EU bought you 16 more months on AI Act compliance. Don't pause.
The news: On May 7, the Council of the EU and the European Parliament reached provisional political agreement to defer the AI Act's high-risk obligations under Annex III from August 2, 2026 to December 2, 2027, with embedded systems under Annex I pushed to August 2, 2028.
Why it matters: The delay is real but partial. GPAI obligations have been in force since August 2025, and the Commission's enforcement and fine authority over GPAI providers still kicks in August 2 this year, so any enterprise fine-tuning a foundation model for production use can land in scope as a provider itself on the original calendar. Brussels moved the goalposts because national competent authorities and harmonized standards for high-risk systems were not ready, which means the regulator-side readiness gap has widened, not closed. Trade press is already reporting US enterprises pausing AI Act preparation on the assumption that further extensions will arrive; legal commentators uniformly say that this is the deal.
What to do: Ask your compliance lead this morning whether anyone on your team has slowed AI Act conformity work since May 7, and pull the Annex III scoping memo from your August preparation forward into the December 2027 plan so that the work carries forward, not just the date.
Anthropic shipped 10 financial agents with full Microsoft 365 access
This week Anthropic launched 10 Claude-powered agents for investment banking workflows including pitch books, financial statement review, and regulatory compliance, and announced a $1.5 billion joint venture with Blackstone, Hellman & Friedman, and Goldman Sachs for enterprise AI distribution. The agents run on Claude Opus 4.7 and connect natively to Microsoft 365 with a Moody's data partnership behind them. Two things to do this week: pull the inventory of which Claude or competitor agents already have production credentials in your Finance org, and confirm M365 admin consent posture for new agent integrations before Procurement signs the paperwork. The Anthropic-Microsoft tie-up means agents land inside enterprise environments faster than the IGA conversation can catch up.
SAP S/4HANA has a critical SQL injection. Every recent release.
SAP disclosed CVE-2026-34260 on May 12, a CVSS 9.6 SQL injection in S/4HANA from missing input validation that lets a low-privileged authenticated attacker dump database contents and crash the application. Affected versions span SAP_BASIS 751 through 758 and 816, which is effectively every recent S/4HANA release in production. The fix is SAP Security Note 3724838, with a companion bug CVE-2026-34263 in SAP Commerce Cloud released the same day. Authentication is required, which keeps these off most external-facing CVE radars, but a low-privileged credential inside the system is enough. Pull S/4HANA admins into a one-hour patch window this week and audit which service accounts hold the low-privileged role that triggers the bug.
Watch This
72% of enterprises run agentic AI in production today and 60% lack any formal governance framework, per Deloitte's latest State of AI in the Enterprise. The 16-month EU regulatory cover is the moment governance teams either catch up to the AI Ops teams that beat them to production, or get their headcount reallocated to the next sprint. Have that budget conversation this month, not December 2027.
This week, DoGood network members are using the EU's deadline shift to recheck which AI projects had executive sponsorship tied to August 2 versus underlying business value. If you're rebudgeting AI governance work for the rest of 2026, that is the conversation your peers are already having.
