Insights

May 22, 2026: A Crowell & Moring team represented Kanders & Company in a complex carveout transaction in which Kanders acquired the biosecurity business of publicly traded Ginkgo Bioworks. The resulting company, Perimeter Systems, has launched as the world’s first integrated biosecurity infrastructure platform, designed to transform biological signals into real-time intelligence and accelerate decisive response. At closing, Perimeter secured $60 million in growth capital, led by Kanders in partnership with SCS Financial, Goldcrest Capital, Four Cities Capital, and the Safe Artificial Intelligence Fund (SAIF).

Colorado’s original AI Act (SB 24-205), signed in May 2024, imposed broad obligations on developers and deployers of “high-risk AI systems” — including requiring risk management programs, impact assessments, and affirmative steps to prevent algorithmic discrimination across employment, housing, lending, insurance, health care, and education decisions. The operative date for SB 24-205 was extended twice, and a court temporarily suspended enforcement in early 2026, following a lawsuit filed by xAI, which the U.S. Department of Justice (DOJ) intervened to support. Industry feedback on SB 24-205 was generally negative. In response to this environment, Colorado’s legislature undertook a rewrite, drafting and passing SB 26-189 in a matter of weeks. SB 26-189 reflects the legislature’s effort to preserve the policy goal of filling the AI oversight vacuum given the lack of a comprehensive federal law, but within a more workable compliance framework.

On May 5, 2026, CISA announced CI Fortify — an initiative directing critical infrastructure owners and operators to prepare for geopolitical conflict in which OT networks are actively targeted while communications infrastructure is simultaneously degraded.

Several recent class actions filed against Tempus AI, Inc., a health care technology company that combines AI with molecular and clinical data to develop precision medicine services, are the latest in a series of cases illustrating a fast-growing legal risk: the repurposing of genetic and clinical data — collected for diagnostic or treatment purposes — for artificial intelligence (AI) model training, analytics, and downstream commercialization following corporate acquisitions. At the same time, state genetic privacy regulation is expanding rapidly, with Utah and South Dakota being the most recent states to enact new statutes, and legislation advancing in several additional states. Organizations holding genetic datasets need to treat data governance as a core enterprise risk issue, not a downstream compliance matter.

State privacy law developments continued on a similar trajectory as previous years, marked by a legislative focus on data privacy issues. At the beginning of the 2023 legislative session, five states (California, Colorado, Virginia, Utah, and Connecticut) passed comprehensive privacy laws, all of which are now effective and enforceable.