House officials: the meeting was described as “productive,” which in diplomatic language typically signals a stalemate without saying so. Anthropic declined to comment publicly on the specifics.
Meanwhile, a small group reportedly gained unauthorized access to Mythos through a private online forum. Anthropic is investigating.
Simultaneously, the Eurogroup is requesting access to Mythos for European cyber defense. The model is too dangerous to expand private-sector access, yet strategic enough to become the subject of diplomatic negotiations between continents.
This is the first publicly documented case in history of a government blocking an AI model’s expansion not over privacy, not over algorithmic bias, but because of its concrete offensive capabilities. That distinction matters, because it changes the nature of the risk conversation companies need to start having about their AI vendors.
Here’s where a historical precedent helps frame where this might go.
From 1954 to 1999, the U.S. government classified strong cryptography as military munitions and tightly restricted its export. The Crypto Wars produced one certain outcome: American software companies lost ground to foreign competitors who didn’t face the same restrictions. In 1996, Clinton signed EO 13026, moving cryptography from the munitions list to the commercial list. By 1999, the restrictions were gone entirely. The lesson: attempts to control dual-use technology almost always backfire. The market finds alternatives, innovation migrates to where there are no restrictions, and the government eventually relents.
Mythos follows the same pattern. The capabilities already exist, are publicly documented, and other labs are building similar models.
Blocking access to Mythos doesn’t eliminate the risk. It redistributes it.
Toward whom? Toward less transparent actors, less willing to cooperate with regulators, less inclined to build internal oversight mechanisms like Anthropic did with Project Glasswing. The paradox is that the very policies designed to contain the risk may end up concentrating it in the least controllable hands.
The EU AI Act Can’t Agree on How to Update Itself
While Washington was dealing with Mythos, Brussels was playing out a different story, part of the same larger pattern.
On April 29, 2026, the trilogue between EU Member States and the European Parliament on the AI Act lasted twelve hours, ended at two in the morning, and reached no agreement. As documented by the IAPP, the sticking point was the AI Omnibus: the package of amendments to the AI Act, already in force since August 2024.
The technical deadlock, bureaucratic on the surface but enormous in its implications, is over Annex I of the regulation: the conformity assessment framework for AI systems embedded in regulated products, such as industrial machinery, medical devices, and in-vitro diagnostics. The European Parliament wants to shift sectoral legislation from Annex I Section A to Section B. Member States are opposed. This disagreement over where to place a few lines of text in a technical annex has blocked the entire regulatory package.
The purpose of the Omnibus was to extend compliance deadlines: from August 2026 to December 2027 for standalone high-risk AI systems, and to August 2028 for those integrated into regulated products.
The next attempt is scheduled for around May 13, 2026. If it fails, the August 2026 deadline stands. Three months from now.
European companies that built their compliance roadmaps assuming a 2027 extension would suddenly find themselves out of regulatory compliance, not because of any strategic choice they made, but because the regulatory system couldn’t reform itself on the timeline it had announced.
As I analyzed in my breakdown of AI’s geopolitical fault lines, Europe is in a structurally paradoxical position: it has the political will to regulate, it built the regulatory architecture, but its execution speed is systematically slower than the pace of the technological development it’s trying to govern.
The irony is hard to ignore: the world’s most ambitious AI governance framework can’t keep up with the models it’s supposed to regulate.
Google, the Pentagon, and the End of Employee Leverage
The third story is different. The first two are about governments and institutions. This one is about power dynamics inside companies, and what happens when that lever stops working.
Google signed a classified contract with the U.S. Department of Defense worth approximately $200 million. The scope: Gemini AI models within classified military networks, authorized under the contract terms “for any lawful purpose,” with two explicit exceptions: no development of autonomous lethal weapons and no domestic surveillance without human oversight.
Over 600 Google employees signed an open letter to CEO Sundar Pichai, as documented by the Washington Post, asking the company to walk away from the deal. Workers at Google DeepMind in the UK voted to unionize in response to the military contract. Google signed anyway.
The historical comparison is what makes this story part of the same larger pattern. As Fortune chronicles in detail, in 2018, Project Maven, a Pentagon contract for AI-assisted analysis of drone footage, was abandoned by Google after internal employee mobilization. In 2026, with over 600 signatures and a unionization vote at the company’s primary research lab, the outcome was different.
Employee leverage in tech has diminished considerably over eight years. This isn’t about corporate values. It’s about labor market dynamics and strategic priorities that have overtaken internal ethical considerations.
The contrast with Anthropic is instructive. Anthropic had previously declined similar military collaborations. Then it resumed conversations with the Trump administration on other fronts. The uncomfortable lesson: in AI, “no” is never a permanent position. Publicly stated ethical stances are opening negotiating positions, not binding long-term commitments.
The Real Problem: Governance Systems Designed for a World That No Longer Exists
Three stories. Three different actors. Three different governance mechanisms.
And yet there’s a single thread running through all of them, worth naming explicitly: every governance system designed “from the inside” of the AI sector, by its most responsible actors, is being overtaken by forces moving at a pace those systems cannot match.
Anthropic built Project Glasswing as a rigorous, well-designed internal oversight mechanism. The White House found it insufficient. Not because it was poorly constructed, but because the geopolitical context transformed while the mechanism was being built.
The EU built the AI Act as the world’s most comprehensive AI regulatory system. Now it can’t agree on how to update it fast enough to remain relevant to the models it’s supposed to govern.
Google employees built, in 2018, an internal pressure system that worked. In 2026, the same levers don’t produce the same results.
This isn’t random chaos. It’s that these governance systems, all of these governance systems, were designed for a world that no longer exists.
What This Means for Your Business, Right Now
These are not future scenarios. They are concrete operational risks, today.
If you’re a European company using frontier American AI models (OpenAI, Anthropic, Google), your compliance chain depends on decisions made in Washington, not Brussels. The Mythos blockade shows that the capabilities of the models you use can be altered or withdrawn for U.S. national security reasons, without meaningful advance notice to you.
If you’re planning your EU AI Act compliance assuming a 2027 extension: you have roughly three months to decide whether to wait for the May trilogue outcome or start preparing for the August 2026 deadline. Waiting is a strategic choice with a cost, not the absence of a choice.
If you’re evaluating AI vendors: their stance on military use and government relations is no longer an abstract ethical consideration. It’s a contractual risk factor. Google and Anthropic made diametrically opposite choices in the same week. Their choices affect your regulatory and reputational exposure. There’s a second layer of risk that almost no one puts in the contract: all the operational knowledge you’ve built inside a specific platform - configured instructions, refined prompts, processes redesigned around a single vendor - doesn’t transfer automatically when that vendor changes direction. It’s a full chapter in From User to Orchestrator, the course I built on applying AI to work without building dependencies that turn into traps.
Companies waiting for regulatory clarity before making decisions are waiting for something that will never arrive.
The point isn’t that governments don’t want to regulate. The political will is there, perhaps more than it’s ever been. The point is that the speed of development has already outpaced the institutional capacity to respond coherently. Waiting for the regulatory environment to stabilize before acting is like waiting for the sea to calm before learning to swim.
Reality Check
The AI market in 2026 looks like the derivatives market in 2006: everyone knows there are systemic risks, nobody wants to be the first to slow down. The governance mechanisms we’re seeing today, from Anthropic’s Project Glasswing to the section-by-section disputes in EU AI Act Annex I, look increasingly like pre-2008 Basel Accords: reasonable in theory, designed for a system moving more slowly than what they were meant to contain. The difference is that in 2008 the crisis came from financial markets with decades of history behind them. In AI, the governance crisis comes from the structural impossibility of institutions keeping pace with the speed of development. And the ones who pay the price are the companies that trusted regulatory timelines that the regulators themselves couldn’t meet.
Want to understand how AI can actually work for your business, beyond the hype? From strategy to implementation, I help companies turn artificial intelligence into real results. Explore my AI Consulting services or reach out directly for a discovery call.
Conclusion
AI governance is collapsing. Not because political will is lacking: there is more political will to regulate AI today than there has ever been. The problem is structural, and it’s about time.
Regulatory systems are designed on cycles of years. AI model development advances on cycles of months. This temporal misalignment isn’t a bug to fix: it’s the operating condition companies need to learn to navigate, whether they like it or not.
The organizations that will survive this period are not the ones waiting for regulatory clarity. They’re the ones building internal structures flexible enough to adapt to a regulatory framework that changes unpredictably, often in the wrong direction, and that treat uncertainty as a permanent variable in their operating model, not a temporary phase awaiting resolution.
The May trilogue will tell us whether Europe can reform itself before the August deadline turns uncertainty into emergency. The resolution of the Mythos situation will tell us whether Washington is ready to govern AI the way it eventually learned to govern cryptography: by accepting that some technologies don’t stop, they redirect.
In the meantime, decisions need to be made now.