On May 7, 2026, the European Council and Parliament reached a provisional agreement to simplify the EU AI Act. The headline makes it sound like relief. The details tell a more complicated story for enterprises with operations in — or selling into — the EU.
What Actually Changed
The sandbox timeline moved. The deadline for EU member states to establish national AI regulatory sandboxes was postponed from August 2, 2026 to August 2, 2027.
High-risk AI rules got a conditional delay. The Commission proposed adjusting the timeline for high-risk AI system rules by up to 16 months — but only once the Commission confirms that required standards and supporting tools are actually available. That confirmation is not automatic. The original August 2, 2026 deadline for high-risk AI systems remains the planning baseline until it formally shifts.
Transparency rules got tighter, not looser. The grace period for AI-generated content transparency solutions was shortened — from 6 months to 3 months. The new deadline is December 2, 2026. If your organization operates generative AI tools that produce customer-facing content, this window just closed faster.
A new prohibition was added. The agreement includes a new provision explicitly banning AI practices that generate non-consensual sexual and intimate imagery — sometimes called "nudification" apps. This adds to the existing list of eight prohibited AI practices that took effect in February 2025.
SME protections extended to small mid-caps. Simplified documentation requirements, previously available only to SMEs, now extend to small mid-caps as well — a meaningful change for companies in the 250–1,500 employee range.
What Didn't Change
The governance obligations that matter most to large enterprises were not relaxed.
High-risk AI applications — including AI used for credit scoring, employment decisions, educational access, critical infrastructure, and essential services — still face requirements for:
- Adequate risk assessment and mitigation systems
- High-quality datasets to minimize discriminatory outcomes
- Logging of activity to ensure traceability of results
- Detailed technical documentation
- Clear and adequate information provided to deployers
- Appropriate human oversight measures
- High standards for robustness, cybersecurity, and accuracy
The General-Purpose AI (GPAI) model obligations have been in force since August 2, 2025. They are not affected by today's agreement. If your organization deploys or builds on top of foundation models — which now describes virtually every enterprise with an active AI program — those obligations are live right now.
The Gap Between Compliance Documentation and Runtime Enforcement
The provisional agreement doesn't change the underlying logic of why enterprises need runtime AI governance.
The EU AI Act's requirements for "logging of activity," "human oversight," and continuous monitoring are not satisfied by a SOC 2 report or an ISO 42001 certification alone. Those standards help you demonstrate that governance policies exist. But the EU AI Act cares about whether governance is actually operating — whether policies are being enforced at the point where employees and AI tools interact, whether violations are detected in real time, and whether audit trails capture what actually happened, not just what was planned.
That distinction matters because the compliance automation market was built to help organizations collect evidence and pass audits. The leading platforms automate the documentation of governance. The EU AI Act's runtime requirements need something different: enforcement at the point of interaction, not just documentation after the fact.
When an employee pastes proprietary data into ChatGPT, or a customer service rep types a patient's name into Claude, a SOC 2 audit trail doesn't capture that event. A runtime enforcement layer does.
What Enterprises Should Do Now
The provisional agreement is not a reason to slow down governance work. It's a reason to focus:
Map your high-risk AI applications now. The conditional delay only applies if standards aren't ready. You don't control that determination. Build your inventory and classification schema now so you're prepared for either scenario.
Treat the December 2 transparency deadline as firm. The agreement shortened this window. If you deploy generative AI in customer-facing contexts, your disclosure and labeling obligations land in seven months.
Audit your GPAI obligations. These are already in effect. If you use or deploy general-purpose AI models, your obligations under the AI Act are not theoretical — they're current.
Get the runtime layer right. Policy documents and compliance dashboards show intent. Audit-ready evidence of actual enforcement is what regulators and enterprise procurement teams increasingly require. Proxy-layer monitoring, browser-level interception, and real-time policy checks close that gap between intent and evidence.
The deal that landed today was designed to buy time for standards to catch up to legislation. It wasn't designed to relieve enterprises of the underlying obligation to govern AI responsibly. The governance infrastructure you build over the next 90 days will matter whether the August 2026 deadline holds or shifts by 16 months.
The companies that use this window to build runtime enforcement capability will have a defensible audit trail. The ones that wait for certainty will be scrambling regardless of which deadline eventually lands.
Containment.AI enforces AI governance policies in real time — at the proxy layer, in the browser, and in the admin dashboard — giving enterprises audit-ready evidence of AI policy enforcement, not just policy documentation. Get started free.