TL;DR: The EU AI Act applies to organisations that place AI systems or general-purpose AI models on the EU market, put them into service, or use them in the EU, and it sets staggered obligations from February 2025 through August 2027, according to Delinea. Policy alone is not enough; identity visibility, access control, and auditability now determine whether AI can be governed in motion.
NHIMG editorial — based on content published by Delinea: EU and AI, what you need to know about AI regulations
By the numbers:
- 56% of organizations reported that shadow AI incidents are occurring on a monthly basis.
- The EU AI Act entered into force on August 1, 2024, with most of the broader regime applying from August 2, 2026.
- The Regulation sets thresholds up to €35 million or 7% of worldwide annual turnover for certain infringements.
Questions worth separating out
Q: How should security teams govern AI systems that can act on sensitive data?
A: Security teams should treat AI systems as non-human identities with scoped access, named ownership, and full logging.
Q: Why do AI systems complicate IAM and NHI governance?
A: AI systems complicate IAM and NHI governance because they blur the line between user, workload, and automated actor.
Q: What breaks when AI agents are not inventoried or classified?
A: When AI agents are not inventoried or classified, organisations lose the ability to assign risk, apply the right obligations, and prove control to auditors.
Practitioner guidance
- Inventory every AI touchpoint: Map internal assistants, embedded SaaS features, developer tools, and third-party models to business owner, data scope, and regulatory role.
- Bind each AI workflow to a named identity: Use scoped non-human identities, temporary tokens, and identity-context logging so every AI action can be traced back to an owner and purpose.
- Classify use cases before you classify tools: Start with the business function, the sensitivity of the data, and the consequence of failure, then decide whether the AI activity falls into transparency, deployer, or high-risk obligations.
Teams should prepare for AI identities to be reviewed like privileged workloads, not like policy exceptions.
Explore further
The EU AI Act is forcing identity teams to treat AI as an access-bearing actor, not a policy topic. The law pushes organisations toward proof of control, which means AI systems need inventory, ownership, scoped access, and auditability. That shifts AI governance out of legal-only workflows and into operational identity controls. Practitioners should assume the governance model now includes every AI system that can act on data or make requests.
A few things that frame the scale:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
- Only 13% of organisations feel extremely prepared for the reality of agentic AI, according to The 2026 Infrastructure Identity Survey.
A question worth separating out:
Q: How do organisations prepare for the EU AI Act without slowing AI adoption?
A: They should start with visibility, then classify use cases, then enforce access and logging. That sequence lets teams keep moving while reducing surprise exposure. The objective is not to stop adoption, but to make every AI workflow explainable, owned, and reviewable.