The AI Act’s False Reprieve

Cyber Governance in the AI Era | Edition 5 | July 2026

In brief

In May, Brussels signalled a delay to parts of the EU AI Act. On 29 June, the Council gave the package its final green light, and the headlines wrote themselves: Europe blinks, compliance pressure eases, boards can breathe. Read the actual text and a different picture emerges. The obligations most boards were quietly deprioritising were deferred, yes. But on 2 August 2026, one month from now, the Commission's penalty powers over providers of general-purpose AI models enter into application, and the Act's transparency obligations take effect on schedule. The delay is real. The reprieve is not.

The position of this edition is one sentence, and it is testable. Boards that treat the Omnibus as permission to slow down will spend the next eighteen months rebuilding, under enforcement pressure, the governance they could have built now at their own pace.

Board takeaway: The Omnibus moved some deadlines, not the accountability problem. Before 2 August, ask management for three things: an AI-system register, an EU-touchpoint map, and written confirmation that Article 50 disclosure duties are covered for every customer-facing system.

What actually changed, and when it became final

On 7 May 2026, the European Parliament and the Council reached provisional agreement on the Digital Omnibus on AI, a package that reshapes the Act's timeline without touching its architecture. Parliament endorsed the text on 16 June, and on 29 June the Council gave it the final green light. The remaining step is publication in the Official Journal, after which the act enters into force three days later. Three changes matter at board level.

First, obligations for stand-alone high-risk AI systems under Annex III, the category covering AI used in hiring, credit, essential services, and critical infrastructure, move from 2 August 2026 to 2 December 2027. AI embedded in regulated products under Annex I moves further, to August 2028.

Second, the watermarking obligations for providers of generative AI systems are postponed to 2 December 2026.

Third, two new prohibited practices enter the Act, both effective 2 December 2026: AI systems that generate non-consensual intimate imagery, and AI-generated child sexual abuse material.

The Council's own summary is plain about what moved: the application dates for high-risk systems. The Act's architecture, and the August clock, stand. That is the delay. Now look at what did not move.

What still happens on 2 August

Two things remain live, and both matter.

The Commission's enforcement powers over providers of general-purpose AI models enter into application. The obligations themselves have applied since August 2025; what changes now is that non-compliance carries penalties: up to 15 million euros or 3 percent of global annual turnover for GPAI providers, and up to 35 million euros or 7 percent for prohibited practices. Most readers of this newsletter are deployers, not model providers. But enforcement rarely stops at the supplier. It travels through contracts, procurement questionnaires, audit rights, documentation requests, and indemnity clauses. A rule without active penalty powers is often treated as guidance. On 2 August, that posture becomes harder to defend.

The transparency obligations under Article 50 also take effect as originally scheduled. If your organisation deploys a chatbot, a synthetic-content tool, an emotion-recognition system, or a biometric categorisation system in a way that falls within EU scope, the duty to disclose that people are interacting with a machine begins within the month. This is not only a website notice problem. It is a customer journey problem: chat interfaces, support scripts, generated content, onboarding flows, and public-facing AI outputs all need to be checked.

And the Act's reach has not narrowed. It applies to providers and deployers outside the Union where the system's outputs are used in the EU. A board in Port of Spain, Toronto, or Singapore can be in scope through EU users, EU customers, EU deployment, or AI-system outputs used in the Union. Edition 4 flagged this date. This edition is the one-month check.

The misreading

Here is the governance failure already forming, and it is behavioural rather than legal.

The Omnibus was reported as relief, and relief is how most boards filed it. The real risk is not legal misunderstanding. It is board psychology. A moved deadline creates permission to postpone, and permission to postpone compounds: inventories slip a quarter, vendor questions wait for the next contract cycle, the budget line migrates, and the December 2027 plan becomes a Q4 2027 scramble. The deferral also applies to the obligations that required the deepest operational work: conformity assessments, risk management systems, data governance documentation for high-risk systems. The obligations arriving in August are the ones that require something harder to retrofit: knowing what AI you actually run, what it touches, and being able to say so honestly.

There is a second layer. As of June, many member states had still not designated their national enforcement authorities. Practitioners call this the enforcement gap, and some boards will read it as further licence to wait. That is the wrong lesson. Enforcement capacity arriving late does not mean it arrives never, and regulators who start behind tend to make examples early. The organisations that fare worst in any new enforcement regime are rarely the most exposed. They are the least prepared.

The December 2027 deferral is not a gift of time. It is a test of whether your institution uses time it was given, or only time it is denied.

Why this sits with the board, not only counsel

Three features move this from the legal department's inbox to the board agenda.

First, scope is a business question before it is a legal one. Whether your AI systems touch the EU market is determined by your customer list, your vendor stack, and your product roadmap, all of which the board oversees and counsel does not control. Deloitte board-governance research has found that 66 percent of boards have limited or no knowledge of AI. A board that cannot describe its own AI footprint cannot know whether a European regulator considers it in scope.

Second, the deferral creates a planning decision only the board can make. Eighteen months of recovered runway on high-risk compliance is a resource. It can fund a deliberate readiness programme, or it can evaporate into deferred meetings. Management will not choose the harder path without a mandate.

Third, transparency obligations are reputational before they are regulatory. The August rules formalise something customers already expect: knowing when they are talking to a machine. An organisation that cannot meet that expectation has a trust problem that predates any fine.

The small-state dimension

For small island developing states and emerging economies, the Omnibus carries a sharper lesson, because most of us are rule-takers in this regime. No Caribbean state sat at the table on 7 May. The timeline moved, and our institutions must move with it.

But rule-takers are not required to be late adopters. The extraterritorial mechanics of the Act mean a regional bank, a government platform vendor, or an exporter of digital services inherits European obligations through its contracts, quietly and without ceremony. The institutions that map that exposure now, while the enforcement machinery is still assembling, convert a compliance burden into a market signal: we are safe to build with. In a region competing for digital investment, demonstrable AI Act readiness is a differentiator few neighbours will hold. Small states cannot outspend larger jurisdictions on compliance. They can out-prepare them.

A thirty-day readiness model

Five actions fit inside the month remaining, and none requires a consultancy engagement to begin.

  1. Build the inventory. One register of every AI system in production or procurement, including the models inside vendor products. You cannot assess scope against systems you have not counted. Edition 2 called the uncounted ones shadow AI; the Act now prices them.

  2. Map EU touchpoints. For each system, one question: do its outputs reach the EU market through customers, users, or partners? Mark yes, no, or unknown. The unknowns are the work.

  3. Check the August duties. For any customer-facing AI, verify that disclosure is in place: people must know when they are interacting with a machine and when content is synthetic. This is the obligation that lands within the month, and it is the cheapest to meet.

  4. Interrogate the vendor chain. Ask every material AI vendor two questions in writing. Which of your obligations under the Act do you carry, and which do you pass to us? Silence is an answer. Treat it as one.

  5. Set the 2027 clock now. Assign a named owner, a budget line, and a quarterly board checkpoint for high-risk readiness, dated backwards from December 2027. Eighteen months is enough time to do this well exactly once.

None of this is European bureaucracy for its own sake. It is the same discipline this newsletter has argued for since Edition 1: know what acts in your name, and be able to answer for it.

Signal of the month

Palo Alto Networks reports, in its 2026 Identity Security Landscape published in May, that machine identities including AI agents now outnumber human identities 109 to 1 in the average enterprise, up from 82 to 1 a year earlier; the company attributes 79 of the 109 to AI agents. Vendor research tied to a product launch deserves a discount, but the direction is unambiguous. Read it alongside the regulatory clock: at the moment lawmakers are formalising accountability for AI systems, the population of those systems inside the enterprise is compounding at a pace few boards have registered. The workforce your governance was designed for is no longer the workforce you have.

What boards and executives should ask in July 2026

  1. Can management produce, this month, a complete register of AI systems in production, including those embedded in vendor products?

  2. Do any of our AI outputs reach the EU market through customers, vendors, or partners, and who verified that answer?

  3. For every customer-facing AI we run, is machine-interaction disclosure in place before 2 August?

  4. What did we do with the eighteen months the Omnibus returned to us, and who owns the December 2027 plan?

  5. If a regulator asked tomorrow how many AI systems and agent identities operate under our name, would the answer be a number or an estimate?

The mandate

Edition 4 asked who answers when the agent acts. This edition asks whether you will still control the timetable when the law starts asking. The Omnibus did not soften the AI Act. It re-sequenced it, and in doing so it sorted boards into two groups: those who heard a deadline move and stopped preparing, and those who heard a deadline move and kept building. Only one of those groups will meet December 2027 on its own terms. The month ahead will show which group your board has chosen. In governance, the most expensive answer is not "no." It is "we do not know yet."

Executive question of the month

Without checking, can you say whether any AI system your organisation runs reaches the EU market? If the honest answer is "I would have to ask," that is the work.

Sources

  • Digital Omnibus on AI: provisional agreement 7 May 2026; European Parliament endorsement 16 June 2026; Council final green light 29 June 2026 (Council of the EU press release); entry into force three days after Official Journal publication; high-risk Annex III obligations deferred to 2 December 2027, Annex I to 2 August 2028 (Gibson Dunn; White & Case; Covington)
  • EU AI Act Article 101: Commission fines for providers of general-purpose AI models apply from 2 August 2026, up to EUR 15M or 3% of global annual turnover; Article 99: prohibited-practice violations up to EUR 35M or 7% of global annual turnover
  • EU AI Act Article 50 transparency obligations, applicable from 2 August 2026; watermarking obligations postponed to 2 December 2026
  • New prohibited practices (AI-generated non-consensual intimate imagery and CSAM), effective 2 December 2026
  • Deloitte 2026 State of AI research: 21% of organisations report a mature governance model for AI agents; Deloitte board-governance research: 66% of boards report limited or no knowledge of AI
  • Palo Alto Networks, 2026 Identity Security Landscape (May 2026): machine identities including AI agents outnumber humans 109 to 1; 79 of 109 attributed to AI agents in the company's Idira launch analysis

Dr. Inshan Meahjohn is Founder and CEO of DAG (Digital Alliance Global Group), a global cybersecurity and digital transformation platform operating across global markets under the operating posture Protect and Transform. He holds a PhD in Entrepreneurship from the University of Trinidad and Tobago and previously served as CEO of iGovTT, Trinidad and Tobago's national ICT agency. Subscribe to Cyber Governance in the AI Era for monthly, board-level analysis on AI governance, cyber risk, and operational resilience.

Next
Next

Who Answers When the Agent Acts