If you were counting on the EU to blink, stop counting.
Negotiations to delay the EU AI Act's high-risk system compliance deadline through the Omnibus package collapsed this week. August 2, 2026 is back as the hard deadline — and it applies to systems that are already in production at your bank.
What's actually due
Annex III of the EU AI Act classifies these as high-risk AI systems:
- Credit scoring and creditworthiness assessment — any automated model that informs a lending decision
- Fraud detection — real-time transaction monitoring using ML models
- Customer onboarding — identity verification and KYC systems with AI components
If your institution uses AI in any of these workflows and you serve EU customers or operate in EU jurisdictions, you have roughly 90 days to demonstrate conformity.
What conformity actually requires
The EU AI Act's high-risk requirements aren't a checkbox — they require:
- Risk management system — documented, ongoing risk assessment for each high-risk AI system
- Data governance — documented training data provenance, bias testing
- Technical documentation — sufficient to allow post-market surveillance
- Transparency and logging — audit logs that demonstrate the system's behavior and decisions
- Human oversight — mechanisms that allow a human to monitor, override, and correct the system in real time
- Accuracy, robustness, cybersecurity — validated performance and security controls
Requirement 4 and 5 are the ones most financial institutions are unprepared for. The regulation doesn't specify how you implement real-time human oversight — but it does require you to prove you can do it.
The governance gap Anthropic and OpenAI aren't solving
This week, both Anthropic and OpenAI announced PE-backed joint ventures to embed engineers inside financial institutions and deploy Claude and GPT into core workflows. That's a deployment story, not a governance story.
The question those ventures don't answer: once the model is running in your fraud detection pipeline, who is monitoring it for policy violations, logging its decisions for regulators, and enforcing the override mechanism required by Article 14?
That's the layer the EU AI Act actually mandates — and it's the layer that has to run at the proxy level, not in a consulting engagement.
What 90 days looks like in practice
For most mid-sized financial institutions, 90 days is not enough time to build a governance layer from scratch. The realistic path:
- Inventory which AI systems touch Annex III categories — this alone takes 2–3 weeks if you don't already have a model registry
- Assess gap against Articles 9–15 requirements — technical documentation, logging, oversight mechanisms
- Implement or procure real-time policy enforcement and audit logging for each system
- Run internal conformity assessment (or engage a notified body for certain systems)
- Register in the EU AI Act database (required for high-risk systems before market deployment)
Step 3 is where most institutions stall. Building a compliant audit trail and real-time override mechanism for a production model is not a weekend project.
The practical takeaway
The EU gave financial institutions more than two years from the Act's passage to prepare. The delay speculation was always a hedge, not a plan. If you've been waiting for the Omnibus to move the goalposts, the goalposts just moved back.
August 2 is 90 days. The institutions that started this work in Q1 will be ready. The ones that didn't are now buying governance tools under deadline pressure — which is the worst time to evaluate anything carefully.
If you're in the second group: Containment.AI enforces AI usage policies in real time, logs every interaction with full audit trail, and provides the human oversight controls that Articles 9 and 14 require — without requiring a six-month implementation engagement. Start a free trial before your conformity window closes.
Containment.AI is an AI governance platform for regulated enterprises. We monitor, enforce, and audit AI usage in real time — at the proxy layer and in the browser.