On May 7, the EU agreed to push the AI Act's high-risk obligations from August 2026 to December 2027. The reasoning was honest: harmonized standards weren't ready, and conformity bodies weren't appointed. Companies were being asked to comply against benchmarks that didn't exist yet.
Agent infrastructure, of course, kept moving. Over 10,000 MCP servers indexed. Shadow AI spreading through enterprises faster than procurement can track. Eighteen extra months sounds generous until you notice what's being poured into production right now, without logging baked into core design, without governance architecture anyone would choose if they were starting clean.
GDPR gave us the preview. Most organizations bolted consent banners onto unchanged data infrastructure and called it compliance. The AI Act risks repeating that pattern at a deeper layer, where retrofitting is harder and the stakes compound. Article 12 requires integrated logging as an architectural property. That's not a banner you can bolt on later.
