// AI Tangle
Governance Comes Down From the Mountain
The UN opened its first Global Dialogue on AI Governance in Geneva on July 6–7 — but the same week, the EU's new cybersecurity-and-AI action plan, the AI Act's August 2 deadline, and a fresh draft law out of Thailand showed where the governance that will actually bind your agents is really written.

Last Monday's edition told you to watch the Geneva dialogue that opened that same morning. It is over now, and the readout is worth your time — but not for the reason the headlines suggest. This week the governance conversation finally had a main stage. The UN convened its first Global Dialogue on AI Governance in Geneva on July 6 and 7, back-to-back with the AI for Good Global Summit and the WSIS Forum. But while the diplomats met, the enforceable layer moved on its own: the European Commission rolled out a July 2026 Action Plan on Cybersecurity and AI, and Thailand pushed a draft AI Act into consultation. One of those made the headlines. The other two are what will actually bind your agents — and the lesson of the week is telling them apart.
// The Big AI Story
The world held its first AI governance summit and produced a direction, not a rulebook
On July 6 and 7, Geneva hosted the first session of the UN Global Dialogue on AI Governance, the intergovernmental process mandated by the Pact for the Future and its Global Digital Compact, held back-to-back with the ITU's AI for Good summit. Secretary-General António Guterres framed the stakes in one line: the question is no longer whether AI will transform the world, but "whether we will govern this transformation together, or let it govern us." The Independent International Scientific Panel on AI — 40 experts co-chaired by Yoshua Bengio and Maria Ressa — brought its first report, published July 1 and warning of AI's potential for "catastrophic harm," into the room even as it documented the upside.
Here is the part the ceremony obscured. The Dialogue is, by design, non-binding — a forum for coherence and mutual understanding, not a treaty with teeth. Meanwhile the enforceable rules kept moving on their own clocks, and two of them moved this week. The European Commission's July 2026 Action Plan on Cybersecurity and AI sets up an EU call to build independent capacity to evaluate advanced AI models before they reach the market — the enforcement muscle behind the AI Act's high-risk obligations that take effect August 2. And Thailand moved a draft AI Act into public consultation, a reminder that the rulebooks are multiplying, not converging. One technology, a widening pile of enforceable regimes, and no agreement on which one wins.
The lesson isn't that the world finally started governing AI. It's that global governance sets the direction while the constraints that actually gate your agents get written one layer down — in enforcement deadlines, conformity assessments, and security standards. You cannot implement a communiqué. You can implement a policy that proves what your agent did, under what rules, to a regulator who has no reason to trust you. Geneva is the weather report. August 2 is the storm.
// The Number
700+
The number of separate AI initiatives the UN has now cataloged across more than 50 of its own agencies in the AI Resource Hub that anchored the Geneva talks. If a single institution needs a searchable hub just to track its own AI governance efforts, the odds of one clean global rulebook emerging from a two-day summit are exactly what the week suggested: low.
Source: ITU / UN AI Resource Hub
// 4 Quick Hits
The European Commission's new July 2026 Action Plan on Cybersecurity and AI sets out a coordinated push to help member states and businesses secure advanced models, and it launches an EU call to build independent capacity to evaluate AI models before they reach the market — expected to be operational by 2027 and feeding the AI Office's regulatory function. It lands three weeks before the AI Act's core high-risk obligations take effect on August 2. Watch this when you scope your own rollout: the binding deadline is a date, not a dialogue, and the EU is now staffing the referees.
Thailand's Electronic Transactions Development Agency released a revised draft AI Act for public consultation on July 2, part of a broader package unveiled during its AI Governance Week. It is one more risk-based regime modeled loosely on the EU's — which cuts against the tidy interoperability story the UN told in Geneva. Watch this when you operate across borders: the count of AI rulebooks your systems have to satisfy is going up, not down, and "we comply in Europe" will not cover Bangkok.
Back-to-back with the Dialogue, the ITU's AI for Good Global Summit (July 7–10) ran its Standards and Policy program — the unglamorous machinery where interoperability between national regimes actually gets negotiated. Communiqués make headlines. Standards make things testable. The signal underneath the headline: if you want to know what your auditors will ask for in two years, watch the standards bodies this week, not the heads-of-delegation statements.
CSIS read the Dialogue as a power-shift story: the Global South got an equal seat and used it, while the US pressed an innovation-first line and the EU defended its rulebook. The near-term deliverable out of Geneva is working groups and a follow-on session in New York in 2027 — process, not prohibitions. Watch this when you plan multi-year: the direction of travel is set by whoever staffs those working groups, and the enterprises that track them will see the next binding requirement coming before it is law.
// 3 AI Tools
The Big Story's implication is that you cannot wait for global governance to arrive — you enforce it yourself, at runtime. This week's picks help you do that.
Microsoft Agent Governance Toolkit — An open source, MIT-licensed layer that enforces policy on agent actions at runtime, mapped to all ten OWASP agentic risks. Why it matters this week: it turns the new taxonomy into deterministic controls you can drop next to the frameworks you already run. Right pick when you have agents taking real actions and need enforceable guardrails; wrong pick when you are only running read-only chat assistants.
Promptfoo — Open source red-teaming that tests your agents against the OWASP Top 10 for Agentic Applications before they ship. Why it matters this week: governance you cannot test is a hope, not a control. Right pick when you want repeatable pre-deployment security evaluations; wrong pick when you have no one to act on the findings.
Open Policy Agent — A CNCF-graduated policy-as-code engine that lets you write, in one place, exactly what an agent or MCP tool is allowed to do. Why it matters this week: it is the closest thing to a prove-what-it-ran control you can adopt with your existing platform team. Right pick when you already run infrastructure-as-code and want authorization decisions versioned like software; wrong pick when you have no platform engineering capacity to maintain policies.
// The Extra Watch
Two sessions from the Confidential Computing Summit
Skip the read this week and watch where the prove-it argument goes next. The keynote block runs from Alpha Compute CEO Britney Kaiser on data rights and sovereign AI to a session built on the line the whole event kept repeating — the future of AI will be built on global innovation but governed by sovereign trust. The follow-on sessions put Microsoft Azure CTO Mark Russinovich on confidential AI and a panel on the sovereign stack — nations, enterprises, and the demand for verifiable AI — alongside the chip-level attestation work from AMD and NVIDIA that makes it real. If Geneva was the diplomacy of AI governance, this is the engineering of it.
Last Monday the story was who owns the machines. This Monday it is who sets the rules for what runs on them. Geneva picked the direction and the EU picked the date — and only one of those is already on your calendar. Next week we get practical: how to write an agent policy you can actually prove.

Your AI Sherpa,
Mark R. Hinkle
Founding Publisher, The AIE Network
Follow me on LinkedIn
