The EU AI Act Was Written for a World That Has Already Passed

Agentic AI, autonomous decision-making, and multimodal reasoning were research concepts when the Act was drafted. They are production realities now, and the law does not yet know their names.

Video summary: https://youtu.be/hEHdO8ugNqg

Sign up for my Substack daily AI newsletter here.

See my AI Training course portfolio for corporate Business Leaders here.

Article link: https://open.substack.com/pub/johanosteyn/p/the-eu-ai-act-was-written-for-a-world?r=73gqa&utm_campaign=post&utm_medium=web&showWelcomeOnShare=true

Follow me on LinkedIn: https://www.linkedin.com/in/johanosteyn/

In the early hours of 7 May 2026, after marathon overnight negotiations that nearly collapsed entirely the week before, the European Parliament and the Council of the European Union reached a provisional agreement on the Digital Omnibus amendments to the EU AI Act. The headline outcome was a 16-month delay: high-risk AI obligations covering biometrics, employment, education, critical infrastructure, and border management will now apply from 2 December 2027 rather than 2 August 2026.

The official justification was technical: harmonised standards and compliance tools were not ready in time, and organisations needed more runway to meet obligations that required infrastructure that did not yet exist.

Both of those things are true. Neither of them is the most important thing to understand about what happened.

CONTEXT AND BACKGROUND

The EU AI Act was conceived and drafted during a specific moment in the development of artificial intelligence. Large language models had demonstrated remarkable capability but operated in a relatively contained way: a user submitted a prompt, the model generated a response, a human reviewed it. The technology was impressive. It was also, in retrospect, relatively legible. You could draw a boundary around it. You could ask who was responsible for the output. You could design a risk framework around it that distinguished between low-risk and high-risk applications and assigned obligations accordingly.

That moment has passed. The AI of 2026 is not the AI the Act was designed to govern. Gartner projects that 40% of enterprise applications will embed AI agents by the end of 2026, up from less than 5% in 2025, and the agentic AI market is forecast to grow from 7.8 billion dollars today to over 52 billion dollars by 2030. These are not systems that wait for a prompt. They plan, decide, and execute across complex enterprise environments with minimal human intervention. They initiate real-world actions, manage multi-step workflows, and operate continuously across organisational systems in ways that make the concept of a single identifiable decision-maker increasingly difficult to locate.

The EU AI Act’s Annex III, which lists the high-risk use cases subject to the most stringent obligations, covers AI systems used in recruitment, performance evaluation, task allocation, worker monitoring, and decisions on promotion or termination. These categories were written when those functions were performed by discrete, identifiable AI tools. An applicant tracking system. A performance scoring module. A scheduling algorithm. What they did not anticipate was a world in which an agentic AI system might perform all of those functions simultaneously, autonomously, and in ways that make it genuinely difficult to determine which regulatory category any given action falls into.

INSIGHT AND ANALYSIS

The 16-month delay is being framed, officially, as an administrative correction: the standards were not ready, the national competent authorities had not been designated, the compliance infrastructure did not exist. All of this is accurate. But it obscures a more fundamental problem, which is that the delay is not the cause of the mismatch between the Act and the technology it governs. It is a symptom of it. The Act was always going to struggle to govern a technology that was evolving faster than the legislative process that produced it.

I have previously written about this dynamic in the context of AI and democratic governance: the question of who is accountable when AI participates in the writing of law is one that democratic institutions were not designed to answer, and the pace of AI development is making that design gap increasingly consequential. The same structural problem applies here, in reverse. The EU AI Act is a democratic institution’s attempt to govern AI. The challenge is that the technology has moved so quickly that the law risks governing an AI that no longer represents the frontier of what is actually deployed.

The industry lobbying that preceded the agreement is instructive in this regard. Executives from companies including ASML, Airbus, Ericsson, Nokia, SAP, Siemens, and Mistral AI publicly warned that Europe risked over-regulating itself out of the global AI race. That pressure worked. The delay is, in part, the product of it. Officials maintain the extension is about timing rather than substance, and the core risk-based architecture of the Act remains intact. Both things can be true: the architecture survives, and the industry learned that sustained pressure on the implementation timeline produces results.

For organisations outside the European Union, including South African companies with exposure to EU markets or with European clients and partners, the practical implications of the amended timeline are significant. The EU AI Act has extraterritorial reach: it applies to any organisation offering AI systems in the EU market, regardless of where it is headquartered. A South African company providing AI-driven HR tools, credit scoring, or biometric verification services to European clients is within scope. The 16-month extension provides additional runway, but it does not change the underlying obligation, and organisations that treat the delay as a reason to pause compliance preparation do so at considerable risk.

IMPLICATIONS

South Africa’s Draft National AI Policy, gazetted on 10 April 2026 and open for public comment until 10 June 2026, explicitly draws inspiration from the EU AI Act’s risk-based framework (before it was pulled back to be reissued) . That is a reasonable starting point. The EU model is the most comprehensive AI governance architecture in the world, and its core principles, transparency, human oversight, accountability, and proportionate risk classification, are sound regardless of where the technology goes next. What South African policymakers and business leaders need to understand, however, is that they are benchmarking against a document that is itself in flux, written for a technological moment that has already been superseded, and now subject to a delay that reflects the difficulty of governing at pace.

The more important lesson from the EU experience is not which specific obligations apply when. It is that AI governance frameworks must be built with structural adaptability as a design principle, not an afterthought. A framework that classifies AI systems by use case and assigns obligations accordingly will struggle to keep pace with agentic systems that blur the boundaries between use cases in real time. The Act was written for a world of discrete tools performing discrete functions. The AI being deployed today operates as an infrastructure layer across an organisation, making it harder to apply categories that assume a bounded, identifiable system performing a bounded, identifiable task.

For boards and executives, the practical question is not whether the EU AI Act’s high-risk deadline is August 2026 or December 2027. It is whether your organisation’s AI governance framework was designed for the AI you have today, or for the AI that existed when you built the framework. If the answer is the latter, the EU’s experience offers a clear lesson: the gap between the technology and the governance does not close by itself.

CLOSING TAKEAWAY

Europe spent years producing the most ambitious attempt in history to govern artificial intelligence through law. The result is a framework of genuine intellectual rigour, built on sound principles, passed through democratic institutions, and designed with the protection of citizens at its centre. It is also a framework written for a world that has already changed, subject to a delay driven partly by the absence of the infrastructure needed to implement it and partly by the lobbying power of the industries it was designed to regulate. Neither of those facts invalidates the effort. They do, however, illuminate the scale of the challenge.

For business leaders navigating AI governance in South Africa and across the continent, the EU experience is not a cautionary tale about European bureaucracy. It is a preview of the structural tension that every jurisdiction will face when it tries to write permanent rules for a technology that does not stay still. The answer is not to stop trying. It is to build governance frameworks that are designed to learn and adapt, rather than frameworks that assume the technology they govern has already taken its final form. It has not. It never will.

Johan Steyn is a prominent AI thought leader, speaker, and author with a deep understanding of artificial intelligence’s impact on business and society. He is passionate about ethical AI development and its role in shaping a better future. Find out more about Johan’s work at https://www.aiforbusiness.net