# The Algorithmic Duty of Care: What the SEC, FTC, and EU Are Demanding Simultaneously

**Category:** White Paper Article | Touch Stone Publishers
**Author:** Glenn E. Daniels II
**Word Count:** ~1,450

Three enforcement regimes are requiring the same thing from every enterprise with AI deployment. They are not coordinating. Each is responding independently to a different regulatory mandate. The result is a convergence that enterprises have not modeled: a simultaneous demand, from three enforcement bodies, for documented proof that the organization understands what its AI is doing.

The SEC’s Division of Corporation Finance has issued over 40 comment letters in 2025-2026 demanding that public companies quantify their reliance on third-party foundational models as a material supply-chain risk in their 10-K filings. (SEC EDGAR, Division of Corporation Finance Comment Letter Guidance, 2025-2026) The enforcement theory does not require that the AI failed. It requires that the AI dependency was material and undisclosed. A company that describes its AI capabilities as “proprietary” while those capabilities are built on OpenAI, Anthropic, or Google foundational models is holding a disclosure that the SEC has made clear it will treat as materially misleading when the next material AI failure produces a stock drop.

The Federal Trade Commission and the Department of Justice have designated algorithmic pricing as a 2026 enforcement priority under a legal theory that most in-house counsel have not yet fully internalized. The theory is per se illegal horizontal price-fixing: the same legal category as a back-room agreement among competitors to fix prices: applied to dynamic pricing systems that use shared competitor data from common third-party providers. The per se standard means no rule-of-reason analysis, no consideration of innocent intent, no pro-competitive justification. When multiple competitors use the same third-party revenue management platform that aggregates competitor pricing data, each competitor’s algorithm responds to the same market intelligence and produces coordinated price movement. That is the exposure. (Freshfields, “2026 Enforcement Priority: Algorithmic Pricing”; DOJ enforcement posture, 2026)

The EU AI Office has set August 2, 2026 as the hard deadline for conformity assessments of high-risk AI systems. A conformity assessment is not a self-certification. It is a structured evaluation by an independent notified body that verifies whether the organization can produce documented evidence of: the system’s design specifications; the training data’s provenance and known limitations; performance testing results; and human oversight mechanisms at the decision points the Act designates as requiring human review. The consequence of failing this deadline is not a fine. It is market lockout: the system cannot be placed on the EU market. For any organization whose AI-dependent products or services reach EU customers, August 3, 2026 is a revenue event. (EU AI Act, Articles 16-17; Bird & Bird, February 2026)

The convergence point is transparency. All three enforcement regimes are demanding, in their own regulatory language, that enterprises prove they understand what their AI is doing: where it comes from, what data it uses, how it makes decisions, and who is responsible for what happens when it operates. The 62% of executives who have acknowledged their data architecture will fail EU conformity audits are, by implication, also the 62% who cannot fully satisfy the SEC’s supply chain quantification demand and cannot produce the documentation that protects them from the FTC’s per se theory. (Gartner Q2 2026 Executive AI Readiness Survey)

## Why the Convergence Was Predictable

The three enforcement regimes arrived at the same demand through different analytical pathways, but the endpoint was always the same. The SEC’s disclosure framework has always required that material supply-chain risks be disclosed with specificity: the AI supply chain is a supply chain, and foundational model dependency is concentration risk. The FTC’s antitrust framework has always treated shared intelligence that produces coordinated market behavior as horizontal coordination: the algorithmic mechanism is new, but the economic analysis is not. The EU’s AI Act has been in development since 2021: the August 2026 deadline has been visible for five years.

What was not predictable was that all three would arrive at enforcement priority simultaneously, creating the compounding pressure that boards are now navigating. Each enforcement regime requires its own documentation. But the underlying governance architecture that satisfies all three is the same: an AI supply chain registry that maps every third-party dependency, a data provenance record that documents training data lineage, and a human oversight architecture that designates where human review is required.

## The Data Provenance Debt

The most consequential operational consequence of this convergence is what the research identifies as “data provenance technical debt”: the documentation that enterprises failed to produce when they deployed AI systems in 2023-2025 under competitive pressure to deploy first. Provenance documentation: the record of where training data came from, how it was processed, what its known limitations are: is the specific documentation that EU conformity assessors examine first and that the 62% compliance failure rate shows is most commonly absent.

The enterprises that are now attempting to reconstruct provenance documentation for AI systems deployed two years ago are incurring a remediation cost that is orders of magnitude larger than the cost of producing the documentation at deployment. This is not a compliance observation. It is a capital allocation observation: the CFO who treated data provenance documentation as a deferrable expense in 2024 made a capital allocation decision that is producing a compounding cost in 2026. The organizations that invested in auditable data pipelines before the enforcement pressure arrived are the 38% that will pass conformity assessments.

## The Governance Architecture That Resolves All Three

The governance architecture that resolves the three-regime convergence is not three separate compliance programs. It is one documented governance discipline with three regulatory benefits.

The AI supply chain registry satisfies the SEC’s supply-chain disclosure requirement, supports the FTC’s antitrust audit documentation, and provides the foundational documentation for the EU’s conformity assessment. The algorithmic antitrust audit: conducted annually, under attorney-client privilege, in conjunction with outside antitrust counsel: satisfies the FTC’s per se defense requirement and, incidentally, produces the data source documentation that the EU conformity assessment requires. The human oversight designation: the document that specifies which AI-operated decisions require human review before finalization: satisfies the EU Act’s human oversight requirement and provides the operational evidence that the organization’s AI governance is substantive rather than declarative.

The board that establishes these three governance instruments as standing institutional requirements: maintained regardless of regulatory pressure, updated quarterly, reviewed annually by the Audit Committee: has built the governance architecture that the convergence demands. The board that waits for the first SEC comment letter to build the supply chain registry is building it in the worst possible circumstances: under regulatory scrutiny, on the regulator’s timeline.

This piece is drawn from a broader body of work on the Algorithmic Duty of Care, developed in the Executive Leadership Playbook and six functional White Papers available at [Touch Stone Publishers’ Algorithmic Duty of Care research hub](https://touchstonepublishers.com/algorithmic-duty-of-care/).


*Glenn E. Daniels II | Touch Stone Publishers Limited*