The EU’s decision to delay high-risk AI Act compliance until 2027 gives organisations crucial breathing room, but the compliance clock is still ticking. Apu Pavithran, CEO of Hexnode, says companies must act now to audit AI systems, strengthen oversight, and use tools like unified endpoint management to meet future regulatory demands.
Once again, Europe is trying to thread that most difficult of needles between technological innovation and regulatory oversight. A decade after the General Data Protection Regulation (GDPR), the bloc is leading the world in regulating artificial intelligence (AI) and mandating that systems are transparent, traceable, and safe.
Despite passing the AI Act and quickly banning certain applications in 2024, the EU just pushed compliance back for “high-risk AI” to the end of 2027. This is good news for industrial operators and network admins managing AI-enabled systems because following the first-of-its-kind mandate is easier said than done. The delay offers important breathing room but teams should know that the runway for getting up to code is still shorter than it looks.
The pathway to regulation
Trust is the overarching aim of this regulation. At a high level, the act seeks to protect human decision-making and bake in guardrails amid automation. AI isn’t one-size-fits-all and neither is the first regulation trying to govern it. Instead, the bloc is taking a tiered approach based on risk.

For example, the highest tier was enacted straight away and now prohibits practices including social scoring, AI-based manipulation and deception, and emotion recognition in workplaces and education.
The next tier on the horizon for implementation – high-risk systems – includes AI that poses serious risks to health, safety, or fundamental rights. It governs a broad range of areas, including biometrics, critical infrastructure, employment decisions, and essential services. The providers (creators) of such systems must therefore demonstrate compliance across training data, technical records, and risk management.
Further, the deployers (users) are also on the hook. Companies using AI in a professional capacity – even if they didn’t build it – must ensure competent oversight personnel, performance monitoring, and 15-day incident reporting. Fines apply to both sides of the equation, with penalties of up to €15M or 3% of global turnover for high-risk non-compliance.
A ticking clock to compliance
The timeline, much like the regulation itself, is ambitious. The bloc hoped to be ready by August but, by the end of March, requested more time. This is because most member states have yet to set up enforcement authorities and official guidance from the AI Office is still lagging. Regulators, too, needed more time and gave themselves until the end of next year to get everything online. This doesn’t mean companies should wait. Rather, the compliance clock is still ticking and companies need to rewrite processes and log them from start to finish.
Leaders can and should look back to the last decade for an idea of what’s to come. European firms spent an average of €1.3 million preparing for GDPR and, still, about one-third were unsure whether their stack was ready before enforcement began. AI arguably sets an even higher bar to clear because these intelligent systems live across device fleets, edge infrastructure, and network endpoints. Teams need visibility across the ecosystem before they can classify, audit, and monitor them.
It’s also worth remembering that, beyond compliance, following the new automation rules can go a long way to protecting company reputations. Air Canada learned this the hard way when its chatbot “hallucinated” and falsified fare information, leading to legal action. Under the AI Act, such incidents trigger mandatory reporting if the misinformation results in serious harm. All of this requires companies to have a finger on the pulse of their ecosystem and the smart tools operating within it.
Companies need to move now
Regulatory compliance and teething pains often go hand in hand. This is why companies need to take advantage of this additional time and immediately reassess their digital footprint.
Audit the ecosystem and understand which parts of it automation touches. Many organizations don’t have a clear inventory of which endpoints are running AI-enabled applications (predictive maintenance, automated provisioning, network optimization tools) and should start here. Unified endpoint management (UEM) platforms provide centralized visibility into what’s deployed and where, patch status, and configuration baselines. Plus, UEM automates the compliance documentation and logging that regulators expect. Teams can also take this a step further by layering in extended detection and response (XDR) to detect and respond to what’s happening in real time.
Also create a clear chain of command for quality control and incident detection. The act mandates the human in the middle and therefore requires assigning competent personnel, documenting their training, and establishing escalation paths. Regulators essentially want to see that you’re not just implementing AI and leaving everything up to the machine. Show your thinking and build in redundancies.
Europe’s often a regulation bellwether and this act is worth watching even if your company isn’t impacted. The bloc acknowledges that AI is here to stay but (rightly) refuses to let its application go ahead without some ground rules. Companies everywhere should take a close look at what this entails and consider how getting ahead of it now could mean complying with future rules and protecting tomorrow’s reputations.
Apu Pavithran is the founder and CEO of Hexnode, an industry-leading endpoint management solution that provides a comprehensive set of features to secure, manage, and remotely monitor devices across the enterprise. Apu’s a recognized consultant, speaker, and thought leader in the IT management community with a focus on governance and information security.