The Governance Evidence Every Board Should Demand Before August

The countdown has changed.

The EU AI Act entered into force on 1 August 2024. General-Purpose AI obligations kicked in on 2 August 2025. The next major enforcement wave — the bulk of the Act's obligations — was scheduled to land on 2 August 2026.

That date has now been deferred by the EU AI Act Omnibus. High-risk AI obligations have been pushed to 2 December 2027 for Annex III systems (recruitment, credit scoring, law enforcement, education, critical infrastructure) and 2 August 2028 for AI embedded in regulated products like medical devices and vehicles.

That sounds like relief. It isn't.

The work hasn't changed. The transparency obligations under Article 50 still take effect in August 2026. This means if your organisation is using synthetic media, AI-generated content, or customer-facing chatbots, you must be able to detect, watermark, and explicitly disclose them to users by this summer.

The penalties — up to 7% of global annual turnover for the most serious violations — remain in the statute. More importantly, the regulatory infrastructure is already live: national supervisory authorities are operational, the EU AI Office is running, and the AI Board is actively issuing codes of practice.

The question every board should be asking is no longer "are we compliant?" but rather: "What evidence do we have that we'd survive an audit tomorrow?"

The Five Pieces of Evidence Boards Must Demand

1. A documented AI risk management system (Article 9)

A risk management framework isn't a policy document. It's a living system that identifies risks from intended use and foreseeable misuse, defines mitigation measures, and demonstrates continuous monitoring.

If your board cannot point to a documented risk register that covers your AI systems, their deployment contexts, and the specific failure modes you have tested for — you do not have a governance framework. You have a slide deck.

  • What to demand: A living risk register that maps every AI system to its specific risk class, intended purpose, data sources, and automated mitigation controls.

2. Technical documentation that survives scrutiny (Article 11)

Technical documentation means system architecture, training methodology, data provenance, known limitations, and performance metrics broken down by demographic group.

This isn't documentation your engineering team writes once to pass a gate. It is a dynamic artifact that must be updated every time model weights shift or an API updates. If your team cannot produce this on request, you are exposed.

  • What to demand: Auditable system cards or model cards for every AI system in production, complete with strict version control and cryptographic audit trails.

3. Bias audits and demographic performance testing (Article 10)

Article 10 requires rigorous examination of training data for systemic biases. That means testing model performance across protected characteristics and documenting the gaps.

Most organisations have never tested their internal AI infrastructure across distinct demographic groups. If you are deploying AI in hiring, customer lending, or any decision-making context that impacts human lives, this is no longer optional.

  • What to demand: Verification of empirical bias testing across relevant demographic segments, paired with legally reviewed remediation plans for any gaps identified.

4. Human oversight mechanisms (Article 14)

Article 14 requires that humans can understand, monitor, override, and stop AI systems entirely. This means explicitly designing user interfaces for human-in-the-loop review, giving operators the clear authority and capability to intervene when a model behaves unexpectedly.

A kill switch isn't a feature. It is a core compliance requirement.

  • What to demand: Demonstrable human-in-the-loop controls for every high-risk AI system, including a verified protocol to override AI outputs and instantly halt automated decisions.

5. Comprehensive logging and audit trails (Article 12)

Article 12 requires automatic event recording. Every single AI decision needs an unalterable log trail: inputs, outputs, confidence scores, model version, and exact timestamps.

This is the bedrock of accountability. If a board faces a retroactive class-action or a systemic bias claim years down the line, a short-term log is useless. You must be able to prove what happened, why it happened, and what your version history looked like at that exact moment in time.

  • What to demand: Automatic event recording for every AI-driven output — capturing inputs, outputs, confidence scores, and model versions — with an enterprise-grade, minimum 24-month retention policy.

The real question isn't "are we compliant?"

It's: what evidence do we have that we'd survive a regulatory audit tomorrow?

The EU AI Act Omnibus has deferred some high-risk timelines to December 2027. But the governance gap hasn't moved. If your board cannot produce evidence of these five things, you are not ready — regardless of what the deadline says.

The window between now and the next deadline isn't breathing room. It is your entire runway.

Scail with AI can help

At Scail with AI, we help boards and leadership teams build the governance evidence that stands up to regulatory scrutiny. From deep-dive AI risk assessments to full ISO 42001 alignment, we work with organisations to build structural accountability into their AI operations from the ground up.

If your board is asking the right questions and you need help finding the answers, let's talk.
