Skip to content
Topic pillar · 9 tracked pieces

Topic · Regulatory readiness

Tracking the agentic-AI regulatory timeline — EU AI Act, sector rules, audit-evidence obligations — and what enterprises must do before each deadline.

Pillar status. Spoke articles and tracked claims below are populated automatically. Editorial framing for this pillar is queued for the next quarterly refresh.

What survives review

What has broken

Nothing has moved to Partial or been retired in this topic yet.

Spoke articles

  • The EU AI Act's two-clock enforcement: why your vendors are regulated before you are

    The popular read on the EU AI Act in mid-2026 is that the Digital Omnibus relaxed everything. The calendar says otherwise. Enforcement against general-purpose AI model providers goes live on 2 Aug 2026, finable up to 3% of global turnover, while the provisionally agreed delay pushes high-risk deployer obligations to 2 Dec 2027. The two clocks run at different speeds, and the gap lands on enterprise buyers first.

  • The 2 Jun White House AI order: what it actually requires

    The 2 Jun AI executive order leans on voluntary frontier-model review but hard-wires the federal side: CISA binding directives and an NSA/CISA AI clearinghouse, both within 30 days.

  • There is no federal AI floor coming: what Colorado's retreat and the stalled preemption fight mean for enterprise compliance planning

    American enterprises waiting for the US AI regulatory picture to settle before they build their compliance posture got two answers in the first half of 2026, and both point the same way. The federal floor most boards assumed was coming is not coming on a plannable timeline: the White House framework of 20 March 2026 is explicitly non-binding, and the proposed moratorium on state AI laws was not enacted. Meanwhile the most-watched comprehensive state law moved backwards, not forwards: on 14 May 2026 Colorado gutted its own AI Act and pushed it to 2027. The lesson is not that regulation is going away. It is that there is no single regime to build to, and waiting for one is now the riskier choice than building to the obligations that already apply.

  • An AI tax is the wrong instrument for a real problem

    A growing camp wants to tax AI because it was built on the collective knowledge of everyone and runs on public infrastructure. Both claims are partly true and neither supports a special tax. The grievance is real; the instrument is wrong. Copyright markets, the courts, and the existing profit-and-capital tax base already fit the problem, and a dedicated AI levy would fall on buyers and workers while entrenching the incumbents it is meant to check. What a CIO should budget for instead.

  • The EU AI Act Digital Omnibus: the high-risk delay is real, and the 2 August 2026 obligations it leaves standing are not what most enterprises think

    On 7 May 2026 the European Parliament and Council reached a provisional political agreement on the Digital Omnibus, which postpones the EU AI Act's high-risk obligations to 2 December 2027 for standalone systems and 2 August 2028 for embedded systems. The trade-press framing is delay. The deployer framing is narrower. The agreement also postpones the provider watermarking duty to 2 December 2026, but it leaves the deployer transparency obligations applicable from 2 August 2026 and leaves the GPAI obligations, the governance regime, the prohibited practices, and the AI literacy duty exactly where they already are. The enterprise that reads delay as a reason to stand the programme down is reading the wrong half of the agreement.

  • The EU AI Act high-risk delay re-times the conformity work, not the foundations: the agentic-AI readiness to keep building before 2 August 2026

    The Digital Omnibus moved the EU AI Act's heaviest obligation, high-risk conformity, out to 2 December 2027 and 2 August 2028. The trade-press read it as a reason to slow down. The operational read is narrower: the delay re-times one workstream and gates none of the others. Three readiness foundations sit upstream of the high-risk deadline and are required by obligations that did not move: a current inventory of which agents run under whose authority, agent-aware vendor contract terms, and active shadow-AI discovery. Each is load-bearing for the Article 50 deployer transparency duties that still apply on 2 August 2026, and each is the evidence base the high-risk conformity work will stand on when it lands. The enterprise that pauses these three has read the delay headline, not the agreement.

  • Agentic AI for regulated enterprise: the 2026 vendor matrix for finance, healthcare, government, and energy

    The buying-committee question 'compare AI agent vendors regulated enterprise' resolves differently in each of the four major regulated verticals; the FedRAMP-and-DoD-ATO axis dominates federal, the HIPAA-plus-21-CFR-Part-11 axis dominates healthcare and pharma, the NYDFS-Part-500-plus-SR-11-7 axis dominates US financial services, and the NERC-CIP-plus-EU-NIS2 axis dominates energy. The 2026 vendor matrix is not one universal scorecard; it is four sector-specific reductions of the same agentic AI vendor landscape, with the structural disqualifications named first and the feature comparison second.

  • AI governance is data governance: mapping the seven 2026 threat categories onto HIPAA, GLBA, and SEC without waiting for new US law

    The US-facing CIO has a different and equally live AI exposure to the EU-facing one. The UK ICO's May 2026 framing names seven AI threat categories that existing US data-protection frameworks (HIPAA Security Rule, GLBA Safeguards Rule, SEC Item 106 and 8-K Item 1.05, FTC Section 5) already cover at the data layer, with no new federal AI law required. The structural pattern is that AI governance has become data governance, and the most common gap is the fragmented audit log.

  • The EU AI Act high-risk readiness gap: the budget reality enterprises haven't sized

    The high-risk-system obligations of the EU AI Act activate on 2 August 2026, under 80 days from the publication date of this piece. Most enterprise conversations about readiness still treat the gap as a legal-interpretation problem to be solved by the general counsel and outside counsel. The operational evidence from procurement, audit, and headcount data argues a different reading. The gap is not legal interpretation; it is a budget gap on a class of operating expense the chief financial officer has not yet sized: conformity-assessment headcount, audit-evidence pipeline infrastructure, model-card production cadence, and post-market monitoring telemetry. The €15 million or 3% of worldwide annual turnover figure in Article 99(4) is the worst-case downside. The mid-case downside is the operating cost of carrying the readiness gap through 2027, which most enterprises have not modelled.

What we're watching next

Forthcoming content and open questions for this pillar will appear here on the next quarterly refresh.

Primary sources we trust for this topic

A curated list of primary research, regulator guidance, and vendor documentation for regulatory readiness. Populated on the quarterly refresh — not a link dump, not competitors.


This pillar page is refreshed quarterly. Last refresh: 19 Apr 2026. Next refresh: 18 Jul 2026.

Vigil · 09 reviewed