Focus on AI risk management
- Article 9 of the EU AI Act says providers of high‑risk AI systems must implement a formal risk‑management system.
- In practice that means identify risks, evaluate them, mitigate them, and monitor outcomes in production.
- Vendors are shipping AI guardrails and LLM penetration‑testing to help organisations meet these operational requirements.

Europe’s artificial intelligence rulebook is turning risk management from a policy memo into an operating requirement for companies that build high-risk AI. (eur-lex.europa.eu)

Regulation (EU) 2024/1689 entered into force on August 1, 2024, and the European Commission says the law becomes fully applicable on August 2, 2026, with some earlier deadlines already in effect. Prohibited AI practices and AI literacy duties started applying on February 2, 2025. (digital-strategy.ec.europa.eu)

Article 9 says providers of high-risk AI systems must run a documented, continuous risk-management system across the system’s whole lifecycle. The text requires teams to identify known and reasonably foreseeable risks, evaluate them, adopt control measures, and test whether those measures work. (eur-lex.europa.eu)

In plain terms, that means AI builders cannot stop at model training or prelaunch testing. They have to keep checking what happens after deployment, including whether the system creates safety or rights risks in real use. (eur-lex.europa.eu)

The law’s timing is staggered. A widely used implementation tracker cites Article 113 to show that most of the Act applies from August 2, 2026, while Article 6(1) and some related obligations for certain high-risk systems apply from August 2, 2027. (artificialintelligenceact.eu)

That timetable has helped create a market for tools that act like seatbelts and crash tests for AI systems. Vendors now sell “guardrails” that inspect prompts and responses, block prompt-injection attacks, and scan for sensitive data before an answer leaves the system. (netskope.com)

Netskope said on April 22, 2026 that it expanded its Google Cloud partnership to offer Netskope One AI Guardrails for generative AI and autonomous-agent workflows. The company said the product uses Google Cloud Tensor Processing Units and Vertex AI for in-line safety checks, prompt-injection protection, and local data scanning inside customer Google Cloud environments. (stocktitan.net)

Another service category is large language model penetration testing, which treats an AI system like software that an attacker will probe for weak points. Apriorit says that work now includes testing agent behavior, retrieval-augmented generation pipelines, prompt injection, and other failure modes that do not show up in ordinary app security reviews. (apriorit.com)

The Commission’s framework splits AI by risk level, and the strictest operational duties fall on systems classed as high-risk, such as some uses in employment, education, critical infrastructure, and regulated products. That structure is pushing compliance, security, and product teams to work from the same checklist instead of separate ones. (digital-strategy.ec.europa.eu)

By August 2026, the compliance question for many AI vendors will be less about whether they have a policy and more about whether they can show a repeatable process for finding, reducing, and tracking risk in production. (eur-lex.europa.eu)