Russell Buzby

The European Union’s AI Act sets 2 August 2026 as the enforcement date for high-risk AI system obligations on deployers. The deadline is nine weeks away. Multiple studies published in late May found that the public sector organisations who will need to comply are nowhere near ready, and that the gap between having a governance framework on paper and being able to demonstrate compliance is much wider than the regulatory discourse has been suggesting.

A pre-enforcement audit by Sajja and colleagues, deposited on Zenodo on 21 May 2026, examined documentation of deployer obligations across three workstreams: Estonian public-sector AI deployment records, EU procurement notices for AI products and services, and AI policy documents adopted at member-state level. The obligations under audit are the ones the Act will start enforcing in August. They cover data governance and operational logging on one side, the deployer’s transparency to affected persons (and the human oversight that has to be meaningful rather than nominal) on the other, and fundamental rights impact assessments for sensitive use cases on top of both. The documentation in support of these obligations is sparse across all three workstreams. The Estonian case study is not chosen because Estonia is laggardly. It is chosen because Estonia is one of the most digitally mature public sectors in Europe and has the institutional infrastructure to do this well if anyone does. The finding that documentation remains sparse is therefore a strong signal about the readiness gap across the broader European public sector, not a comment on Estonia specifically.

A complementary OECD study published in the Observatory of Public Sector Innovation evidence base covered one hundred and forty-three public-sector AI cases across member countries. The findings are the same shape. Persistent barriers across the case base include data gaps and skills shortages (with legal uncertainty close behind), and the OECD authors note that the skills shortage is the most frequently cited single barrier. Institutional and human capacities shape AI outcomes more strongly than the underlying technology selection. The policy implication the authors draw is that capacity building should be treated as an iterative, adaptive process rather than a fixed prerequisite. The compliance implication is sharper. Organisations that lack the underlying capacity to operate AI responsibly will not be made compliant by an enforcement deadline. They will be made non-compliant on the record, which is a different problem.

An Australian study by Pan and colleagues at the University of Wollongong, deposited on arXiv on 28 April 2026, mapped the variation in quality of government AI Transparency Statements across the AITS-101 dataset of one hundred and one Australian public-sector statements. The finding is substantial variation. Some agencies have done the work and have the artefacts to show for it. Many have produced statements that disclose less about AI use, fewer specifics about risk treatment, and looser detail about review mechanisms than the cross-jurisdictional comparators suggest is achievable. The Australian Transparency Statement regime is a useful natural experiment in what voluntary-disclosure-with-quality-variation looks like in practice. It also gives the Commonwealth a clear baseline against which the EU Act’s mandatory regime can be compared.

A Brazilian study by de Lima and colleagues (deposited on Zenodo on 18 May 2026) surveyed one hundred and twenty-three public-sector AI practitioners on the gap between ethical principles and technical requirements. The findings are blunt. Over seventy-five per cent of respondents reported that they struggle to translate ethical principles into technical requirements. Fewer than a quarter perceive alignment across the technical and legal teams (and the managerial layer above them) that would be expected to operationalise AI governance together. Extrinsic drivers (legal compliance) outweigh intrinsic ones (organisational motivation). The Brazilian study is the most readable as a diagnostic. It locates the implementation gap precisely where it sits in practice: in the relationship between the team that builds the system, the team that signs off the compliance documents, and the team that owns the operational accountability when the system produces an output.

The common thread is the gap between rhetorical commitment to responsible AI and demonstrable evidence of compliance. The Act assumes that public-sector deployers will have processes that produce evidence. The studies cited above suggest that, ten weeks out, the processes are still being built or have only partially been operationalised. An IAPP analysis in early May noted that most SMEs and many public-sector deployers will miss key evidence requirements before the August 2026 deadline. A political agreement reached on 7 May 2026 to defer high-risk enforcement to 2 December 2027 has not yet been formally adopted; the binding date remains 2 August 2026. The shape of the implementation gap does not depend on which deadline finally applies.

On paper the EU regime is straightforward. The regime requires deployers to retain logs, comply with transparency obligations, conduct fundamental rights impact assessments for sensitive use cases, and ensure human oversight is meaningful rather than nominal. The regime also covers legacy high-risk AI systems placed on the market before the August 2026 date; these must be brought into compliance or retired by August 2030 under Article 111(2). The regulatory architecture of the regime is clear. The institutional capability inside deployer organisations to meet it is not.

For the consulting market the implication is clean. There is a near-term advisory opportunity at scale across European public-sector deployers, Australian agencies running parallel readiness work for domestic regulation, and any organisation with a European nexus that has not yet mapped its deployer obligations against its actual operational practice. Rapid compliance assessments and gap analyses sit alongside deployer obligation mapping (with FRIA scoping and audit-readiness work attached) in the same gap. The work is not glamorous. It is the kind of methodical institutional analysis that the consulting industry has delivered for environmental compliance and financial services regulation in earlier regulatory waves (with the workplace health and safety wave before both as the longer-running analogue). The shape is recognisable.

The political reading is different. The studies I have cited above, together, frame the readiness gap as an institutional capability problem, not a technology problem. That distinction matters because the policy response to a technology problem tends to be a procurement decision (buy a better system, buy a better tool, buy a better consultancy package), while the response to an institutional capability problem is a longer-cycle investment in the staff and processes (and the oversight architecture wrapped around them) that produce evidence reliably over time. I have written separately about the same shape showing up in Australia’s AI governance reality check, in the Commonwealth’s AI procurement rule tightening, and in the launch of AI.gov.au. The pattern is consistent: the rules are getting clearer faster than the agencies’ capability to comply with them is being built.

The deeper question is whether the EU AI Act’s enforcement date will be treated by public sector deployers as a deadline (with an enforcement risk that motivates investment) or as a symbolic milestone (after which the policy framework continues to evolve but the underlying operational practice remains unchanged). The studies suggest the second outcome is the more likely one without targeted intervention. Rhetorical commitment to responsible AI is not the same as demonstrable compliance. Enforcement is weeks away. The advisory work has to start now to arrive in time to make any difference at the August date, and the procurement work to acquire that advisory capability is its own delay function on top.

References

Çelik, T. et al. (2026, 19 May). Human and Institutional Capacity in Public Sector AI Adoption: Evidence from OECD OPSI Cases. Igdir Sosyal Bilimler Dergisi. https://doi.org/10.54600/igdirsosbilder.1874248

de Lima, R. et al. (2026, 18 May). Operationalizing AI Ethics in the Brazilian Public Sector: An Empirical Study of Practitioners’ Motivations, Perceptions, and Expectations. Zenodo. https://doi.org/10.5281/zenodo.20262393

European Commission. AI Act implementation timeline. AI Act Service Desk. https://ai-act-service-desk.ec.europa.eu/en/ai-act/timeline/timeline-implementation-eu-ai-act

Pan, S., Gong, X., Xia, F., Sun, J., Xu, Z., & Zhu, L. (2026, 28 April). The Creation and Analysis of Government AI Transparency Statements in Australia. arXiv:2604.26075

Sajja, R. et al. (2026, 21 May). Public evidence for AI Act deployer obligations before enforcement: A baseline from Estonia, EU procurement, and AI policy documents. Zenodo. https://doi.org/10.5281/zenodo.20329189