
The Exchange Daily – December 1, 2025

AI rules fight in Congress, Virginia’s health AI guardrails, data center backlash, AidKit’s award, new OT and mobile threats, and the Coupang mega breach.

Congress’ defense bill becomes the new battleground for AI preemption

House leaders are exploring whether to attach AI preemption language to the annual defense policy bill, using it as a vehicle to curb or delay state AI laws. At the same time, a bipartisan coalition of state attorneys general and members of Congress is urging leadership to reject any move that would strip states of their ability to regulate high-risk uses of AI.

For executives, this is a live-fire test of AI governance. Your risk and compliance roadmap may need to support either a single national baseline or a patchwork of state rules, with real implications for model deployment, vendor selection, and disclosure practices.

  • Federal lawmakers are considering AI preemption language tied to the Pentagon policy bill.

  • State attorneys general and the Congressional Progressive Caucus have publicly opposed the effort.

  • Outcomes range from a unified national standard to prolonged regulatory uncertainty.

Sources:


Virginia moves toward sector-specific AI rules for hospitals and health systems

Virginia’s Joint Commission on Technology and Science has endorsed recommendations for a slate of twenty-six bills focused on clinical AI. Draft concepts would require healthcare organizations to set internal standards for AI systems, publish clear transparency and data handling rules, and ensure humans remain firmly in the loop for key care decisions.

Even if you never operate in Virginia, this is an early blueprint for health sector AI governance. It offers a practical checklist for integrating innovation, patient safety, and regulatory readiness in clinical environments.

  • Commission recommendations target AI used in diagnosis, treatment support, and patient engagement.

  • Proposals emphasize internal AI policies, risk management, and human oversight.

  • Other states are likely to borrow pieces of this framework as they write their own health AI laws.

Sources:


AI data center build-out runs into a grassroots backlash

A wave of community opposition is reshaping the AI data center map. In rural Pennsylvania, hundreds of residents are fighting a significant data center project that would rezone farmland and consume large amounts of power and water. At the national level, Data Center Watch reports that tens of billions of dollars in U.S. projects have been blocked or delayed by local resistance.

For technology and finance leaders, the message is that infrastructure risk now includes politics, permitting, and public sentiment. Capacity, latency, and cost assumptions tied to specific regions can change quickly when communities push back.

  • Residents are challenging data center projects over land use, water, and utility rates.

  • Research shows billions in AI-linked data center projects delayed or canceled after local opposition.

  • Enterprises should stress-test plans that rely on hyperscaler expansion in specific geographies.

Sources:


Monday AI Market Maker – AidKit’s AI for public benefits and disaster cash assistance

AidKit, a public benefit corporation focused on cash assistance and benefits delivery, has been named a Gold winner for Best Use of Artificial Intelligence at the 2025 Globee Awards for Impact. Its platform helps governments and nonprofits screen eligibility, route payments, and spot potential fraud more efficiently during disasters and economic shocks.

For public-sector CIOs and large nonprofits, AidKit offers a concrete example of AI-native operations. Governance and human judgment remain central, but AI accelerates the entire benefits lifecycle from intake to reporting.

  • AI supports eligibility checks, document review, and fraud analytics for aid programs.

  • AidKit positions itself as a transparency-focused, audit-friendly benefits platform.

  • The model is portable to other high-volume, rule-heavy programs beyond disaster relief.

Sources:

https://www.aidkit.com


CISA flags actively exploited OpenPLC ScadaBR flaw in KEV

The Cybersecurity and Infrastructure Security Agency has added a cross-site scripting flaw in the OpenPLC ScadaBR stack to its Known Exploited Vulnerabilities catalog. Hacktivists recently abused the bug to deface a honeypot human–machine interface, disabling logs and alarms in the process.

For operators of industrial control systems and building automation environments, this is a reminder that even lab or test components can become real attack surfaces. If they are reachable from the internet or shared networks, they belong in your vulnerability and segmentation plans.

  • The vulnerability, CVE-2021-268292, affects a settings page in ScadaBR.

  • CISA’s listing indicates active exploitation in the wild.

  • Organizations should inventory any OpenPLC or ScadaBR components and prioritize remediation.

Sources:


New Android “Albiriox” malware-as-a-service targets banking and crypto apps

Security researchers have detailed a new Android malware family dubbed Albiriox, sold as a malware-as-a-service to criminal groups. Instead of simply stealing credentials, it enables attackers to stream the device's screen, abuse accessibility services, and apply overlays to more than 400 financial and crypto applications.

For financial institutions and any enterprise that treats mobile apps as a primary customer channel, Albiriox is another step in the shift toward full-on device fraud. Defense strategies need to assume compromised endpoints and focus on behavior, context, and transaction risk.

  • Albiriox is delivered through social engineering lures and droppers.

  • It supports real-time device control and on-device transaction execution.

  • Mobile app hardening and fraud analytics must evolve to handle these techniques.

Sources:


Coupang breach exposes personal data of nearly 34 million customers

South Korean e-commerce giant Coupang has disclosed a data breach affecting nearly thirty-four million customers, making it one of the country’s largest incidents in years. Attackers accessed names, contact details, addresses, and some order information over a multi-month window before detection.

Regulators and police are now investigating whether a former employee’s credentials or authentication key were misused. For global digital commerce leaders, the case highlights the importance of controlling internal keys and aggressively monitoring for large-scale data access.

  • The incident involves tens of millions of affected customer records.

  • Stolen data includes identity and contact details, though not payment card data.

  • Authorities are probing potential insider involvement and disclosure practices by former employees.

Sources:


Topics We’re Tracking (But Didn’t Make the Cut)

Dropped Topic: Former congressmen launch super PACs backing AI safeguard candidates

  • Why It Didn’t Make the Cut: Interesting for political strategy, but indirect for near-term enterprise risk and implementation decisions.

  • Why It Caught Our Eye: Signals growing electoral organizing around AI safety and could shape the long-term policy environment in which your organization operates.

Dropped Topic: New data center resistance flashpoints beyond Pennsylvania

  • Why It Didn’t Make the Cut: Closely overlaps with today’s primary data center backlash segment and would have been duplicative for this edition.

  • Why It Caught Our Eye: Confirms that organized opposition to AI-related data center growth is emerging across multiple states, not just a one-off local fight.


Quick Disclaimer and Sources Note: The author used AI in part to create this newscast. Our goal is to be transparent and show you how we sourced the info we used.


This newscast was developed using only public sources of information.


The Exchange Daily is a production of Metora Solutions. For more information about how to participate in this daily newscast, contact us at podcasts@metorasolutions.com.
