Subscribe to the Non-Human & AI Identity Journal
Home FAQ Governance, Ownership & Risk Why do delayed AI Act deadlines not reduce…
Governance, Ownership & Risk

Why do delayed AI Act deadlines not reduce governance pressure?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 10, 2026 Domain: Governance, Ownership & Risk

Because the amendments change timing, not the underlying obligations. Organisations still need to prove classification, oversight, documentation, and accountability for high-risk AI systems. The delay only reflects that standards and conformity processes are still maturing, which means the implementation burden remains, even if the statutory clock has moved.

Why This Matters for Security Teams

Delayed AI Act deadlines change the compliance calendar, not the risk profile. Security teams still have to classify systems, document controls, define human oversight, and show accountability for high-risk uses. That work does not pause just because standards, conformity assessment paths, or technical guidance are still maturing. The practical pressure is also widening because AI systems are already tied to NHI risk, which is why NHIMG continues to track breach patterns in Top 10 NHI Issues and the Ultimate Guide to NHIs — Regulatory and Audit Perspectives.

What changes is the amount of time available to build evidence, not the amount of evidence needed. Organisations still need traceable decisions, policy ownership, and a defensible audit trail that can survive legal review and operational scrutiny. That is especially true where AI systems touch identity, secrets, or privileged actions, because those controls are assessed long before a formal deadline arrives. In practice, many security teams encounter the missing evidence during procurement, incident response, or board reporting, rather than through intentional readiness testing.

How It Works in Practice

The AI Act delay can create a false sense of breathing room, but governance teams should treat the period as a build window. The core obligations remain anchored in risk classification, documentation, oversight, and post-deployment monitoring. NIST’s NIST Cybersecurity Framework 2.0 and NIST SP 800-53 Rev 5 Security and Privacy Controls remain useful references for translating those obligations into operating controls, even though they are not AI Act substitutes.

In practice, teams should align the delayed timeline to concrete deliverables:

  • Maintain a current inventory of AI systems, use cases, owners, and risk classifications.
  • Map each high-risk system to documented controls, approval paths, and evidence sources.
  • Define human oversight roles that can actually intervene, not just sign off.
  • Record model changes, retraining events, and supplier dependencies for auditability.
  • Connect ai governance to NHI governance, because privileged agents and automated workflows often inherit the same control gaps tracked in NHIMG research such as the 2024 ESG Report: Managing Non-Human Identities.

That linkage matters because AI systems often rely on service accounts, tokens, API keys, and other secrets to function. If those identities are weakly governed, the organisation may fail both operational security expectations and compliance evidence requirements. Current guidance suggests treating the delay as a chance to close control design gaps, not as permission to postpone classification or documentation. These controls tend to break down when AI is embedded in fast-moving product teams with unclear ownership and no central evidence register, because accountability fragments across engineering, security, legal, and procurement.

Common Variations and Edge Cases

Tighter compliance timelines often increase coordination overhead, requiring organisations to balance implementation speed against evidence quality. That tradeoff is real, especially where model inventories are incomplete or where suppliers will not provide the documentation needed for downstream assurance.

Best practice is evolving for frontier and embedded AI use cases, and there is no universal standard for this yet. Some organisations will face higher pressure from sector rules, contractual obligations, or internal risk committees even before the AI Act applies in full. Others will discover that delayed deadlines do little to simplify adjacent obligations under privacy, security, or operational resilience regimes. NHIMG’s Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs is useful here because many of the same lifecycle controls apply to AI-adjacent identities and access paths.

The edge case to watch is when an organisation assumes that “not yet required” means “not yet reviewable.” Regulators, auditors, customers, and insurers often evaluate governance maturity well before statutory deadlines. That is why delayed deadlines usually shift the sequence of work, but not the operational burden. If a system cannot produce a clear classification, oversight model, or evidence package now, the organisation should assume that weakness will surface later under less forgiving conditions.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF, NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST AI RMFGOVERNGovern function covers accountability, policy, and oversight for AI systems.
NIST CSF 2.0ID.GV-1Governance policies must define roles, responsibilities, and oversight for AI risk.
NIST SP 800-63IAL2Identity assurance matters when humans approve or intervene in AI decisions.
OWASP Non-Human Identity Top 10NHI-01AI systems often depend on NHIs whose ownership and lifecycle must be controlled.
CSA MAESTROGOV-1MAESTRO addresses governance for agentic and autonomous AI operating environments.

Assign owners, maintain AI inventory, and tie each high-risk system to governance evidence.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org