Blog

AI verification remains an architecture question — even as the AI Act deadline moves

The Digital Omnibus shifts the EU AI Act's high-risk obligations to 2027 and 2028. Why verification, logging and human oversight remain an architecture question.

July 17, 2026 · Victor Angelier

On 7 May 2026, the Council and the European Parliament reached a political agreement on the Digital Omnibus: the EU AI Act's heaviest obligations for high-risk AI systems shift from 2 August 2026 to 2 December 2027, and to 2 August 2028 for AI embedded in regulated products (European Commission, 2026). The Article 50 transparency obligations, however, still take effect on 2 August 2026, as does the start of penalty enforcement for providers of general-purpose AI (GPAI) models, with fines of up to €15 million or 3 per cent of global annual turnover (European Commission, 2026; Galstian, 2026). At the same time, research shows that state-of-the-art language models hallucinate in roughly 15 to 20 per cent of their answers, rising to 16.7 per cent in legal AI applications (Joshi, 2025; Stanford HAI, 2024). Anyone reading the delay as a reason to relax is missing the point: the obligations have not disappeared — only the date on which non-compliance starts to hurt has moved.

The gap between policy and evidence

Many organisations now have an AI policy on paper. That is not what the law asks for. For high-risk systems, the AI Act requires technical documentation that exists before deployment, automatic logging built into the architecture itself, and human oversight in which a designated person can interpret outputs, disregard them and stop the system (Galstian, 2026). Bolting an audit layer onto an existing system afterwards does not satisfy this, because logging and oversight must be present as a property of the system rather than added later as a separate reporting layer (Galstian, 2026).

The real danger arises when organisations assume their standard AI assistant is out of scope and therefore record nothing. For most applications that assessment is formally correct: ordinary AI assistance generally falls outside the Annex III categories. But the classification can tip quickly — for instance, the moment AI output starts influencing employee evaluation or becomes part of services delivered to third parties (Galstian, 2026). And regardless of the legal classification: anyone using AI output in legal, medical or financial work carries the professional responsibility for errors the model presents with great confidence (Joshi, 2025).

Why a model cannot check itself

The core of the hallucination problem is architectural. Language models generate text based on probability, not factual verification; the generation process itself lacks a mechanism for fact-checking (Joshi, 2025). A model reviewing its own output therefore relies to a significant degree on the same blind spots that caused the error in the first place (Joshi, 2025).

The research also points to a way out that matters to professionals: multi-model verification. Ensemble approaches in which independent models cross-validate each other's output substantially reduce errors according to the literature cited in Joshi, while so-called guardian agents — models configured specifically as reviewers — can bring hallucination rates below 1 per cent in experimental settings (Joshi, 2025; Kerner, 2025). At least as important for compliance is that such a chain produces an inspectable trail of checks, corrections and sources for every answer. Exactly the kind of evidence Articles 11 and 12 demand then emerges as a by-product of the workflow rather than as a separate administrative burden (Galstian, 2026; Joshi, 2025).

Verification as infrastructure

That is the thinking behind Vera: a verification console in which every answer is checked by multiple independent models for facts, reasoning and sources — with every intermediate step visible and traceable. For sensitive documents, the Semantic Privacy Shield anonymises the content on EU infrastructure before any external model sees it.

Honesty demands two caveats that should apply to every provider in this segment. No system eliminates hallucinations entirely, and the final professional judgement remains with the user (Joshi, 2025). Verification reduces the risk of undetected errors; it does not replace expertise (Joshi, 2025).

What organisations can do now

Anyone taking the new timeline seriously starts with three steps. Classify every AI use in the organisation against Annex III — most applications fall outside it, but you want that documented (Galstian, 2026). Then choose AI workflows that have verification and logging as an architectural property, not as bolted-on reporting (Galstian, 2026). And keep the human demonstrably in the loop: who approved which output, based on which checks (Galstian, 2026; Joshi, 2025).

The Omnibus agreement still requires formal adoption and publication in the Official Journal, expected before 2 August 2026 (European Commission, 2026). The extra time until December 2027 is meant for building compliance properly, not for postponing it. Documentation, logging and human oversight as architectural properties are not built in the final weeks before a deadline — and the organisations that get this right end up with something more valuable than a ticked checklist: AI output they can actually trust, because they can see why (Galstian, 2026; Joshi, 2025).

Sources: European Commission, Guidelines for providers and deployers of AI high-risk systems, accessed 17 July 2026; A. Galstian, The 2026 EU AI Act and AI-Generated Code: What Changes for Dev Teams, Augment Code, 20 April 2026; S. Joshi, Comprehensive Review of AI Hallucinations: Impacts and Mitigation Strategies for Financial and Business Applications, International Journal of Computer Applications Technology and Research, 2025, 14(6), pp. 38–50; S.M. Kerner, Guardian agents: New approach could reduce AI hallucinations to below 1 percent, VentureBeat, May 2025; Stanford Institute for Human-Centered AI, ← All articles