On 2 August 2026, the EU AI Act's high-risk provisions become enforceable. That date is not a prediction. It is a deadline inscribed in law, and it applies to every organisation deploying AI systems in domains the Act classifies as high-risk: credit scoring, employment, benefits eligibility, access to essential services, critical infrastructure, and education.

The boards of those organisations face a specific question they have not yet been asked publicly, but will be asked by regulators: at the moment each AI-assisted decision was made, what did the board know, and how do we know they knew it?

That question is not about policy. It is about records.

Articles 9, 12, 13, 14 and 19 of the EU AI Act establish a layered obligation. Each provision imposes a distinct requirement.

Article 9 requires a risk management system that is not a one-time exercise but a continuous process, maintained throughout the system's operational life.

Article 12 requires logging capability sufficient to enable post-hoc reconstruction of the system's operation, including the inputs, transformation steps, and outputs produced at each decision point.

Article 13 requires transparency sufficient for deployers to interpret outputs correctly, not merely to receive them.

Article 14 requires human oversight measures that are not merely documented in policy but implemented in the system's operation.

Article 19 requires conformity assessment documentation that reflects the system as deployed, not the system as it appeared when it first passed review.

Taken together, these provisions require something most governance frameworks do not yet produce: a complete, time-stamped record of the information picture available to the decision-making process at the moment each decision was made.

There is a difference between documenting that a governance process existed and being able to demonstrate what that process produced at a specific point in time.

Most organisations have the former. Risk committees have met. Policies have been approved. AI ethics statements have been published. None of that answers the question a regulator will ask about a specific adverse outcome: what was known at T-zero, the moment the system produced its output?

A board that cannot answer that question has not failed to comply. It has failed to govern. The distinction matters because the legal exposure is different. Compliance failure attracts regulatory sanction. Governance failure attracts director liability under Companies Act 2006 section 174, which requires that a director exercise the care, skill and diligence of a reasonably diligent person with the general knowledge, skill and experience that the director has. A director with knowledge of AI deployment who cannot reconstruct the decision moment is exposed on both counts.

Seventy-seven days is not enough time to build a compliant AI governance architecture from nothing. It is enough time to conduct an honest assessment of whether the architecture that exists can produce the records the Act requires.

The assessment has four questions.

If the answer to any of these is no, the 2 August date is not an administrative inconvenience. It is a liability event.

The boards that will emerge from August 2026 in a defensible position are not those that have the best AI systems. They are those that can prove what their AI systems did, when they did it, and what was known at the moment they did it.

The record either exists or it does not. Seventy-seven days is the interval between uncertainty and finding out which is true.