The EU AI Act deadline has moved, but data lineage can’t wait
Despite moving deadlines, data lineage remains crucial for AI initiatives.
The deadline for high-risk AI compliance under the EU AI Act may well have been pushed back. And for overstretched compliance teams, that might sound like welcome relief. But the organizations that will thrive in the age of AI are the ones that understand that an arbitrary deadline was never really the point.
The race to deploy AI is already in full swing.
Models like Claude Mythos and OpenAI’s GPT-5.5, dubbed "Spud", represent extraordinary leaps in capability. In the right hands, they accelerate decisions, surface insights, and create genuine competitive advantage. In the wrong hands, or without proper oversight of the data feeding them, the consequences can be catastrophic.
As Pocket OS discovered recently when an AI agent wiped out the company’s entire database in nine seconds.
What the EU AI Act actually demands
When you strip away the regulatory language, what the EU AI Act is really asking for is provability. Article 10 sets out that high-risk AI systems, those used in credit scoring, insurance underwriting, hiring decisions, and similar consequential applications, must be built on training data that is traceable, well-governed, and demonstrably free from bias.
Organizations must document data origins, every transformation applied, the assumptions made, and how potential biases were identified and addressed.
This is not a box-ticking exercise. It is a fundamental rethinking of how organizations manage their data estates. And the penalties for getting it wrong are steep: up to €35 million or 7% of global annual revenue.
The underlying problem is that most enterprise data infrastructure was not designed with this level of traceability in mind. GDPR established guardrails around data storage and access, but the AI Act raises the bar considerably.
You now need to trace data from its original source, through every transformation, to its final impact on model outputs. Anecdotally, AI model validation can take between nine and 12 months, and that assumes you have the lineage infrastructure in place to begin with.
The financial services imperative
Nowhere is this more consequential than in financial services. Credit scoring models trained on historical data can encode the biases of the past, automating financial discrimination at scale, often without any individual in the organization realizing it is happening. A bank that cannot trace how a training dataset shaped a model’s outputs is not just exposed to regulatory risk. It is potentially perpetuating systemic harm.
The irony is that the sector has been here before. BCBS 239 already requires financial institutions to demonstrate data accuracy, integrity, and the ability to aggregate risk data on demand. The AI Act is not a new category of challenge, it is an intensification of one that rigorous data lineage was already built to address.
Data lineage as infrastructure, not compliance overhead
The organizations best positioned for this moment are those that have stopped thinking about data lineage as a compliance cost and started treating it as core infrastructure. There is a crucial distinction between these two perspectives.
The focus must now be a governance model that catches problems during design, before a model ever reaches production, rather than during an incident response. Lineage makes this kind of proactive governance practical at enterprise scale.
Bi-temporal lineage allows teams to recreate the exact data state used for model training at any point in time, which is essential for audit purposes. More importantly, it allows teams to simulate the downstream impact of a data or schema change before it happens, preventing the kind of silent model degradation that can quietly undermine ROI.
The window is shorter than it looks
The deadline extension offers time, but not as much as it might appear. US regulators are already integrating AI into supervisory examinations. Gartner predicts that by 2028, 50% of organizations will adopt zero-trust data governance as AI-generated content proliferates through enterprise data supply chains. The regulatory direction of travel is clear and consistent.
Getting AI governance right requires building the lineage layer first. That is not a project that happens in weeks. And the organizations that start building now, not because a deadline forces them to, but because they understand what is at stake, will be the ones deploying AI at scale with confidence, auditability, and genuine trust.
The EU AI Act just got a stay of execution but organizations that treat it as breathing room may be sleepwalking into a far bigger problem.
We've featured the best AI tool.
This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today.
The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit
Share
What's Your Reaction?
Like
0
Dislike
0
Love
0
Funny
0
Angry
0
Sad
0
Wow
0
