Regulatory Patience

How the Law's Shadow Is Already Reshaping the Prompt Leakage Industry

No one has been punished. Not Samsung. Not the global firms whose employees fed customer PII into ChatGPT. Deployer enforcement against employers for employee prompt leakage — as of May 2026 — does not exist. Across the United States, the EU, the United Kingdom, and China, the docket is empty.

The doctrinal scaffolding, by contrast, is finished. GDPR Articles 5/24/25/32 accountability. EU AI Act Article 4 AI literacy (in force February 2, 2025, enforcement August 2, 2026) and Article 26 deployer obligations (deferred to December 2, 2027 by the Digital Omnibus). FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015) — the U.S. reasonable security floor. California's CPPA ADMT regulations (OAL approved September 22, 2025; in force January 1, 2026). China's PIPL Article 51. EDPB Opinion 28/2024 (December 17, 2024) explicitly lays the deployer-controller responsibility groundwork. The weapons are all in place. The empty docket is not regulatory absence — it is regulatory patience, a strategic silence awaiting the first paradigmatic case. Thaler v. Perlmutter's silence (130 F.4th 1039, D.C. Cir. 2025; cert. denied March 2, 2026) confirmed consensus. This silence prepares it.

Why the Docket Is Empty

Three causal layers overlap. First, the catalyst case came too early. Samsung Semiconductor's three engineers fed source code, yield-measurement code, and internal-meeting transcripts into ChatGPT in March-April 2023. Economist Korea broke the story on March 30; Samsung banned generative AI company-wide on May 1. But the EDPB Taskforce Report (May 23, 2024) and Opinion 28/2024 (December 17, 2024) came after the fact. The AI-specific doctrinal hook didn't yet exist. Korea's PIPC fined OpenAI KRW 3.6 million on July 26, 2023 — a provider action, not a deployer one. Second, provider-first preempted deployer. Italy's Garante fined OpenAI €15 million on December 20, 2024 — annulled by the Court of Rome on March 18, 2026 (Judgment No. 4153/2026). Six days earlier, the Luxembourg Administrative Court of Appeal annulled Amazon's €746 million GDPR fine (case 52757C). European courts braked first-mover ambition. Third, the Article 4 grace period is designed-in. AI literacy obligation in force February 2, 2025; enforcement August 2, 2026 — eighteen months by design. The European Commission's January 2025 Q&A signaled the first case's fact pattern explicitly: "more likely if there is proof of an incident due to lack of appropriate training and guidance of employees."

Four Patterns, One Floor

Four jurisdictions, four vocabularies, one functional floor. Unfairness (US, FTC Act § 5 + Wyndham), controller obligation (EU, GDPR Arts. 5/24/25/32), appropriate measures (UK, UK GDPR), 合理的措施 ("reasonable measures"; China, PIPL Art. 51). Different words, same content. Employees feeding trade secrets into ChatGPT triggers, in every jurisdiction, the same conclusion — the deployer should have had technical and organizational measures in place. DPIA, DPA, DLP controls, AI literacy training, and audit logs become the universal compliance toolkit.

The convergence rests on three doctrines meeting in the AI domain. Accountability (GDPR Article 5(2), PIPL Article 9) places the burden of proof on the controller. Reasonable security (Wyndham, GDPR Article 32, PIPL Article 51) sets the floor. Vicarious liability — respondeat superior — connects employee conduct to the employer. The three have separate origins — the 1995 Data Protection Directive, 1990s U.S. data-security enforcement, nineteenth-century common law — and converge, almost by accident, on the internalization of deployer responsibility. Thaler had two doctrines converge on the rejection of AI authorship; this has three, in a less stable but more powerful configuration.

The Industry That Silence Built

Counterintuitively, the compliance industry forms anyway. Thaler's uncopyrightability spawned the vendor-indemnification industry and C2PA. Prompt leakage's possibility of enforcement is doing the same. Enterprise-tier defaults shifted — Microsoft Copilot Enterprise, OpenAI ChatGPT Enterprise, Anthropic Claude for Work, Samsung Gauss, JPMorgan's LLM Suite. The NIST AI RMF + ISO/IEC 42001 + C2PA stack standardized — Colorado's AI Act bridged soft law to hard law by making NIST adoption a rebuttable presumption of reasonable care. (The Colorado instrument is now politically unstable: federal magistrate stay on April 27, 2026; SB 189 replacement bill passed May 7-9 awaiting Governor Polis's signature.) The Big Four built a new practice line — EY, KPMG, Deloitte, and PwC stood up AI Governance Advisory as separate practices, and Credo AI, Holistic AI, and Anch.AI emerged as the startup tier. AI liability insurance segmented new products — Munich Re's aiSure™ (2018 pioneer), then its subsidiary HSB launching AI Liability Insurance for Small Businesses on March 18, 2026, with underwriting tied to NIST and ISO 42001 adoption. Gartner's February 17, 2026 estimate: USD 492 million in 2026, exceeding USD 1 billion by 2030.

Legal scholarship typically says law reflects society. Thaler showed the reverse — law shapes industry. The empty docket pushes it further. It is not the law but the possibility of law that shapes industry. So long as the empty docket signals institutional preparation rather than institutional absence, industry preempts the docket.

When the Docket Fills

Three tests stand out. First, EU AI Act Article 4 enforcement begins August 2, 2026 — the strongest candidate for the first paradigmatic case. The Commission has already signaled the fact pattern. Second, the first CPPA ADMT case after January 1, 2027 is the U.S. inflection point. Third, the dual effect of the Court of Rome and Luxembourg annulments — does the judicial deflation of the provider front accelerate deployer enforcement, or does first-mover cost make regulators wait for a safer case? A wild card: the CAC's first PIPL Article 51 deployer case may simply be non-public; Chinese disclosure is inconsistent.

A small fissure opened May 8, 2026, when California AG Rob Bonta announced a GM/OnStar $12.75 million CCPA settlement, the largest CCPA penalty to date and the first data minimization enforcement action. Not AI directly, but data minimization maps onto prompt leakage doctrinally. The empty docket has begun to crack.

Silence here is not the confirmation of consensus. It is the imminence of consensus. That is how to read the empty casebook of May 2026.