Skip to content
Topic pillar · 6 tracked pieces

Topic · Regulatory readiness

Tracking the agentic-AI regulatory timeline — EU AI Act, sector rules, audit-evidence obligations — and what enterprises must do before each deadline.

Pillar status. Spoke articles and tracked claims below are populated automatically. Editorial framing for this pillar is queued for the next quarterly refresh.

What survives review

What has broken

Nothing has moved to Partial or been retired in this topic yet.

Spoke articles

  • An AI tax is the wrong instrument for a real problem

    A growing camp wants to tax AI because it was built on the collective knowledge of everyone and runs on public infrastructure. Both claims are partly true and neither supports a special tax. The grievance is real; the instrument is wrong. Copyright markets, the courts, and the existing profit-and-capital tax base already fit the problem, and a dedicated AI levy would fall on buyers and workers while entrenching the incumbents it is meant to check. What a CIO should budget for instead.

  • The EU AI Act Digital Omnibus: the high-risk delay is real, and the 2 August 2026 obligations it leaves standing are not what most enterprises think

    On 7 May 2026 the European Parliament and Council reached a provisional political agreement on the Digital Omnibus, which postpones the EU AI Act's high-risk obligations to 2 December 2027 for standalone systems and 2 August 2028 for embedded systems. The trade-press framing is delay. The deployer framing is narrower. The agreement also postpones the provider watermarking duty to 2 December 2026, but it leaves the deployer transparency obligations applicable from 2 August 2026 and leaves the GPAI obligations, the governance regime, the prohibited practices, and the AI literacy duty exactly where they already are. The enterprise that reads delay as a reason to stand the programme down is reading the wrong half of the agreement.

  • The EU AI Act high-risk delay re-times the conformity work, not the foundations: the agentic-AI readiness to keep building before 2 August 2026

    The Digital Omnibus moved the EU AI Act's heaviest obligation, high-risk conformity, out to 2 December 2027 and 2 August 2028. The trade-press read it as a reason to slow down. The operational read is narrower: the delay re-times one workstream and gates none of the others. Three readiness foundations sit upstream of the high-risk deadline and are required by obligations that did not move: a current inventory of which agents run under whose authority, agent-aware vendor contract terms, and active shadow-AI discovery. Each is load-bearing for the Article 50 deployer transparency duties that still apply on 2 August 2026, and each is the evidence base the high-risk conformity work will stand on when it lands. The enterprise that pauses these three has read the delay headline, not the agreement.

  • Agentic AI for regulated enterprise: the 2026 vendor matrix for finance, healthcare, government, and energy

    The buying-committee question 'compare AI agent vendors regulated enterprise' resolves differently in each of the four major regulated verticals; the FedRAMP-and-DoD-ATO axis dominates federal, the HIPAA-plus-21-CFR-Part-11 axis dominates healthcare and pharma, the NYDFS-Part-500-plus-SR-11-7 axis dominates US financial services, and the NERC-CIP-plus-EU-NIS2 axis dominates energy. The 2026 vendor matrix is not one universal scorecard; it is four sector-specific reductions of the same agentic AI vendor landscape, with the structural disqualifications named first and the feature comparison second.

  • AI governance is data governance: mapping the seven 2026 threat categories onto HIPAA, GLBA, and SEC without waiting for new US law

    The US-facing CIO has a different and equally live AI exposure to the EU-facing one. The UK ICO's May 2026 framing names seven AI threat categories that existing US data-protection frameworks (HIPAA Security Rule, GLBA Safeguards Rule, SEC Item 106 and 8-K Item 1.05, FTC Section 5) already cover at the data layer, with no new federal AI law required. The structural pattern is that AI governance has become data governance, and the most common gap is the fragmented audit log.

  • The EU AI Act high-risk readiness gap: the budget reality enterprises haven't sized

    The high-risk-system obligations of the EU AI Act activate on 2 August 2026, under 80 days from the publication date of this piece. Most enterprise conversations about readiness still treat the gap as a legal-interpretation problem to be solved by the general counsel and outside counsel. The operational evidence from procurement, audit, and headcount data argues a different reading. The gap is not legal interpretation; it is a budget gap on a class of operating expense the chief financial officer has not yet sized: conformity-assessment headcount, audit-evidence pipeline infrastructure, model-card production cadence, and post-market monitoring telemetry. The €15 million or 3% of worldwide annual turnover figure in Article 99(4) is the worst-case downside. The mid-case downside is the operating cost of carrying the readiness gap through 2027, which most enterprises have not modelled.

What we're watching next

Forthcoming content and open questions for this pillar will appear here on the next quarterly refresh.

Primary sources we trust for this topic

A curated list of primary research, regulator guidance, and vendor documentation for regulatory readiness. Populated on the quarterly refresh — not a link dump, not competitors.

This pillar page is refreshed quarterly. Last refresh: 19 Apr 2026. Next refresh: 18 Jul 2026.

Vigil · 44 reviewed