EU Delays High-Risk AI Rules to December 2027. This Is the Only Extension You Will Get.
On 7 May 2026, the European Parliament and the Council reached political agreement on the "AI Act Omnibus" — targeted amendments that reshape the compliance timeline for high-risk AI systems across every sector.
The core change: stand-alone high-risk AI systems under Annex III — including credit scoring, employment screening, biometric identification, and law enforcement AI — now have until 2 December 2027 to comply, a 16-month postponement from the original August 2026 deadline. AI systems embedded in regulated products — medical devices, machinery, toys — get until August 2028.
The extension was driven by a practical reality: the technical standards and compliance tools needed for implementation were not going to be ready by August. The co-legislators opted for fixed dates rather than floating deadlines tied to standards readiness, choosing clarity over flexibility.
The deal also introduces a new prohibition: AI systems generating non-consensual intimate imagery — "nudifier" applications — are banned from December 2026, with fines up to €35 million or 7% of global turnover. An industrial AI carveout exempts applications regulated under the Machinery Regulation.
As one analysis put it: "the goalposts have stopped moving." This is almost certainly the only delay. The extension is not an invitation to wait — it is time to build governance frameworks, risk classifications, and documentation. Companies that use these 18 months strategically will be in the strongest position. Those that treat December 2027 as a future concern will face the same scramble, just 16 months later.
Transparency Obligations Still Take Effect in August. Draft Guidelines Published.
While the Omnibus delays high-risk rules, Article 50 transparency obligations remain on schedule: 2 August 2026. Deployers must disclose when users interact with AI and label emotion recognition, biometric categorisation, and deepfake content.
On 8 May, the Commission published draft guidelines interpreting these obligations, with consultation running until 3 June. The guidelines create an enforcement incentive: Code of Practice signatories "benefit from increased trust" from regulators — creating a two-tier supervisory approach. Pre-August GenAI systems have until 2 December 2026 for watermarking.
For customer-facing AI — chatbots, virtual assistants, AI advisory tools — the August deadline is unchanged and imminent. Audit every customer-facing AI interaction for disclosure compliance now. If a customer can interact with AI without being informed, that is a violation from 2 August, regardless of the Omnibus delay on other provisions.
The Fed Rewrites Model Risk Guidance for the First Time in 15 Years. GenAI Is Carved Out.
On 17 April, the Federal Reserve, OCC, and FDIC jointly issued SR 26-2, replacing SR 11-7 — the guidance governing model risk at every major US bank since 2011. The revision reflects fifteen years of supervisory experience alongside the emergence of machine learning and generative AI.
SR 26-2 explicitly excludes generative AI and agentic AI from its scope — they are "novel and rapidly evolving." But banks are instructed to apply existing risk management practices to govern them. This creates the "GenAI Gap" — responsibility pushed onto enterprise risk frameworks that do not yet exist at most banks. The broader shift: annual revalidation is out, risk-based oversight tied to model materiality is in.
Fed Vice Chair Bowman addressed an FSOC roundtable on AI cybersecurity on 27 April, signalling active regulatory engagement with AI risk in financial systems — particularly around third-party AI vendor management.
The GenAI carveout is not a free pass — it is a gap banks must fill themselves. Institutions deploying agentic AI in credit decisioning, fraud detection, or compliance monitoring need a parallel governance framework now. The banks that build this proactively will shape eventual guidance; those that wait will be subject to it.
South Korea, Singapore, and the Global Regulatory Fragmentation
South Korea's AI Basic Act took effect in January 2026 — the second comprehensive AI law globally after the EU AI Act. It applies to foreign entities with more than one million daily users in South Korea, introducing a third jurisdictional layer for banks with Asian operations.
Singapore launched the world's first agentic AI governance framework in January 2026, emphasising auditable autonomy, human oversight, and adaptive safeguards. China embedded AI into national law via Cybersecurity Law amendments with mandatory algorithm registration, content labelling, and immediate severe fines for data leaks.
The broader picture: over 72 countries, more than 1,000 AI policy initiatives, no convergence in sight. For multinationals, the old approach — comply with whichever jurisdiction shouts loudest — is structurally broken. A unified governance architecture is the only viable path.
AI Use in Finance Doubles. Governance Lags Behind. The Numbers.
The KPMG 2026 Global AI in Finance survey (1,013 leaders, 20 countries) finds that 71% say AI meets or exceeds ROI expectations. But assurance-ready organisations — those able to produce audit evidence and explain AI-enabled outcomes — report three to six times higher error reduction than peers. The biggest barrier is data: 36% cite data quality as both their biggest obstacle and opportunity.
The Cambridge/BIS/IMF 2026 Global AI in Financial Services Report finds GenAI now more widely used than supervised learning. 53% of respondents spend under $100,000 annually on AI yet report high maturity — raising questions about deployment depth. Data quality has remained the top barrier since 2020.
The gap between adoption speed (75%) and assurance readiness (42%) is the defining risk of this moment. Regulators — under the EU AI Act, DORA, or SR 26-2 — are converging on one expectation: if you deploy AI, you must explain and audit it. Organisations that treat governance as a post-deployment concern are building a liability, not an asset.
Anthropic, OpenAI, and PwC Race to Embed AI Inside Banking Infrastructure
Anthropic launched 10 FS-focused AI agents for underwriting reviews, financial modelling, KYC checks, and pitchbook preparation. Goldman Sachs, Visa, Citi, and Mastercard are among early adopters. Separately, FIS partnered with Anthropic to build AI-driven financial crime monitoring systems. The same week, OpenAI partnered with PwC on forecasting, procurement, reporting, treasury, and finance operations.
The pattern is clear: AI vendors are no longer selling into banking — they are embedding inside of it. This positioning touches systems institutions rely on to manage risk, capital allocation, and regulatory obligations — deeper than retail chatbot adoption.
Embedding creates concentration risk. Evaluate vendor dependency carefully — exit costs, audit rights, and the regulatory obligation that remains with the deployer regardless of what the vendor provides. Under both the EU AI Act and DORA, the deployer bears the compliance burden.
Agentic AI Moves from Experiment to Architecture Decision
The Cambridge/BIS/IMF report confirms: 81% expect agentic AI to be meaningfully achieved by 2030, making it the clearest growth frontier. Institutions are actively designing multi-agent systems for customer onboarding, compliance monitoring, and internal operations. The Model Context Protocol is gaining traction as a connectivity standard. Enterprises are now hiring dedicated AI security engineers for MCP review and secure SDLC — roles that did not exist twelve months ago.
ISO/IEC 42001, the first certifiable AI management system standard, is gaining adoption as the governance baseline. Organisations with existing ISO 27001 have a structural head start — many clauses overlap, enabling integrated rather than parallel implementation.
Regulatory signals from the EU (AI Act + DORA + NIS2), the US (SR 26-2 GenAI carveout), and Asia-Pacific (Singapore agentic framework) all point in one direction: agentic AI governance is an urgent gap, not a future consideration. Organisations deploying agents today without a governance framework are building on sand.
What to Watch
AI Act transparency guidelines — final version
Consultation closed 3 June. Final guidelines shape deployer disclosure and synthetic content labelling.
Colorado AI Act takes effect
First comprehensive US state AI law. Algorithmic discrimination prevention required.
AI Act Omnibus — formal adoption
Political agreement reached 7 May. Formal adoption expected before original August deadline.
AI Act — transparency obligations enforceable
Article 50 takes effect. Chatbot disclosure, deepfake labelling. Not delayed by Omnibus.
Nudifier prohibition + watermarking deadline
New ban on non-consensual intimate AI content. Watermarking grace period ends for pre-August GenAI systems.
AI Act — high-risk Annex III enforceable
Stand-alone high-risk AI systems — credit scoring, employment, biometrics. The new fixed deadline.
New York RAISE Act effective
AI training data transparency and incident reporting required. US state-level momentum.
- Council of the EU — Omnibus Agreement
- Latham & Watkins — AI Act Update
- Hogan Lovells — High-Risk Delay
- Pinsent Masons — Omnibus
- Dastra — Omnibus Analysis
- Modulos — Deal Analysis
- Global Policy Watch — Art. 50
- EC — AI Act Platform
- Federal Reserve — SR 26-2
- Domino — SR 26-2
- Cutover — SR 26-2 + Agentic
- Lumenova — SR 26-2 Guide
- Vice Chair Bowman — FSOC
- KPMG — AI in Finance 2026
- Cambridge/BIS/IMF Report
- PYMNTS — AI in Banking
- AskAjay — Global Comparison
- GDPR Local
- BD Emerson — ISO 42001
- PrivaLex — ISO 42001
- Model Context Protocol
- Regulation (EU) 2024/1689