May saw AI developments settle into a more practical phase, with one notable courtroom exception. Musk v Altman gave the month its Silicon Valley drama, but elsewhere the more interesting stories were not only about more capable models, but about how and where those models are being deployed: in consumer journeys, board papers, classified networks, cybersecurity programmes, clinical settings and public-sector services. Regulators in the UK, EU, US and China continued to adapt existing frameworks to these new use cases, while the market’s attention remained fixed on the infrastructure needed to support them. In short, this was a month about implementation, governance and capacity, less about the promise of AI in the abstract, and more about the controls needed when AI systems are given real life tasks to perform.
What we saw in the UK
No UK AI Act, but no regulatory vacuum either
The King’s Speech confirmed the UK’s continued preference for regulating AI through existing regimes, targeted legislation and regulatory sandboxes rather than through a single horizontal AI Act. The Regulating for Growth Bill is expected to support the AI Growth Lab and cross-economy sandboxing; the Cyber Security and Resilience Bill remains central to digital infrastructure protection; and the Digital Access to Services Bill will take forward voluntary digital ID. For businesses, the practical point is that the absence of a standalone AI Act does not mean the absence of AI regulation. Depending on the use case, an AI deployment may still engage the ICO, Ofcom, CMA, FCA, employment law, product safety rules and common-law duties.
ICO automated decision-making consultation closes
The ICO’s consultation on updated automated decision-making and profiling guidance closed on 29 May. The consultation is particularly relevant for recruitment, financial services, public-sector eligibility decisions and other high-impact uses of AI. The revised UK position is not a blanket prohibition on automated decisions; it is a safeguards regime. Organisations need to be transparent when decisions are automated, identify when human intervention is required, and provide a meaningful route for individuals to contest decisions. For suppliers and deployers, this is likely to become a recurring theme in procurement, contractual warranties and internal governance documentation.
Ofcom publishes its Online Safety Act roadmap
Ofcom’s 8 May roadmap shows 2026 shifting from online-safety readiness to more active scrutiny. Generative AI, chatbots and nudification content sit within the regulator’s purview, with risk assessments, age assurance and technology-notice powers all moving up the agenda. The practical message for platforms is that AI-generated content is still content for Online Safety Act purposes. Providers integrating AI search, AI companions or user-generated synthetic media should review their risk assessments and moderation governance before Ofcom asks for them.
CMA: AI agents must know their consumer law
Although the CMA’s agentic AI paper was published before May, it remained one of the month’s more important compliance themes. The CMA’s position is that businesses remain responsible for consumer-facing AI agents, including agents built or hosted by third parties. Agents handling refunds, comparisons, recommendations, marketing claims or customer-service queries therefore need to be trained and monitored to respect statutory rights, present prices accurately, avoid manipulative design and escalate where appropriate. Separately, the CMA’s AI and collusion work continues to warn about algorithmic pricing and AI-enabled collusion, particularly where rivals rely on shared data platforms.
European Union
AI Omnibus deadlines pushed back
On 7 May, the Council and Parliament reached provisional agreement on the AI Omnibus. The main high-risk deadlines shift significantly: many standalone high-risk AI obligations move to 2 December 2027, and AI systems embedded in regulated products move to 2 August 2028. The deal also extends SME-style simplifications to small mid-caps, broadens sandbox access, clarifies overlaps with product safety law and strengthens the AI Office’s powers. It also adds a prohibition on AI systems generating non-consensual sexually explicit or intimate content, including child sexual abuse material. The important point for businesses is that the delay does not remove the need to prepare: prohibited practices, general-purpose AI obligations and transparency rules remain part of the compliance picture.
Article 50 transparency consultation underway
The Commission’s consultation on draft Article 50 transparency guidelines runs until 3 June. The rules cover disclosures when users interact with AI systems, machine-readable marking of AI-generated or manipulated content, and deployer notices for deepfakes, AI-generated public-interest publications, emotion recognition and biometric categorisation. Even with the Omnibus deferral for certain watermarking obligations to 2 December 2026, these are near-term product requirements. Product, marketing, platform and communications teams should therefore consider how disclosures will appear in practice, how they will be evidenced, and how they fit within user journeys.
Commission seeks feedback on high-risk classification
The Commission launched a call for feedback on its draft high-risk classification guidelines which go to the heart of practical compliance. Before a business can build a conformity-assessment programme, it must decide whether the system is high-risk in the first place. That assessment requires looking at use case, role in the value chain, product integration and the effect on individuals. Borderline cases are likely to arise in recruitment, workplace monitoring, credit eligibility, insurance risk, educational assessment, public-service triage and AI functions inside regulated products. The sensible starting point is to address classification during product design and procurement, not after deployment.
Claude Mythos keeps cyber risk on the EU agenda
Anthropic’s Claude Mythos Preview and Project Glasswing remained a focus of European AI-safety debate. Mythos reportedly identified thousands of severe vulnerabilities, including flaws in major operating systems and browsers, and Anthropic has limited access through a defensive consortium rather than releasing the model publicly. MEPs have pressed for a European mitigation plan and greater access for ENISA and the AI Office. The issue is a useful test of how AI Act systemic-risk rules, vulnerability-disclosure processes and critical-infrastructure regimes will work where capabilities develop quickly and the consequences may be felt across multiple sectors.
The United States and wider international developments
Five Eyes publishes guidance on agentic AI cyber controls
The Five Eyes guidance “Careful Adoption of Agentic AI Services” warns that agentic AI can expand the attack surface, accumulate excessive privileges, behave out of alignment with organisational intent and leave unclear event records that complicate audit and incident response. The recommended controls are familiar but important: least privilege, phased deployment, sandboxes, human approval for high-impact actions, continuous monitoring, logging, trusted component validation and reversibility. For businesses, the document is also a procurement signal. Buyers should ask AI vendors how agent identities, permissions, logs and kill-switches work; vendors should assume those questions are about to move from security questionnaires to board-level deal points.
Pentagon agrees frontier AI partnerships for classified use
The Pentagon announced agreements with SpaceX, OpenAI, Google, Nvidia, Reflection AI, Microsoft, Oracle and Amazon Web Services which all take frontier AI further into national-security infrastructure. The tools are intended for classified environments and “lawful operational use”, supporting data synthesis, situational awareness and decision-making. Anthropic’s absence is notable given its dispute with the Pentagon over safety guardrails. For suppliers, the contract now has to do more than open the door: it needs to define permitted use, audit and security controls, export-control limits and the triggers for pulling the plug before the model is anywhere near a classified workflow.
OpenAI succeeds in Musk litigation, with governance questions continuing
A California jury rejected Elon Musk’s claims against OpenAI, Sam Altman, Greg Brockman and Microsoft on 18 May, with timing doing much of the work and the major remedies he sought — including disgorgement and leadership changes — falling away with it. Musk had argued that OpenAI abandoned its non-profit founding mission, but the result removes an immediate legal obstacle for OpenAI’s commercial plans rather than settling the wider governance debate. For all the courtroom theatre, the useful point is more prosaic: a claim can run out of road before the bigger fight over mission, money and power in frontier AI has gone anywhere.
China sets out decision boundaries for AI agents
China’s May policy framework for AI agents is worth watching because it is unusually concrete on decision boundaries. It defines agents as systems capable of autonomous perception, memory, decision-making, interaction and execution, and distinguishes decisions left to users, decisions requiring user authorisation and decisions the agent may take autonomously. It also sits alongside rules for anthropomorphic AI interaction services, which focus on emotional dependency, minors, elderly users and human-like interaction. In agent design, the product question is quickly becoming a constitutional one: who decides, when, and with what record?
Business announcements
Cerebras IPO highlights demand for AI infrastructure
Cerebras’ Nasdaq debut on 14 May was the clearest public-market signal of the month. The AI chipmaker priced at $185, closed its first day at $311.07 and was valued at around $95 billion, raising approximately $5.55 billion. It is a reminder that AI value is being contested across the stack, not just at the model layer. Chips, inference, power, data-centre access, networking and orchestration are all now strategic assets. For enterprise customers, the procurement question is no longer simply which model performs best, but whether the buyer has capacity, pricing protection and an exit route when demand tightens.
Google I/O brings AI agents into mainstream interfaces
Google’s I/O announcements were notable for the way they pushed AI further into mainstream interfaces. Gemini 3.5 Flash becomes the default model for Gemini and AI Mode in Search; Gemini Omni pushes further into multimodal and world-modelling capabilities; Gemini Spark is positioned as a personal agent; Antigravity 2.0 expands agentic coding; and Search is being reshaped into a more conversational, AI-led experience. For publishers, brands and retailers, the shop window is becoming machine-readable: structured data, source authority, licensing, product feeds and trust signals will increasingly shape whether AI systems can find, trust and recommend them.
Anthropic and SpaceX reports highlight frontier AI compute constraints
Reports of a major Anthropic compute arrangement with SpaceX’s Colossus infrastructure were a useful reminder that frontier AI partnerships are often driven by capacity as much as by strategy. The model layer may get the headlines, but the constraints are increasingly chips, power, cooling, data-centre space and long-term inference capacity. For customers, this makes resilience planning important, particularly where a model provider becomes capacity-constrained, changes tiers, re-prices access, migrates infrastructure or loses a key compute partner. For investors, the open question is whether today’s enthusiasm is backed by demand durable enough to pay the power bill.
AI tools move into board governance
Lloyds Banking Group’s reported use of an AI “board bot” supplied by Board Intelligence is a sign of where enterprise AI is heading: from general productivity tools into governance processes. A tool that can interrogate board papers, summarise risks and test bias may be genuinely useful, but it also raises predictable questions about model training, privilege and confidentiality, reliance on summaries, and hallucination controls. Boards should set usage rules before the bot earns a standing invitation.
Other news
AI smart glasses support dementia care
CrossSense’s AI-powered smart-glasses assistant, winner of the £1 million Longitude Prize on Dementia, offers a welcome counterpoint to the month’s infrastructure and regulatory stories. The system uses an AI companion called Wispy to identify objects and guide people with early-stage dementia through daily tasks. Early testing reported that participants named 82% of household items correctly with the glasses, compared with 46% without them, though larger trials and real-world evaluation will be important. The legal and commercial issues are still real, privacy, consent, medical claims, product safety and integration with care pathways, but this is the sort of AI story the sector could use more of: technically interesting, legally complex and anchored in a recognisable human need.
Clinical AI shows promise as decision support
A Harvard-led study published in Science found that an OpenAI reasoning model performed strongly in clinical and emergency-diagnosis tasks, including text-based triage scenarios where it identified the exact or very close diagnosis in 67% of cases, compared with 50–55% for the human physician comparators. The caveat is important: text cases are not the same as real-world emergency medicine, where clinicians must assess ambiguous symptoms, visual cues, patient distress and wider clinical priorities. Still, the potential for AI-supported triage, evidence review and decision support is clear. In clinical AI, the winning answer is unlikely to be “doctor or model”; it will be how safely the model can sit beside the doctor.
Looking ahead
May’s developments point to a common practical question: when AI moves from assisting to acting, what controls need to sit around it? That question now arises in consumer journeys, boardrooms, public services, clinical settings, defence networks and critical infrastructure.
If you would like to chat about any of these developments and what they could mean for your business, feel free to get in touch with Tim Wright or another member of our Technology team.
