Two regulatory decisions four days apart on opposite sides of the Atlantic just told us something important about how AI will actually be governed. Most coverage will miss the pattern, because the two events look unrelated. They are not.
Four days apart this past week, two regulators on opposite sides of the Atlantic intervened in frontier AI. Most of the coverage will treat them as separate stories. They are not, and the pattern between them is the more important story for Irish boards.
On the evening of Friday 12 June, a US national-security authority issued an export-control directive to Anthropic ordering it to disable global access to its newly released Claude Fable 5 and Mythos 5 models. The order, citing concerns about a discovered jailbreak method, gave no notice and no consultation period. Anthropic complied the same evening. Customers worldwide — including any Irish organisation that had built a workflow on those models in the preceding fortnight — lost access overnight. Not for breach of contract. Not for misuse. Because a foreign-policy authority somewhere decided it had to act.
Earlier today, Tuesday 16 June, the European Parliament adopted the Digital Omnibus amendments to the EU AI Act by 423 votes to 57. The deadline for high-risk system obligations under Annex III was postponed by eighteen months. A new prohibition was added — AI systems capable of generating non-consensual intimate imagery or child sexual abuse material — with a compliance deadline of 2 December 2026 and penalties at the top tier of the Act.
The first intervention was made in hours, by executive order, on a capability the regulator had not previously listed as prohibited. The second was deliberated over months, voted on in a parliamentary chamber, and folded into a statute that already runs to hundreds of pages. They look like different worlds. They are not. They are the same regulatory environment showing two faces.
The Kahneman frame
Daniel Kahneman's central distinction in Thinking, Fast and Slow is between two cognitive registers. System 1 is fast, pattern-matching, automatic. System 2 is slow, deliberate, analytical. His most uncomfortable finding was that we do not know, in real time, which register we are operating in. We assume we are reasoning when we are reacting, and assume we are reacting when we are reasoning. The errors compound from there.
The same distinction is useful for thinking about how AI will actually be regulated from this point forward.
System 2 regulation is what Brussels has been doing for decades. Long drafting cycles. Multi-stakeholder consultation. Classification schemes, conformity assessments, calendar-driven activation dates. The AI Act in its original form is System 2 to its bones. The architecture assumes you have time to classify a system before deploying it, time to document the conformity of a deployment before a regulator inspects it, time to train your staff to the literacy threshold before enforcement activates. The entire structure is paced. Predictable. Designed for organisations and regulators that can plan around it.
System 1 regulation is what happened to Fable 5 on Friday evening. A specific pattern surfaced — a jailbreak method, a security agency's threat assessment, a determination that action could not wait — and the intervention was executed at the access layer in hours. Not at the deployment layer in months. There was no Annex III analysis. There was no consultation. There was no runway. The fast register skipped the entire System 2 apparatus and intervened directly at the point of access.
The under-noticed feature of today's Omnibus vote is that Brussels itself just did something closer to System 1 in form. The new prohibition on AI systems that can produce non-consensual intimate imagery is not a deployment classification. It does not depend on what use case the system was sold for, or which Annex III category it sits in. If the system is capable of producing that output, it is in scope. Brussels delayed its System 2 architecture by eighteen months and added a System 1-shaped tool to the statute on the same day. That is not contradictory. It is bi-modal.
What both events have in common
Both interventions skip the deployment-classification model that the original AI Act was built around. Both regulate at the capability and access layer instead.
Brussels says: irrespective of how the system is classified, if it can produce this output, it is prohibited.
Washington says: irrespective of how the system is deployed, if a security authority decides the capability is unsafe, access is revoked at the provider.
In both cases, the question that the AI Act in its original form taught organisations to ask — which Annex III bucket does my AI deployment sit in? — is not the question that gets you to the right answer. The right question is what is each AI system in our stack actually capable of, and what is the access risk on the provider?
That is a different governance inventory. Most Irish boards do not yet have one.
What this means for the way boards should govern AI
The governance most Irish boards have built in the last twelve months is System 2 governance. Quarterly committee cadences. AI registers updated by the secretariat. Documented Annex III mappings. Literacy programme rollouts on multi-month timelines. All of that is necessary. None of it is sufficient on its own.
Boards now need a second register. A System 1 register. The slow register handles the work the Act tells you the cadence for. The fast register handles the work that does not appear in any statute but matters more in any given week.
The slow register asks: have we classified every AI system in scope under Annex III? Have we documented conformity? Is our literacy programme on track? Are we ready for the AI Office of Ireland when it activates on 1 August 2026? These are real questions. They have known answers. They get worked on quarterly.
The fast register asks different questions. Who, named in writing, can make a capability-restricting decision in hours if a model changes under us? What is our contingency if a frontier model we depend on is suspended by a government directive on a Friday evening? Which operational workflows are now single-provider-dependent, and what is the unwinding cost if that provider loses access? When a new capability-based prohibition is added to a statute that affects us — as Brussels did today, and may do again — what is the process by which our AI inventory is re-tested against the new prohibited-output list, and how quickly can we do it?
Those questions do not have a statutory deadline. They have a real one, which is the next time something happens. The frequency of something happens in AI regulation has shortened to roughly one event per month over the last six. That is not going to slow down.
Kahneman's deeper point
Kahneman's most useful insight was not that System 1 and System 2 exist. It was that we are bad at telling, in the moment, which one we are using. Boards governing AI run the same risk in mirror image. They have built one register — the slow one, the documented one, the one with committee minutes — and assume that constitutes governance. The events of this week made that assumption harder to defend.
A board that meets quarterly to review an Annex III map and adjourns is governing AI with one register. A board that has, in writing, a named decision-maker for capability and access events, a contingency plan for a provider-level shutdown, and a re-testing process triggered by new capability prohibitions, is governing with two. The second board will not necessarily make better strategic AI decisions. It will, however, be able to demonstrate to a regulator, an insurer, a successor board, or a claimant that it knew the question existed and had built a process for it.
That, more than the Annex III mapping itself, is what good AI governance is going to look like by the time the AI Office of Ireland activates in six weeks.
The position to take into the boardroom
If you are preparing for a board AI conversation in the next eight weeks, the three questions worth carrying into the room are these.
One. Have we mapped our AI dependencies on a second axis — capability and provider — in addition to the deployment-classification axis we have been working from?
Two. Who, named in writing, can make a capability-restricting or provider-switching decision in hours if a model changes under us? What is the contingency if that decision becomes necessary?
Three. When a new capability prohibition is added to the Act — and Brussels just signalled it will keep adding them — what is the process by which our AI inventory is re-tested, and what is the cycle time?
A board that has answers to those three questions has bi-modal governance. A board that does not is governing with one register and assuming it is enough. After this week, that is a harder assumption to hold.
If you want an independent view on whether your governance is bi-modal in shape, Acuity AI Advisory provides board-level AI governance review — fixed-fee, sized to fit Irish SMEs, and vendor-neutral.