On 29 June the Council gave its final green light to the Digital Omnibus on AI. Boards across Europe, and a good number in the United States, heard one word. Delay. AI governance moved quietly back down the priority list, into the pile of things that can wait until 2027.
What actually moved is narrow. Stand-alone high-risk systems shift to 2 December 2027, and high-risk systems embedded in regulated products to 2 August 2028. What did not move is the part arriving first. The Commission's enforcement powers over general-purpose AI models activate on 2 August 2026, ending the one-year adjustment period in which the obligations applied but nobody could be fined. Article 50 transparency obligations apply the same day. The analysts at EWSolutions call this the two-clock problem, and they put the inventory gap underneath it. Most organizations are reading the wrong clock.
Before the legal reading, though, something I saw first hand more than a decade ago.
I worked on the cookie law from the start, first as a consultant helping organizations prepare before it came into effect, later leading the implementation inside a large multi-brand retailer, first in the Netherlands and then across its European brands.
The law never used the word. The Dutch provision sat in telecom law and covered storing information on, or reading information from, a user's device, whatever the technique. Technology-neutral, by design. Everyone called it the cookie law anyway, the press first and then the rest of us, and the name did the scoping. So organizations built inventories of their cookie use. They did not inventory web beacons, tracking pixels, or fingerprinting, all of which the rule covered. Moving a large organization from "only cookies" to "all tracking technologies" took months, and until then, every list produced was confidently incomplete.
Then we finished. Someone marked it v1. Within weeks a marketing team added a tag, a partner updated a script, a campaign shipped with an embedded video, and the register described a website that no longer existed. Compliance became a game of catch-up against colleagues building faster than we could inventory them. The register was never wrong on the day it was written. It was wrong on every day after.
Which is why correcting the two-clock misreading does not fix much. Ask a leadership team whether Article 50 applies to them and watch what happens. Article 50 is not about high-risk systems. It covers systems that interact with people, generate content, or infer things about them. Every chatbot on a service page. Every generated product description. Every synthetic image in a campaign. The question is not whether the rule is hard. The question is whether anyone can hand you the list of systems it touches.
In most organizations, nobody can, and it fails in the same place the cookie register failed. At the definition. Say "AI" in a room of twenty people and some hear ChatGPT and Claude. Others hear machine learning. Does the vendor's recommendation engine count? Does the scoring rule someone wrote in SQL nine years ago? The AI Act has a formal definition and it is broader than most of the room assumes, but circulating the legal text resolves nothing. This gets resolved the way data management has always resolved it, by agreeing what a thing is before you try to count them, and by making that definition hold across brands, markets, and business units that have every reason to interpret it differently. A single team settles this in an afternoon. A federated organization does not settle it at all unless someone is accountable for the answer and has the authority to make it stick.
Which brings me to the part of the Omnibus almost nobody discussed. Read the Commission's own reasoning for the deferral. Implementation was off track. Harmonized standards were not finished. National competent authorities were not designated. Compliance tooling did not exist. The regulator did not decide the risk was lower. It decided that the machinery required to make compliance possible was not ready, and that rules should not land before the support for them exists.
That is a public admission that compliance is a capability with dependencies, not a date. The regulator itself found out how difficult those dependencies can be, and moved its own deadline. Boards read the headline and concluded they had been given permission to stop.
Not everyone thinks the deferral was benign. The Jacques Delors Centre argues the Omnibus makes substantive changes without impact assessment or public consultation, weakening oversight while producing legal uncertainty rather than reducing complexity. If the dates can move once, they can move again. A program built around a date stops the day the date moves. A capability does not.
So the sixteen months change nothing on their own. They are time, and time only counts for organizations that were already doing something with it. The rest arrive in December 2027 exactly where they stand today, because the deadline was the only thing making the work happen, and the deadline is what moved.
We did eventually get the cookie register to hold. Not by trying harder. We closed the door. Tracking code could only reach production through a tag manager run centrally by a team reporting to me. External scripts that could change what was tracked were removed, down to hosting the share buttons ourselves. A committee of legal and data people assessed every new request before it shipped. The register stopped decaying because deploying something and registering it became the same act. Discipline was not required. Bypassing was.
There is no tag manager for AI. It arrives through procurement, through your own data science team shipping a feature, through a line in a vendor's release notes on a Tuesday, through a model embedded in software you bought three years ago, through a colleague with a browser and a deadline. The door does not exist, and it cannot be built. Whatever keeps an AI register current, it will not be control.
That leaves one mechanism. Scope the register to the legal definition and you have produced a compliance artifact, and compliance artifacts go stale because nobody needs them between audits. Scope it wider than the law requires, to everything someone in another business unit would want to find before building something similar, and it becomes a place people go to look for things. Registers people use stay current, because the people using them notice when they are wrong. Control would have been the clean answer. Between shadow AI, vendors shipping on their own schedule, and tools entering through every corner of the business, we do not have that luxury this time. The only option left is to build a register people have a reason to open.
In under three weeks the first clock strikes. The enforcement actions land in the autumn, and they will show who could produce the list on the day it was asked for. The harder test comes later. The organizations that can still produce it in December 2027 will be the ones who built something the business actually uses. Building to the deadline is a mistake. Building for business relevance is what makes it last.