Handvantage

Insights · BRIEFING

The EU AI Act deadline your CISO is ignoring

August 2, 2026 is the high-risk obligations deadline. The audit window opened in Q1. Most security leaders are still treating it as a Q4 problem.

By Josh Olayemi · May 2, 2026 · 5 min read

Most CISO calendars currently show the EU AI Act as a Q4 2026 task. The reasoning is reasonable: the high-risk obligations under Articles 6-29 don't begin until 2 August 2026, so a focused effort in Q3 is mathematically sufficient. The problem is that this read of the regulation misses the audit window.

Article 99 specifies penalties up to the larger of EUR 35 million or 7% of global annual turnover for non-compliance. The penalties apply where the system fails on the day, certainly — but they also apply where contemporaneous evidence of operating controls is absent during the period leading up to the day. That period is the audit window. It opened the moment the regulation entered into force. It is open now.

What this means in practical terms: an AI system going live on 1 August 2026 that produced no contemporaneous audit evidence between February and August is a system whose technical compliance posture is, in the regulator's eyes, unverified. The technical controls might be perfect on the day. The evidence that they were operating in the run-up is absent. Article 99 is structurally indifferent to which condition triggered the penalty.

The implications for the work plan are immediate. Audit-evidence generation is not a Q3 task; it is a now task. Every prompt, tool call, and agent action that runs today against an AI system in scope of the high-risk classification needs contemporaneous evidence — identity attribution, policy version, decision record, signed timestamp — produced and retained. The platform has to do this; retrofitted monitoring against the platform's existing logs is structurally inferior because the retrofit can only cover the period from its installation forward.

The CISOs we talk to who are ahead of this curve have done two things. First, they have moved their AI platform decision earlier — pulling it out of the late-2026 budget window and into the current quarter. Second, they have requested platform-level evidence demonstrations rather than control-level demonstrations. The question is no longer 'can your platform do prompt-injection defence?' but 'can your platform produce a contemporaneous evidence record of the prompt-injection defence having operated for every event in the last 60 days?'

The answer to that question is the difference between a platform that survives the audit window and one that does not.

RELATED

BRIEFING

Why 40% of agentic AI projects fail (and the governance answer)

Gartner's number, our reading. The pattern in cancelled projects is the same one in cancelled compliance reviews: missing evidence, not missing controls.

May 2, 2026 · 7 min read

CONTINUE THE CONVERSATION

If something here is what you're working on, talk to us.

Articles like this one come out of conversations with practitioners, security leaders, and engineering teams in regulated industries. If the writing reflects your situation, the next conversation is probably worth having.

Continue the conversation →

Or write to hello@handvantage.com directly.