AI Compliance Beyond the Hype: A Practical Framework
Few topics generate more noise and less clarity than AI compliance. The conversation tends to swing between two unhelpful extremes. One is alarm: the EU AI Act is coming, the penalties are enormous, and any organisation touching AI is about to be caught out. The other is a shrug: the rules keep slipping, nobody fully understands them yet, so why not wait?
May 2026 handed both camps fresh material. EU institutions agreed to push back the AI Act's high-risk obligations, moving the main use-based (Annex III) requirements from August 2026 to December 2027, with product-embedded systems following in 2028 (Gibson Dunn, 2026). Cue relief from one side and confusion from the other. But the deadline shuffle is precisely the wrong thing to organise around. The date has moved before, and it may move again. What hasn't changed, and won't, is that AI introduces real risks that someone in your organisation has to manage, law or no law.
That's the practical starting point. Strip away the hype and AI compliance isn't an exotic new discipline. It's governance, applied to a new and unusually fast-moving class of asset.
What the rules are actually asking for
It helps to know what you're aiming at. The EU AI Act (Regulation (EU) 2024/1689) takes a risk-based approach rather than regulating "AI" as a single monolithic thing (European Parliament & Council of the European Union, 2024). It sorts systems into tiers: a small set of prohibited uses; a high-risk category (AI used in recruitment, credit scoring, education, or critical infrastructure, for instance) that carries the heaviest obligations; a limited-risk tier that mainly requires transparency, such as telling people when they're dealing with AI or AI-generated content; and everything else, which is largely unregulated. Separate obligations apply to general-purpose AI models, which began phasing in from August 2025.
The Act's underlying logic is worth internalising even if you never have to comply with it directly: proportionality. Not every use of AI deserves the same scrutiny. A model that screens job applicants is not the same risk as one that drafts email subject lines, and a sensible approach treats them differently.
You don't have to derive any of this from scratch, either. Two mature, voluntary frameworks already translate "manage AI risk" into concrete practice, and both align with where regulation is heading:
The NIST AI Risk Management Framework (AI RMF 1.0, published January 2023) organises the work into four functions (Govern, Map, Measure, and Manage) applied across an AI system's whole lifecycle (National Institute of Standards and Technology, 2023).
ISO/IEC 42001:2023, the first international AI management-system standard, sets out requirements for building and continually improving a structured AI governance system, with a path to third-party certification (International Organization for Standardization, 2023).
Neither is law. Both are useful precisely because they give you a defensible, recognised structure to point to, and they overlap heavily with what the AI Act expects.
A practical framework
You can collapse all of this into four steps any organisation can begin now, regardless of which deadline applies to it.
Know what you have. You cannot govern AI you can't see. Most organisations underestimate how much AI is already in use, embedded in vendor products, adopted by individual teams, quietly switched on inside tools you already pay for. The first, unglamorous task is an inventory: where is AI being used, by whom, on what data, and to what end?
Classify it by risk. With an inventory in hand, sort it. Borrow the AI Act's tiers: is anything prohibited, high-risk, or subject to transparency duties, and what is genuinely low-stakes? This is where proportionality earns its keep. It tells you where to concentrate effort and, just as usefully, where not to.
Put ownership and controls in place. For anything that matters, decide who is accountable, and apply controls proportionate to the risk: human oversight of consequential decisions, documentation of how a system works and was tested, data governance, bias and performance checks, and assessment of the third-party models you depend on. This is the Govern function doing its job.
Monitor and review. AI systems are not static. Models drift, data shifts, vendors push updates, and the regulatory picture keeps moving. Compliance is a standing process, not a certificate you earn once and file away.
None of these steps requires a finished law or a particular piece of software. They require someone to own the work and a structure to do it within, the same thing sound security and risk governance has always required.
The hype fades; the governance remains
Here's the through-line the noise obscures: the organisations that handle AI well are not the ones that bought the cleverest compliance tool or guessed the deadline correctly. They're the ones that know what AI they're running, understand the risk it carries, and have someone accountable for keeping it in check. When the rules firm up, and they will, those organisations adjust a working system instead of building one under pressure.
This is the layer we work in at CTRL Disrupt: bringing AI governance and compliance into a managed security and risk program, so that adopting AI becomes a decision you can make with confidence rather than anxiety. But the framework above stands perfectly well on its own. You can take the first step (finding out where AI already lives in your organisation) this week, without waiting for anyone's permission or any final text from Brussels.
AI compliance, beyond the hype, is unspectacular in the best way. It's knowing what you have, deciding what matters, and keeping an eye on it. Start there.
References
European Parliament & Council of the European Union. (2024). Regulation (EU) 2024/1689 of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act). EUR-Lex. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
Gibson Dunn. (2026). EU AI Act omnibus agreement — Postponed high-risk deadlines and other key changes. https://www.gibsondunn.com/eu-ai-act-omnibus-agreement-postponed-high-risk-deadlines-and-other-key-changes/
International Organization for Standardization. (2023). ISO/IEC 42001:2023 — Information technology — Artificial intelligence — Management system. https://www.iso.org/standard/42001
National Institute of Standards and Technology. (2023). Artificial intelligence risk management framework (AI RMF 1.0) (NIST AI 100-1). U.S. Department of Commerce. https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.100-1.pdf
© 2026 CTRL Disrupt Consulting B.V. · KvK 87198983 · All rights reserved.