65 days until the EU AI Act becomes fully operational on August 2nd. Almost every enterprise I’m talking to is now treating the deadline as a project. That’s the first error.

The deadline is not the work. The deadline is what gets the work funded. The work itself is what changes the organization, and that work continues long after August 2nd has come and gone.

We learned this from GDPR. The companies that hit the May 25th, 2018 GDPR deadline as a project absorbed the fine risk and got back to business as usual. The companies that treated GDPR as the start of a multi-year reorientation of how they handle data are the ones whose data governance now looks credible to a board, a regulator, and a customer.

The Promise

The EU AI Act is the most coherent piece of AI regulation any major economy has produced. It distinguishes between risk tiers, between providers and deployers, between general-purpose and high-risk systems. It requires what governance maturity should require: an inventory of AI systems, a documented risk management process, demonstrable literacy among the people who use it, and accountability that travels with the deployment rather than stopping at the vendor boundary.

Companies that adopt the Act’s framework as their internal standard — rather than as a foreign compliance overlay — get something useful. They get an inventory of AI use across the organization, which most don’t currently have. They get a risk taxonomy that aligns with how regulators in multiple jurisdictions are now thinking. They get an accountability structure that survives staff turnover and vendor changes. This is the promise.

The Risk

The risk is what GDPR taught us. The fines are not the cost. The cost is what the fines fail to prevent.

Three risks worth pricing in. First, inventory debt. Most organizations cannot enumerate the AI systems they’re already running, including the agentic ones, including the third-party tools that have AI built in, including the developer tools, including the marketing automation. The inventory exercise is the first 60 days of work, not the deliverable.

Second, vendor concentration. Three or four foundation model providers underpin most enterprise AI workflows. The Act creates obligations on the deployer, not just the provider, which means that “we just used what they offered” stops being a defense. Organizations need documented assessments of each foundation model in use, including its EU AI Act classification.

Third, the literacy gap will start showing up where you can’t outsource it. Boards. Senior executives. People who sign procurement contracts for AI tools without reading the model card. Article 4 requires literacy across the organization. The board minutes from your June 2026 meeting will be a discoverable document if something goes wrong in 2027.

The Verdict

The Promise & Risk needle leans toward Promise — because the framework is good and adoption is feasible — but the verdict comes with a caveat. Hitting the deadline is not the win. Hitting the deadline while building the operational muscle that the deadline existed to force is the win.

The companies who treated GDPR as the start of a journey are the ones who absorbed the EU AI Act with weeks of work, not months. The companies who treated GDPR as a one-time compliance event are now starting the AI Act exercise from a cold start, again, eight years later.

In 2034, after the next regulation arrives, the same conversation will repeat. The only question is which side of it you want to be on.

For the longer analysis → I wrote a deeper piece comparing the GDPR pattern to the EU AI Act, with three specific risks to plan for in the next 65 days.

Read What GDPR Taught Us About How the EU AI Act Will Actually Bite