Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

EU AI Act delay: is your AI inventory ready for high-risk controls?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: The EU AI Act’s high-risk deadlines were pushed back to December 2027 for standalone systems and August 2028 for product-embedded systems, but the underlying obligations for risk management, data governance, logging, transparency, and human oversight did not change, according to JupiterOne. The delay buys time only for organisations that use it to build live AI inventory and evidence-ready controls, not for those treating compliance as a filing exercise.

NHIMG editorial — based on content published by JupiterOne: The AI Act Slowed Down. Your AI Didn't

By the numbers:

  • Standalone high-risk systems (Annex III) now have until December 2, 2027 instead of this August.
  • 9), e high-risk obligations themselves are unchanged: a documented risk management system (Article 9), data governance (Article 10), technical documentation (Article 11), automatic logging (Article 12), transparency (Article 13), and human oversight (Article 14).

Questions worth separating out

Q: How should organisations prepare for AI Act high-risk obligations while the deadline is delayed?

A: They should use the extra time to build a live inventory of AI systems, map data flows, and verify which identities can reach each model or pipeline.

Q: Why do AI governance programmes fail when the inventory is incomplete?

A: Because every downstream obligation depends on asset context.

Q: What do security teams get wrong about AI Act compliance evidence?

A: They often treat evidence as a snapshot collected for an audit.

Practitioner guidance

  • Create a continuous AI asset inventory Track models, datasets, APIs, cloud services, and business-unit deployments as a single governed inventory so that every high-risk obligation has a visible asset to attach to.
  • Map AI systems to identity reachability Identify the human users, service accounts, workload identities, and third-party integrations that can invoke, retrain, or modify each AI system.
  • Shift from point-in-time evidence to continuous control checks Use automated tests to verify logging, documentation, and oversight against live production state instead of relying on weekly or pre-audit exports.

What's in the full article

JupiterOne's full blog post covers the operational detail this post intentionally leaves for the source:

  • The control mapping between EU AI Act articles and live Continuous Controls Monitoring checks across AI environments.
  • The specific J1QL tests used to validate model documentation, logging, and guardrail coverage in production.
  • The AI-SPM versus governance-platform distinction with examples of where each category fits in the readiness stack.
  • The way JupiterOne maps asset relationships across AWS Bedrock, SageMaker, and Azure OpenAI environments.

👉 Read JupiterOne's analysis of the EU AI Act delay and AI inventory gaps →

EU AI Act delay: is your AI inventory ready for high-risk controls?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

AI Act readiness is an inventory problem before it is a compliance problem. The article is right to frame the deadline extension as a window, not relief. High-risk obligations depend on knowing which AI systems exist, where they operate, and which assets and identities they depend on. Without that foundation, conformity, logging, and oversight become assertions rather than controls, which makes the real governance failure the absence of continuous discovery.

A question worth separating out:

Q: Who should own AI governance when models are reached through cloud identities and service accounts?

A: Ownership should sit across AI, security, and identity teams, with clear accountability for asset registration, access control, and evidence collection. If models are reachable through service accounts or workload identities, then IAM and PAM controls are part of AI governance, not separate from it.

👉 Read our full editorial: EU AI Act delay exposes the AI inventory gap in enterprise governance



   
ReplyQuote
Share: