For a long time, the EU AI Act felt like something we could safely park under “future compliance”.
Important, yes — but distant. Something to revisit once guidance settled, standards emerged, and enforcement became clearer.
That window has closed.
The AI Act is now in force. Early obligations are active. National authorities are gearing up. And for organisations already using AI in real business processes, this has quietly become an operational issue, not just a legal one.
This Isn’t About AI in Theory
One of the biggest misunderstandings we still see is treating the AI Act as a regulation about innovation or emerging technology.
It isn’t.
The Act is really about how AI behaves once it’s embedded into day-to-day operations:
- Systems that influence decisions
- Tools that support or automate services
- Models that shape outcomes for customers, staff, or citizens
In other words, the AI Act is about production systems, not labs or experiments.
That’s why it lands so squarely in the same space as:
- ICT risk management
- Operational resilience
- Third-party dependency oversight
- Incident and recovery planning
The Risk-Based Model — Why It Matters in Practice
The AI Act doesn’t ask whether a system is “clever” or cutting-edge. It asks whether it’s risky.
That’s an important shift, because many organisations already have AI in place that will fall into regulated categories — even if it’s never been labelled as such internally.
The four risk tiers are well known by now:
- Unacceptable risk (banned uses)
- High risk (systems affecting safety, rights, or access to services)
- Limited risk (transparency obligations)
- Minimal risk (largely unregulated)
From an operational perspective, the key takeaway is simple:
high-risk AI systems are being treated like other critical systems.
That means expectations around documentation, ownership, controls, monitoring — and yes, recovery when things go wrong.
Why the Next 6–12 Months Matter (As of February 2026)
Although the EU AI Act formally entered into force back in 2024, its obligations have been deliberately phased in. As of February 2026, that phasing has moved decisively out of theory and into day-to-day operational reality.
Several elements of the Act are already live:
- Certain AI use cases are now explicitly prohibited
- Transparency obligations are no longer optional and are being applied in real deployments
- Governance expectations around general-purpose AI have shifted from draft guidance to practical expectation
The most significant milestone is what comes next.
By August 2026, requirements for high-risk AI systems will be fully enforceable. That is now less than six months away.
This matters because the work required to comply — identifying AI systems, mapping them to business services, assigning ownership, documenting controls, and planning for failure — cannot be done properly at the last minute.
At the same time, Member States are no longer just preparing for enforcement. They are actively building supervisory capability, training regulators, and aligning AI oversight with existing ICT, cyber, and operational resilience frameworks.
The result is a subtle but important shift:
the question is no longer if scrutiny will happen, but when — and under what circumstances.
For organisations with AI embedded in critical processes, the remaining runway is short. The next 6–12 months will determine whether AI governance is embedded calmly and deliberately — or retrofitted under pressure.
Where the AI Act Meets Operational Resilience
When we look at this through a resilience lens, four pressure points show up again and again.
1. Knowing Where AI Is Actually Used
Many organisations struggle to answer basic questions:
- Where exactly is AI in use?
- What decisions does it influence?
- What happens if it produces the wrong output — or stops working altogether?
If you can’t map AI to business services, you can’t assess impact. And if you can’t assess impact, you’re already behind.
2. Ownership Still Isn’t Clear Enough
AI often sits in an awkward organisational gap — owned by innovation teams, data teams, vendors, or “the platform”.
The AI Act doesn’t tolerate that ambiguity. It pushes organisations to be clear about:
- Who owns the system
- Who is accountable for outcomes
- Who decides when it should be paused, overridden, or shut down
That clarity is just as important in a crisis as it is on a compliance slide.
3. AI Failures Are Incidents — Whether You Call Them That or Not
AI doesn’t fail politely.
When it goes wrong, it can:
- Disrupt services
- Produce unsafe or misleading outputs
- Trigger regulatory notifications
- Undermine trust very quickly
Yet many incident response plans still focus on cyber or infrastructure events, with no real consideration of AI-specific failure modes.
That gap will matter.
4. Third-Party Dependence Is a Bigger Risk Than It Looks
Most AI systems today depend on:
- External models
- Cloud platforms
- Embedded vendor functionality
That creates concentration risk and loss of control — something regulators are increasingly uncomfortable with.
From a resilience perspective, this is familiar territory. AI just adds another layer to an already complex dependency picture.
The Trap: Treating AI Compliance as “Someone Else’s Job”
In many organisations, responsibility for the AI Act has been handed to legal teams or innovation functions.
That’s understandable — but incomplete.
When something goes wrong, the questions won’t be abstract or legalistic. They’ll be practical:
- What happened?
- Who knew?
- What did you do?
- How fast did you recover?
Those are operational questions. And they land with operational leaders.
What Good Looks Like Right Now
You don’t need perfect answers yet — but you do need movement.
Practical steps we see working:
- Inventory where AI is used
- Link AI systems to critical services
- Think through failure and degradation scenarios
- Clarify ownership and escalation
- Update incident and continuity plans to include AI
- Start building evidence, not just policies
None of this is exotic. It’s the same discipline organisations already apply to other critical technologies.
TL;DR — The One Thing That Matters (2 February 2026)
As of February 2026, the EU AI Act is no longer something organisations can plan around in the abstract. It is already shaping what regulators, executives, and customers expect organisations to be able to explain, control, and stand over when AI is in use.
If AI is influencing decisions, services, or outcomes in your organisation today, it needs to be treated like any other critical system — with clear ownership, documented controls, and a practical plan for what happens when it degrades, misbehaves, or fails.
The organisations that will struggle over the coming months won’t be the ones moving too slowly on AI adoption. They will be the ones caught off guard when simple questions can’t be answered under pressure: Who owns this system? How does it fail? What do we do when it does?
AI resilience is now inseparable from operational resilience.
And if it isn’t built in deliberately now, it will almost certainly be tested the hard way later this year.
Per claritatem progressus — through clarity, progress.
Morclear