Delays in EU AI law buy time – here’s how to take advantage of it (Leader Forum)



The EU’s decision to postpone compliance with high-risk AI laws until 2027 has given organizations important breathing space, but the compliance clock is still ticking. Hexnode CEO Apu Pavithran says businesses need to act now to audit their AI systems, increase oversight, and use tools like unified endpoint management to meet future regulatory demands.

Europe is once again threading the most difficult needle between innovation and regulatory oversight. Ten years after the General Data Protection Regulation (GDPR), the bloc leads the world in regulating artificial intelligence (AI), mandating transparency, traceability and security of systems.

Despite passing the AI Act and quickly banning certain applications in 2024, the EU has just postponed compliance for “high-risk AI” until the end of 2027. This is good news for industrial operators and network administrators managing AI-enabled systems, because following this first-of-its-kind obligation is easier said than done. The delay provides important breathing space, but teams need to realize that the path to compliance is still shorter than it appears.

The road to regulation

Trust is the most important objective of this regulation. Broadly speaking, this law aims to protect human decision-making and build guardrails into automation. AI is not omnipotent, and there are no initial regulations that attempt to govern it. Instead, the bloc takes a step-by-step approach based on risk.


For example, the highest tier was enacted immediately and now prohibits practices such as social scoring, AI-based manipulation and deception, and emotion recognition in the workplace and education.

High-risk systems, the next stage on the horizon for implementation, include AI that poses significant risks to health, safety, or fundamental rights. This covers a wide range of areas including biometrics, critical infrastructure, employment decisions, and essential services. Providers (creators) of such systems must therefore demonstrate compliance across training data, technical records, and risk management.

Additionally, adopters (users) are also at risk.

Companies that use AI in a professional capacity, even if they did not build the AI, must ensure competent supervisory personnel, performance monitoring, and incident reporting within 15 days. Fines apply on both sides of the equation, with penalties of up to €15 million or 3% of global turnover for high-risk violations.

Clock to Compliance

Like the regulation itself, the timeline is ambitious. The bloc had hoped to be ready by August, but asked for more time by the end of March. This is because most member states have not yet established enforcement authorities and official guidance from the AI Directorate remains delayed. Regulators also needed more time and now have until the end of next year to bring everything online. This doesn’t mean businesses should wait. Rather, the compliance clock is still ticking and companies need to rewrite their processes and log them from start to finish.

Leaders can and should look back at the past decade to consider what lies ahead. European companies spent an average of €1.3 million preparing for GDPR, yet around a third were still unsure whether they were ready before it came into force. Because these intelligent systems exist across device fleets, edge infrastructure, and network endpoints, AI is likely setting an even higher bar to clear. Teams need visibility into their entire ecosystem before they can classify, audit, and monitor it.

It’s also worth remembering that following new automation rules can go a long way toward protecting a company’s reputation beyond compliance. Air Canada learned this the hard way when its chatbot “hallucinated” and falsified fare information, leading to legal action. Under the AI Act, such incidents are subject to reporting requirements if the misinformation causes significant harm. Considering all of this, companies need to have an accurate picture of their ecosystem and the smart tools that operate within it.

Businesses need to move now

Regulatory compliance and teething pains often go hand in hand. Therefore, businesses should take advantage of this additional time and immediately re-evaluate their digital footprint.

Audit your ecosystem and understand where automation is impacting you. Many organizations don’t have a clear inventory of endpoints running AI-enabled applications (predictive maintenance, automated provisioning, network optimization tools), so this is where you need to start. A unified endpoint management (UEM) platform provides central visibility into what’s deployed where, patch status, and configuration baselines. Additionally, UEM automates the compliance documentation and logging expected by regulators. Teams can also take this a step further by layering extended detection and response (XDR) to detect and respond to what’s happening in real time.

Also create a clear chain of command for quality control and incident detection. The law requires a human in the loop, so you must assign qualified personnel, document their training, and establish escalation paths. Essentially, regulators want to make sure that companies are not just implementing AI and leaving everything to the machines. Express your thoughts and include redundancy.

Regulations are often pioneered in Europe, so even if your company is not affected, this law is worth noting. The bloc acknowledges that AI is here to stay, but (rightly) refuses to proceed with its applications without some ground rules. Businesses around the world need to carefully consider what this means and how getting ahead of it now means complying with tomorrow’s rules and protecting their reputations.

Apu Pavithran is the founder and CEO of Hexnode, an industry-leading endpoint management solution that provides a comprehensive feature set to secure, manage, and remotely monitor devices across your enterprise. Apu is a prominent consultant, speaker, and thought leader in the IT management community with a focus on governance and information security.


