The EU AI Act Is in Motion: Scope, Timelines, and What Your Team Actually Has to Do
July 15, 2026
Beyond the Binary: Why Agent Governance Is an Optimization Problem
July 14, 2026
AI SOCs Need an Execution Boundary Before They Gain Autonomy
July 10, 2026
Google Dialogflow CX Rogue Agent Showed How One Playbook Editor Could Reach Every Code Block Agent
July 8, 2026
AI Agent Security in 2026: Why the Control Plane Has to Sit at the Tool-Call Boundary
July 7, 2026
Every Agent Has a Door. Most Are Unlocked.
July 3, 2026
Why We Built Prismor to Secure AI Coding Agents at the Tool-Call Boundary
June 26, 2026
143 Mastra npm Packages Backdoored via easy-day-js Dependency Swap
June 17, 2026
TrapDoor: 34 Malicious Packages Stole Crypto Wallet Keys and SSH Credentials Across npm, PyPI, and Crates.io
May 25, 2026
AntV npm Packages Compromised via Hijacked Maintainer Account
May 19, 2026
CVE-2026-42945: NGINX Rewrite Module Heap Overflow Enables Unauthenticated Code Execution
May 13, 2026
TanStack and Mistral npm Packages Compromised in Mini Shai-Hulud Supply Chain Attack
May 11, 2026
Microsoft Patches Critical ASP.NET Core DataProtection Flaw That Breaks Cryptographic Signatures
April 23, 2026
Vercel got breached. Here is what that means for everyone downstream.
April 19, 2026
When the System Built to Warn Us Can No Longer Keep Pace
April 15, 2026
Your AI Agent Remembers Your Secrets
April 13, 2026
Your Home Directory is a Secret Goldmine for Attackers
April 6, 2026
When a core npm dependency becomes the attack path: lessons from the Axios compromise
March 31, 2026
When the AI dependency becomes the attack path: lessons from the LiteLLM PyPI compromise
March 24, 2026
When the security scanner becomes the attack path: lessons from the Trivy compromise
March 23, 2026
Critical Path Traversal Vulnerability in jsPDF Library (CVE-2025-68428)
January 6, 2026
MongoBleed: Unauthenticated Memory Disclosure in MongoDB (CVE-2025-14847)
December 27, 2025
Critical Remote Code Execution in n8n Workflow Automation: CVE-2025-68613
December 19, 2025
The Return of Shai-Hulud: npm's Worm Strikes Back
November 24, 2025
Critical Chrome Zero-Day Exploited: Google Rushes Emergency Patch for CVE-2025-0411
October 28, 2025
Critical Remote Code Execution Vulnerability in React Server Components
December 3, 2025
AI GovernanceJuly 15, 20265 min read

The EU AI Act Is in Motion: Scope, Timelines, and What Your Team Actually Has to Do

The EU AI Act regulates AI by risk tier, reaches any system that touches EU users, and fines up to 7% of global revenue. The deadlines and the team-by-team work.

A SaaS startup in Chicago screens EU-based job applicants with a model it fine-tuned last quarter. Its founders assume EU law stops at the EU border. It does not. Under the AI Act, that startup carries the same obligations as a software house in Munich, because the Act follows where the AI reaches, not where the company is headquartered.

The EU AI Act is the first comprehensive, legally binding framework for artificial intelligence, and it is already phasing in. It works the way the GDPR did: if your system touches people inside the EU, you comply. The good news for most teams is that the rules are specific enough to plan against. The hard part is that the work spans legal, product, engineering, data, and security at the same time.

The risk tiers, and what each one demands

The Act does not regulate AI as one thing. It sorts applications by how much harm they can cause, and the obligations scale with that. Four tiers matter for planning.

  • Prohibited. Some uses are off the table. Cognitive manipulation that causes harm, government social scoring, untargeted scraping for facial-recognition databases, and certain real-time biometric surveillance. The banned list now also covers “nudifier” tools that generate non-consensual intimate deepfakes.
  • High-risk. AI used for life-altering decisions: hiring, education, credit, healthcare, critical infrastructure, law enforcement. These are allowed, and they carry the heaviest load. Detailed technical documentation, data governance, event logging, risk management, and real human oversight.
  • Limited risk. Chatbots and generative tools. You have to tell people they are dealing with a machine, and AI-generated media such as deepfakes has to be marked as synthetic in a machine-readable way.
  • Minimal risk. Spam filters, recommendation features, most everyday AI. No new obligations, though the transparency habits above are worth adopting anyway.

The timeline, including the 2027 shift

The Act entered into force in August 2024 and applies in waves rather than all at once. The dates that shape most roadmaps:

  • February 2025. The bans on prohibited practices took effect, along with AI-literacy duties for staff who build or operate these systems.
  • August 2025. Obligations for general-purpose AI models began, overseen by the new European AI Office.
  • August 2026. The transparency duties for limited-risk systems apply. Chatbots must disclose that a user is dealing with a machine, and AI-generated media has to be marked as synthetic. If you ship a chatbot or a generator, this is the near-term deadline.
  • Late 2027. High-risk systems were originally due mid-2026. A legislative update, the “Digital Omnibus on AI,” deferred most of that deadline to late 2027 to give teams room to prepare. The extra time is for building, not for waiting.

Why non-EU companies are already in scope

The Act is extraterritorial. If your software is available to users in the EU, or if your model’s outputs affect people living there, you are bound by it regardless of where you sit. This is the GDPR pattern, and it caught plenty of teams off guard the first time.

The penalties are sized to get attention. Deploying a prohibited system can cost up to €35 million or 7% of global annual turnover, whichever is higher. Other violations carry lower but still serious caps. For a company with real revenue, this is a board-level number, not a line item.

The work is cross-functional, so split it by team

Hand the whole Act to legal and they drown in code repositories. Hand it to engineering and they drown in legal text. Compliance here is a team sport, and each group owns a distinct piece.

  • Legal and compliance. Build the AI inventory, including shadow AI that staff adopted without asking. Classify each system into a tier, handle filings and policy, and verify that any third-party model you deploy is compliant, since the deployer stays liable.
  • Product. Own transparency and oversight in the interface. Make it obvious when a user is talking to a machine, mark synthetic media, and design clear paths for a human to review, intervene, or override an automated decision such as a rejected credit application.
  • Engineering. Build the guardrails. Tamper-resistant logging that can reconstruct why a model made a given decision, plus a rehearsed way to disable or roll back a model that starts drifting or producing unsafe output.
  • Data science. Own data hygiene. Document where training data came from and how it was filtered, confirm the datasets are representative, and audit models for demographic or historical bias before they ship into hiring or scoring.
  • Security and IT. Govern the identity of the AI itself. Treat autonomous agents like accounts with scoped, restricted tokens, monitor what they can reach, and keep the regulator-facing logs encrypted and isolated from tampering.

What teams should do

The deadlines roll out in phases, so the useful move now is to know your exposure before the clock runs down.

  • Map your AI assets. List every model, feature, and third-party integration in use, including the tools employees adopted on their own.
  • Classify each system. Place it on the tier scale. That single answer tells you which obligations apply and how much time you have.
  • Start the paper trail. For anything high-risk or transparency-bound, begin documenting training data, testing, and safety guardrails now rather than reconstructing it under a deadline.
  • Put oversight where actions happen. Human review and audit logging matter most at the point a model turns a decision into a real-world action, so build the enforcement there.

The open era of shipping AI with no rulebook is closing, and the teams that treat governance as an engineering property will spend late 2027 shipping instead of scrambling. You can read the binding text in Regulation (EU) 2024/1689. The real question is narrower than the law: do you know, today, which of your systems would land in the high-risk tier?