The EU AI Act delay does not remove the controls problem
As of June 2026, the EU AI Act timeline is moving. The Council and Parliament reached a provisional agreement to simplify implementation, and the Commission says rules for many high-risk systems used in areas such as biometrics, critical infrastructure, education, employment, migration, and essential services will apply from December 2, 2027. High-risk systems embedded in products move to August 2, 2028.
That delay helps. It does not make this a legal-only exercise.
Security teams still need the same basic control foundation: an inventory of AI systems, risk classification, owners, logging, human oversight, data governance, model documentation, vendor evidence, and a way to prove the workflow actually operates as described.
The biggest gap I see is inventory. You cannot classify risk you have not catalogued. That includes vendor tools, product features, analytics models, AI-enabled security tools, and business-unit purchases that may never have gone through central review.
Once the inventory exists, the control questions become practical:
- Where are inputs, outputs, and decisions logged?
- Who owns model/version changes?
- What evidence proves human oversight happened?
- Which vendors process sensitive data or produce operational decisions?
- What residual risks were accepted, and by whom?
This maps well to security work companies already understand: SOC 2 readiness, NIST 800-53 control evidence, vendor risk reviews, data governance, and access logging. The hard part is not translating the regulation. The hard part is finding every AI system and getting control evidence before audit pressure arrives.
The better move is to treat the extra time as remediation time, not waiting time.