Executive summary
In May 2026 the European Union agreed to delay the AI Act's high-risk obligations, including the Article 14 requirement for effective human oversight. The obligations that were due to apply from 2 August 2026 now apply from 2 December 2027 for standalone high-risk systems and from 2 August 2028 for AI embedded in regulated products.
Most organisations have read this as relief. I read it as an admission. Regulators do not defer enforcement because the rules stopped mattering. They defer because the organisations being regulated could not have complied. The delay did not close the gap between what Article 14 requires and what organisations can demonstrate. It acknowledged it.
That gap is not technical. It is human. Article 14 requires that high-risk systems can be effectively overseen by people, and a growing body of research suggests that sustained AI use erodes the very judgment effective oversight depends on. The organisations that treat December 2027 as a new date to panic about in late 2027 will repeat this spring's compliance theatre with less excuse. The ones that use the window will baseline the human layer of their AI governance now, fix what the baseline reveals, and arrive in 2027 with evidence rather than assertions.
This paper sets out what the delay actually changed, why the human layer is the binding constraint, and a practical sequence for using the eighteen months well. It is written for the people who will be asked, when the obligations bite, to prove that their organisation's humans can still govern its machines.
What changed in Brussels
The headline facts first, because most of the commentary has them only half right.
On 7 May 2026 the Council, Parliament and Commission reached provisional agreement on the Digital Omnibus, a package to simplify and re-sequence parts of the EU digital rulebook. On 16 June 2026 the European Parliament approved it, and on 29 June 2026 the Council formally adopted it. Publication in the Official Journal is expected in July, with entry into force on the third day after publication, deliberately ahead of the original 2 August 2026 date. The legislative argument is over. What remains is administrative.
The substance, for anyone responsible for AI governance:
The high-risk obligations under the AI Act, which include the Article 14 requirement for human oversight, move from 2 August 2026 to 2 December 2027 for standalone high-risk systems listed in Annex III, and to 2 August 2028 for AI embedded in products already regulated under Annex I. Most of the Article 50 transparency obligations still apply from August 2026; only the provider watermarking requirement shifts, to December 2026.
So the prohibitions and the transparency rules are largely holding. What moved is the hard part: the obligations that require an organisation to show, not state, that a person can meaningfully oversee a high-risk system. That is the part nobody was ready for, and that is the part that has been pushed eighteen months down the road.
The misreading
The reflex has been to treat the delay as a reprieve. Compliance teams have stood down. Budgets earmarked for August have been quietly reallocated. The deadline that drove every AI governance conversation this spring has dissolved, and with it, apparently, the reason to act.
This is the wrong reading, and it is wrong in a way that will cost the organisations that adopt it.
Consider why a regulator delays. Not because the risk receded. The systems being deployed in hiring, credit, healthcare triage and fraud detection are no safer in June than they were in April. Regulators delay when the machinery of compliance is not ready: national authorities not yet designated, harmonised standards unfinished, and underneath all of it, the uncomfortable recognition that the organisations in scope could not have met the obligation in time.
Read that way, the Digital Omnibus is not a gift. It is a finding. The EU looked at what Article 14 requires, looked at what organisations can actually demonstrate today, and concluded the distance between the two was too wide to enforce across. The delay bought time for that distance to be closed. It did not close it.
Which raises the only question that matters for the next eighteen months: closed by what, and by whom?
What Article 14 actually requires
Article 14 of the AI Act requires that high-risk AI systems be designed so that they can be effectively overseen by natural persons during use. The word that carries the weight is "effectively". The obligation is not satisfied by naming a human in a process diagram, nor by a policy that says a person reviews the output. It requires that the person can understand the system's capabilities and limits, can detect when something is going wrong, can interpret the output correctly, and can decide not to use the system or to override it.
That is a statement about human capability, not system design. You can build the cleanest override button in the industry, and the obligation still fails if the person holding it has stopped being able to tell when to press it.
This is the assumption buried in almost every AI governance plan I have seen: that the experienced professionals already in post will provide the oversight, because they always have. The evidence on whether they still can is where the comfort runs out.
The evidence the human layer is not ready
Four findings, taken together, describe the problem.
First, the most capable users are not always the safest. A Harvard Business School and Boston Consulting Group study of 244 consultants identified three patterns of AI use. Around 60 per cent, the researchers' Cyborgs, worked continuously alongside the tool and built new expertise. About 14 per cent, the Centaurs, used it selectively and achieved the highest accuracy of any group. And roughly 27 per cent became what the researchers call Self-Automators: they delegated entire workflows to the AI and developed neither real AI skill nor the domain judgment their role assumes. A quarter of the professionals studied had quietly automated themselves out of their own expertise. These are precisely the people an oversight regime expects to catch the machine's mistakes.
Second, the people accountable already know they cannot keep up. An IBM Institute for Business Value survey of 2,000 CIOs and CTOs, published in June 2026, found 67 per cent held accountable for AI systems they do not fully control, and 77 per cent saying AI adoption is already outpacing their organisation's governance capability. Accountability without the capability to exercise it is not oversight. It is exposure.
Third, exposure to a biased system changes the human, and the change outlasts the system. In work published in Scientific Reports in 2023, Lucia Vicente and Helena Matute had volunteers perform a simulated medical diagnosis task. One group was assisted by an AI that carried a systematic error. They reproduced that same bias in their own later decisions, even after the AI assistance was removed. The bias did not stay in the machine. It transferred to the person and persisted once the machine was gone. An oversight model that assumes the human is a neutral check on the system is assuming away the finding.
Fourth, there is a name for the underlying dynamic. In February 2026, Acemoglu, Kong and Ozdaglar described knowledge collapse: as AI substitutes for human cognitive effort, people rationally stop investing in the knowledge and judgment that the effort used to build. The longer the exposure, the thinner the capability becomes. Klein and Klein, writing in Frontiers in Artificial Intelligence, make the companion case that foundational knowledge is what lets a person recognise when an AI output is wrong, and that hollowing it out removes the very thing oversight relies on.
Put the four together and you get an uncomfortable conclusion for any compliance plan that rests on experienced staff doing the overseeing. The most exposed users may be the least equipped to catch the system's errors, they are already accountable for more than they can supervise, the errors they are exposed to follow them out of the room, and the capability they would need is eroding precisely because of the tool they are meant to police.
The gap is human, not technical
None of this is fixed by a policy document, a model card, or a better dashboard. It is a question about whether the people in the loop can still do what the loop assumes, and that question has a clock on it.
This is the distinction most AI maturity models miss. They measure technology adoption: how much AI an organisation has deployed, how mature its tooling and data foundations are, how widely it has scaled. Useful questions, but they measure the wrong layer for this obligation. Article 14 does not ask whether you have adopted AI well. It asks whether your people can still govern it. An organisation can score highly on every adoption metric and fail the only test that the regulation will actually run.
My research over the past two years has converged on that second question: not whether organisations are ready for AI, which the market already measures exhaustively, but whether AI is leaving their people capable of governing it. The evidence base is published on SSRN. The short version is that the human layer of AI governance is measurable, it is currently unmeasured in most organisations, and it is deteriorating quietly while everyone watches the adoption metrics.
What the window is actually for
Here is what the delay creates, stated plainly: close to eighteen months in which an organisation can build the thing the regulation will eventually test, rather than the paperwork that gestures at it.
There are two reasons to act inside the window rather than at the end of it.
The first is simple readiness. An organisation that baselines its human oversight capability now, fixes what the baseline reveals, and re-measures before the obligations bite will arrive in December 2027 holding evidence: this is what our people could do, here is where oversight was real and where it was fiction, here is what we changed, here is the result. That is a stronger position than any volume of policy documentation, and it is exactly what an "effective oversight" obligation is designed to reward.
The second reason is less comfortable and more important. If sustained AI use erodes the judgment of the people using it, then every month of unmeasured deployment lowers the baseline you will eventually measure against. The window for knowing what your organisation's human capability looked like before AI reshaped it is closing, and no regulator can extend that one. An organisation that waits until 2027 to measure will be measuring an already-diminished baseline and calling it normal. The honest baseline has a short shelf life, and it is shortening now.
There is a wider point here that outlasts any single regulation. The risk is not only that we lose oversight of today's systems. It is that we erode the cognitive foundations a workforce needs to recognise problems that do not yet have a name. Compliance with Article 14 is the budget line. Preserving the capacity to think independently alongside machines is the reason the budget line is worth defending. The regulation is the occasion. The capability is the point.
How to use the window
The work divides into three moves: baseline, fix, re-measure. None of them is exotic. The discipline is in doing them on the human layer, with evidence, before the deadline forces a rushed version.
Baselining the human layer means assessing oversight capability across the dimensions that actually determine whether a person can govern a system. The framework I have built for this, CHART, assesses five: cognitive readiness, whether people retain the independent judgment oversight requires; decision architecture, whether the points where a human can intervene are real or decorative; organisational honesty, whether the organisation can tell the difference between oversight that happens and oversight that is merely documented; workforce transition, whether roles and skills are changing fast enough to keep humans competent at the task; and accountability architecture, whether anyone would genuinely be answerable if an AI-assisted decision caused harm. The framework is openly published, because the value is not in keeping the questions secret. It is in the rigour of how they are assessed and acted on.
A baseline worth holding up to a regulator looks at the gap between documented governance and observed practice. Does the review actually change anything, or does it rubber-stamp? Has anyone ever used the override, and what happened to them when they did? If an AI-assisted decision caused harm tomorrow, who would answer for it under pressure, rather than on the org chart? Those gaps, between the policy and the practice, are where Article 14 readiness is won or lost, and they do not show up in an adoption metric.
Fixing what the baseline reveals is organisation-specific, but the categories recur. Where oversight is decorative, redesign the decision point so intervention is real. Where the most exposed users have deskilled, rebuild the judgment deliberately rather than assuming it survives. Where accountability is diffuse, name it and make it answerable. Where the workforce is transitioning without a plan, give it one. This is change work, not documentation work, and it takes the better part of the time the window provides. That is why starting in 2027 does not work.
Re-measuring before the obligations bite turns the work into evidence. A second baseline that shows movement is the difference between telling a regulator you take human oversight seriously and showing them you measured it, found it wanting, and closed the gap.
For UK and other readers
If you are reading this from the UK, the EU dates are not your obligation, but the logic is. The UK's assurance agenda is live, with DSIT convening an AI assurance effort and professional bodies, the BCS among them, shaping what credible assurance looks like. The question a UK regulator or a UK board will eventually ask is the same question Article 14 asks: can the humans overseeing these systems actually do it? A department or a firm that baselines the human layer now is ahead of that question by years, wherever it is eventually asked, and holds evidence rather than assertion when it comes.
The same applies to any organisation operating across jurisdictions where oversight obligations are emerging. The regulation that names the deadline will differ. The capability it tests will not.
What to do in the next ninety days
If you do nothing else with the window, do this much before the autumn:
- Decide who owns the human layer. Most AI governance has a clear owner for the technology and no owner for whether people can oversee it. Name one.
- Run an honest baseline on one high-risk use case. Not the whole estate. One system that matters, assessed for whether oversight is real or documented, while the pre-AI memory of the task still exists to measure against.
- Look specifically for the Self-Automators. Find the roles where entire workflows have been delegated to AI and the human has stopped exercising judgment. These are your highest oversight risk and they will not appear in any adoption report.
- Test one override. Pick a documented human-in-the-loop control and find out whether anyone has ever used it, and what happened when they did. The answer tells you more than the policy does.
- Write down the baseline. The value of an honest snapshot now is that it cannot be reconstructed later. Date it. You will want it in 2027.
None of this requires the final regulation to be settled, and none of it is wasted if the timeline moves again. The thesis never depended on a date. It depends on the fact that effective human oversight does not currently exist at scale, and that the capability to provide it is eroding while the deadline that would have forced the issue has just been pushed back.
The point
The deadline did not disappear. It moved to where the real work can actually be done. Brussels has handed every organisation in scope a rare thing in regulation: time, granted on the explicit understanding that the time is needed. The organisations that treat it as a holiday will arrive in December 2027 exactly as unready as they were this spring, and with one fewer excuse. The ones that treat it as a window will have spent that time measuring and rebuilding the human capability the regulation exists to protect.
The question is not whether your organisation will be compliant in 2027. It is whether, when someone asks your people to prove they can still govern the machines they rely on, the honest answer will be yes. That answer is being decided now, in the months everyone else is treating as a break.
Sources
- Digital Omnibus and AI Act high-risk timeline: European Parliament approval 16 June 2026; Council formal adoption 29 June 2026 (Council of the EU press release); deferral to 2 December 2027 (Annex III) and 2 August 2028 (Annex I). European Commission, Shaping Europe's Digital Future; White & Case and Gibson Dunn client alerts, June 2026.
- AI use archetypes (Cyborgs, Centaurs, Self-Automators): Randazzo et al., "Cyborgs, Centaurs and Self-Automators", Harvard Business School Working Paper 26-036, December 2025.
- Executive accountability and governance lag: IBM Institute for Business Value with Oxford Economics, survey of 2,000 CIOs and CTOs across 33 countries, published June 2026.
- Bias transfer and persistence: Vicente, L. & Matute, H. (2023), "Humans inherit artificial intelligence biases", Scientific Reports, DOI 10.1038/s41598-023-42384-8.
- Knowledge collapse: Acemoglu, Kong & Ozdaglar (2026), NBER Working Paper w34910, DOI 10.3386/w34910.
- Foundational knowledge and oversight: Klein, C.R. & Klein, R. (2025), "The extended hollowed mind", Frontiers in Artificial Intelligence, DOI 10.3389/frai.2025.1719019.