The deadline moved. The exposure didn't.
Thirty days from now, on August 2nd, the part of the EU AI Act that most boards spent the past year preparing for will not arrive on schedule.
The obligations for high-risk systems listed in Annex III have been pushed to December 2, 2027: the inventory, the risk-management system, the human-oversight and logging duties that compliance teams built their 2026 plans around. Systems embedded in regulated products under Annex I move to August 2, 2028. The change came through the Digital Omnibus, provisionally agreed on May 7th and confirmed by Member State representatives days later. Formal adoption and publication in the Official Journal are expected before August 2nd. Until that publication lands, the original dates are still the law on the books, which means a board planning around the delay is planning around an agreement that is not yet final.
Last month I marked August 2nd as the milestone that mattered this year. The milestone moved. That movement is the story, because of what it does to the room.
A sixteen-month slip reads, to most management teams, as relief. The board paper gets reordered. The budget line gets deferred. The governance work that was urgent in May becomes a 2027 problem. That is the trap. The deadline is a calendar entry. It is not the control. The question the Act was forcing does not move when the date moves: what AI are we running, what does each system do, and can we show a regulator we understood the risk before we approved it. An organization that cannot answer "what AI are we using" in July cannot answer it any better in December 2027. The clock changed. The exposure did not.
And August 2nd, 2026 is not empty. Three things still happen on that date. The AI Office's enforcement powers over general-purpose AI providers activate, so the models most enterprises now build on come with a regulator that can issue fines, demand information, and order changes. The transparency obligations under Article 50 apply. And two new prohibitions added to Article 5 take effect on December 2nd: a ban on AI systems that generate non-consensual intimate imagery, and on AI-generated child sexual abuse material. The duty to mark synthetic content lands the same day. The penalty ceiling for prohibited practices is already in force at 35 million euros or 7 percent of global revenue, higher than GDPR ever reached. Non-compliance on high-risk systems carries up to 15 million euros or 3 percent.
So the board question for July is not "have we made our August 2nd deadline." For most of you, that deadline just became a 2027 deadline. The sharper question is whether anyone in the room can tell the difference between a date that slipped and a risk that didn't. If the AI inventory was worth building for August 2026, it is worth finishing on the original clock. The boards that treat the extension as time to do the work will be ready. The ones that treat it as permission to stop will be answering for the same gap eighteen months from now, in front of a regulator that has spent the interval building the muscle to ask.
Breach Brief — Klue / Icarus
At least fifteen companies exposed. Several of them sell security or compliance for a living. The way in was one credential nobody turned off.
On June 11th, an attacker reached the integration systems of Klue, a Vancouver competitive-intelligence platform used by more than 250,000 people. Klue detected the activity the next day, revoked the affected credentials, disabled its connections to Salesforce and other platforms, and brought in CrowdStrike. By June 19th an extortion group calling itself Icarus had claimed the attack and set a June 22nd deadline to publish what it took.
What it took was other companies' data. The credential the attacker used was a legacy key Klue had created to prototype a third-party integration, then abandoned. The project ended. The credential stayed live. From that foothold the attacker harvested the OAuth tokens Klue used to connect to its customers' systems, then used those tokens to query the customers' Salesforce environments directly and pull the records out. The roster of firms that have confirmed exposure includes HackerOne, Huntress, Tanium, Snyk, Recorded Future, Jamf, OneTrust, Gong, LastPass, and BeyondTrust. Huntress, one of the first to disclose, described itself as one of "hundreds of Klue customers" affected — a vendor estimate, not an independently confirmed count. Every disclosure made the same point: the intrusion was confined to data reachable through the Klue connection, with no breach of the companies' own products, passwords, or payment systems. Attribution rests on Icarus's own claim and on victims confirming the leaked data matches theirs, not on independent forensic confirmation of who Icarus is.
Here is the part a board should sit with. The list of victims is a directory of companies that sell trust. OneTrust sells privacy and compliance software. HackerOne runs the bug-bounty platform much of the industry depends on. Tanium, Huntress, and Snyk are security vendors. Every one of them could pass a third-party risk questionnaire. Several of them sell the questionnaire. And the control that would have stopped this was not a policy or an attestation. It was operational hygiene: decommission a credential when the project that needed it dies, and keep an enforced inventory of which outside applications hold live tokens into your CRM. The breach is the difference between compliance and security in one sentence. You can attest that your vendors were assessed. That is compliance. Whether an abandoned token can still reach your data is security. Klue's customers learned the gap between the two from a stranger's email.
After 25 years in cybersecurity I have watched this exact failure move from servers to cloud to SaaS, and it is now arriving on agentic AI. Klue was an identity-and-access story: inherited trust, an unaudited integration, an attacker who logged in rather than broke in. Every AI agent your organization connects to a CRM, a data store, or a third-party tool receives the same kind of token and the same inherited trust, granted at machine speed, across systems nobody has inventoried. Most organizations cannot list the OAuth grants already live in their environment today. They are about to add a generation of agents that run on exactly that mechanism.
So the Caremark question is not "were we exposed through a vendor." It is whether, when management reports that third-party risk is managed, the board sees evidence of a credential and OAuth inventory with revocation when a project ends — or accepts that the vendors were assessed and the questionnaires came back clean. Ask which one you are being shown, before the next abandoned key gets used.
Two for the board's desk
1. AI oversight is now a line on the proxy ballot. On June 5th, Alphabet shareholders voted on Proposal 12, a request to write formal oversight of AI development and deployment into the Audit Committee charter. It was filed by the Shareholder Association for Research and Education together with Parnassus Investments and PFA Pension, and it did not pass. The board recommended against it, arguing its existing multi-layered committee structure already covers AI risk. Read past the result. The proponents' case was that expanding AI without chartered board-level oversight "diffuses accountability," and a related Alphabet proposal drew close to 48 percent support among Class A holders two years ago. Shopify faced a comparable filing the same season. These proposals are becoming an annual fixture, and the institutional money behind them is the same money that votes on director re-election. The failed vote is not the signal. The recurring filing is. When a quarter to a half of your shareholders are willing to put AI oversight on the ballot, the question of who owns it has already left the management team.
2. The SEC is reading the gap between your 10-K and your proxy. For the first time, cybersecurity and AI displaced cryptocurrency as the top theme in the SEC's examination priorities for fiscal 2026. The exposure for most public companies is not a dramatic failure. It is an inconsistency. Only 28 percent of S&P 100 companies disclosed both board-level AI oversight and a formal AI policy in their 2025 proxy statements. A company that lists AI as a material risk factor in its 10-K and then shows no oversight structure in its proxy has published a contradiction, and proxy advisors and SEC staff are now looking for exactly that seam. The agency's 2024 AI-washing charges against Delphia and Global Predictions set the template: the claim does not have to be fraudulent to be a problem, only inconsistent with what the company can actually show. The board action is to read your own two filings side by side before someone else does.
Since the last Memo
Everything that has gone live on fredriklindstrom.info, with this issue's new piece at the top.
You Are Not Buying a Model. You Are Underwriting a Bet. → (July 3, new today) Where the US, EU, and Chinese AI vendors are heading over the next eighteen months, and what each choice commits your enterprise to.
Cyber Risk in the SEC 10-K Era — and What's Coming for AI → (June 26) A 2017 read on cyber risk in 10-K filings (TJX, Target, Home Depot) set against the 2023 SEC cyber disclosure rule, with a forecast for AI-specific 10-K disclosure inside the next eighteen to twenty-four months. The backdrop to this issue's second board item.
The Unmonitored Supply Chain: AI's Next Governance Gap → (June 17) The third-party integration risk that the Klue breach made concrete two weeks later. Written before the news, describing the news.
The Call No One Wants. The Call Is Now Coming for AI. → (June 12) My 2016 essay on the breach-notification call, reissued for the moment when the call is about an AI system the board approved and no longer fully understands.
The Governance Game
Reading about oversight and practicing it are different things. The Governance Game puts you through five governance situations built from real director decisions, each scored against the three frameworks boards are measured against: NIST AI RMF, ISO 42001, and the EU AI Act. Roughly fifteen minutes, no login, your answers stay in your browser. The deadline just moved. Your instincts didn't. This is the fastest honest read on where they land.
Forward this to a director who should be reading it.
— Fredrik