
The Regulators Have Stopped Waiting.

COSO, four UK regulators, and the EU AI Act are telling the same story.

Three things happened in the first half of 2026 that the market has not fully connected.

In February, COSO published its first formal internal control guidance for generative AI. In March, four UK regulators, the ICO, CMA, FCA, and Ofcom, published a joint paper on the future of agentic AI. And the enforcement deadlines under the EU AI Act shifted, though not in the way the headline coverage suggested.

Each one looked like a regulatory update. Read together, they describe a pattern.

Regulators have stopped waiting for new AI laws. They are applying the frameworks that already exist and expecting firms to do the same. The COSO guidance gives external auditors a reference point they did not have a year ago. The UK joint paper signals an alignment across four separate regulators on the same view, which does not happen often. The EU AI Act deadline shift gave firms a calendar extension but did not soften the underlying obligations. Procurement teams at EU banks and insurers are not slowing down. They are tightening.

This matters in three different ways for three different audiences. The second is the part the market is missing most.

For regulated firms, the immediate change is that AI governance has moved from "future thing we should think about" to "current thing internal audit will ask about in the next cycle." Boards that approved AI initiatives on commercial merit are now being asked to evidence the controls behind them. Heads of internal audit are updating their work programmes. Heads of operational risk are updating their RCSAs. Heads of compliance are updating their policy registers. None of this was happening twelve months ago. The scale has shifted.

The honest read for the second line of defence is that the timeline has compressed. Firms that planned to operationalise AI governance over 2027 are now being asked to evidence it in 2026. That is not the regulator's fault. It is the natural consequence of COSO publishing guidance that external auditors can cite, and four UK regulators publishing a joint paper that confirms the existing rulebook already applies. The work has moved forward.

For vendors selling AI into regulated firms, the change is sharper, and it touches a question procurement teams should be asking themselves more honestly.

I have sat through enough vendor selection processes to recognise a pattern that plays out repeatedly. The challenger loses to the incumbent. Not because the challenger has the weaker product. Often the opposite.

The differentiator is not the technology. The challenger often has the better product on a feature-for-feature basis. They are quicker to onboard. They are easier to integrate. They can be meaningfully cheaper. None of that is the deciding factor.

The deciding factor is that the incumbent has invested in the governance assets that procurement and risk teams can actually evaluate. Documented control frameworks. Evidenced human oversight. Defined incident playbooks. Mapped data flows. Tested guardrails. A risk register the buyer can review without having to construct it themselves.

The challenger often has the same controls operating in practice. They just cannot evidence them at the level a regulated buyer requires. Their internal documentation lags behind their engineering. Their security posture is real but undocumented. Their human oversight exists but is not formalised. Their guardrails are deployed but not catalogued.

The result is that procurement teams, applying the framework they have, choose the vendor they can evidence over the vendor they would prefer. The incumbent wins on something the challenger could have built and chose not to.

There are two ways to read this outcome.

The first is that procurement is working as intended. Risk and controls matter. The incumbent invested in the assets a regulated buyer needs to see, and that investment deserved to win. The challenger had not done the work and lost accordingly. The lesson for challengers is to do the work.

The second is less comfortable. Procurement processes in regulated firms have built up over decades of vendor evaluation. They are calibrated for traditional technology purchases, where incumbency usually meant safety. Applied to AI vendors, those processes select for vendor scale and documentation maturity rather than for reduced-risk outcomes. The challenger with the better product and undocumented controls may be the safer choice on every measure except the one the procurement template asks about.

I think both readings are true at the same time, and the honest answer is that we have not yet built procurement processes that distinguish between absence of evidence and absence of control. They look the same on a vendor questionnaire. They are not the same in reality.

For risk and compliance professionals more broadly, this is the moment where the work matters in a way it has not for years. AI governance is not a separate discipline. It is the application of existing risk management, internal control, third-party risk, and operational resilience expertise to a class of technology that is moving faster than the frameworks were designed for. The professionals who can translate COSO into AI operational controls, who can evidence human oversight in a way internal audit will accept, who can update an RCSA to reflect agentic risk patterns, are doing work that did not exist as a defined role twelve months ago.

That work is going to be done by someone. The question is who, and in what timeframe.

The firms still treating this as a future problem are the ones whose internal audit team will have a conversation with them in the fourth quarter. The vendors still treating their controls evidence as a procurement nuisance rather than a sales asset are the ones losing deals they should be winning. The risk professionals waiting for clearer guidance before they engage are the ones working around the edges of decisions being made by others.

AI governance has stopped waiting. The work begins now or it begins late.

The four-part architecture that turns this obligation into evidence is in Your AI Agent Works. Now Prove It. Or write to [email protected].