Not at the Frontier. In Your Inbox.
Google argued this month that existing law is enough to govern AI. The same day, it switched on face-and-voice capture across Workspace, on by default. One of those was going to be a problem.
On June 25, 2026, Google published a white paper, “A Pragmatic Approach to AI Governance in America.” Its position is blunt. For widely-deployed AI, the paper states, “the federal government does not need new regulatory regimes,” because, in its own words, “if something is illegal to do without AI, it’s illegal to do with AI.” Existing law, Google argues, is enough.
That same day, an email landed in my inbox. Not as someone who reads policy papers, but as a Google Workspace administrator. It announced a new feature in Google Vids: personal avatars, built from a user’s own face and voice. Rolling out July 14, 2026. On by default for every eligible user. I could turn it off, but only if I knew to look, and only if I understood why it mattered.
Illinois and Texas have laws that govern exactly this kind of data collection. Illinois’ Biometric Information Privacy Act and Texas’ Capture or Use of Biometric Identifier statute both require affirmative, informed consent before collecting biometric identifiers, which include face geometry and voiceprints. Default-on with an administrative opt-out does not satisfy either statute. Consent must be prior and affirmative. (Note: this is not legal advice. Organizations with users in Illinois or Texas should consult counsel before July 14.)
Now hold Google’s own standard against Google’s own product. The paper says if something is illegal without AI, it is illegal with AI. Collecting face geometry and voiceprints without prior, affirmative consent is illegal without AI in Illinois and Texas. Switching it on by default does not become lawful because the feature is powered by AI. By the paper’s own rule, the policy argument and the product notice, published the same day, point in opposite directions.
Before setting that contradiction aside, it is worth examining the frontier solution Google is proposing. The paper calls for a Frontier AI Regulatory Organization, modeled on FINRA and NERC. The governance design is in the paper’s own language: “The FARO board would include a combination of independent directors and industry representatives.” Companies with frontier models would become FARO members. FARO would draw its standards from bodies like the Frontier Model Forum, which Google co-founded alongside Microsoft, OpenAI, and Anthropic. The baseline framework FARO would audit against is explicitly modeled on Google DeepMind’s own Frontier Safety Framework. Audit reports would be submitted confidentially to FARO, not released publicly.
Read the structure. Google proposes the body, Google funds it as a member, Google sits on its board as an industry representative. Google co-founded the standards body whose guidelines FARO would apply. Google’s own safety framework is the explicit template. Audit results stay inside the structure.
This is not a regulatory design that holds frontier labs accountable to an external standard. It is a regulatory design that seats frontier labs inside the accountability structure itself. The “independent” part of the board is balanced, by design, against industry voices who have an explicit interest in speed to market. That phrase appears verbatim in the board composition paragraph.
The body that would govern the most powerful AI systems would be funded by those systems’ developers, staffed from the same talent pool, governed by frameworks those developers wrote, and answerable to a board those developers help populate.
This is not primarily a story about Google. It is a story about the governance gap.
Every enterprise Google Workspace administrator who received that email has until July 14 to act. Most won’t recognize the legal exposure. Not because they are negligent, but because they don’t have an internal system that connects a product rollout notice to a biometric consent obligation. That connection requires someone who understands both the product and the law simultaneously, knows which states your employees are in, and has authority to act before the default kicks in. Most organizations don’t have that person, that process, or that infrastructure.
Google’s paper proposes solving the governance problem at the federal level, through a frontier regulatory body focused on the most advanced AI models. What arrived in my inbox is not a frontier problem. It is an organizational problem. The risk arrived as a routine admin notice, with a two-week window to act.
The governance framework that would have caught this doesn’t live in Washington. It lives inside the organization, in the layer between the tool and the people responsible for using it responsibly. It is a policy layer, a workflow control, an ownership structure, an escalation path. It is the system that asks, when a vendor pushes a new feature: what does this collect, where does it go, what law governs it, and who in this organization is accountable for the answer?
Most organizations don’t have that system. Google’s paper doesn’t propose building it. And a frontier AI regulatory organization, if it ever materializes, won’t require it.
The governance gap isn’t at the frontier. It’s in the inbox.
Sources
Google, “A Pragmatic Approach to AI Governance in America,” June 25, 2026. The paper argues existing law is sufficient for widely-deployed AI: “the federal government does not need new regulatory regimes” (p.13), and “if something is illegal to do without AI, it’s illegal to do with AI” (p.13). It proposes a Frontier AI Regulatory Organization (FARO) modeled on FINRA and NERC, industry-funded, with a board combining independent directors and industry representatives. https://blog.google/company-news/outreach-and-initiatives/public-policy/white-paper-ai-regulation/
Google Workspace admin notice, received June 25, 2026 (archived .eml). Google Vids personal avatar feature, built from a user’s face and voice, default-on July 14, 2026. Public corroboration: Google Workspace Updates. https://workspaceupdates.googleblog.com/2026/06/enhanced-ai-avatars-vids.html
Illinois Biometric Information Privacy Act (740 ILCS 14) and Texas Capture or Use of Biometric Identifier Act (Tex. Bus. & Com. Code 503.001). Both require informed, affirmative consent before collecting biometric identifiers, including face geometry and voiceprints.
When a vendor pushes a new feature into the tools you already run, who in your organization connects that notice to the law that governs it, and has the authority to act before the default kicks in? Tell me in the comments.
This is the question my work begins with. The governance gap is rarely at the frontier. It is in the layer between the tool and the people accountable for using it. That gap is what I help close.


