
In November 2025, the European Commission proposed pushing high-risk AI obligations under Annex III from August 2026 to December 2027. The political agreement that followed made it official. For organizations watching the AI Act closely, the message landed with a familiar sense of relief: more time.
That relief is misplaced, and it is also an opportunity. The deadline moved. The risk did not.
The models in production this morning still produce outcomes that affect policyholders, premiums, and access to coverage. State insurance regulators are not delaying. The NAIC Model Bulletin is in force. Colorado SB 21-169 is in force. NYDFS Circular Letter No. 7 is in force. Plaintiffs are not delaying. Boards are not delaying. AI exposures don't follow a regulator's calendar. They follow the controls that were, and weren't, in place when the model ran.
What the European Commission did give the market is sixteen months to choose the right governance stack and let it run. The requirements ahead are specific, and the tooling that meets them is not interchangeable with traditional risk and compliance platforms. The runway is a chance to evaluate purpose-built options, deploy them, and operate long enough to produce real evidence that the controls work. Programs that use the time this way will arrive at December 2027 with operating history behind them. Without that history, even a thorough program is hard to defend.
Here is how to spend it.
The most common gap across carriers and enterprises in regulated industries is the same. No one can produce a defensible list of the AI systems in production.
What closes that gap is a reconciled, business-owned inventory that includes embedded vendor models, third-party tools used by underwriting and claims, and the homegrown work that quietly became production.
This is not a months-long undertaking when it is approached as a control rather than a project. One Monitaur customer, a Fortune 200 financial services company, reached a published AI policy in 32 days and a working risk framework in 46. The inventory was the first deliverable, and the rest of the program was built on it.
Most organizations have an AI policy. Fewer have controls. Almost none have evidence that the controls operate. That is the chain regulators, auditors, and boards are going to ask about, and it is the chain that separates a governance document from a governance program.
AI policy defines the risk. Controls mitigate it. Evidence proves the controls worked.
Monitaur translates written policy into running controls, captures evidence of those controls in production, and produces the documentation that a regulator, an auditor, or a board can read without translation. The artifact that comes out the other side is not a binder. It is a defensible record of how a model behaved, who reviewed it, and what changed when the answer was wrong.
A governance program that documents risk without reducing it is not a governance program. It is a filing cabinet. This is the most important distinction between the GRC platforms that many organizations already license and the work that the EU AI Act, the NAIC Model Bulletin, and Colorado SB 21-169 are actually asking for.
GRC platforms organize and document risk. They do not move it.
Monitaur was built around a different premise.
A governance program should guide teams toward risk-reducing actions and produce measurable evidence that residual risk has, in fact, gone down. That measurement is the difference between explaining what you tried to do and demonstrating what you actually did.
For insurance, Brussels is one clock among many. The NAIC Model Bulletin has now been adopted in more than two dozen states, Colorado SB 21-169 and NYDFS Circular Letter No. 7 are in force, and a growing list of state Departments of Insurance and European supervisors all expect something specific and increasingly aligned.
The work to satisfy any one of these frameworks overlaps substantially with the work to satisfy the others. A program designed for the EU AI Act in isolation is a program designed twice. A program designed around a common control set, mapped once to each regulatory framework, is a program designed once. This is why Monitaur is purpose-built for insurance and regulated industries specifically, and not adapted from a general-purpose platform.
The fastest-growing source of model risk in most carriers right now is not the model the data science team built.
It is the model embedded in a vendor product.
Underwriting platforms, claims tools, fraud detection systems, customer service bots: each of these increasingly ships with AI inside, and the carrier that deploys it carries obligations of its own, not only the vendor that built it. Verisk, for example, has already put governance in place around its underwriting product, Discovery Navigator, which streamlines record review.
The next 16 months are an opportunity to establish a vendor AI standard. What documentation is required at intake:
Doing this before procurement velocity outruns governance capacity is much easier than doing it after.
Carriers that use the runway well will arrive in December 2027 with the work finished, confidently deploying AI to drive top-line growth without adding expense. They will have:
This is because the work will have already been built into the operating model rather than assembled in a race to deliver before the deadline.
The question is, when we get to the deadline:
OR
A delay in the EU AI Act is not a delay in AI risk. It is the opportunity to build the governance program your business needs, with the time to do it well.