Saharnaz Dilmaghani, Advisory Manager, AI & Data Analytics,  PwC Luxembourg

 

AI governance in 2026 is no longer centred on principles alone, it is increasingly about proof. Organisations are being asked to demonstrate what AI systems they use, how those systems are classified, who is accountable, and what controls, documentation and oversight mechanisms are in place.

Globally, responsible AI programmes are maturing from policy frameworks into operational capabilities. In the EU, the AI Act has moved from political agreement to phased application, shifting attention towards implementation planning and supervisory preparedness. At the same time, Luxembourg is advancing its national oversight architecture, positioning a lead authority to coordinate enforcement across sectoral regulators.

Taken together, 2026 marks a decisive transition: governance credibility will depend less on stated commitments and more on demonstrable readiness.

 

Global overview: Responsible AI & AI governance

Recent PwC research reinforces a practical shift: Responsible AI is increasingly positioned as a value enabler, not only a risk-control function.

· In PwC’s 2025 Responsible AI survey, 58% of respondents say Responsible AI initiatives improve ROI and organisational efficiency, while 55% report improvements in customer experience and innovation.

· Value-driven outcomes dominate executive priorities: improved return on AI investment (58%), enhanced customer experience (55%) and enhanced innovation (55%) rank ahead of traditional compliance-related benefits.

· By comparison, fewer respondents identify reduced compliance or regulatory risk (39%) or brand protection (35%) as the primary benefit, indicating that Responsible AI is increasingly viewed as a growth lever rather than purely a safeguard.

· Governance maturity drives effectiveness: 61% of organisations report Responsible AI is now at an embedded or strategic stage. Those at the strategic level are 1.5–2x more likely to consider their AI governance capabilities effective than those still in training or foundational phases — suggesting that operational integration, not policy alone, delivers results.

· In a separate PwC study, “Value from Responsible AI” a five-year simulation compared companies meeting minimum AI compliance requirements with those investing an additional 10% of their AI budget in more comprehensive Responsible AI programmes. In the model, the latter group experienced adverse AI incidents at up to half the rate, alongside higher simulated valuations (up to +4%) and revenue gains (up to +3.5%) compared with compliance-only peers.

· When incidents did occur, Responsible AI-oriented organisations recovered value more rapidly, returning to ~90% of pre-incident value within seven weeks and ~95% within 13 months.

 

Taken together, the evidence points to a structural shift in how Responsible AI is understood and implemented. Executive perception data shows value creation now outweighs pure compliance benefits. Maturity data demonstrates that effectiveness scales with operational integration. And economic modelling suggests that investing beyond minimum requirements may materially strengthen resilience, valuation and growth outcomes.

For 2026, the signal is clear: Responsible AI is moving from policy ambition to operational discipline, and organisations that embed it strategically across development, procurement and deployment are positioning governance not as a constraint, but as a performance multiplier.

The EU context: from adoption to enforceable reality

By early 2026, organisations across the EU are operating in a structured implementation phase of the AI Act. The Regulation entered into force in August 2024 and is now applying progressively, with certain obligations already in effect and others approaching their application dates. Supervisory structures, including the European AI Office and designated national authorities are being established and strengthened to prepare for full enforcement.

 

Key timeline signals for 2026:

· February 2026: The Commission was expected to issue guidance clarifying practical implementation aspects, including risk classification under Article 6. Guidance relating to high-risk classification has been delayed beyond the initial target date.

· August 2026: Most remaining provisions of the AI Act begin to apply, while core high-risk obligations follow their later application date in 2027. Member States must also have at least one AI regulatory sandbox operational by this point.

 

Where we are with the AI Act today

As of early 2026, three practical realities define the current phase:

1. Risk classification must be operationalised. Organisations are expected to determine whether systems fall under prohibited, high-risk, transparency or minimal-risk categories and to document and justify those determinations.

2. High-risk readiness is under preparation scrutiny. Although the full high-risk regime applies from 2027, organisations are expected to build the necessary foundations now, including documentation structures, logging, human oversight design and post-market monitoring planning.

3. Transparency obligations are becoming operational. Requirements concerning AI systems that interact with individuals or generate synthetic content increasingly need to be reflected not only in policy documents, but in user interfaces and workflows.

To conclude, the real shift now required is from interpretation to demonstrable implementation. The strategic question is no longer whether organisations understand the AI Act, but whether they can evidence governance in operation, through defensible risk classification, embedded controls, effective human oversight and traceable decision-making. The transition period should therefore be approached as an operational build phase, in which policy frameworks evolve into auditable processes, structured controls and measurable accountability.

 

AI Act Omnibus proposal – what is actually changing?

As implementation of the EU AI Act progresses, the Commission has put forward a proposal under the broader “Omnibus” simplification agenda to amend certain provisions of the Act.

The proposal does not reopen the risk-based structure of the AI Act. It introduces targeted amendments relating to timing, administrative burden, supervision and proportionality.

 

The following changes are proposed:

· AI literacy (Article 4). The proposal would replace the current direct obligation on providers and deployers to ensure AI literacy with a provision requiring the Commission and Member States to encourage providers and deployers to take AI literacy measures. Until any amendment is adopted, the existing Article 4 obligation remains applicable.

· Application of high-risk AI requirements (Chapter III, Sections 1–3). The proposal would modify the application timeline of high-risk AI obligations. Instead of a fixed application date, the obligations for:

o Annex III high-risk AI systems (Article 6(2)) would apply six months after the Commission confirms that relevant harmonised standards or common specifications are available; and

o Annex I product-related high-risk AI systems (Article 6(1)) would apply twelve months after such confirmation.

 

The proposal also introduces backstop dates of 2 December 2027 (Annex III systems), and 2 August 2028 (Annex I systems), after which the obligations would apply regardless of the availability of standards.

· Processing of special categories of personal data for bias detection (new Article 4a, replacing Article 10(5)). The proposal would introduce a new provision allowing, under strictly defined conditions, the processing of special categories of personal data where strictly necessary for the purposes of detecting and correcting bias in certain AI systems. The provision includes safeguards such as necessity, proportionality, data minimisation, security measures, access restrictions, documentation, and deletion after use. The proposal provides that this possibility may apply to providers of high-risk AI systems and, under specific conditions, also to certain other providers or deployers where necessary to ensure bias monitoring, detection and correction.

· Registration of certain Annex III systems. The proposal would remove the requirement for providers to register AI systems in the EU database where the provider concludes, under Article 6(3), that an Annex III use-case does not qualify as high-risk. In such cases, providers would still be required to document the assessment and make it available to national competent authorities upon request.

· Proportionality measures for SMEs and Small Mid-Caps (SMCs). The proposal would extend certain existing SME-related simplifications to Small Mid-Cap enterprises (SMCs). This includes, for example:

• The possibility to provide elements of technical documentation in simplified form;
• Clarifications regarding proportionate implementation of quality management systems; and
• Adjusted considerations in relation to administrative fines for SMEs and SMCs.

· Supervision, AI Office competence and regulatory sandboxes. The proposal would adjust supervisory competences. In particular, it would grant the AI Office exclusive competence in specific circumstances, including: AI systems based on a general-purpose AI model where both the model and the AI system are developed by the same provider (excluding Annex I product-related AI systems); and AI systems that constitute or are integrated into a designated Very Large Online Platform (VLOP) or Very Large Online Search Engine (VLOSE). The proposal would also expand regulatory sandbox arrangements, including the possibility of EU-level sandboxes managed by the AI Office for certain systems, and adjustments to real-world testing provisions.

 

Overall, the Omnibus proposal seeks to recalibrate certain horizontal and procedural aspects of the AI Act without altering its risk-based architecture. It would shift selected obligations from operators to public authorities, link the application of high-risk requirements to regulatory readiness (subject to fixed backstop dates), introduce a narrowly framed legal pathway for bias testing, reduce administrative steps in specific borderline cases, extend proportionality measures to Small Mid-Caps, and centralise supervision for certain AI systems. The direction of the proposal is simplification and implementation support, rather than substantive deregulation.