The most repeated sentence in European AI compliance this spring is "the deadline got pushed to 2027." It is true, it is reassuring, and for most people building agents it is the wrong deadline. The one that was actually going to apply to them did not move at all.

Here is what happened. Implementation of the AI Act's hardest tier had visibly stalled — the standards, the notified bodies, the conformity-assessment plumbing were not going to exist in time. So the Commission tabled a "Digital Omnibus" simplification package in November 2025, and on 7 May 2026 the Parliament and Council reached political agreement on it. Formal adoption is expected before the original August date. The headline change: the high-risk obligations for stand-alone Annex III systems slide from 2 August 2026 to 2 December 2027, and the embedded Annex I rules to 2 August 2028.

That is a real, roughly sixteen-month reprieve — for the systems it covers. The trap is assuming yours is one of them.

The Act never regulated "AI agents." It regulates what you point them at.#

There is no chapter of the AI Act about agents, or about LLMs, or about any technology at all. The whole structure is a risk pyramid: a handful of unacceptable practices are banned outright; a defined set of high-risk uses carry the heavy obligations; everything that merely talks to people sits in limited risk with transparency duties; the rest is minimal. The classification attaches to the use case, not the code.

This is why "does the Act apply to my agent?" has no answer in the abstract. The identical agent framework is unregulated as an internal coding copilot, transparency-only as a support chatbot, and fully high-risk the moment you deploy it to screen job applicants, score creditworthiness, or triage students — the Annex III list. You don't inherit a risk tier from your model; you choose one with your deployment.

The deadline that didn't move is the one most agents hit#

For the great majority of agent products — the chatbots, the assistants, the content generators — the binding obligation was never the high-risk regime. It was Article 50 transparency, and the Omnibus left Article 50 exactly where it was: 2 August 2026.

Article 50 is short and concrete. If your system interacts with people, it has to disclose that they're dealing with an AI, unless that's already obvious. If it produces synthetic audio, image, video, or text, that output has to be marked — in a machine-readable form — as artificially generated or manipulated. That's it. No conformity assessment, no notified body, no EU database registration. But it lands on nearly every customer-facing agent, and it lands on schedule.

The reprieve covers the tier most builders were never in. The deadline they're actually subject to is still circled on the calendar.

And underneath all of it, two things have been live for a while and were never in scope for delay: the prohibited-practices ban since February 2025, and the general-purpose AI model obligations since August 2025. The GPAI rules mostly bind the model labs — documentation, a copyright policy, a training-data summary, and for the largest models (trained above 10^25 FLOPs, the systemic-risk threshold) evaluations, adversarial testing, and incident reporting. You feel them indirectly, as the paperwork your provider must now hand down so you can do your own compliance on top.

The part the statute wasn't built for#

Here's the wrinkle that makes agents genuinely harder to classify than the database-era software the Act was drafted around. A static system has a fixed purpose; you assess it once. An autonomous agent's purpose drifts at runtime. A tool you ship and document as a "general assistant" doesn't stay limited-risk because a user can point it at a hiring decision — and the Act fixes your obligations by what the system does, not by the label in your terms of service.

The same drift can flip your legal role. Most agent builders are deployers, with the lighter duties; the providers are the labs. But substantially fine-tune a model, ship a high-risk system under your own brand, or repurpose someone else's for a high-risk use, and you become a provider, with the full obligation set — at the moment of that act, not at contract signing. An agent that rewrites its own prompts and selects its own tools is a system designed to do exactly the kind of repurposing that moves the line.

This is the real reason the static-classification model strains against agents, and why runtime governance — knowing what your agent is doing now, not what you intended at launch — is becoming a compliance primitive and not just a safety one. The same logging and oversight you'd build to stop a prompt-injected agent from exfiltrating data is what lets you demonstrate which tier a shape-shifting system was operating in when a regulator asks.

What to do before August#

Skip the relief and do the triage. Map each agent to a risk tier by its actual deployment, not its codebase. If anything touches an Annex III domain, you have until December 2027, but you have it only if you've correctly identified it now. If an agent talks to people or makes content — and almost all do — treat 2 August 2026 as the live date it is: ship the AI disclosure, mark the synthetic output, and write down why you classified the system the way you did. The penalty ceiling for getting the banned-practices line wrong is €35 million or 7% of global turnover. The penalty for misreading a headline is quieter, and it arrives in August.