If you work in surveillance, records or risk at a financial services firm operating in or adjacent to the EU, you have probably spent recent months watching the EU AI Act’s August 2026 deadline slowly shift.
According to Wordwatch, the Digital Omnibus on AI — currently in trilogue — is widely expected to push substantive obligations on standalone high-risk systems to December 2027, with embedded systems following in August 2028. The temptation to breathe a sigh of relief is understandable. It would also be a mistake.
Wordwatch recently delved deep into the topic of what the EU AI Act actually asks of firm’s recording estates.
The timelines may be moving. The obligations are not. Communications surveillance tools that score, prioritise or close alerts based on staff communications still fall squarely within the Act’s high-risk classification. Three obligations in particular are most consequential for this space: traceability of decisions, documentation of training and review data, and auditability of every alert, dismissal and escalation. Each one runs directly through the recording layer — and each one takes considerable time to address properly.
Traceability is a data-layer problem before it is a model problem
Article 12 of the Act requires high-risk systems to log events automatically throughout their lifecycle. Article 13 requires that deployers can meaningfully interpret what those systems produce. Taken together, they pose a single operational question: can you explain how a model reached its conclusion, and can you point to the underlying record it drew from?
For a communications surveillance tool, that explanation must trace back to the original conversation — preserved in its native format, with timestamp, channel, participants and chain of custody all intact. If audio was transcoded during ingestion, if chain of custody is reconstructed from spreadsheets following a regulator’s request, or if the underlying record sits on a recorder that has been out of support for two years, the model’s output is not defensibly explainable. The Act provides no vendor cover for an inadequate data layer.
The practical implication is straightforward. Surveillance vendors will face procurement questions about their underlying recording assumptions. The institutions running those tools should expect the same questions internally — from their own second line of defence — before they arrive from a regulator.
Documentation: provenance is now a regulatory artefact
Article 11 and Annex IV require technical documentation covering the data and data-governance practices used to train, validate and operate a high-risk system. For communications surveillance, this means provenance of training data and provenance of the data the model is run against in production.
Recordings that lack chain of custody, are missing original-format integrity, or were sourced from a recorder whose vendor lifecycle has lapsed represent weak links in that documentation chain. A model can be technically excellent and still fail audit if the documentation surrounding it is inadequate. This is not a hypothetical scenario. FINRA’s 2026 Annual Regulatory Oversight Report and the SEC’s 2026 examination priorities both ask organisations to demonstrate provenance of training and review data. Regulatory expectations are converging across jurisdictions, not diverging.
It is also worth noting that the Omnibus does not soften documentation duties. The compliance standards work that has slipped is the work that supports compliance — not the work that defines it.
Auditability is operational, not architectural
Article 14, covering human oversight, and Article 17, covering quality management, require that every alert, dismissal and escalation can be reviewed and accounted for. This is a daily-workflow obligation, not a design-time consideration. Reviewer actions must be timestamped and attributable. The underlying record being examined must be retrievable on demand, in its original form.
Three areas where organisations most commonly feel this gap: legacy data estates, where recordings exist but lineage is undocumented; mixed-vendor estates, where reviewers move between consoles and lose the audit thread; and off-channel capture. All three are fundamentally data-layer problems, and all three surface predictably the first time an investigation or regulator’s request arrives.
The recording estate is now the regulatory artefact
Surveillance AI is only as defensible as the records it operates on. Three of the Act’s most consequential obligations — traceability, documentation, auditability — run through the recording layer. The financial organisations most exposed when the high-risk regime applies, whenever that turns out to be, are not those without surveillance AI. They are those whose recording estate cannot evidence the integrity of what the model saw, scored or dismissed.
The Omnibus delay is not a reprieve from the underlying expectation. It is a window. The data layer is now the regulatory artefact. Plan for it accordingly.
Copyright © 2026 RegTech Analyst
Copyright © 2018 RegTech Analyst
