DC Dithers Over PCAOB, State AI Laws

Time to revisit the policy-making nuttiness in Washington! Several measures relevant to compliance and audit professionals have gone through twists and turns lately as Republicans struggle to pass a budget bill that nobody likes, and we should ponder the potential implications for your compliance efforts back home.

First (and somewhat to my surprise) Senate Republicans have dropped plans to abolish the Public Company Accounting Oversight Board — or more precisely, the Senate parliamentarian ruled that including that piece of legislation in the larger budget bill would violate Senate rules, and trigger a requirement for 60 votes to pass the bill rather than a simple majority. So the PCAOB kill order is canceled.

Republicans in the House first moved to abolish the PCAOB in their version of the budget bill that they passed in May. That prompted a campaign by good governance activists and former PCAOB leaders to save the agency, which was created by the Sarbanes-Oxley Act in 2002 to oversee the audit industry. The House version assigned PCAOB oversight duties to the Securities and Exchange Commission, with extra funding so that the SEC could afford to hire PCAOB staffers under a new “Division of Audit Oversight” or some arrangement like that. The now-dead Senate version simply assigned PCAOB duties to the SEC with no supplemental funding at all.

Even as that legislative threat to the PCAOB ran aground, however, House Republicans this week raised the specter of another legislative threat to the agency. 

On Wednesday the Financial Services Committee held a hearing titled “Reassessing Sarbanes-Oxley” to ponder a few pieces of legislation, including (a) re-assigning audit industry oversight from the PCAOB to the American Institute of Certified Public Accountants; and (b) raising the threshold on SOX 404(b) audits of internal control, to exempt more companies from said audits.

This was only a hearing. No votes were cast, it’s unclear whether the House ever will move forward with either idea, and even then, the Senate would need to vote for companion legislation with many opportunities for Senate Democrats to block it. So nobody should assume these are serious challenges to the PCAOB right now. 

One of the witnesses in this week’s hearing was John Coates, professor of securities law at Harvard Law School and briefly general counsel of the SEC during the Biden Administration. His quick post-mortem, posted on LinkedIn, was that all hearing witnesses — including the Republican-called ones — agreed that a wiser course would be to keep the PCAOB, and then fiddle with audit or 404(b) issues at the regulatory level rather than by changing the law.

So all you SOX compliance and audit industry folks, watch this space. The PCAOB is likely here to stay for a while yet, even though the rules for 404(b) compliance might still change later in the year. 

Ban on State AI Laws Keeps Floundering

More relevant to corporate compliance, privacy, and legal officers, the effort to impose a 10-year moratorium on state laws for artificial intelligence still survives — even though its scope and popularity are shrinking by the day, to the point where I bet this thing either dies entirely or becomes toothless.

The original plan, as adopted by the House, was a complete 10-year moratorium on states enacting or enforcing their own laws for artificial intelligence. Then it hit the Senate and everything went to pieces. 

First, Sen. Ted Cruz (R-Texas) proposed the same complete moratorium. Then, amid rising dislike of the bill, he proposed that states could enact and enforce their own AI rules, but those states would no longer be eligible for $42 billion in federal funds to expand broadband internet access in rural areas. Then the Senate parliamentarian intervened again, telling Republicans that if they want to avoid that 60-vote filibuster threat, the funding restriction can only apply to $500 million in federal funds to build AI data centers. 

That’s where matters stand today, before any Senate voting has even begun. Apparently Cruz is still fiddling with the precise language. Even after all that, however, numerous Republican senators don’t like the moratorium at all and want it killed off entirely. Back in the House, Rep. Marjorie Taylor Greene (R-Kooksville), who did vote for the moratorium last month, now wants it stripped out of the final bill because she hadn’t read the House bill and didn’t know the moratorium was part of it. She now says she’ll vote against the final bill if the moratorium is included.

(Hence we have the old saying, “Democrats can’t win, but Republicans can’t govern.”)

Meanwhile, multiple states are still moving forward with their own AI laws anyway. Texas just adopted its own sweepingly restrictive law on AI. So did New York, not to be confused with Utah, Colorado, or California, which already adopted their own AI laws months ago. Just this week Connecticut tweaked its data privacy law to require that companies disclose whether any personal data they collect from customers will be used to train AI systems. 

Arkansas Gov. Sarah Huckabee Sanders (President Trump’s press secretary in his first term, and someone he’ll remember) just wrote a column in the Washington Post calling for the AI moratorium to be dropped. State attorneys general across the country and the political aisle oppose the moratorium too.

You get the picture: nobody likes this moratorium except for big software companies, and nobody else likes those guys. There is no strong natural constituency calling for people to have no recourse to address AI seeping into our economy and our lives.

So my bet is that the moratorium either dies outright, and good riddance to it; or it passes, but the federal funding restrictions are so weak that states will ignore it and enforce their own AI laws anyway. Keep that in mind as you ponder your privacy, security, and data management strategies for 2026 and beyond.