AI Agent Meetup Field station · est. 2026

EU AI Act High-Risk Obligations Take Effect August 2 — What's Actually Due

May 12, 2026

The EU AI Act's high-risk system obligations become fully applicable on August 2, 2026 — twenty-four months after the Act's entry into force, and the date by which providers and deployers of qualifying systems must have a defensible compliance posture in place. Most large organizations have known the date for two years; the scramble now is about evidence rather than awareness.

What flips on August 2

  • High-risk system requirements — risk management, data governance, technical documentation, record-keeping, transparency, human oversight, and accuracy/robustness/cybersecurity controls — become enforceable for systems in scope.
  • Article 50 transparency obligations apply to systems that interact with people, generate synthetic content, or perform emotion recognition or biometric categorisation.
  • General-purpose AI (GPAI) obligations, already in effect since August 2025, continue, with a final compliance cliff for pre-August-2025 models landing in August 2027.

The framework stack practitioners are settling on

The emerging consensus among compliance leads is to run one program that satisfies multiple frameworks simultaneously rather than treat them as separate workstreams. The typical pattern:

  1. Use NIST AI RMF 1.0 and its Generative AI Profile as the risk-management spine — voluntary, US-anchored, well-documented, and increasingly recognised by procurement teams.
  2. Build toward ISO/IEC 42001 certification for an externally verifiable AI Management System. Gartner has forecast that the majority of enterprises will adopt a governance standard like 42001 by year-end 2026.
  3. Layer EU AI Act documentation on top for any system in scope — risk impact assessments, system cards, change logs, and the human-oversight design that auditors will want to see.

What changed in the US picture

The state-level patchwork shifted in May. Colorado's original AI Act, which would have made the state the first US jurisdiction with comprehensive AI antidiscrimination obligations on June 30, has effectively been replaced by a narrower notice-and-transparency bill (SB 26-189) after a federal court stayed the original and the legislature passed a replacement on May 9. The replacement, if signed by Gov. Polis, would take effect January 1, 2027, and removes the original's risk-management program, annual impact assessment, and duty-of-care provisions in favour of consumer-notice and developer-documentation requirements.

For multinationals, the practical message is unchanged: build the program for EU AI Act and ISO 42001 and the state-by-state US obligations slot in cleanly underneath. For US-only deployments, the timeline just got slightly more forgiving — but only slightly, and the underlying expectation that you can show your work has not moved.