Pre-Mortem: The EU AI Act’s Accountability Gap


On 2 August 2026, the EU AI Act gives the EU AI Office the power to fine the developers of general-purpose AI models up to three per cent of global annual turnover, demand documentation, and commission independent access to source code. Three weeks before that date, the high-risk AI compliance deadline moved from August 2026 to December 2027, enacted as binding law on 29 June. The two facts share a date. They do not share a plan.

This is the ninth piece in the Pre-Mortem series. Five questions, applied to the public record, before a programme has had the chance to succeed or fail.

 

The Bet

The EU is betting that extending the deadline for high-risk AI compliance by 16 months, agreed in May 2026 and enacted on 29 June, produces better enforcement outcomes than a met deadline inside a half-prepared enforcement architecture. The logic holds. As of August 2026, only nine of 27 member states have shown advanced public implementation of enforcement infrastructure. Germany has designated the Bundesnetzagentur as its market surveillance authority and adopted draft transposition legislation. Spain built the AESIA, a dedicated supervisory agency, from scratch. Ireland deployed fifteen coordinated authorities under a central National AI Office. Those are genuine structural commitments. Eighteen member states have not reached that point. The extension gives them time. Whether they use it is the bet.

 

The Assumption

The entire framework rests on this: that national competent authorities, operating under 27 different legal frameworks, will converge on consistent enforcement before December 2027. The AI Act is a directly applicable regulation. Its enforcement infrastructure is not. The regulation sets the rules uniformly across the bloc. The authorities responsible for applying them have been built at very different speeds, under very different political conditions. That divergence is the risk the extension is buying time to close. There is no public commitment that the time is sufficient.

 

The Sequence

The AI Act entered into force in August 2024. Member states were required to designate their national competent authorities by August 2025. At least twelve missed that deadline. Seven months later, in May 2026, the Council and Parliament agreed to simplify the rules as part of the Digital Omnibus package. On 29 June, the high-risk AI deadline moved. What remains in force on 2 August is a narrower set: general-purpose AI model obligations and transparency requirements for new deployments. The high-risk AI rules, the Act’s original centre of gravity, are no longer in that set. Governance was adjusted to fit the readiness gap. That is not the order in which enforcement architecture is supposed to be built.

 

The Pager

Lucilla Sioli, Director of the EU AI Office, carries accountability for general-purpose AI enforcement from 2 August. For high-risk AI systems, including credit-scoring models, recruitment tools, and systems used in border control, healthcare, and law enforcement, accountability rests with national competent authorities. In 17 of 27 member states, no public designation exists. The Act names the category. Seventeen member states have yet to name the person.

 

The Proof

The measure that would settle this in 2028 is year-one enforcement consistency: the share of member states that have conducted at least one formal high-risk AI enforcement action, under the same evidentiary standard, in the first twelve months after the December 2027 deadline. No EU institution has publicly committed to publishing that figure. The AI Office’s annual progress reporting is the closest mechanism on the public record. It tracks activity. No published mechanism commits to measuring whether enforcement actions are consistent across member states.

 

Verdict

If the Commission designates a public accountability owner in each member state before December 2026 and commits to publishing year-one enforcement data by name, the 16-month extension holds up as a governance decision made under realistic conditions. Without that, a framework that took two years to reach enforcement hands itself an extension with nobody carrying it.

Plans Don’t Deliver Outcomes. Decisions Do.

The biggest myth in project management is not that it is only about schedules and budgets. That myth was debunked so long ago it barely warrants a mention.

The real myth is more dangerous: that a good plan delivers an outcome.

It does not.

A plan is the document everyone agrees on before the work starts. Delivery is determined by the thousand decisions that happen when that plan meets reality.

 

What a Plan Actually Is

A project plan is a structured expression of intent. It represents the best thinking of a group of people, at a specific point in time, about how they expect work to unfold.

The moment work starts, the plan begins diverging from reality. Not because the planning was poor. Because work is complex, environments shift, and the future is not fully knowable in advance.

The plan does not respond to those divergences. People do.

Someone decides what gets prioritised when two workstreams compete for the same resource. Someone decides what gets descoped when the timeline compresses. Someone decides what gets told to the sponsor and what gets managed quietly at team level. Someone decides whether to hold to the original scope or absorb a late change request that no one has formally costed.

These are not project management artefacts. They are leadership decisions. They happen every day, in every programme, at every level, and the cumulative quality of those decisions determines the outcome, not the quality of the plan that preceded them.

 

What the Data Shows About Plans and Outcomes

McKinsey’s research with Oxford’s Global Projects programme, originally published in 2012 and still McKinsey’s standing figure on its current insights page, based on more than 5,400 IT projects, found that just one in every 200 large IT projects meets all three basic measures of success: on time, on budget, and delivering intended benefits. The same research found that 17 per cent of large IT projects go so badly they threaten the very existence of the company delivering them. Bain’s January 2026 research on reorganisations, based on a survey of nearly 1,000 global executives and employees, found that 88 per cent of company leaders believe their new organisational structure will achieve its goals. Only 36 per cent of the employees actually working inside those structures agree.

These are organisations with project plans. Most of them had quite detailed ones.

The plan was not the variable that determined whether the transformation succeeded. The decisions made inside the transformation were.

McKinsey has been explicit on this, in its analysis of large technology programme management: traditional project management is not built for the complexity of managing a large number of interdependent workstreams. What that observation is really describing is a decision-making capacity problem, not a planning methodology problem.

When multiple workstreams intersect, when dependencies conflict, when assumptions that underpinned the plan prove false, the organisation needs fast, well-informed, appropriately escalated decisions. The project plan cannot make those decisions. A governance structure can enable them, but only if the people inside it are willing and able to act.

 

The Organisations That Deliver

I have worked across a wide range of organisations and programmes. The ones that consistently deliver are not the ones with the most sophisticated planning tools or the most comprehensive project documentation.

They are the ones with a leadership culture that makes fast, honest decisions when the plan diverges from reality.

That culture has specific characteristics. Issues get escalated without penalty. Status reporting reflects what is actually happening, not what the sponsor wants to hear. Scope changes get properly evaluated and decided, rather than quietly absorbed and then discovered six months later as the reason for a cost overrun.

Decisions about resources, priorities, scope, and timing get made by the right people at the right level, at the point when the decision matters, not deferred until the situation has become a crisis requiring emergency intervention.

This is not about removing the plan. A plan is genuinely useful. It creates shared understanding, allocates resources, sequences work, and provides a baseline against which reality can be measured. All of that matters.

But the plan is the starting point, not the delivery mechanism.

 

The Governance Gap Nobody Names

Most programme governance is designed to review progress against plan. Status reports, RAG ratings, milestone trackers, action logs. These are retrospective instruments. They tell you where you have been relative to where you intended to be.

They do not, by themselves, generate decisions.

A programme with robust governance can still fail because the governance structure reports on problems without resolving them. The issues log fills up. The risk register grows. The steering committee meetings run to time, and the programme slides, week by week, toward a late and over-budget delivery, or a cancellation that could have been a scope-reduced success.

The missing element is decision velocity, the willingness and authority to make the calls that change the trajectory, rather than the calls that record that the trajectory has changed.

 

What Good Actually Looks Like

The shift required is not from planning to improvisation. It is from planning-as-delivery to planning-as-baseline.

Build the plan. Use it. Measure against it. But invest as heavily in decision-making culture as in planning rigour. Who has authority to make what decision at what level? How fast can an escalation reach someone with genuine authority? What happens to the person who brings a difficult problem to the steering committee: are they received as someone providing valuable intelligence, or treated as someone who has failed to manage their workstream?

The organisations with the best project outcomes have thought hard about these questions. They are not the ones with the best plans.

They are the ones that can make the right call at 9am on a Tuesday when the plan says one thing and reality says another.

That capacity is the real delivery engine.

Deploy Now, Govern Later as a Strategy Just Expired

.

Nearly three-quarters of companies are planning to deploy agentic AI within two years. Only 21% of them report having a mature model to govern it.

That gap, not a headline percentage on its own, is the structural condition enterprise AI now operates under, according to Deloitte’s 2026 State of AI in the Enterprise report. The same report found that sanctioned AI tool access has grown 50% in a single year, from under 40% to around 60% of workers. Read those two findings together and the picture is not ambiguous: deployment is accelerating faster than governance can follow, and roughly four in ten workers still operate without any sanctioned AI tool at all, which is exactly the population most likely to reach for something unapproved.

Framing this as a planning problem, something to address in the next cycle, stopped being an accurate read of the situation in the first week of July 2026.

 

Why the Timing Changed, Not the Substance

The EU AI Act’s Article 50 transparency obligations take effect on 2 August 2026. The Five Eyes intelligence alliance issued a joint statement on 29 June warning that frontier AI could transform both cyber offence and defence “in months, not years,” with attackers already moving from initial access to data theft in under 72 minutes. Available coverage of the statement does not indicate that it singles out enterprise AI tools by name as an attack surface. What both point to is the same underlying condition: the assumptions organisations built their cyber-risk models on are ageing out faster than those models are being revised, and AI deployment is a large part of why.

None of these three developments is new information arriving out of nowhere. Article 50 was always coming, and its requirements have been public for months. What changed is the simultaneity: a regulatory deadline with a fixed date, an intelligence community warning about compressed attack timelines, and a governance maturity figure that puts a number on the gap between what is deployed and what is actually controlled. Those pressures used to arrive on separate timelines. In July 2026 they are concurrent.

 

The Decision Behind the Gap Was Rational

The governance gap did not happen through neglect. Most organisations deploying agentic AI without a mature governance model made a deliberate trade-off: move now, build the governance model once the technology and the internal use cases stabilise. That calculation made sense through most of 2025. Early movers captured a real advantage, and governance frameworks built around technology that was still changing weekly risked being obsolete before they were finished.

That trade-off does not survive contact with August 2026 intact. The regulatory deadline is fixed. The security environment has compressed. And the governance figure, 21% with a mature model against a 75% deployment intention, is no longer a benchmark to compare against competitors. It is a description of where the exposure actually sits inside your own organisation.

 

What Actually Needs to Happen Now

For transformation leaders, this does not resolve into a disclosure for the board. It resolves into a specific, immediate piece of work: an accurate inventory of what AI is actually running across the organisation, not what was approved on a policy document, but what is deployed and in active use. The distance between those two lists is precisely the exposure that Article 50 and the current threat environment are now positioned to surface.

That inventory has to happen before the governance model gets built, not alongside it. You cannot govern a system whose actual footprint your organisation has not yet measured, and by the time an auditor, a regulator, or an attacker measures it for you, the cost of closing the gap has already changed.

The deployment number will keep climbing. The governance number moves only when someone decides to move it. Right now, for most organisations, no one has.

The AI Model Was Never the Hard Part

Three of the world’s largest AI vendors have spent the past ten days admitting something enterprise buyers have suspected for a while: the model was never the hard part.

On 30 June 2026, AWS committed $1 billion to a new Forward Deployed Engineering unit, sending pods of engineers directly into customer organisations to build and deploy agentic AI systems on-site. Three days later, Microsoft answered with Microsoft Frontier Company, a $2.5 billion commitment embedding 6,000 industry and engineering experts inside client organisations to co-design, deploy, and run AI systems against measured business outcomes. Combined, that is 3.5 billion dollars committed by two vendors in under two weeks, and neither of them spent a cent of it on a better model.

They spent it on people, sent to sit inside your organisation and do the work your own team was supposed to already be doing.

 

This Is Not Two Companies. It Is a Pattern.

Treat this as an isolated Microsoft-versus-Amazon story and you miss what is actually happening. Both moves followed a pattern already set earlier in 2026 by the AI labs themselves. Anthropic and OpenAI both launched joint ventures for enterprise AI deployment on the same day, 4 May 2026. Anthropic’s is a $1.5 billion venture backed by Blackstone, Hellman & Friedman, and Goldman Sachs. OpenAI’s is The Deployment Company, a $10 billion vehicle anchored by TPG. The technique itself, forward-deployed engineering, sending a vendor’s own technical staff to embed inside a customer’s operations rather than selling software and walking away, was not invented in 2026 either. Palantir built its entire early growth on exactly this model more than a decade ago.

What changed in the space of two months is who is now doing it. Every major AI vendor, model builders and cloud hyperscalers alike, has independently reached the same conclusion at the same time: licensing the technology and leaving customers to figure out deployment is no longer a viable strategy for demonstrating that AI investment produces returns.

 

Why Now, and Why All at Once

The timing is not a coincidence, and the reason is uncomfortable for anyone who has spent the last two years running an internal AI programme on the assumption that the tooling was the hard part.

MIT’s Project NANDA research, based on 150 leadership interviews, a survey of 350 employees, and an analysis of 300 public AI deployments, found that 95% of organisations deploying generative AI saw zero measurable business return, despite an estimated 30 to 40 billion dollars in enterprise investment. The same research found that internal builds succeed at roughly a third of the rate of purchased tools paired with a genuine implementation partnership, and that the deployments which did work shared one trait: ownership sat with the domain leaders actually running the process, not with a centralised AI lab several layers removed from where the work happens.

That is the number every AI vendor is now responding to. A 95% pilot failure rate cannot be fixed by shipping a better model. It is an execution problem, and for the first time, the vendors are the ones saying so, with their own balance sheets rather than a slide in a sales deck.

 

What 3.5 Billion Dollars of Vendor Behaviour Actually Tells You

If AWS and Microsoft believed their own customers could close this gap with the tools already on the market, they would not be spending a combined 3.5 billion dollars putting engineers on the ground to do it for them. Vendors do not fund headcount at this scale to solve a problem their existing product already solves.

That is the signal worth sitting with if you are running, sponsoring, or governing an AI programme right now. The two organisations with the clearest commercial incentive to tell you that your existing licence is sufficient are instead telling you, with 3.5 billion dollars of capital allocation, that it is not.

 

What This Means for Your Own Programme

None of this means the answer is to wait for a vendor’s forward-deployed team to arrive and do the work instead of building the capability internally. Vendor-embedded engineers close the gap for as long as they are in the building, and then they leave, taking the capability with them unless the organisation has built something durable underneath it.

What it does mean is that the excuse most transformation programmes have been running on, that the tooling was not yet mature enough to deliver value, is no longer available. The vendors have just spent 3.5 billion dollars telling the market that the tooling works. The 95% failure rate MIT documented was never about the model. It was about exactly the things forward-deployed engineering exists to fix: ownership sitting in the wrong place, workflows that were never redesigned around the tool, and outcomes that were never defined before the build started.

Those are governance problems, sitting inside the organisation rather than inside the platform, and vendors were never going to be the ones to fix them permanently. They can staff their way around the symptoms for the length of an engagement. Your organisation has to solve the underlying problem itself, and the sooner that distinction is made explicit at the programme level, the less it will cost to fix later.

The model was never the hard part. The vendors just spent 3.5 billion dollars confirming it.

Handling Stakeholder Expectations in Digital Transformation: The Honesty Problem

 

Most failed digital transformations were not derailed by technology.

They were derailed by a gap between what was promised at the start and what was achievable in reality. That gap existed from day one, embedded in the business case, and neither the sponsors nor the delivery team chose to address it directly until the programme was already in trouble.

The stakeholder expectation problem in digital transformation is routinely framed as a communication challenge. Better updates. More frequent steering committee engagement. Clearer reporting. These are sensible practices. They are also, in most cases, insufficient, because the problem is not that stakeholders were not kept informed. It is that they were kept informed using numbers and timelines that were not honest about the uncertainty behind them.

That is an honesty problem, not a communication problem. And the fix for it happens at the beginning, not during delivery.

 

The Business Case That Everyone Signed Off On

Digital transformation business cases are almost universally optimistic. Not because the people who write them are dishonest, but because the incentive structure in most organisations rewards ambition and penalises conservatism. A realistic business case, one that acknowledges uncertainty ranges, models downside scenarios, and commits to fewer benefits with higher confidence, is harder to get approved than an ambitious one. So the ambitious one gets written.

The consequence is that the business case becomes a set of commitments rather than a set of hypotheses. By the time the programme moves into delivery, the numbers in the original document are treated as targets rather than as estimates, even when the assumptions underlying them have already been revised. The expectation gap was always there. It was just papered over.

BCG’s analysis of more than 850 companies found that only 35% reach their stated digital transformation goals. Gartner’s October 2024 survey of more than 3,100 CIOs found only 48% of digital initiatives meet or exceed their business outcome targets. The gap is not primarily a delivery capability problem. It is a framing problem.

 

Scope at Altitude

The second structural cause of expectation gaps is scope defined at too high a level of abstraction. Transformation programmes are typically scoped during a phase when the delivery architecture is not yet understood, which means scope boundaries are drawn based on intent rather than on a detailed model of what delivery will actually require.

Both sides, sponsor and delivery team, leave the scoping phase with genuine but different understandings of what is included. Neither party is misrepresenting anything. They simply have not gone deep enough to discover the ambiguity. That ambiguity is then carried into the contract, into the programme plan, and eventually into the steering committee deck, where it will surface as a scope dispute at the moment least convenient for everyone involved.

The fix is not to define scope more tightly in the abstract. It is to define scope at a level of specificity that forces the ambiguity into the open before commitments are made. That is harder and slower than moving quickly to contract. It is also significantly less expensive than managing the dispute six months into delivery.

 

What the Programme Board Actually Hears

Stakeholder management, in practice, often means giving senior sponsors the confidence to remain supportive rather than giving them the information they need to make good decisions. Status reporting in large programmes tends to converge toward reassurance. RAG ratings stay amber longer than conditions warrant, because the consequences of going red feel disproportionate in the moment. Risks that have materialised are carried as risks rather than re-classified as issues. Forecasts are revised gradually rather than reset to reflect the actual picture.

This is not cynical. It is human. Nobody wants to be the person who delivers bad news. The programme team has worked hard. The delays feel temporary. There is always a reasonable argument for holding the line a little longer.

The problem is that by the time the gap between expectation and reality is reported honestly, it is too large to close without a significant reset. The reset conversation is much harder than it needed to be, because the sponsor was not kept informed of how the gap was developing.

 

The Expectation Reset Conversation

When the gap surfaces, and it always surfaces, the response that preserves the programme is not to defend the original business case. It is to reframe the conversation around what is still achievable, with what degree of confidence, on what timeline. That requires the delivery team to be willing to put a revised view in front of the sponsor, acknowledge that the original framing was overoptimistic, and propose a credible path forward.

That conversation is significantly easier when the relationship between sponsor and delivery has been built on honest reporting from the start. It is significantly harder when the sponsor has been receiving optimistic status updates and now feels misled, not because anyone intended to mislead them, but because the communication was shaped by the desire to maintain confidence rather than the obligation to maintain accuracy.

 

Less Ambiguity, Earlier

The conditions that produce the stakeholder expectation problem are well understood: optimistic business cases, scope defined at altitude, and status reporting shaped by the incentive to maintain confidence. None of these are inevitable.

The organisations that manage stakeholder expectations well are not the ones with the best communication strategies. They are the ones with the discipline to be specific about uncertainty before programmes begin, to define scope at a level of detail that surfaces ambiguity early, and to build reporting practices that give senior sponsors the information they need to make real decisions rather than the reassurance they want to maintain support.

Less ambiguity earlier. Fewer numbers presented as certain when they are estimated. Fewer commitments made before the delivery architecture is understood.

That is the fix. It is harder to sell at the outset and significantly easier to live with throughout delivery.

The AI Infrastructure Race Has Already Been Decided, Just Not Where You’re Looking

 

Four companies have committed more capital to a single region’s AI infrastructure than most countries spend on national defence in a year.

AWS, Google, Microsoft, and Oracle have collectively committed more than 160 billion US dollars to building AI infrastructure across Asia-Pacific between January 2024 and May 2026, according to McKinsey’s analysis of the region’s data centre demand. That is not a forecast or an aspiration. It is capital already committed, over a 28-month window, by the four organisations best positioned in the world to judge where AI compute demand is actually heading.

Most enterprise conversations about AI strategy still treat the geography of AI capability as fixed, anchored in North America and Europe. That assumption stopped being accurate somewhere in the last two years, and the redrawing is happening in Asia-Pacific, largely unnoticed by the boardrooms it will eventually affect.

 

The “Follower” Narrative Was Already Wrong

The conventional framing of AI outside North America and Europe has always been one of catching up, adopting capability built elsewhere, closing a gap set by others. That framing was already inaccurate before this capital started moving, and the UAE is the sharpest evidence of it. Microsoft’s AI Economy Institute put the UAE’s working-age AI adoption at 70.1 per cent in its Q1 2026 diffusion report, the highest of any economy measured, against a global average of 17.8 per cent. Abu Dhabi is also home to Stargate UAE, a 5-gigawatt AI campus built with OpenAI, Oracle, and Nvidia that is now the largest AI infrastructure deployment outside the United States. Neither of those is a country catching up. That is a country leading.

The hyperscaler capital now moving into Asia-Pacific specifically, the $160 billion figure McKinsey tracks across AWS, Google, Microsoft, and Oracle, sits in a different regional bucket to the UAE in most analysts’ own classifications, McKinsey included, which places the Gulf within EMEA rather than APAC. But read together, the pattern is bigger than either region’s infrastructure story on its own. AI leadership has already decentralised away from North America and Europe in adoption terms. The capital now following it into Asia-Pacific is the same shift playing out in infrastructure terms, just in a different part of the map. The four largest cloud infrastructure providers on earth are not building in Asia-Pacific because the region is catching up. They are building there because the assumption that AI capability originates in the West and diffuses outward has already been disproven elsewhere, and they are positioning for where demand actually sits next.

That distinction matters for anyone making a ten-year technology strategy decision today. Compute infrastructure built now does not simply serve current workloads. It becomes the physical foundation that shapes what is commercially viable to build on top of it for the following decade. The parallel worth drawing is North American cloud infrastructure investment around 2015, which quietly determined which companies had a structural cost and latency advantage for the cloud-native decade that followed. Most of those advantages were locked in years before most executives recognised the pattern.

 

Building Faster Than Anyone Can Govern

What makes this moment genuinely worth attention is not just the scale of the capital commitment. It is the gap between that commitment and what has followed it.

The physical infrastructure, the data centres, the compute capacity, the power agreements, is being built at a pace the market has not seen before. The governance, integration, and organisational capability needed to actually use that infrastructure well has not kept pace at anything like the same speed. This is the same structural gap showing up across every AI signal this year: deployment and physical capacity moving faster than the organisational readiness required to extract value from either.

For enterprises operating in or adjacent to Asia-Pacific markets, this creates a specific and immediate strategic question, not a hypothetical one for next year’s planning cycle. The infrastructure being built now will define whose AI workloads run cheaply, quickly, and reliably in the region from 2027 onwards. Enterprises without a considered position on that infrastructure are not neutral bystanders. They are watching the operating environment for their future competitors being constructed, largely without their input.

 

What This Actually Requires From Leadership

Chasing every regional infrastructure headline is not the answer. Two things are.

The first is a straightforward board-level question that most technology strategy committees have never actually asked: does our AI roadmap account for where the compute capacity underneath it is being built, and by whom? Most enterprises with APAC exposure have not asked this, because compute geography has always been treated as an IT procurement detail rather than a strategic input.

The second is timing discipline. The infrastructure decisions with the longest shelf life, cloud provider selection, data residency architecture, regional partnership structures, are being made now, this year, by enterprises that recognise the window. Wait for the 2027 competitive gap to become visible and the decision will already have been made, by whichever provider has the compute capacity and the customer relationship in the region first.

The infrastructure race rarely announces itself as urgent while it is still open to influence. It only looks urgent in hindsight, once the capital is spent and the advantage is locked in. Right now, for Asia-Pacific, it is still open.

Your Enterprise Architecture Is Built on a Map That No Longer Exists

Most enterprise technology decisions are made on a map that no longer reflects the territory. Vendors occupy defined positions. ERP here, CRM there, ITSM in its lane, workflow tooling beneath. Procurement, architecture, and integration planning all proceed on the assumption that those positions are reasonably stable.

Two announcements made within days of each other in May 2026 did not just shift those positions. They rendered the map itself unreliable.

At Knowledge 2026, ServiceNow unveiled Autonomous CRM, covering sales, service, quoting, order fulfilment, invoice disputes, renewals, and the full customer lifecycle. A direct entry into Salesforce’s core market from a vendor whose identity has been workflow and ITSM. At Sapphire 2026, SAP declared itself a business AI company, launched its Autonomous Enterprise vision, in which AI agents execute end-to-end business processes, with humans directing strategy rather than managing individual steps, and acquired Reltio to make enterprise data AI-ready. An ERP vendor positioning as an AI orchestration layer across the entire enterprise.

Most commentary has treated these as two separate vendor stories. They are not.

 

Two Announcements. One Signal.

What ServiceNow and SAP announced is not primarily about features. It is about boundaries, and the dissolution of them.

For the past decade, enterprise technology portfolios have been built on a category model. You choose an ERP, a CRM, an ITSM platform, a workflow layer, and you integrate them. Vendors in each category compete within it. The architecture question is mostly about how the categories connect, not whether the categories themselves hold.

That model has broken. ServiceNow is not extending into adjacent territory around the edges. It is standing directly in Salesforce’s most defensible ground, covering sales pipeline, quoting, order management, and customer lifecycle, with AI as the differentiator. SAP is not adding AI features to its ERP. It is repositioning as the orchestration intelligence for the entire autonomous enterprise, with a master data acquisition to back it.

The category model that procurement teams, architecture boards, and technology roadmaps are built on is now operating on assumptions that neither vendor supports.

 

The Roadmap Problem

This matters less as a vendor story and more as a planning problem.

Enterprise technology decisions have long lag times. A CRM strategy agreed in 2023 reflects assumptions about what Salesforce competes with and how. An ERP consolidation approved in 2024 was scoped against SAP doing one thing and other vendors doing adjacent things. Integration architectures designed eighteen months ago were designed for a world where the platforms stayed in their lanes.

None of those assumptions survived May 2026. And the organisations currently finalising multi-year enterprise software contracts, negotiating renewal terms, or approving architecture blueprints need to know that before they sign.

The problem is not that ServiceNow and SAP have made bold moves. Vendors always make bold moves. The problem is that decisions downstream of those moves, about what to buy, what to build, what to integrate, and which vendor relationships to deepen, are still being made against the old map.

Two specific conversations are worth having before any major enterprise software decision closes in the next twelve months.

The first is the vendor dependency audit. When your workflow vendor is also your CRM, and your ERP vendor is also your AI orchestration layer, the concentration risk in your technology portfolio changes. So does the negotiating leverage. So does the cost and complexity of exit if you need it later. These are not hypothetical concerns. They are the direct consequence of vendors collapsing categories.

The second is the integration investment review. Integration work designed to connect cleanly bounded platforms does not simply carry across when those platforms expand into each other’s territory. Some of it becomes redundant. Some of it creates conflict. Some of it was justified by a separation of function that no longer exists. If your architecture team has not reviewed integration design against what ServiceNow and SAP announced in May 2026, that is a gap worth closing quickly.

 

What the Briefing Should Have Said

Technology updates for executive teams and programme boards tend to cover vendor announcements as market news. ServiceNow does this, SAP does that, here is what it means for the industry. That framing is too distant to be useful.

The briefing transformation leaders needed, and in most cases did not receive, is this: the vendor categories on which your enterprise architecture is built are collapsing. Two of the largest platform vendors are now competing directly across the boundaries that your current roadmap treats as fixed. The decisions you need to revisit are specific, and the window before contracts close is finite.

That is a different conversation from a product announcement. It requires someone in the organisation to have read the news, synthesised its implications, and brought it to the table as a strategy question rather than a technology update.

Most organisations are not structured for that kind of synthesis. Technology teams report on what vendors do. Strategy functions rarely track vendor positioning in this level of detail. The CIO’s office is often the only place where the two sets of knowledge meet, and it is frequently operating at capacity on current programmes rather than monitoring future architecture exposure.

The gap this creates is real, and it has a cost. Not immediately, but at contract renewal, at architecture review, at the moment an integration investment turns out to have been built against a boundary that no longer exists.

The ServiceNow and SAP announcements are not the story. The story is that the category model your technology decisions are built on changed, and most of the people who need to know have not been briefed. That is an organisational problem, not a technology one, and the organisations that address it before the next contract closes will be in a materially different position from the ones that address it after.

Pre-Mortem: Eight Companies, No Published Accountability Standard

The Pre-Mortem is a weekly series on this blog. Each piece applies five questions to a major technology commitment before the outcome is known.

In February 2026, the United States Department of War signed agreements with eight of the world’s leading artificial intelligence companies, OpenAI, Google, Microsoft, SpaceX, Oracle, Amazon Web Services, NVIDIA, and Reflection, to deploy their advanced AI models inside its classified networks. Impact Level 6 (IL6) covers data classified at the Secret level. Impact Level 7 (IL7) covers compartmented intelligence and the most sensitive operational systems, where the United States military runs its actual warfighting decision support. This is the first time that large language models have operated within IL7 environments. What has not been published is who carries accountability when one of them gets something wrong.

 

The Bet

The Department of War’s stated aim is to establish the United States military as an AI-first fighting force, achieving what its AI Acceleration Strategy calls decision superiority across all domains of warfare. The eight agreements are the mechanism. The AI systems will summarise surveillance feeds, synthesise intelligence data, and suggest tactical options to human operators. The Department of War’s five AI ethics principles, responsible, equitable, traceable, reliable, and governable, are on the record. The bet is that those principles are sufficient architecture for what happens inside a classified environment.

 

The Assumption

The whole bet turns on this: that “humans remain accountable for AI outcomes” as a stated principle is equivalent to a published accountability framework.

That distinction is where there is a gap. The Department of War’s Responsible AI Strategy and Implementation Pathway establishes process. It does not name the specific individual, command role, or governance layer accountable when an AI-assisted intelligence summary inside an IL7 environment shapes a decision that turns out to be wrong. Principle and framework are not the same thing, and in a classified environment that distinction cannot be tested publicly.

 

The Sequence

In July 2025, Anthropic’s Claude became the first frontier AI model approved for use on classified networks. The Pentagon subsequently sought to renegotiate those terms, demanding Anthropic permit its models to be used for all lawful purposes without limitation. Anthropic declined, citing concerns about mass domestic surveillance and autonomous weapons. On 27 February 2026, President Trump ordered all federal agencies to stop using Anthropic. The following day, OpenAI signed its classified deal with commitments that included prohibitions on domestic mass surveillance and human responsibility for the use of force, positions that aligned with the guardrails Anthropic had sought to retain. By May 2026, the remaining seven of the eight, Google, Microsoft, SpaceX, Oracle, Amazon Web Services, NVIDIA, and Reflection, had signed equivalent agreements.

The sequence reveals something structural. The accountability architecture for classified military AI was settled by commercial negotiation and political designation, not by a published governance framework.

 

The Pager

Legal scholars on autonomous weapons identify the same accountability fracture that applies in the decision-support context here. When an AI-assisted output causes harm in a classified environment, accountability distributes: software developers could not have anticipated all operational contexts, commanding officers disclaim responsibility for machine-generated outputs, vendors invoke contractual limitation of liability. The human-in-the-loop design means a person reviews AI suggestions before acting. It does not mean accountability for acting on a wrong AI output has been named anywhere in the command chain.

No published document names the specific individual role, command layer, or governance body accountable for a wrong AI-assisted output inside an IL7 environment. No congressional oversight mechanism covers classified operational AI use. No published error reporting standard exists. By the nature of classified operations, none can.

 

The Proof

Eight companies, the highest classification levels, large language models operating on top-secret data for the first time: the scale of the commitment is confirmed. The outcome data will not follow. Classified operational AI performance is not publicly reviewed, by design. This is the only deployment in this series where the proof question cannot be answered from the outside, not because the data is not collected, but because it cannot be published.

The accountability question is not whether humans are in the loop. They are, by stated commitment. The question is whether the framework for who carries it specifically, when they get something wrong, inside a system that cannot publish what it got wrong, exists in any enforceable form.

 

The Verdict

If the Department of War’s five principles are operationalised into a named, enforceable command accountability chain for AI-assisted decisions at every classification level, if the commercial guardrails in all eight agreements are independently verifiable by a body with appropriate clearance, and if a congressional oversight mechanism specific to classified AI operational failure is established, then this is what responsible military AI deployment at scale should look like.

Without all three, eight of the most powerful AI systems on earth are running inside the most classified networks in the world. The decisions they shape will not be publicly reviewed. The wrong ones will not be counted.

The accountability is a principle. The framework has not been built yet.

Workplaces Don’t Just Pay You. They Shape You

There is a version of career advice that treats every job as essentially equivalent, a set of roles, responsibilities, and remuneration packages to be evaluated primarily on their individual merits. You assess what the role requires, what it pays, and what it advances you toward. This is a reasonable framework. It is also incomplete.

The workplace you spend three or five years in does not just pay you. It shapes you. It forms the decision-making patterns, the risk tolerance, the communication instincts, and the professional identity that you carry into every subsequent role. Often in ways you cannot fully see until you have left.

 

How Environments Form Capability

The formation happens gradually and mostly below the surface. In an organisation with strong analytical discipline, you learn, often without realising it, to interrogate assumptions before committing to a course of action. In an organisation where pace is valued above rigour, you learn to move quickly and make decisions with incomplete information. In an organisation where challenge is welcomed, you develop the confidence to push back. In one where it is not, you develop the habit of working around problems rather than confronting them.

None of these formations is necessarily good or bad in isolation. All of them travel with you.

The professional who has spent five years in a high-accountability, high-clarity environment arrives in their next role with a set of instincts (about what questions to ask, what risks to flag, what evidence to require before deciding) that their counterpart from a lower-accountability environment simply does not have. The gap between them is not qualifications or experience in any formal sense. It is formed professional judgement.

That formation is not something a training course produces. It is the cumulative output of the environment itself: the decisions you are asked to make, the standard your work is held to, the conversations you are included in or excluded from, the quality of the thinking you are surrounded by.

 

What the Research Confirms

LinkedIn’s 2025 Workplace Learning Report found that 88 per cent of organisations say employee retention is a concern, and that providing learning opportunities is their top retention strategy. That finding is usually read as an HR insight. It is also a signal about what people themselves understand: the environment you work in is the primary determinant of your professional growth, and its absence is what drives capable people out of the door.

The same research found that only 36 per cent of organisations qualify as genuine career development champions, with robust and actively used development programmes in place. Thirty-three per cent have no meaningful initiatives at all, or are just beginning to build them.

The gap between those two groups is not a gap in intention. Most organisations understand that development matters. It is a gap in practice. Capable people read the environment accurately. When it stops investing in them, they leave for ones that do. The organisations that cannot close that gap are not simply struggling with retention. They are handing their best people, already formed by the investment made in them, to the competitors who will benefit from what that formation produced.

 

The Compound Effect

Development is not linear. The professional who is given increasing challenge, exposed to better quality thinking, and held to a rising standard does not improve at the rate of their individual training investments. They compound. Each year of a strong environment builds on the previous one in ways that create something qualitatively different from the sum of the parts.

The professional who spends the same years in a low-challenge environment is not standing still. They are becoming expert at a narrower set of conditions. They are developing the instincts that environment rewards and allowing the ones it does not reward to atrophy. They will be competent within those conditions for as long as they apply, and brittle when they change.

This is not a moral observation about which organisations are virtuous. It is a structural one about how professional capability is formed. The environment is the curriculum.

 

The Decision You Are Actually Making

When you accept a role, you are making two decisions. The explicit decision is about the role: the responsibilities, the scope, the compensation. The implicit decision is about the environment: who you will learn from, what standard you will be held to, what kinds of problems you will be asked to think about, and who will be in the room when consequential decisions are made.

That first decision shapes the next two or three years. The second shapes the decade that follows.

Most career conversations focus almost entirely on the explicit decision. Salary, title, scope, promotion trajectory. These are real considerations. They are also the shorter-term ones.

The question worth asking, and the one asked too rarely, is what this environment will make of you. Not what you will do in it. What it will do in you.

An organisation that invests seriously in the development of its people, one that exposes them to hard problems, holds them to high standards, and creates the conditions for genuine challenge, is offering something that does not appear in the compensation package. It is offering the formation of a professional who will be more capable, more resilient, and more effective in every role that follows.

 

What This Means for Leaders

For leaders, the obligation this creates is clear. You are not simply extracting the capability your people currently have. You are shaping the capability they will have. The quality of that formation is your responsibility.

The organisations that take this seriously produce people others want to hire. That is a leading indicator, not a lagging one. If the market consistently values what comes out of your environment, you are building something. If it does not, the environment is telling you something.

Choose the environments you build as carefully as you choose the people you put in them.

The EU AI Deadline Your Compliance Team Probably Missed

The EU AI Act enforcement date most organisations have been tracking is not 2 August 2026. They have been watching the high-risk provisions, the conformity assessments, the prohibited applications. Those timelines stretch into 2027 and beyond, and enterprise compliance teams have planned accordingly.

Article 50 has a different clock. It takes effect in 31 days, it applies to a far wider population of organisations than most realise, and for most of its obligations there is no grace period.

 

Not the Regulation You Were Watching

For the past two years, enterprise AI governance conversations have centred on the Act’s high-risk classifications. Which systems require conformity assessments? Which use cases are prohibited outright? The questions were legitimate, and the extended timelines attached to those provisions created a reasonable sense of runway.

That runway does not apply to Article 50.

Article 50 covers transparency obligations, and it lands on 2 August 2026. It requires any organisation deploying customer-facing AI systems to disclose to users that they are interacting with an AI. It requires providers of generative content tools to implement machine-readable marking on AI-generated outputs. Operators running emotion recognition or biometric categorisation systems must notify the individuals affected. And for any new system entering the EU market on or after 2 August, compliance is required from day one.

One aspect of the regulation that most compliance programmes have not fully processed: Article 50 is not jurisdictional. Article 50 follows the user, not the provider. That is how the Act defines its own scope. A company headquartered in Dubai, Singapore, or New York that deploys AI-generated content visible to EU users is in scope. Where the output lands determines the obligation. The practical consequence is that Article 50 applies to any organisation with a customer base that includes EU residents, regardless of where that organisation is incorporated or where its AI systems are built and operated.

The organisations that will be caught short are not the ones building prohibited systems. They are the ones that assumed the regulation was still in the planning stage, or that it would only apply to organisations based in Europe.

 

The GDPR Comparison That Matters

GDPR was announced in 2016 and took effect in 2018. Two years of awareness campaigns, legal seminars, board-level briefings, and vendor remediation work. The compliance industry built an entire ecosystem around it. Privacy officers were hired. Data mapping exercises ran for months. By the time enforcement began, organisations at least understood what was expected of them, even if some were still catching up.

GDPR also reached beyond EU borders from the start. Any organisation processing the personal data of EU residents was in scope, regardless of where it was based. Article 50 operates on the same principle: it reaches wherever EU residents are on the receiving end of AI-generated content or AI-driven interactions.

Article 50 does not have that context. Most enterprise compliance functions have been tracking the Act’s overall timeline without separating out which provisions take effect when. The transparency obligations were not deferred. They were always scheduled for August 2026. But because the high-risk provisions dominated the conversation, the transparency rules arrived quietly, and they arrive soon.

Thirty-one days is not a planning horizon. It is an implementation sprint, or it is already a compliance gap.

 

What Article 50 Actually Requires

The obligations are more specific than the general framing of “AI transparency” suggests, and that specificity matters for scoping the work.

The most broadly applicable obligation is disclosure. If a user is interacting with a chatbot, a virtual assistant, or any automated system capable of conversation or personalised response generation, they must be told. The requirement is not a buried terms-and-conditions clause. It is a functional disclosure at the point of interaction. This applies from 2 August, to all systems, with no transitional provisions.

Generative content carries a second obligation. Organisations using generative AI to produce content distributed in EU-market contexts must ensure outputs carry machine-readable markers indicating AI generation. This applies to text, images, audio, and video. The AI Omnibus agreement provisionally agreed in May 2026 and expected to be formally adopted before 2 August extends this specific requirement to 2 December 2026 for systems already on the market before 2 August. For any new system entering the market from that date, the obligation is immediate. The extension is not a signal to deprioritise: December 2026 is not far away, and the technical implementation is not trivial.

Emotion recognition and biometric categorisation carry a third obligation, active from 2 August with no transitional period. Individuals must be informed when these systems are operating on them.

None of these obligations are complex in isolation. The difficulty is that most organisations have not mapped which of their current systems fall within scope, and that mapping exercise takes longer than 31 days when it is starting from scratch.

 

What to Do in the Next 31 Days

Non-compliance carries fines of up to €15 million or 3% of global annual turnover, whichever is higher. This is not a planning conversation. It is a board conversation.

Article 50 requires operational change: disclosure mechanisms built into interfaces, technical markers implemented in content pipelines, notification processes embedded in operational workflows. A policy document does not close this gap.

The practical starting point is a scoping exercise, and it needs to happen this week, not at the end of July. Three questions define the scope: Which customer-facing systems use AI in any form of interaction or response generation? Which content production workflows use generative AI to produce material distributed in EU-market contexts? Are any systems using emotion recognition or biometric categorisation?

If the answer to any of those questions is yes and the disclosure or notification mechanism is not already live, that is an Article 50 compliance gap.

Once the scope is clear, triage by exposure. Not every system carries the same risk. Externally facing consumer products in regulated sectors carry a different risk profile than internal productivity tools. Sequence the remediation by audience, jurisdiction, and volume of interaction.

Confirming the mechanisms actually work is where most programmes get caught. A disclosure notice that technically exists but is not surfaced at the point of interaction does not satisfy the requirement. The same applies to machine-readable markers that are added to some content outputs but not systematically applied across all generative workflows. Implementation is not the same as compliance.

 

31 Days Is Not a Problem. 32 Days Is.

There is still time to close this gap for organisations that act now. August 2026 is not GDPR day one, when regulators were finding their feet. It is an enforcement event in a regulatory framework that has had two years of published timelines. Regulators will not be looking the other way.

The organisations that treated the high-risk provisions as the whole story now have 31 days to correct that assumption. Wherever they are based.