36 Comments
User's avatar
ToxSec's avatar

now that i've published enforcement timelines for three separate regulatory deadlines, i fully expect all of them to get delayed by at least six months. you're welcome. consider this article a public service.

John Holman's avatar

Lol yep they are already talking 2027 or 2028

ToxSec's avatar

love the new avatar. yeah december 2027. by the time they launch it will be outdated or too late lol. good luck regulating these local models if you kick the can any more..

John Holman's avatar

Buddy the audit trail gap you described is real…

so we built something about it.

Compliance Labs produces mechanistic interpretability audits of fine-tuned AI models — basically, we open the model, measure every internal feature the fine-tuning created, modified, or eliminated, and produce a signed technical document of what the model actually learned. Layer by layer. Statistically validated. PhD-signed and ready to file.

The thing your readers are going to hit: Article 13 doesn't just want a policy document. It wants technical documentation of what changed between your base model and your deployed version. Most teams have no idea how to produce that. We do.

Our methodology just went into NeurIPS 2026 review. One of our core findings is that output testing alone isn't enough — a model can show major internal reorganization while outputs look totally normal on standard evals. Neither measurement alone is sufficient. (We call it the two-measurement requirement, because naming things is fun.)

If you've got readers staring down August 2 with a fine-tuned model and no documentation — http://compliance-labs.ai. The math against €35M works out pretty fast.

Great breakdown as always. The shadow AI inventory problem is going to age like milk.

Erik Boehm's avatar

What you built is not runtime governance. You cannot regulate autonomy or autonomous agents before or even after the moment of decision arrives... You have to build something that enforces choices in ai agents in real time, forcing them to either act or stop. Nothing else is permitted, ever. My system is flawless in execution and unique in innovation. Nothing like it exists yet on this planet. Maybe we can team up in the near future. My MVP is almost complete so you will know soon exactly what I've created.

John Holman's avatar

I never said it was runtime governance. We created an accurate survey and accounting of what's changed and the results its creating in a finetuned or lora specific model.

jaycee's avatar

“You can build whatever AI you want, but you must prove you understand the risks, control them, and can audit your decisions.”

ToxSec's avatar

i wonder how many can actually do this. hah.

ToxSec's avatar

yeahhhhhhhh.

I actually had a couple of lines in the piece originally that joked about this. Thanks for the follow up, it's honestly not surprising, just disappointing.

Francois (Korzibsky’s Ghost)'s avatar

Disappointing...and dangerous!

Bad actors have been given a blank check to keep on scamming and stealing.

The NatSec implications should be obvious...except in DC, of course!

Robert C Culwell's avatar

Central Planning and Free Markets in the Surveillance Economy and the age of AGI:

https://claude.ai/public/artifacts/4a13a9dd-ec74-4ce5-89f1-f9a7c49dc9b2

.....to live in interesting times, Amigos! 🌐🐲📜⚖️🦅

Robert C Culwell's avatar

Thank you!

ToxSec's avatar

😁🙏

Philip C's avatar

Enforcement is set to be an interesting issue under the EU AI Act, as most of the 'high risk' systems that you mention will only be subject to self-assessment and self-declaration (of conformity). Yes, manufacturers will need to have their documentation "ready for inspection" well before deadline day (whenever that turns out to be!) but who is going to be doing the inspecting?

ToxSec's avatar

it’s going to be interesting for sure. i’m hoping it gets taken seriously, and they spin up actual inspectors and not just a bunch of self attestation and box checking. we’ve seen both these patterns before.

Clint Cain's avatar

I hope these would actually be enforceable.

The "Shadow" has already broken out! lol

ToxSec's avatar

no kidding lol. i’m hoping it lands strongly like GDPR. but time will tell.

Dheeraj Sharma's avatar

Wow.. a treasure trove list in 2026 for AI Governance, thanks for sharing!!

ToxSec's avatar

really appreciate that Dheeraj. let’s hope they don’t keep getting kicked down the road!

Jonatan's avatar

Solid overview. Enterprises with compliance experts and budgets will figure this out. It'll be painful and expensive, but they'll get there. What I keep thinking about is the gap below: SMEs and solo developers shipping or deploying increasingly capable AI systems without meaningful governance infrastructure. If those systems land in high-risk territory under the EU AI Act, they'll need the high-risk compliance stack across the system's lifecycle. The Act has sandboxes and microenterprise carve-outs, but no blanket SME exemption. When enforcement hits, flying without governance becomes bet-the-company.

ToxSec's avatar

really appreciate that Jonatan. i think you hit on an interesting perspective. ai coding is enabling a lot of smaller organizations to ship and deploy with less people. they aren’t going to have the same expert GRC staff available.

and from what i can tell, these have teeth. will be interesting to watch this unfold.

MetaCortex Dynamics's avatar

Discussed this in Thunderous applause. It's not enough.

ToxSec's avatar

haha great reference. these are deranged compared to their first iterations. it’s better than nothing, but i think FOMO keeps them from getting too aggressive.

MetaCortex Dynamics's avatar

This is going to be an aggressive game of whack-a-mole

ToxSec's avatar

I literally have no doubt lol. and with the U.S. one, the federal government is trying to override California's authority. and now EU is talking about a delay to Dec 2027.

MetaCortex Dynamics's avatar

The preemption fight is the tell. When the federal response to fragmented enforcement is 'let us override the states' instead of 'here's a coherent standard,' you know nobody has the architectural answer yet. Delay doesn't fix the substrate problem, it just moves the fine date.

ToxSec's avatar

and i think the problem compounds with the speed of ai innovation. by the time these hit, they will be outdated.

MetaCortex Dynamics's avatar

Bingo, reminds me of the anti-virus industry in the 90's always one mutation behind.

Erik Boehm's avatar

None of you are building what I'm building. I've got all the deadlines beaten. Remember my name and remember MirrorOS. The future of runtime governance is coming soon. Patience is a virtue, so rush nothing my friends. Someone needs to save the world. I guess that would be me ...

User's avatar
Comment removed
Apr 10
Comment removed
ToxSec's avatar

fair. i do think they are kicking the can a bit, but the 7% fine is pretty serious at least. we’ve seen the GDPR get some respect once it issued google and apple hefty fines.

i’m thinking we are going to see some of the same.

User's avatar
Comment removed
Apr 10
Comment removed
ToxSec's avatar

I still remember the google street wifi sniffing incident from 2010. illegal, but they just kept paying the 25k fine and selling the data for $$$.

Jonatan's avatar

Fair instinct that the EU AI Act has gaps worth criticizing, but I'd push back on the specifics.

On the delay: the Digital Omnibus proposal to push high-risk obligations to December 2027 may well land. That's the current direction of travel. But it's still a proposal in negotiation, not adopted law. Relying on legislative rescue isn't a compliance strategy, and that's why enterprises are scrambling toward the August 2, 2026 operative date despite the Omnibus. Worth remembering too that the Act's prohibitions on unacceptable-risk practices have been in force since February 2025. The Act isn't a future event in the abstract as parts of it are already live.

On data handling: I'd read that as mostly GDPR territory if you mean personal data: purpose limitation, retention, access, deletion are covered there, with their own penalties. For non-personal data, the EU has so far left that largely to contractual freedom rather than building a GDPR-style regime. So it's less an AI Act gap than a choice about where to constrain freedom of contract.

On "watered down": I'd agree the GPAI compromise is a fair target for that critique. But conformity assessments, risk and quality management systems, technical documentation, human oversight, and post-market monitoring aren't a light lift for the organizations actually implementing the high-risk stack.

ToxSec's avatar

really interesting point on data handling. i think we are going to see some enterprise get burned from Aug 2.

seems like some of this is compromise, but some of it really does have some good direction.

but i’d rather have something than nothing at this point.