01
EU Code of Practice becomes a vendor due‑diligence anchor
An arXiv paper reports that major AI labs including OpenAI, Google, Anthropic and xAI have committed to implement an EU Code of Practice focused on transparency and copyright for advanced AI systems. The commitment gives enterprise buyers a concrete governance reference point even when vendor product announcements are limited.
- Add a procurement control: require vendors to document how they meet the EU Code of Practice on transparency, training data provenance, and copyright handling.
- Use the commitment to push for contract clauses on IP risk allocation, including indemnities, disclosure obligations, and audit/support for incident response.
- Plan for reporting: map your internal AI inventory and model usage to the disclosures the Code of Practice implies so you can respond quickly to regulator or customer requests in Czech/EU contexts.
Source — arXiv governanceEU-regulation 02
AI competition shifts from models to full-stack control
A May 12 analysis argues that the durable AI winners will be decided by control of the full stack, including infrastructure, data, orchestration, applications, and distribution. The piece frames benchmark comparisons as necessary but insufficient for enterprise vendor selection.
- Evaluate vendors on EU hosting options, IAM integration, logging/observability, and admin controls, not just model quality, because these determine deployment risk and operational overhead.
- Reduce lock-in by separating layers: standardize on an orchestration and policy layer while keeping the option to swap model providers as pricing and performance change.
- Check partner reality in Central Europe: prefer stacks that your Czech SIs can deploy and support with clear runbooks, SLAs, and escalation paths.
03
Agent incident shows how token spend can run away
AI‑Weekly described a case in which an AI agent (“Bankrbot”) interacting with xAI’s Grok API incurred nearly $200,000 in unintended token costs after misconfiguration or exploit. The write‑up emphasizes that agent autonomy expands the cost and control surface beyond typical chat use.
- Implement hard spend controls before pilots: budget caps per project, per key and per workflow, plus rate limits and real-time alerts tied to finance and SecOps escalation.
- Require API telemetry: insist on per-request usage logs, attribution to user/workflow, and export to your SIEM/FinOps tooling so you can detect loops and prompt injection-driven bursts.
- Negotiate billing dispute and incident terms: define what constitutes misuse, how quickly the vendor must provide logs, and how credits/refunds work when runaway activity occurs.
04
Local open-source LLMs strengthen hybrid deployment options
An XDA Developers hands-on review claims an open-source “Gemma 4” model running locally via llama.cpp can be competitive with cloud models for many everyday tasks. The article highlights responsiveness, privacy, and reduced dependence on external APIs as practical drivers.
- Use local models for sensitive workloads: draft a policy that routes regulated data (e.g., HR, legal, R&D) to on‑prem or private environments when quality is sufficient.
- Rebalance TCO: compare GPU/CPU capacity, support costs, and energy to per-token cloud spend so FinOps can decide where local inference is cheaper at steady-state usage.
- Avoid uncontrolled shadow AI: if you allow local models, standardize approved builds, patching, model provenance, and a security baseline to prevent untracked desktops becoming production endpoints.