ADC has warned that delays to European Union rules for high-risk artificial intelligence systems could leave organisations facing higher compliance costs and expose people to poorly governed AI systems for longer.
The warning focuses on the European AI Act, under which obligations for high-risk systems have been pushed back under a provisional agreement between the European Parliament and the Council. For stand-alone systems under Annex III, the deadline moves from August 2026 to December 2027, while high-risk AI used in regulated products moves to August 2028.
The gap matters for organisations in the UK as well as the EU, because companies and public bodies that use or supply AI systems may still fall within the law's scope depending on how their systems are deployed and whom they affect. Many organisations are already embedding AI into core processes before technical standards and compliance guidance have been settled.
That creates a risk that systems will be designed, bought and integrated based on assumptions that later need to change. If organisations wait for the final rulebook before reviewing their systems, they may have to revisit architecture, suppliers and internal processes later and at greater cost.
"The delay is easily seen as breathing space," said Elianne Anemaat, Senior Manager, public & society, ADC. "But organisations that only act once all guidelines are final will create unnecessary extra work for themselves. AI systems are already running in processes that directly affect people."
Costs rise
ADC identified the lack of binding technical standards and practical guidance as a central problem. The European Commission has issued draft guidelines with examples, but they are not yet legally binding, and the exact boundaries of what counts as high-risk may still change.
Meanwhile, AI tools are being used in fraud detection, recruitment, biometric identification and credit assessment. In those areas, organisations are making early choices about data flows, governance, testing and procurement without certainty over the final compliance requirements.
According to ADC, organisations that put core controls in place early will be better positioned if the final standards shift. It highlighted transparent data flows, logging, clear lines of responsibility, and models that can be tested and reviewed as measures that could reduce later disruption.
"Organisations that already put transparent data flows, proper logging, clear roles and testable models in place now will be able to align with the final standards much more easily later, without incurring unnecessary extra costs," said Anemaat.
Human impact
ADC said the issue is not limited to compliance budgets or project delays. High-risk AI systems are increasingly being used in decisions that can affect a person's access to work, care, education and public services.
The consultancy cited uses such as medical triage, hiring, fraud checks and government service delivery. In those settings, weak oversight or flawed design can have direct consequences for individuals long before a legal deadline arrives.
"If these systems are poorly designed or insufficiently monitored, they can determine whether someone is invited for a job interview, receives care in time or gets a timely response from a public institution," said Anemaat. "Every month of delay can therefore have a major impact on this group of people."
Public sector
Public bodies may face particular pressure because AI adoption is advancing in areas where decisions directly affect citizens. Municipal authorities, benefits agencies and healthcare organisations often work within fixed procurement procedures, budget cycles and political scrutiny, making rapid changes more difficult.
Those constraints increase the risk that weaknesses in an AI system become harder to fix once the system is established. In a commercial setting, that may remain an operational or financial problem, but in government or publicly funded services the fallout can be broader.
"If an AI system fails in the private sector, that is primarily a business risk," said Anemaat. "In the public sector, the same problem can escalate into an administrative crisis."
ADC urged organisations to use the extended timetable to build a clearer inventory of where AI is already in use, including features embedded in existing software and dashboards. It also called on employers to identify systems that may be classified as high-risk, carry out impact assessments ahead of formal requirements, test for bias and explainability, document governance arrangements, and improve AI literacy among staff.
"Responsible AI use is not a one-off exercise, but a skill. And like any skill, it becomes easier the earlier you start. Organisations that begin now can embed compliance into the way they work, rather than treating it as an obligation that has to be added later," said Anemaat.