Reader

From the Editor

Welcome to the fifth issue of Signals & Soapboxes. Every week covers a signal shaping our future, a candid opinion, a risk on the horizon and a question you should be asking. Short, sharp and straight to the point.

Kerry Knight Chart.PR

📡 The Signal

Finland became the first EU member state to activate full AI Act enforcement powers in January 2026. Every other member state is required to have equivalent infrastructure in place by 2 August 2026. Penalties become enforceable in 94 days. For organisations that aren't compliant yet, is that enough time?

Crucially, the act applies beyond EU borders. Under Article 2, it covers:

providers or deployers of AI systems that have their place of establishment or are located in a third country, where the output produced by the AI system is used in the Union;

This means: any organisation whose AI systems produce outputs affecting EU residents must comply, regardless of where it is headquartered. The concern lies with organisations that don't know they need to be compliant.

For businesses operating across European markets, this is not a regulation to monitor from a distance. For organisations deploying AI in hiring, credit decisions, biometric identification, critical infrastructure or education, the obligations are specific: documented risk management, data governance controls, human oversight mechanisms and conformity assessments, all audit-ready by the deadline. The penalty ceiling is €15 million or 3% of global annual turnover (whichever is higher). The Secure Privacy EU AI Act Implementation Guide notes that over half of organisations lack a systematic AI inventory, and without one, risk classification and compliance planning is impossible.

Sources:

Finnish Government: National supervision of EU Artificial Intelligence Act to begin - laws on powers of authorities to take effect at start of the year
EU Artificial Intelligence Act: Chapter I: General Provisions - Article 2: Scope
Secure Privacy: EU AI Act Implementation Sprint: A 90-Day Playbook for Enterprise Compliance

🎙️ The Soapbox

Déjà vu, anyone? We've been here before.

GDPR arrived in 2018 with the same sense of occasion: compliance deadlines, legal scrambles, consultants everywhere. Eight years later, countless organisations still have opt-out checkboxes that violate the rules, convoluted cookie banners and privacy notices that people rarely read. The regulation didn't fail; the response to it did.

Analysis of EU AI Act readiness shows most organisations haven't classified their AI systems, haven't built the required documentation, and in many cases don't have a complete inventory of what they're running. Or, don't even realise they need to comply. The August 2026 deadline is 13 weeks away. (Ominous.)

What happened with GDPR is happening again: legal teams working in isolation, boards not driving it, and a compliance deadline being treated as the starting point instead of the finish line. The AI Act deserves better, and so do the people affected by the systems it's designed to scrutinise.

Do you have a soapbox you stand on? Or an opinion worth airing? The soapbox is open to contributors. Get in touch: soapbox@kerrybknight.co.uk

🛡️ The Insurance Brief

Organisations reviewing AI exposure are focused on regulatory risk. Fewer are checking whether their existing insurance policies actually cover what they think they do.

Aon's 2026 AI risk analysis confirms that insurers are responding to AI-related claims by issuing endorsements on existing cyber, errors and omissions, and directors and officers policies. Some endorsements add affirmative AI coverage, whilst others introduce exclusions that silently narrow what was previously covered.

The accelerating role of artificial intelligence in organisational decision making in 2026 is redefining exposure – from fraud to operational resilience. Leaders must strengthen controls, build clear accountability, and ensure their risk and insurance programs keep pace with AI-driven threats.

The pattern mirrors what happened with 'silent cyber' a decade ago, where organisations assumed coverage existed, only discovering otherwise when they made a claim.

Most existing contracts were not drafted with AI loss scenarios in mind. If your organisation hasn't reviewed its policies against current AI deployment, the gap between what you're running and what you're insured for may be wider than you realise.

Source:

Aon: AI Risk 2026: What Business Leaders Need to Know

🤔 The Question

Is your organisation compliant and covered?

Signals & Soapbox Editor

Kerry is a Chartered PR Practitioner specialising in crisis preparedness, reputation management and AI governance.

As a strategic communications advisor, her day-to-day work focuses on translating complex or contested subject matter into clear, credible positioning that strengthens decision-making. She has advised on public scrutiny, misinformation, employee disputes and complex reputation challenges, providing the insight leaders need to maintain clear, defensible positions under pressure.