One hundred and sixteen days.
That’s how long organizations have until the EU AI Act’s high-risk obligations become enforceable on August 2, 2026. Conformity assessments completed. Technical documentation finalized. CE marking affixed. EU database registration done. The clock started ticking when the regulation entered into force. Most organizations haven’t started the work it’s counting down to.
The enforcement infrastructure isn’t ready either. Only eight of the EU’s twenty-seven member states have designated their AI Act enforcement authorities — a requirement that was due by August 2, 2025. Seven months late. The regulators tasked with enforcing the rules haven’t all been named yet.
CEN and CENELEC, the European standardization bodies responsible for producing the technical standards companies need to demonstrate compliance, missed their 2025 deadline. They’re now targeting the end of 2026 — months after the enforcement date they’re supposed to support.
Read that again. The regulation is enforceable. The standards aren’t written. The regulators aren’t appointed. And most organizations don’t have a governance model for their AI systems.
The Readiness Problem
Deloitte’s 2026 State of AI in the Enterprise report found that only 21% of organizations have a mature governance model for autonomous agents. Technical infrastructure readiness is at 43%. Data management readiness at 40%. Governance readiness — the part that maps directly to regulatory compliance — sits at 30%.
The infrastructure to run agents is ahead of the decisions about what agents should do. Organizations have the engines. They don’t have the rules of the road.
Meanwhile, agent deployment hasn’t slowed down. Seventy-five percent of businesses plan to deploy agents by end of 2026. Arkose Labs reports that 97% of enterprise leaders expect a material AI agent security incident within twelve months. The systems are shipping. The governance design that would make them compliant — and defensible — isn’t.
What the Regulation Actually Requires
The EU AI Act doesn’t require specific technology. It requires governance decisions. Risk classification. Documentation of how AI systems make decisions and what boundaries they operate within. Conformity assessments that demonstrate the system’s design reflects its risk profile.
For high-risk AI systems under Annex III — employment decisions, credit scoring, education, law enforcement — these aren’t optional. They’re legal requirements with real penalties. Up to €15 million or 3% of global annual turnover.
The Digital Omnibus proposal floated in late 2025 could push the deadline for Annex III systems to December 2027. Organizations banking on that extension are making a bet. The proposal requires European Parliament and Council approval. It hasn’t been enacted. Prudent compliance planning treats August 2 as the binding date.
The Design Layer Problem
The market has responded to the enforcement need. Microsoft’s Agent Governance Toolkit, open-sourced April 2, covers all ten OWASP agentic AI risks. Okta ships agent identity management this month. Cisco, CrowdStrike, ServiceNow — more than a dozen named players building runtime enforcement.
Every one of these tools enforces policy at runtime. Every one ships with a policy input slot — a place where governance rules load. Every slot needs governance decisions to fill it.
Those decisions — what the agent is allowed to do, what data it can access, what triggers escalation, what constitutes a boundary violation — are governance design. The work that happens before enforcement. The work the enforcement stack assumes someone else did.
In 79% of organizations, nobody has.
One Hundred and Sixteen Days
Finland has full AI Act enforcement powers since December 2025. Germany, Italy, and others are setting up sector-specific surveillance authorities. The enforcement apparatus is materializing — unevenly, slowly, but it’s coming.
The organizations that designed their governance early won’t be scrambling to document what their agents are allowed to do while regulators are asking for the documentation. The organizations waiting for the standards to be published, for the enforcement authorities to be named, for the Digital Omnibus extension to be ratified — they’ll be designing governance under deadline pressure, which is how governance gets done badly.
August isn’t a deadline for buying enforcement tools. It’s a deadline for having made the governance decisions those tools need.
The tools are ready. The slot is empty. One hundred and sixteen days.
Sources:
- European Parliament Research Service, "Enforcement of the AI Act," March 2026 (8/27 member states designated)
- CEN/CENELEC harmonized standards — missed 2025 deadline, targeting end of 2026
- Deloitte, "State of AI in the Enterprise," 2026 (21% mature governance, 30% readiness)
- Arkose Labs, "2026 Agentic AI Security Report," March 31, 2026 (97% expect incident)
- Enterprise Management Associates, 2025 (79% deployed without written policies)
- OneTrust, "EU Digital Omnibus Proposes Delay of AI Compliance Deadlines," 2025
- World Reporter, "EU AI Act August 2026 Deadline: Only 8 of 27 EU States Ready," 2026