AI Rules, GitHub Defaults, and TSMC's Big Bet
California’s Senate weighs AI bills with national reach, while GitHub flips defaults on Copilot training data. We also cover TSMC’s Arizona surge rumors, Apple’s DarkSword backports, and Microsoft’s Office preview-pane risks.
Show Notes
Welcome to AI News in 10, your top AI and tech news podcast in about 10 minutes. AI tech is amazing and is changing the world fast; for example, this entire podcast is curated and generated by AI using my and my kids' cloned voices...
It’s Monday, April 6, 2026... here’s what’s shaping AI and tech today.
California’s Senate is set to hear a cluster of AI bills that could ripple nationwide. GitHub is walking back those Copilot pull request promos — while quietly locking in a new default data-for-training policy. Chip giant TSMC is reportedly gearing up for a huge Arizona build-out, even as capacity is spoken for through 2028. Apple is backporting iPhone security fixes amid the so-called "DarkSword" exploit saga. And Microsoft just pushed an out-of-band Windows 11 patch while warning admins about Office preview-pane bugs that tie right back to AI-assisted workflows.
Let’s dive in...
Story one — California’s big AI hearing day
If you care about how AI is governed in the U.S., watch Sacramento today. California’s Senate Committee on Privacy, Digital Technology, and Consumer Protection is scheduled to hear multiple AI bills.
Among them: Senate Bill 867, which would prohibit companion chatbots in toys. Senate Bill 1050, which would require disclosures about the use of AI in advertising. Senate Bill 1146, which would add AI provisions to false advertising rules for health-related products. And Senate Bill 1159, which would clarify that "person," "participant," or "member of the public" does not include AI systems for the purposes of open meeting and public records laws.
California bills often become de facto national standards because companies don’t build fifty different compliance stacks — they align to the toughest rule set. We’ll watch for votes and any amendments out of committee later today.
Why this matters: If these advance, they’ll shape everything from kids’ toys and mental-health tools to the labels on AI-infused wellness products. And because California regulates a market of nearly 40 million people, product teams everywhere tend to follow.
Story two — GitHub backtracks on pull request promos, sets default data-for-training policy
Developers revolted last week after seeing "tips" and promotional blurbs injected into pull requests that used Copilot. GitHub disabled the behavior and blamed a "programming logic" issue — but the flap crystallized a bigger shift.
Starting April 24, Copilot interaction data — prompts, accepted outputs, code context, repository structure, and even thumbs-up or thumbs-down — will be used by default to train models unless you opt out. Free education plans are exempt, and enterprises can set their own policies, but for many open-source maintainers, that’s a sea change.
If you maintain repositories on GitHub, check your organization-level switches now and decide your posture before the new policy kicks in.
What to watch: Expect clearer guidance on opt-outs and auditability — and pressure on rival hosts to declare their own training defaults. The immediate lesson is simple: even small UX experiments, like pull request "tips," land differently in code review... where trust is everything.
Story three — TSMC: Arizona mega-build rumors as capacity sells out to 2028
Hardware drives AI — and AI is devouring hardware. Fresh reports suggest TSMC is considering as many as twelve fabs, plus multiple advanced-packaging facilities, in Arizona, on top of the existing Fab 21 campus — an extraordinary scale-up aimed at U.S. supply resilience.
At the same time, coverage late last week said TSMC capacity is effectively "sold out" through 2028, while capital-expenditure plans for 2026 are expected to run between 52 and 56 billion dollars.
Treat the Arizona numbers as preliminary — they’re not an official TSMC announcement — but they align with relentless AI demand and the scramble for CoWoS and SoIC packaging. If these moves proceed, the U.S. could see a true advanced-node cluster with domestic packaging at scale... and a lot of hiring.
Why this matters: Model-training roadmaps increasingly hinge on packaging bottlenecks, not just transistor density. More U.S. capacity could ease some of the worst lead times — but not overnight. Watch for land-acquisition filings, utility build-outs, and tool-installation permits as early indicators.
Story four — Apple rushes security fixes amid "DarkSword" fallout
Apple quietly widened the availability of iOS 18.7.7 on April 1, backporting protections to more devices in response to recent web-exploitation campaigns. Security trackers have tied parts of the activity to an exploit toolkit nicknamed "DarkSword," overlapping with earlier Coruna-related iOS attacks that CISA flagged in early March.
The upshot: even if you’re not on the latest iOS 26 branch, Apple wants older devices to auto-receive critical WebKit and kernel hardening. Enterprises got an extra nudge via a CISA-style, 21-day compliance drumbeat in late March — patch, or be ready to explain why not.
If you or your fleet stalled on updates, this is your sign... move.
Practical takeaway: Prioritize devices used for messaging, browsing, and any privileged admin access. And for BYOD — bring-your-own-device — environments, communicate that "Background Security Improvements" can now land without a full OS jump. The goal is coverage, not UI novelty.
Story five — Microsoft ships emergency Windows 11 fix; Office preview-pane bugs linger
After a bumpy March, Microsoft pushed an emergency Windows 11 update to resolve install and sign-in issues tied to the late-March preview build. But the security team’s attention should stay on Office.
March Patch Tuesday included multiple preview-pane vulnerabilities in Office and Excel — including remote code execution and data exfiltration angles that researchers say can pair with indirect prompt injection to siphon information via AI copilots.
If your organization tests updates slowly, consider fast-tracking the Office patches, reviewing mail-gateway policies that strip active content, and limiting what copilots can see in risky contexts.
Why this matters: As more workflows route through AI assistants, old-school file-preview bugs have a new blast radius. Defense in depth isn’t optional — think least privilege for copilots, DLP tuned for generated content, and user training that treats "harmless" spreadsheets like they’re executable code.
Quick recap
California’s Senate is test-driving a fresh batch of AI rules today that could set national norms... GitHub reversed those pull request promos but is defaulting to training on your Copilot interactions by April 24 — check your settings... TSMC’s reported Arizona expansion underscores just how compute-hungry AI has become... Apple’s widening iOS security coverage is your cue to patch older phones now... and Microsoft’s emergency Windows 11 fix should be paired with Office hardening as preview-pane exploits meet the age of copilots.
Thanks for listening, and a quick disclaimer: this podcast was generated and curated by AI using my and my kids' cloned voices. If you want to know how I do it or want to do something similar, reach out to me at emad at ai news in 10 dot com, that's ai news in one zero dot com. See you all tomorrow.