The EU AI Act Omnibus has done exactly one thing for boards this year: bought them time. Annex III high-risk AI obligations now land in December 2027, not August 2026. Most governance briefings this month have reported that extension accurately. Almost none have flagged what it does not cover.
Article 50 was not moved.
Any new generative AI system placed on the European market after 2 August 2026 must carry watermarking and synthetic content labelling from the point of generation. For systems already on the market before that date, the same labelling obligation applies from 2 December 2026. The Omnibus extension addressed classification risk. It said nothing about disclosure obligations for generative systems, because Article 50 was never part of the Annex III postponement. It is a separate article, with its own timeline, and that timeline has not changed.
This distinction matters because of what most boards did in the first half of 2026. Generative AI deployment accelerated through Q1 and Q2. Many of those approvals went through governance committees that were, quite reasonably, focused on the Annex III question: does this system meet the high-risk threshold, and if so, what obligations follow. The Omnibus extension arrived, the high-risk question was deferred, and August came off the agenda. What did not come off the agenda, because it was never on it in the same way, is the labelling question.
Why this is a governance problem, not a technical one
Watermarking and synthetic content labelling are engineering deliverables. A development team can implement them without board involvement. That is precisely the risk. Where a technical function is treated as self-executing, the organisation loses the thing that actually satisfies Article 50 in a regulatory sense: evidence that a named individual confirmed compliance, at a point in time, before the system went live.
The question a regulator or a claimant's counsel will ask after 2 August is not "does the watermark exist in the code." It is "who confirmed that it existed, when, and where is that confirmation recorded." A system log showing that labelling functionality is present is a technical artefact. It can be checked at any time, including after the fact, and it says nothing about whether anyone with governance responsibility reviewed it before the deployment went live. A dated board minute, or an equivalent named-accountability record created at the point of decision, is a different kind of evidence entirely. One can be reconstructed after the event. The other cannot, because it did not need to be reconstructed. It was already there.
This is the same distinction that runs through every AI governance failure worth studying, from the Post Office Horizon disclosure failures to the SCHUFA and Dun & Bradstreet scoring disputes. In each case, the technical system was not the problem the regulator or the court ultimately cared about. The absence of a named individual who could be shown, contemporaneously, to have taken responsibility for a specific decision was the problem.
What exposure looks like on 3 August
Three characteristics identify the organisations carrying the sharpest version of this risk. First, a new generative AI system was placed on the EU market after January 2026. Second, the Omnibus extension was recorded internally as covering the organisation's generative AI obligations in general terms, rather than the Annex III classification obligation specifically. Third, no individual has been named, with board mandate, as accountable for confirming Article 50 compliance, and no dated record exists of that confirmation predating 2 August.
An organisation that meets even one of these criteria has three weeks to correct it before the labelling obligation for post-2-August systems becomes live and enforceable. An organisation that meets all three has a compliance gap that will not close itself, because the underlying misreading of the Omnibus has not been corrected anywhere it would reach the people who approved the original deployment.
What closing the gap requires
None of this requires new technology. The watermarking and labelling capability either exists in the deployed system or it does not, and that is an engineering question with an engineering answer. What requires board attention is the accountability layer sitting above it: a named individual, a dated confirmation, and a decision log entry that records the labelling event as a governance action taken before deployment, not a technical property discovered on inspection.
Section 174 of the Companies Act 2006 is the relevant domestic anchor. It requires directors to exercise reasonable care, skill, and diligence, and that duty does not discharge itself by delegating the question entirely to a technical team. A board that has not asked, specifically, whether its post-January-2026 generative AI deployments carry a named Article 50 accountability owner has not finished discharging that duty, whatever else it has done well on AI governance this year.
The three-week window
This week's correction has a shelf life. The value of raising the Article 50 point now, rather than after 2 August, is that boards still have time to act on it rather than explain it. Week 14 remains inside that window. By Week 15, the register changes from prevention to consequence, and the conversation with any board that missed this becomes a different, harder one.
The Omnibus bought boards genuine relief on Annex III. It did not buy them relief on Article 50. The gap between those two facts is where the next round of AI governance exposure sits, and it closes on 2 August.
The Roche-Review is the weekly publication of Dr Ivan Roche FRSS FRSA MInstP, Founder of Otopoetic Limited.

