In short: The Trump administration is waging a multi-front campaign to prevent states from regulating AI, using a DOJ litigation task force, Commerce Department evaluations of “burdensome” state laws, and a legislative framework urging Congress to preempt state-level regulation with a “minimally burdensome national standard.” But states have accelerated in the opposite direction – 1,208 AI bills introduced in 2025, 145 enacted – and Congress has rejected preemption twice, including a 99-1 Senate vote to strip an AI moratorium from the One Big Beautiful Bill Act.

Doug Fiefia is a first-term Republican state representative from Herriman, Utah, and a former Google salesperson who managed a team working on the company’s early AI model implementation. Earlier this year, he introduced House Bill 286, the Artificial Intelligence Transparency Act, which would have required frontier AI companies to publish safety and child-protection plans and included whistleblower protections for employees who report safety concerns. It passed a House committee unanimously. Then the White House killed it.

On 12 February, the White House Office of Intergovernmental Affairs sent a letter to Utah Senate Majority Leader Kirk Cullimore Jr. stating: “We are categorically opposed to Utah HB 286 and view it as an unfixable bill that goes against the Administration’s AI Agenda.” Officials held several conversations with Fiefia over the preceding two weeks urging him not to move the bill forward. They did not offer specific changes that could make it acceptable. The bill died in the Senate.

Fiefia’s response was pointed. He said it was especially important to stand up for states’ rights when a fellow Republican was in power, to demonstrate that the principle was not partisan. His bill targeted only “frontier developers,” companies using at least 10^26 floating-point operations to train a model, and carried a $1 million penalty cap. It was, by the standards of AI legislation, modest. The White House treated it as existential.

The federal architecture

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol’ founder Boris, and some questionable AI art. It’s free, every week, in your inbox. Sign up now!

The Trump administration’s campaign against state AI regulation has three components, each building on the last.

The first was Executive Order 14365, signed on 11 December 2025, titled “Ensuring a National Policy Framework for Artificial Intelligence.” It created an AI Litigation Task Force within the Department of Justice, operational from 10 January 2026, to challenge state AI laws in federal court on grounds of unconstitutional burden on interstate commerce or federal preemption. It directed the Secretary of Commerce to publish by 11 March a comprehensive evaluation of state AI laws identifying “burdensome” ones, and instructed the FTC to issue a policy statement on when state laws are preempted by the FTC Act. It conditioned access to federal broadband funding on states’ willingness to avoid enacting what the administration considers onerous AI laws. The executive order carved out child safety protections, data centre zoning authority, and state government procurement from preemption.

The second was the Commerce Department’s evaluation, published on the March deadline, which flagged laws in Colorado, California, and New York for particular scrutiny. The evaluation feeds into the DOJ task force, which is expected to begin filing federal legal challenges by summer 2026. Cases are projected to take two to three years to resolve.

The third was a National Policy Framework for AI released on 20 March, containing legislative recommendations organised around seven pillars: child protection, AI infrastructure, intellectual property, censorship and free speech, innovation, workforce preparation, and preemption of state AI laws. The framework states that “Congress should preempt state AI laws that impose undue burdens to ensure a minimally burdensome national standard consistent with these recommendations, not fifty discordant ones.” The administration’s position on copyright is that training AI models on copyrighted material “does not violate copyright laws.” On content moderation, it urges Congress to prevent the federal government “from coercing technology providers, including AI providers, to ban, compel, or alter content based on partisan or ideological agendas.”

David Sacks, who served as AI and crypto czar until transferring to a presidential advisory committee role in late March, framed the logic bluntly: “You’ve got 50 different states regulating this in 50 different ways, and it’s creating a patchwork of regulation that’s difficult for our innovators to comply with.” On Colorado’s algorithmic discrimination rules, he said they raised “very serious First Amendment concerns.” On blue states more broadly: “We don’t like seeing blue states trying to insert their woke ideology in AI models, and we really want to try and stop that.”

What the states have done

The states have not been idle while Washington argues about whether they should be allowed to act. In 2023, fewer than 200 AI bills were introduced across state legislatures. In 2024, the number rose to 635 across 45 states, with 99 enacted. In 2025, 1,208 AI-related bills were introduced across all 50 states, the first year every state introduced at least one, and 145 were enacted into law. In the first two months of 2026 alone, 78 chatbot-specific safety bills were filed across 27 states.

California’s Transparency in Frontier Artificial Intelligence Act took effect on 1 January 2026. Texas’s Responsible Artificial Intelligence Governance Act became effective the same day. Colorado’s AI Act, which bans algorithmic discrimination, had its effective date delayed to 30 June 2026. The volume of legislation reflects a bipartisan consensus at the state level that AI regulation cannot wait for a Congress that has repeatedly failed to act.

Utah Governor Spencer Cox, a Republican, has asserted that states should retain the power to regulate AI. “Let’s use this technology to benefit humankind, and let’s regulate it to make sure they don’t destroy humankind,” he said. “I don’t think that’s a contradiction.” He warned that if AI companies “start selling sexualised chatbots to kids in my state, now I have a problem with that,” and announced a “pro-human” AI initiative with $10 million for workforce readiness.

Congress cannot agree

The administration’s framework requires Congressional action to gain legal force. The executive order itself does not preempt, repeal, or invalidate any state AI law. Until courts rule on specific challenges, regulated parties must continue to comply with state regulations.

The most comprehensive federal AI bill is Senator Marsha Blackburn’s TRUMP AMERICA AI Act, a 291-page discussion draft released on 18 March. It would impose a duty of care for high-risk AI systems, require developers to publish training and inference data use records, repeal Section 230 of the Communications Decency Act, and create an AI liability framework enabling the Attorney General, state attorneys general, and private actors to sue AI developers. It would preempt state laws on frontier AI catastrophic risk management and largely preempt state digital replica laws. It remains a discussion draft and has not been formally introduced.

The One Big Beautiful Bill Act originally included a provision for a ten-year moratorium on state AI regulation, later reduced to five years tied to federal broadband funding. The Senate voted 99 to 1 to strip the AI preemption provision, with only Senator Thom Tillis of North Carolina voting to keep it. The bill was signed into law on 4 July without any restrictions on state AI legislation. Congress’s message was unambiguous: the guardrail question is not settled.

The money behind the fight

The lobbying infrastructure on both sides has scaled to match the stakes. Leading the Future, a super PAC launched in August 2025 by Andreessen Horowitz and OpenAI president Greg Brockman, raised $125 million in 2025 and had $70 million on hand at year end. It supports candidates favouring AI-friendly policies and uniform federal regulation over state-by-state approaches.

On the other side, Anthropic donated $20 million in February 2026 to Public First Action, a bipartisan group that plans to back 30 to 50 candidates from both parties who support AI safeguards. Public First’s broader network of super PACs has pledged $50 million for pro-regulation candidates. The tech industry reportedly spent more than $1 billion in total efforts to prevent states from regulating AI.

A bipartisan coalition of 36 state attorneys general sent a letter to Congress opposing AI preemption, arguing that risks including scams, deepfakes, and harmful interactions, especially for children and seniors, make state protections essential. Colorado’s attorney general has committed to challenging the executive order in court.

The precedent that matters

The administration revoked Biden’s Executive Order 14110 within hours of taking office on 20 January 2025, calling it “unnecessarily burdensome.” That order had required developers to conduct pre-release safety evaluations and share findings with the government. Its replacement, signed three days later, was titled “Removing Barriers to American Leadership in Artificial Intelligence.” The trajectory from revoking federal safety requirements to attempting to prevent states from creating their own has a logic: if the federal government will not regulate AI, and it will not allow states to regulate AI, then AI will not be regulated.

The contrast with Europe is instructive. The EU AI Act entered full enforcement in January 2026, creating a single regulatory framework across 27 member states. The US approach is the inverse: no binding federal standard and an active campaign to prevent the states from filling the gap. The result is that AI governance in America is being determined not by legislation or regulation but by litigation, executive orders, and the political leverage of the companies that stand to benefit most from the absence of rules.

Doug Fiefia, the Utah Republican who watched his transparency bill die after a White House letter, is now running for state senate. His opponent, the incumbent who helped kill the bill, reportedly said it “would have driven Utah out of the AI innovation business.” Fiefia co-chairs the AI task force of the Future Caucus alongside Monique Priestley, a Vermont Democrat with 24 years in technology. They represent a generation of state lawmakers who have worked in tech, understand what AI can do, and believe that understanding should inform regulation rather than prevent it. The question is whether the regulatory vacuum they are trying to fill will last long enough to become permanent.

At a glance, it’s doing the same job as 2023’s Ultion Nuki Plus: pairing Brisant Secure’s Ultion 3 Star PLUS cylinder and UK-specific door furniture with Nuki’s Smart Lock Pro and platform. In practice, though, this version looks more cohesive, feels quicker to respond and is better aligned with how people actually use a front door every day.

Built-in Wi-Fi removes the hassle of extra bridges. Matter support makes it much easier to fit into a wider smart-home setup. The improved motor means locking and unlocking feel quicker, quieter and less clunky. While the overall design is cleaner and more refined than previous models.

Just as importantly, there are sensible fallbacks everywhere. You can still use a physical key, operate it manually from inside, and include a biometric keypad or keyfob if you want different ways in.

The latest episode of The Leaders’ Room podcast season four features Peter Lantry, managing director of Equinix Ireland. This series is created in partnership with IDA Ireland.

Once again in season four of The Leaders’ Room podcast, we get to know the leaders of some of the most influential multinationals in tech, life sciences and innovation, as well as getting insights into their leadership styles and the high-tech trends they see coming down the line.

In this latest episode, we speak to Peter Lantry, managing director of Equinix Ireland, about the intersection of energy, digital infrastructure and sustainability – and about what Ireland’s digital future could look like if we get the balance right. It’s a wide-ranging and eye-opening conversation about the global data centre giant that sits at the heart of Ireland’s digital ecosystem, and about a man whose career trajectory is decidedly well-matched to the task at hand.

Equinix is the world’s leading co-location retail data centre provider – something Lantry describes, cleverly, as akin to being a “digital airport”, connecting networks, cloud platforms, content providers and enterprises across more than 280 data centres in 35 countries. It works with major players from Nvidia and AWS to Google, as well as with smaller retail clients.

In Ireland, while Equinix has been here 10 years, many of the data centres it now owns, like those of Telecity, have been operating since 1998. The Irish operations have grown significantly since, most recently with the acquisition of two BT data centres and a new Blanchardstown facility, DB7X, now under construction.

What strikes you listening to Lantry is the sheer scale of what Equinix does – more than half a million direct connections between businesses globally, and more than 90pc of all internet traffic in the world flowing through their data centres. The subsea cables that connect Ireland to the rest of the world terminate in Dublin, most of them into an Equinix data centre.

The energy and sustainability conversation is where this episode really catches the imagination. Lantry and his team are doing genuinely pioneering things at Equinix Ireland – hydrogen fuel cells already operating at one of their Dublin sites, solar canopies going in, and an innovative grid solution planned working with the IDA, EirGrid and ESB Networks.

Lantry believes Ireland has a real opportunity, with its ambition to have 22GW of renewable power connecting to the grid by 2030. The question, he says, isn’t whether Ireland can become a leading sustainability hub, but whether we have the collective will to all work together and make it happen.

His vision of data centres that can flex dynamically with the grid – stepping in to support it when needed, rather than adding to its burden – is a compelling one. If we export our data and digital services rather than our electricity, he argues, we could generate perhaps 10 times the value for the Irish economy, so it is crucial, he believes, that we get our digital infrastructure right.

Lantry’s career trajectory means it’s easy to see why Equinix came calling. Starting as a civil and structural engineer with Arup, moving into management science and then consultancy with PwC and IBM, followed by 17 formative years with EirGrid – where he was connecting data centre customers, wind farms and working on the design and implementation of the Irish single electricity market. This was followed by a spell as managing director of Hitachi Energy, where he grew their global data centre business from €350m to €750m in a single year.

It is a CV that makes you understand why his Equinix colleagues remarked, with some amusement, that he was “fairly unique” when the energy crunch hit. He brings something genuinely rare to the role – a deep, practical understanding of both utilities and digital infrastructure, earned over several decades.

On leadership, Lantry talks about Level 5 leadership, referencing James Collins’ book ‘Good to Great’ – leading by example, listening deeply, supporting others and removing the barriers that stop teams from delivering. What comes through clearly is his sense of purpose: the utility-like nature of what Equinix does, connecting everyone and everything in a sustainable way, gives the whole team something genuinely meaningful to rally behind, he says.

I found his emphasis on being fully present in every conversation particularly striking – that good leadership means making the people you are talking with feel truly heard and understood. He describes himself as something of a translator, someone who has spent a career connecting the dots between brilliant people with different expertise and different drivers. Perhaps that instinct was shaped early he says. Lantry grew up moving between countries with his parents – the Netherlands, England, France, Colombia, and back to Ireland – learning to navigate different cultures and ways of engaging. Whatever its roots, it is clearly central to how he leads today.

We’re grateful to all our interviewees again this season, for taking the time out of busy schedules to come into the studio and share their insights and their intelligence with us. And a big thanks as ever to our partners IDA Ireland who make this series possible.

The Leaders’ Room podcast is released fortnightly and can be found by searching for ‘The Leaders’ Room’ wherever you get your podcasts. For those who prefer their audio with visuals, filmed versions of the podcast interviews are all available here on SiliconRepublic.com.

Check out The Leaders’ Room podcast for in-depth insights from some of Ireland’s top leaders. Listen now on Spotify, on Apple or wherever you get your podcasts.

Apple account change notifications are being abused to send fake iPhone purchase phishing scams within legitimate emails sent from Apple’s servers, increasing legitimacy and potentially allowing them to bypass spam filters.

A reader shared an email with BleepingComputer that appeared to be a standard Apple security notification that stated their account information had been updated.

However, embedded within the message was a phishing lure claiming that an $899 iPhone purchase had been made via PayPal, along with a phone number to call to cancel the transaction.

“Dear User 899 USD iPhone Purchase Via Pay-Pal To Cancel 18023530761,” reads the Apple account phishing email.

“The following changes to your Apple Account, hxfedna24005@icloud.com, were made on April 14, 2026 at 7:01:40 PM GMT:”

“Shipping Information”

These emails are designed to trick recipients into thinking their accounts were used for fraudulent purchases and scare them into calling the scammer’s “support” number.

When calling the number, scammers typically try to convince victims that their accounts have been compromised and may instruct them to install remote access software or provide financial information.

In previous callback phishing campaigns, this remote access has been used to steal funds from bank accounts, deploy malware, or steal data.

Abusing Apple account notifications

While the phishing lure is not new, the campaign illustrates how threat actors continue to evolve their tactics by exploiting legitimate website features to conduct attacks.

The phishing email was sent from Apple’s infrastructure using the address appleid@id.apple.com and passed SPF, DKIM, and DMARC authentication checks, indicating it was a legitimate email from Apple.

dkim=pass header.d=id.apple.com header.i=@id.apple.com header.b=o3ICBLWN
spf=pass (spf.icloud.com: domain of uatdsasadmin@email.apple.com designates 17.111.110.47 as permitted sender) smtp.mailfrom=uatdsasadmin@email.apple.com

Further analysis of the email headers shows that the message originated from Apple mail infrastructure and was not spoofed.

Initial server: rn2-txn-msbadger01107.apple.com
Outbound relay: outbound.mr.icloud.com
IP address: 17.111.110.47 (Apple-owned)

To conduct the attack, the threat actor creates an Apple ID and inserts the phishing message into the account’s personal information fields, splitting the text across the first and last name fields.

BleepingComputer was able to replicate this behavior by creating a test Apple account and adding similar callback phishing language to the first and last name fields. This is because each field cannot contain the entire scam message.

To trigger the Apple account profile change notification, the attacker modifies the account’s shipping information, which causes Apple to send a security alert notifying the user of the change.

Because Apple includes the user-supplied first and last name fields within these notifications, the phishing message is embedded directly into the email and delivered as part of a legitimate alert.

While the target of the attacks received the message, the email was initially sent to an iCloud email address associated with the attacker’s account. This email address is also included in the notification email, making the email look more concerning and potentially leading someone to believe the account was hacked.

Header analysis shows that the original recipient differs from the final delivery address, indicating that the attacker is likely using a mailing list to distribute the emails to multiple targets.

This campaign is similar to a previous phishing campaign that abused iCloud Calendar invites to send fake purchase notifications through Apple’s servers.

As a general rule, users should treat unexpected account alerts claiming purchases or urging them to call support numbers with caution, especially if they did not initiate any recent changes or if they contain unusual email addresses.

BleepingComputer contacted Apple on Friday about this campaign, but did not receive a response, and the abuse is still possible.

AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.

At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.

Claim Your Spot

Every time I’ve written about Meta’s AI-enabled glasses, I invariably get asked these questions: Why do you even want these? Why do you want smart glasses that can play music or misidentify native flora in a weirdly cheery voice? I am a lifelong Ray-Ban Wayfarer wearer, and I’m also WIRED’s resident Meta wearer. I grab a pair of Meta glasses whenever I leave the house because I like being able to use one device instead of two or three on a walk. With Meta glasses, I can wear sunglasses and workout headphones in one!

Meta sold more than 7 million pairs in 2025. Take a look at any major outdoor or sporting event, and you’ll see more than a few people wearing these to record snippets for Instagram or TikTok. Meta’s partnership with EssilorLuxottica has made smart glasses accessible, stylish, and useful and is undoubtedly the reason why Google, and now Apple, are trying to horn in on the market. After the notable flop that is the Apple Vision Pro, Apple is recalibrating its face-wearable strategy, moving away from augmented reality (AR) toward simpler, display-less, and hopefully good-looking glasses.

That’s not to say that you shouldn’t be careful how you use these glasses. Meta doesn’t have the greatest track record on privacy, and the company has continued to push forward with policies that are questionable at best. Even if you’re not concerned that face recognition will allow Meta to target immigrants or enable stalkers to find their victims, at the very least, people really do not like the idea that you could start recording them at any moment.

Probably the biggest hurdle to wearing Meta glasses is that even doing so seems like a gross violation of the social contract. After all, these are Mark Zuckerberg’s “pervert glasses.” When I pop these on my head, I’ve had friends (and my spouse) recoil and say, “I have apps to warn me away from people like you.” The best part, though, is that Oakley and Ray-Ban already make really great sunglasses. Even if the battery runs out or you don’t use Meta AI at all, these are stellar at shading your eyes from the sun.

Anyway, if you decide to try them, here’s what you should get. If you do chicken out, check out our buying guides to the Best Smart Glasses or the Best Workout Headphones for more.

Best Overall

Last year, Meta upgraded the original Meta Ray-Ban Wayfarers that became a smash hit. These are Meta’s entry-level glasses, and they come in a variety of lens styles. You can order them with clear lenses, prescription lenses, transition lenses, or the OG sunglass lenses, as well as in a variety of fits, including standard, large, or high-bridge frames. Improvements to this generation include an upgrade to a 12-MP camera and up to eight hours of battery life; writer Boone Ashworth’s testing clocked in at five to six hours.

The National Institute of Standards and Technology will stop assigning severity scores to lower-priority vulnerabilities due to the growing workload from rising submission volumes.

Starting April 15, the service will only analyze and provide additional details (e.g., severity rating, product lists) for security issues that meet specific criteria related to the risk they pose.

The National Vulnerability Database (NVD) will still list all submitted vulnerabilities, but those considered low priority will have a severity rating only from the CVE Numbering Authority (CNA) that evaluated and submitted it.

In an announcement this week, the non-regulatory federal agency said it will only provide additional details for vulnerabilities that meet one of the following criteria:

• are in CISA’s Known Exploited Vulnerabilities (KEV) catalog
• affect the U.S. federal government software
• involve critical software as per Executive Order 14028

NIST explained that the decision was driven by the large number of submissions, which grew by 263% recently and continued to accelerate in 2026. The organization enriched 42,000 CVEs in 2025, but it can no longer keep up with the increasing volume.

NIST NVD is a public, centralized database of known software and hardware vulnerabilities, which also provides additional descriptions and analyses on top of the unique identifiers (CVE IDs) assigned by CNAs, such as vendors and the not-for-profit The MITRE Corporation.

The point of enriching vulnerability details is to make CVE entries usable for risk management, including assigning severity scores, identifying affected product versions, classifying weaknesses, and providing links to advisories, patches, or related research.

NIST NVD is used universally by security researchers, software vendors, government agencies, IT professionals, journalists, and regular users seeking more information about a specific security issue.

“All submitted CVEs will still be added to the NVD. However, those that do not meet the criteria above will be categorized as “Not Scheduled,” explains NIST.

“This will allow us to focus on CVEs with the greatest potential for widespread impact. While CVEs that do not meet these criteria may have a significant impact on affected systems, they generally do not present the same level of systemic risk as those in the prioritized categories.”

NIST admits that the new rules allow some potentially high-impact CVE slip through. For this reason, the agency accepts enrichment requests for “any lowest priority CVEs” via email messages at ‘nvd@nist.gov.’

The lack of enrichment or notable delays was noticeable since 2024, but the organization has now formally declared that it will focus on the most important entries.

AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.

At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.

Claim Your Spot