EU AI ACT DELAY: EXTRA TIME, NOT A FREE PASS

Why the EU AI Act delay should make security teams move faster, not slower

The EU has given organizations more time to get ready for parts of the EU AI Act. Which is great, in the same way our dentist giving us another six months before a root canal is great. The pain’s not vanished. It’s just been scheduled with a little more leeway for flossing and brushing.

On May 7, 2026, the Council of the EU and European Parliament reached a provisional agreement to simplify parts of the AI Act implementation timeline. The big change: obligations for stand-alone high-risk AI systems are now expected to apply from December 2, 2027, rather than August 2, 2026. High-risk AI embedded in regulated products shifts to August 2, 2028. The agreement still needs formal adoption, but it’s now the practical planning baseline.  

This shouldn’t be mistaken for permission to relax. The EU AI Act isn’t just a legal exercise. It is an operational test of whether organizations know where AI is being used, who owns it, what AI access touches, how it is supervised, and whether any of that can be proven when an EU assessor asks for evidence of least privilege, without spelunking through four dashboards, four spreadsheets, a lot of coffee, and a Slack thread from last October.

What the EU AI Act actually changes

The EU AI Act regulates AI through a risk-based model. Some uses are banned (certain AI uses are considered so risky or manipulative that they are effectively prohibited outright, except in very narrow circumstances). Some are classed as high risk. Others carry transparency duties. Many low-risk use cases remain lightly regulated.

The heaviest obligations sit around high-risk AI systems: defined as systems used in areas such as employment, education, credit, critical infrastructure, health care, law enforcement, migration, and access to essential services. These aren’t harmless autocomplete toys. These systems can affect someone’s job, benefits, medical care, loan approval, or legal status.

For organizations, the hard part isn’t reading the regulation. The hard part is proving control.

Deployers of high-risk AI systems must follow the provider’s instructions, assign competent human oversight, monitor system operation, retain logs where required, and report serious incidents. Article 26 also makes clear that oversight means real authority: a person with a formal mandate and clear guidelines, not a human rubber-stamping the system’s output.

Readiness is still thin

The delay’s a welcome one, because organizational readiness isn’t where it needs to be. PwC Ireland’s 2026 Responsible AI survey found that only 14% of organizations said they were fully prepared for the EU AI Act, while 70% said they were only partially prepared. The main blockers were limited expertise, budget constraints, and a lack of clarity around requirements.  

That tracks with the broader market. Gartner expects spending on AI governance to reach $492 million in 2026 and pass $1 billion by 2030, driven by global regulation and rising operational risk.  

AI governance is identity governance: inventory, ownership, access control, evidence, monitoring, and a repeatable process. The boring stuff. Naturally, the boring stuff is where breaches, fines, and late nights invariably begin.

The cybersecurity problem hiding inside AI compliance

The EU AI Act talks about safety, transparency, oversight, and accountability. Security teams should hear something else underneath that: identity.

Every AI system is surrounded by identities. Human users. Admins. Reviewers. Service accounts. OAuth grants. API keys. Cloud roles. SaaS connectors. CI/CD workflows. Data warehouse permissions. Model access. Logging access. Approval paths.

If an AI assistant can query customer data, who gave it that access? If a model workflow can trigger a cloud action, which role does it assume? If a service account feeds training data into a pipeline, who owns that account? If an employee leaves, does their AI-related access leave with them, or does it drift into the haunted attic of “we’ll clean that up later”?

This is why AI governance and cloud identity governance are now joined at the hip.

Extra time should be used to kill standing privilege

The delay gives organizations time to reduce risk before compliance becomes an audit scramble.

A practical readiness program should start with these questions:

  • Who owns each AI system?
  • Which humans, machines, apps, and agents can access it?
  • What data can it reach?
  • Which cloud and SaaS entitlements support it?
  • Which permissions are standing, excessive, stale, or ownerless?
  • Can access be granted just in time, time-bound, and revoked automatically?
  • Can we prove all of this to an auditor?

The EU AI Act includes serious penalties: up to €35 million or 7% of global annual turnover for prohibited AI practices, and up to €15 million or 3% for many other violations. [Article 99]  

But fines are only part of the risk. Failed AI governance can also slow product launches, erode customer trust, create procurement friction, and lead to ugly conversations with regulators and boards.

What to do before the new deadline

Use the delay to build control muscle.

Create an AI inventory. Classify systems by risk. Assign owners. Map human and non-human identities. Review service accounts, tokens, cloud roles, SaaS permissions, and privileged workflows. Replace standing access with just-in-time access wherever possible. Require approval for risky access. Expire access automatically. Keep evidence continuously, not as a panicked archaeology project two weeks before audit season.
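The readiness questions earlier in this post and the steps just listed describe one review loop: inventory the systems, assign owners, map the grants, flag what is standing, stale, ownerless, or unapproved, and keep the evidence. As an added example (not code from the original post or from Trustle), here is a small Python access review run over a constructed AI-system inventory. The system names, principals, permissions, the thresholds (90 days for "stale", 30 days as the longest acceptable grant window), and the finding codes are all assumptions chosen for illustration.

```python
"""Access review over an AI-system inventory (illustrative, constructed data)."""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


def utc(year: int, month: int, day: int) -> datetime:
    """Build a timezone-aware UTC timestamp; all dates below are constructed."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class AISystem:
    name: str
    risk_class: str          # assumed labels: "high", "limited" or "minimal"
    owner: Optional[str]     # None means nobody is accountable for the system


@dataclass(frozen=True)
class Grant:
    system: str
    principal: str
    principal_type: str      # "human", "service" or "agent"
    permission: str
    granted_at: datetime
    expires_at: Optional[datetime]   # None means standing (never-expiring) access
    last_used: Optional[datetime]    # None means no recorded use at all
    approver: Optional[str]          # None means no approval on record

    @property
    def key(self) -> str:
        return f"{self.principal}@{self.system}:{self.permission}"


def review_grants(systems, grants, now,
                  stale_after=timedelta(days=90),
                  max_window=timedelta(days=30)):
    """Return {grant.key: [finding codes]} for every grant that fails a check.

    Checks, in order: the target system is in the inventory; the system has an
    owner; high-risk access carries an approval; access is time-bound, not yet
    expired, and not granted for longer than max_window; access has been used
    within stale_after.
    """
    inventory = {s.name: s for s in systems}
    findings = {}
    for g in grants:
        codes = []
        target = inventory.get(g.system)
        if target is None:
            codes.append("unknown-system")       # access to something nobody inventoried
        else:
            if target.owner is None:
                codes.append("ownerless")
            if target.risk_class == "high" and g.approver is None:
                codes.append("unapproved-high-risk")
            if g.expires_at is None:
                codes.append("standing")
            else:
                if g.expires_at < now:
                    codes.append("expired-not-revoked")
                if g.expires_at - g.granted_at > max_window:
                    codes.append("window-too-long")
            if g.last_used is None or now - g.last_used > stale_after:
                codes.append("stale")
        if codes:
            findings[g.key] = codes
    return findings


def evidence_record(grants, findings, now) -> dict:
    """Summarise a review into a record that can be stored as audit evidence."""
    counts = {}
    for codes in findings.values():
        for code in codes:
            counts[code] = counts.get(code, 0) + 1
    return {
        "reviewed_at": now.isoformat(),
        "grants_reviewed": len(grants),
        "grants_with_findings": len(findings),
        "counts_by_code": dict(sorted(counts.items())),
        "findings": findings,
    }


# Constructed sample inventory and grants; none of these refer to real systems.
NOW = utc(2026, 6, 1)
SYSTEMS = [
    AISystem("resume-screener", "high", "hr-platform@example.com"),
    AISystem("support-summarizer", "limited", None),
]
GRANTS = [
    Grant("resume-screener", "alice", "human", "candidate-data:read",
          utc(2026, 5, 20), utc(2026, 6, 8), utc(2026, 5, 30), "bob"),
    Grant("resume-screener", "svc-etl", "service", "candidate-data:write",
          utc(2025, 1, 10), None, utc(2026, 2, 1), None),
    Grant("support-summarizer", "agent-helpdesk", "agent", "tickets:read",
          utc(2026, 4, 1), utc(2026, 5, 31), utc(2026, 5, 29), "carol"),
    Grant("legacy-chatbot", "dave", "human", "kb:read",
          utc(2024, 3, 1), None, None, None),
]

if __name__ == "__main__":
    found = review_grants(SYSTEMS, GRANTS, NOW)
    print(json.dumps(evidence_record(GRANTS, found, NOW), indent=2))
```

Run as a script it prints the evidence record for the constructed data: the human grant with an approver, an expiry, and recent use produces no finding, while the service account with standing, stale, unapproved write access to the high-risk system, the agent grant on the ownerless system that has already expired, and the grant against a system missing from the inventory each surface with their own codes. In practice the grants would be pulled from the identity provider, cloud IAM, and SaaS admin APIs rather than constructed inline, and each review record would be written to immutable storage so the "can we prove it?" question has a dated answer.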

The goal’s not just to tick a box and comply with the EU AI Act. The goal is to make AI systems governable.

That means security teams need visibility across the full access chain: from user to app, from app to cloud role, from service account to data store, from approval to expiry. AI systems shouldn’t become invisible trust chains and nebulous privileged entities floating around our enterprise architecture.

The delay is useful. The direction is unchanged.

The EU has moved part of the timeline, not the destination.

AI systems are becoming regulated assets. The organizations that handle this well will not be the ones that wait until late 2027 and then discover their “AI inventory” is a spreadsheet last updated by someone who now works somewhere else.

They’ll be the ones who treat AI readiness as an access governance problem today.

Because when an AI system can touch sensitive data, trigger workflows, influence decisions, or act through privileged identities, the question isn’t just “Is the model compliant?”

It is: Who can make it do what, for how long, and can we prove it?

If you want to get ahead of the EU AI Act deadline, now is the time to build that visibility. Start a free trial of Trustle and see every entitlement, standing privilege, service account, and approval path across your cloud and SaaS environment in minutes, before auditors, regulators, or attackers do.

Nik Hewitt

Industry

May 26, 2026
