Michigan has recently become the 48th state to enact laws addressing deepfakes, making it illegal to create AI-generated sexual imagery of individuals without their consent. Under this law, offenders can face misdemeanor charges punishable by up to one year in prison and fines of up to $3,000 if they knew or should have known their actions would cause harm to the depicted individual. Governor Gretchen Whitmer emphasized the serious consequences of such deepfakes, which can damage a person’s reputation and personal life. With these new regulations, all but two states in the U.S. now have laws against deepfakes, reflecting a growing trend to combat nonconsensual abuse imagery. The offense escalates to a felony if the depicted person suffers financial loss or if the intent was to cause harm.
The U.S. Department of the Treasury has announced sanctions against two individuals and two entities linked to North Korea’s remote information technology worker scheme, which has generated illicit revenue for the regime’s weapons programs. The individuals targeted are Russian national Vitaliy Sergeyevich Andreyev and North Korean official Kim Ung Sun, whose operations reportedly facilitated financial transfers of nearly $600,000 since December 2024. The sanctions expand on previous actions taken against Chinyong Information Technology Cooperation Company, known for deploying North Korean IT workers to engage in freelance work and cryptocurrency theft. The Treasury Department highlighted that these workers often use fraudulent documents and artificial intelligence tools to secure employment at legitimate companies, raising significant security concerns for American businesses. One of the front companies has generated over $1 million in profits since 2021, underscoring the scale of this ongoing threat.
The U.S. Cybersecurity and Infrastructure Security Agency has released updated guidelines for software bills of materials (SBOMs) to enhance transparency among software vendors. While experts express cautious optimism about the new guidance, they also highlight significant concerns regarding implementation and standardization. The updated guidelines require SBOMs to include specific information such as component hashes and licenses, alongside the tools used to create them. One notable improvement is the requirement for these documents to be produced in machine-readable formats, which is expected to drive automation. However, experts warn that without actionable intelligence and practical guidance, the requirements could become burdensome for cybersecurity teams, echoing concerns raised since the initial guidelines were introduced in 2021.
Why do we care?
Three stories, one theme: risk is moving faster than the rules.
Michigan’s new deepfake law? Sure, now 48 states have them. But a fine or misdemeanor after the fact doesn’t undo reputational damage. That’s where customers will look to their IT providers for guardrails and training before things go wrong.
Treasury sanctions on North Korea? No surprise—they’re using fake docs and AI tools to sneak IT workers into legitimate businesses. That’s a supply-chain problem hiding in plain sight. If you’re not screening subcontractors and tightening access, you’re leaving a door wide open.
And SBOMs—now with machine-readable formats. Sounds great, but only if vendors actually align. Otherwise, it’s just another compliance checklist dumped on MSPs.
The through line: regulation is reactive, not proactive. If you’re waiting for the law or vendors to protect your customers, you’re already behind. The value you bring is turning messy compliance into real-world resilience.