Weekly AI Governance Brief: 25–31 May 2026
Bringing you the latest developments in the AI governance world.
Spain moves to formal national AI Act implementation
Spain took a significant step toward implementation of the EU AI Act when the Council of Ministers approved the Proyecto de Ley Orgánica para el buen uso y la gobernanza de la inteligencia artificial ("Draft Organic Law for the proper use and governance of artificial intelligence") on 26 May 2026 and transmitted the draft legislation to the Congress of Deputies.
The proposed law establishes Spain's domestic governance architecture for AI oversight. It identifies the country's notifying and market surveillance authorities and allocates supervisory responsibilities among the Spanish Agency for the Supervision of Artificial Intelligence (AESIA), the Spanish Data Protection Agency (AEPD), and the General Council of the Judiciary according to sector and use case.
The draft also creates coordination mechanisms across authorities and designates AESIA as a single supervisory contact point. In addition, it establishes a sanctions regime under which the most serious infringements may be subject to penalties of up to €35 million or 7% of global annual turnover.
Beyond implementing EU-level requirements, the proposal introduces additional public-sector governance measures. These include an inventory of AI systems used in administrative procedures, the creation of an AI delegate function, and a framework for national and sectoral regulatory sandboxes.
Why this matters
The proposal provides a clearer picture of how supervisory responsibilities may be allocated at the national level under the EU AI Act. For organisations operating in Spain, the draft identifies potential points of regulatory engagement and clarifies the institutional structure through which oversight may be exercised.
The inclusion of public-sector governance obligations also illustrates how Member States may supplement EU requirements with national governance mechanisms. This has practical relevance for public authorities deploying AI systems as well as organisations interacting with public-sector AI processes.
CNIL fines IQVIA over health-data warehouse governance
On 28 May 2026, the French data protection authority (CNIL) announced a €5 million fine against IQVIA OPERATIONS FRANCE. The public announcement relates to a decision adopted by the CNIL restricted committee on 26 May 2026 concerning two authorised health-data warehouses known as LRX and EMR.
According to CNIL, IQVIA failed to comply with the conditions attached to the authorisations governing the warehouses. The authority identified shortcomings relating to transparency obligations, the effective exercise of data-subject rights, security measures, and privacy-by-design requirements.
CNIL also ordered corrective measures to be implemented within six months. Failure to comply may result in an additional penalty of €10,000 per day.
A central element of the decision concerns the status of the data contained within the warehouses. CNIL concluded that the datasets remained pseudonymised rather than anonymised because re-identification could reasonably occur through the combination of the data with publicly available information, taking into account the unique identifiers used and the depth of the datasets.
Why this matters
The decision reinforces the distinction between pseudonymised and anonymised data in environments involving large-scale data analytics. Organisations relying on sensitive datasets for AI development, training, or analytical purposes remain subject to regulatory obligations where re-identification risks persist.
The enforcement action also highlights the importance of governance controls surrounding transparency, access rights, security measures, and privacy-by-design requirements. For operators of large data infrastructures, these controls remain a central focus of supervisory scrutiny.
IOSCO issues a supervisory toolkit for AI in capital markets
The International Organization of Securities Commissions (IOSCO) published its Supervisory Toolkit for AI Use in Capital Markets on 25 May 2026, alongside a standalone toolkit intended for direct supervisory use.
According to IOSCO's published materials, the toolkit is designed to support risk-based and proportionate supervision of AI systems used within capital markets. The framework applies across traditional machine learning systems, generative AI models, and emerging agentic AI techniques.
IOSCO also launched a survey connected to the initiative, with responses scheduled to be collected until 26 June 2026.
Why this matters
The publication represents a shift from broad policy discussion toward more operational supervisory practices. For financial institutions operating in jurisdictions influenced by IOSCO standards, the toolkit provides an indication of the areas supervisors may examine when assessing AI governance arrangements.
The development is also relevant to compliance and risk functions because it places AI oversight within established supervisory processes rather than treating AI governance as a separate or purely experimental domain.
South Korea sets privacy conditions for Naver's personalised AI search agent
South Korea's Personal Information Protection Commission (PIPC) approved the outcome of a prior adequacy review concerning Naver's personalised AI search service, AI Tab, on 31 May 2026.
AI Tab is described as a personalised AI search agent that presents information through a one-to-one conversational interface. PIPC's approval was accompanied by several conditions relating to privacy governance and data protection controls.
The commission stated that users must be clearly informed of their right to refuse the use of their personal data for personalisation purposes. Naver must also provide transparency regarding the categories and principal contents of the personal data used by the service.
Additional requirements include safeguards against misuse and data leakage. The service must also prevent the inference or use of sensitive information and avoid including unique identifiers, bank account information, and credit card information in AI-generated outputs.
PIPC stated that implementation of these measures would be verified following the service's formal launch.
Why this matters
The decision provides an example of ex ante governance applied to a personalised AI service before full deployment. Rather than relying solely on post-deployment enforcement, the review establishes operational conditions that must be satisfied as part of deployment governance.
The measures identified by PIPC focus on transparency, user choice, data handling practices, and safeguards against inappropriate outputs. These areas are increasingly relevant for organisations deploying AI systems that rely on personalised user data.
South Korea creates a prime minister-led data governance mechanism for the AI transition
On 28 May 2026, South Korea convened its first Data Ministers Meeting under the leadership of the Prime Minister and established the body as a cross-government mechanism for coordinating national data policy.
At the same meeting, the government published Data Policy Directions in the Era of AI Transformation. The policy package outlines plans for AI-ready public datasets, sector-specific and benchmark datasets, government-wide data pipelines, expansion of the AI Hub training-data platform, and cloud-linked trusted data zones.
The government also identified legislative work involving the Personal Information Protection Act, the Digital Healthcare Act, and the Copyright Act as part of efforts to address legal uncertainty surrounding data use.
According to the announcement, the new governance mechanism will be used to support the development of detailed implementation plans and future statutory policy frameworks.
Why this matters
The initiative illustrates a governance approach that treats data policy as a cross-government responsibility linked directly to AI development and deployment.
For organisations operating in data-intensive sectors, the announcement is relevant because it connects data infrastructure, privacy governance, health-data regulation, copyright policy, and public-sector data initiatives within a single coordination framework. It also highlights the role of institutional coordination in shaping the broader governance environment surrounding AI systems.
Looking ahead
Several developments this week focused on the institutional structures through which AI governance is being implemented. Spain's draft legislation concentrated on supervisory responsibilities and enforcement arrangements, while South Korea introduced new coordination mechanisms linking AI policy with data governance.
At the same time, enforcement and supervisory activity continued to emphasise operational governance requirements. CNIL's action against IQVIA focused on data governance obligations in sensitive data environments, while IOSCO's toolkit reflected growing attention to practical supervisory approaches for AI systems used in regulated sectors.
Sources
Spain Council of Ministers AI governance bill: https://www.lamoncloa.gob.es/consejodeministros/referencias/Paginas/2026/20260526-referencia-rueda-de-prensa-ministros.aspx
CNIL IQVIA sanction announcement: https://www.cnil.fr/en/health-data-fine-5-million-euros-against-iqvia
CNIL IQVIA sanction decision SAN-2026-008: https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000054136834
IOSCO final report FR/02/2026, Supervisory Toolkit for AI Use in Capital Markets: https://www.iosco.org/library/pubdocs/pdf/IOSCOPD823.pdf
IOSCO standalone toolkit OR/07/2026: https://www.iosco.org/library/pubdocs/pdf/IOSCOPD822.pdf
South Korea PIPC Naver AI Tab adequacy review: https://pipc.go.kr/np/cop/bbs/selectBoardArticle.do?bbsId=BS074&mCode=C020010000&nttId=12132
South Korea Data Ministers Meeting: https://pipc.go.kr/np/cop/bbs/selectBoardArticle.do?bbsId=BS074&mCode=C020010000&nttId=12124