Editorial analysis: Practitioners responsible for compliance, assurance, and evaluation should treat the current moment as one where vendor-created definitions and tests will materially shape what "compliant" AI looks like in the short term. That increases the importance of rigorous, reproducible documentation for metrics, test suites, and challenge cases, and it raises the stakes for independent auditability.
What happened
According to Just Security, the harmonized technical standards the EU AI Act expects standards bodies to publish were not delivered by their August 2025 deadline. Just Security reports that the European Commission proposed delaying parts of the Act's application into 2027 and 2028 because of that delay. The article states that, in the interim, providers are developing their own definitions of what satisfying legal requirements such as accuracy, fairness, robustness, and human oversight entails, supplemented at most by sectoral guidance from non-AI regulators.
Industry context
Editorial analysis: The gap between legal requirements and operational definitions is a recurring pattern when policy specifies high-level outcomes but delegates technical detail to standards bodies. Practitioners face comparable frictions in other regulated domains where technical committees lag. The Just Security piece highlights a structural disconnect between the technical risk-framing used by engineers and the rights-and-process framing used by legal regulators, creating room for divergent operational interpretations.
Implications for teams
Editorial analysis: Engineering and compliance teams should assume increased responsibility for defensible metrics and testing protocols. Where public standards are absent, internally consistent evidence, versioned test suites, benchmark distributions, provenance for training/validation data, and documented human-in-the-loop processes will be the primary artifacts that auditors and sector regulators examine. The absence of harmonized standards also elevates the role of third-party testing and sector-specific guidance during audits.
What to watch
Editorial analysis: Observers should track:
- publications from standards bodies for any interim technical specifications
- sectoral regulator guidance that may establish de facto norms
- third-party audit frameworks and major providers' whitepapers that could become de facto standards if adopted widely

According to Just Security, the timing of the European Commission's staggered application proposal (into 2027 and 2028) will shape how long provider-defined norms persist.
Reported facts in this summary are drawn from Just Security's June 30, 2026 article "The Handover of AI Standard-Setting."
Key Points
1. Industry observation: With formal standards delayed, provider-defined tests and metrics will temporarily determine practical compliance norms for AI systems.
2. Industry observation: The technical-legal vocabulary gap makes it hard for regulators to critique provider self-assessments without stronger, shared specifications.
3. Industry observation: Independent test suites and third-party audits become more consequential when harmonized standards are absent or delayed.
Scoring Rationale
The EU AI Act Annex III deferral to December 2027 creates an 18-month window where provider-defined tests and metrics will shape compliance, directly affecting practitioner decisions on evaluation, documentation, and procurement. Well-corroborated by the official EU Council decision and legal analysis.
