The Rules Are Getting Real
What the new wave of AI laws asks of you, and the five-minute move that gets you ahead of it.
“Good governance isn’t a wall you build at the end. It’s a shape you give the thing while it’s still soft.” — Nadina D. Lisbon
Hello Sip Savants! 👋🏾
The scaffolding around AI got a little more solid this month. On July 6, Illinois signed the Artificial Intelligence Safety Measures Act, described as the nation’s strongest framework for AI safety and transparency [1]. Around the same time, the FTC opened public comment on how it will treat AI accuracy [2], and Europe published a coordinated plan connecting cybersecurity and advanced AI [3]. None of this is cause for worry. It’s a good sign that the ground rules are settling, and a nice moment to see where your own house already lines up. The three items below are worth a few minutes this week.
3 Tech Bites
⚖️ Illinois sets a marker
The new law asks developers of the largest AI systems to publish their safety practices, report serious incidents within 72 hours, and complete annual third-party audits [1]. Its obligations begin phasing in from 2027, so there’s runway. If your organization builds or heavily customizes large models, it may be worth seeing which of these habits you already keep.
📝 The FTC wants to hear from you
The FTC is taking public comment through July 31 on a policy statement about the truthful outputs of AI models [2]. Comment windows like this rarely stay open long, and they’re one of the few moments a practitioner’s view actually reaches the people writing the rules.
🌐 Europe links AI and security
The European Commission’s new action plan pairs cybersecurity with advanced AI, including plans for a secure platform where critical-sector organizations can test AI safely before deploying it [3]. It’s a useful preview of where third-party evaluation is heading.
5-Minute Strategy
🧠 Borrow the 72-Hour Clock
Illinois now asks its largest developers to report serious AI incidents within 72 hours [1]. You don’t have to be regulated by it to find out whether you could meet that clock, and this is a walk worth taking yourself rather than delegating:
Pick one AI system in your own area of ownership that’s running in production.
Ask the question you’d have to answer first: if it produced a harmful or clearly wrong output right now, who on your team would notice?
Walk the path yourself, from that person to whoever can pause or fix the system, and count the handoffs.
Mark where the path breaks, stalls, or depends on one person being awake.
Decide, on the spot, one change you’ll own to close the widest gap.
If the path to “we know, and we’ve acted” is longer than three days, you’ve found something worth a real conversation.
1 Big Idea
💡 Rules as a Shared Language
It’s easy to read a new law as a fence, something that narrows what you’re allowed to do. The more useful reading is that a good rule is a shared vocabulary. When Illinois defines what counts as a serious incident, or the FTC describes what a truthful output looks like, they’re giving a lot of people who were each improvising a common set of words. That makes conversations across companies, teams, and even competitors a little easier, because everyone is finally pointing at the same thing.
Most of what these frameworks ask for is what careful teams were already reaching toward. Write down how you assess risk. Notice when something goes wrong and tell the right people quickly. Let an outside set of eyes check your work once in a while. Read that way, the new laws feel less like a surprise and more like someone tidying up a room you’d already started to organize.
The timing here is gentle on purpose. Illinois built in runway before its rules begin phasing in [1]. The FTC is still gathering opinions [2]. Europe is building test platforms before it demands anyone use them [3]. That runway is a quiet invitation to get your own thinking in order while the stakes are still low, rather than during an audit.
There’s also something worth noticing about who these rules are ultimately for. Behind every incident-reporting requirement is a person who might be affected by a system they never chose to interact with. Governance, at its best, is just a structured way of keeping those people in view. It turns “we meant well” into something you can actually point to.
So the frame I’d offer is not compliance, which sounds like homework, but legibility. A system whose rules you can state plainly is one you can explain to a regulator, a customer, and yourself. That clarity tends to make everything downstream calmer, and calm is a competitive advantage most people overlook.
I’d love to hear which of these frameworks feels closest to how your team already works. I read every response.
P.S. If a peer is quietly wondering whether their AI governance would hold up to a second look, share this newsletter and help brew up stronger customer relationships.
P.P.S. If you found these AI insights valuable, a contribution to the Brew Pot helps keep the future of work brewing.
Resources
[1] Illinois General Assembly, SB 315 (Artificial Intelligence Safety Measures Act) bill status
[3] European Commission action plan on Cybersecurity and AI
Sip smarter, every Tuesday. (Refills are always free!)
Cheers,
Nadina
Host of TechSips with Nadina | Chief Strategy Architect ☕️🍵


