A joint Five Eyes statement reframes AI cyber risk as an immediate leadership responsibility on a months-not-years horizon. The defence is unglamorous basic hygiene plus AI-aware threat modelling. We translate it into the EU frame of NIS2, DORA and the AI Act, and the questions a board should ask now.
British AI use just hit a tipping point, and the same week a survey found one in five organisations had already had an AI incident. Adoption tipped; control did not. This is the governance debt that builds when AI moves from pilot to production, and how to stay ahead of it.
Canada has tabled Bill C-36, a GDPR-style privacy overhaul. For organisations already under European rules it reads as convergence but works as divergence: a second regulator, second thresholds and a second set of rights to map across adequacy, automated decisions and transfers.
CADA defines four assurance levels for cloud and AI sovereignty, up to EU ownership at Level 3 and full supply-chain control at Level 4. The proposal is not law yet, but the levels already work as a scoring frame. Five procurement and due diligence changes to make this quarter.
In one week the US chose voluntary, standards-referenced AI oversight while the EU adopted CADA’s graded sovereignty test. A deployer operating across both cannot run on a single mental model. Here is one control map, with two triggers per control, that answers the European and American regimes at once.
The moment you move from buyer to builder, provider obligations, auditability, logging and exit discipline become yours. Here is how a mid-market organisation keeps a proprietary or co-developed AI tool governable, without a large-firm budget, and where the Cyber Resilience Act starts to bite.
