The EU AI Act's Deadline Just Moved. That's Not a Reason to Wait.

The EU AI Act's high-risk requirements have just been delayed until December 2027. I think a lot of companies are taking away the wrong message from that announcement. A later deadline doesn't reduce the work – it simply gives organizations the opportunity to build AI governance deliberately instead of rushing at the last minute.

The EU AI Act is the European Union's first comprehensive framework for regulating artificial intelligence. It establishes expectations for how AI systems are developed, deployed, and governed, with requirements around transparency, human oversight, cybersecurity, and demonstrating that AI is being used responsibly.

If you're a U.S. company using AI, don't assume this only applies to European businesses. The Act's reach depends on where your AI is being used and who it's affecting, not where your headquarters are. If you have customers or employees in the EU, you may already be in scope.

Another common misconception is that only companies building AI models need to pay attention. That's not the case, as the Act distinguishes between providers, who build or place AI systems on the EU market, and deployers, who use AI in their operations. If you're using a third-party AI tool to screen job applicants or support business decisions involving people in the EU, you may already have obligations under the Act.

When GDPR was approaching, many organizations believed they had plenty of time. The companies that struggled weren't necessarily the ones that started late – they were the ones that treated compliance as a project with a deadline instead of building it into the way they operated. I think we'll see the same pattern with AI governance.

The biggest challenge won't be writing an AI policy – it will be proving your governance actually works. Regulators will increasingly ask for evidence: How was risk assessed? Who approved the system? What vendor documentation exists? Where is the record of human oversight?

That's an audit question, and it's where many organizations are less prepared than they realize. In my experience, most companies already have many of the right controls. They conduct vendor reviews, manage access, require approvals, and have change management processes. Because of this, the gap isn't usually the controls themselves, it's the evidence that those controls were consistently followed.

If you're deciding where to spend the extra time this delay provides, I'd focus on five things:

- Build one inventory of every AI system in use, whether it's internally developed, customer-facing, or purchased from a vendor.

- Determine whether you're acting as a provider, a deployer, or both, and classify each system against an established framework such as ISO/IEC 42001 or the NIST AI Risk Management Framework.

- Assign clear ownership. AI governance almost always breaks down when everyone assumes someone else owns it.

- Ask vendors for documentation now – not when an auditor or regulator asks for it.

- Build evidence as you go. It's far easier to create documentation alongside the work than to reconstruct it later.

The companies that will be ready in December 2027 won't necessarily be the ones that started first. They'll be the ones that use this extra runway to build governance into the way they operate and turn policy into proof. I'm curious to know many organizations have actually inventoried every AI system in use today? My guess is far fewer than most people think.

In this post:

Stay Connected

Subscribe to receive new blog articles and updates from Thoropass in your inbox.


Eva Pittas

See all Posts

Related Posts

No items found.

Stay connected

Subscribe to receive new blog articles and updates from Thoropass in your inbox.


Want to join our team?

Help Thoropass ensure that compliance never gets in the way of innovation.

View Open Roles

Have any feedback?

Drop us a line and we’ll be in touch.

Contact us