The AI Transparency Deadline That Wasn't Moved

When the EU institutions reached agreement on the Digital Omnibus on 7 May 2026, moving the high-risk AI deadline from August 2026 to December 2027, the compliance industry exhaled. Coverage was nearly unanimous: the AI Act has been deferred. Management companies and TCSPs planning their AI governance programmes circled December 2027 on their calendars.

That reading is incomplete. The Omnibus deferred the Annex III high-risk obligations. It did not defer Article 50. The EU AI Act's transparency requirements for AI systems take effect on 2 August 2026, eight weeks from today. For management companies and TCSPs using digital onboarding, AI-assisted client communication, or any AI system that generates content for clients or regulators, August 2026 is not a deadline that moved.

What the Omnibus Actually Changed

The Digital Omnibus agreement, provisionally agreed on 7 May and confirmed by Member State representatives on 13 May, introduced targeted amendments to the EU AI Act. The headline change was the deferral of Annex III high-risk obligations for standalone use-case-based AI systems from 2 August 2026 to 2 December 2027. For AI embedded in regulated products under Annex I, the deadline moved from August 2027 to August 2028.

The Omnibus also introduced a grace period: AI systems already deployed before 2 August 2026 have until 2 December 2026 to comply with the watermarking requirement under Article 50(2), which requires providers to embed machine-readable markers in AI-generated synthetic content. That grace period shrank from the Commission's originally proposed six months to four months in the final agreement.

As Gibson Dunn noted in their 27 May client alert, "2 August 2026 remains an active compliance date." Article 50, in its primary disclosure provisions, was not amended by the Omnibus. The obligations covering disclosure of AI interaction, biometric categorisation, emotion recognition systems, and AI-generated content all land on 2 August 2026.

What Article 50 Actually Requires

Article 50 of the EU AI Act establishes transparency obligations for both providers and deployers of AI systems. It sits in a separate chapter from the high-risk provisions and has its own applicability date. Four obligations are relevant to the management company and TCSP context.

Disclosure of AI interaction (Article 50(1)): Providers of AI systems that interact directly with natural persons must ensure those persons know they are interacting with an AI system. The exemption is narrow: it applies only where this is obvious from context, or where the system is used for law enforcement purposes.

Machine-readable content markers (Article 50(2)): Providers of AI systems that generate synthetic audio, image, video, or text must ensure outputs are marked in machine-readable format as AI-generated. Existing systems deployed before August 2 have the four-month grace period introduced by the Omnibus.

Biometric categorisation and emotion recognition disclosure (Article 50(3)): Deployers of systems that use emotion recognition or biometric categorisation must inform the natural persons exposed to the system of its operation. This obligation sits with the deployer, not the provider, and carries no grace period in the Omnibus agreement.

Deepfake and AI-generated content disclosure (Article 50(4)): Deployers of systems that generate or manipulate deepfake content must disclose that the content is AI-generated. For text content "published with the purpose of informing the public on matters of public interest," deployers must disclose that the text is AI-generated unless a human has reviewed it and holds editorial responsibility for the publication.

Which of These Apply to Management Companies and TCSPs

The relevance of Article 50 to this audience is not hypothetical. It maps directly to three workflows that have been widely adopted across management companies and TCSPs over the past three years.

Digital KYC with biometric verification: Most management companies and TCSPs offering digital onboarding now use AI-powered identity verification workflows that include facial recognition matching, liveness detection, or biometric document authentication. These are biometric categorisation systems under the Act. Article 50(3) requires deployers to inform clients being processed through these systems of the system's operation. That is a disclosure obligation at the point of onboarding, with no grace period, effective 2 August 2026.

AI-assisted client-facing tools: Any firm that has deployed an AI-powered chatbot, virtual assistant, or automated response tool through which clients can submit queries, request documents, or receive compliance information is operating a system that directly interacts with natural persons under Article 50(1). The disclosure requirement does not depend on whether the system does something consequential. It depends on whether a natural person interacting with it would not otherwise know they are talking to an AI.

AI-generated regulatory and client communications: Article 50(4) requires deployers to disclose AI-generated text published with the purpose of informing the public on matters of public interest. Regulatory filings, investor reports, and client communications drafted substantially by AI tools may fall within this scope depending on their purpose and audience. The exception is meaningful and documented: if a compliance officer or legal counsel reviews the content and holds editorial responsibility, the text disclosure obligation does not apply. That exception requires a traceable review process, not a workflow assumption.

The AMLR Layer That Sits Beneath

Article 50's disclosure obligations operate alongside, not instead of, the AMLR requirements that apply from July 2027. Where AI is used in the KYC or CDD workflow, two separate obligations attach to the output.

The AMLR requires that AI-assisted compliance decisions be traceable, auditable, and backed by documented human oversight. The compliance file for a KYC case handled through an AI-powered verification workflow needs to show what the system processed, what output it produced, and what the human reviewer decided. That is an AMLR obligation about internal audit trail and accountability.

Article 50 operates differently. Its obligations are about external disclosure to the person affected by the AI system, or about labelling outputs as AI-generated for the record. These are not the same requirement as the AMLR audit trail. They are parallel obligations from two different instruments, with different purposes, different addressees, and different timelines.

A TCSP that has built its AMLR audit trail correctly will not automatically have satisfied its Article 50 obligations. And a TCSP that deploys the Article 50 disclosure mechanism at the point of biometric verification will not automatically have the AMLR case file linking that verification to a documented risk assessment. The two frameworks require separate, coordinated responses.

The Exception That Requires Evidence

Article 50(4) includes an exemption for AI-generated text that "has undergone a process of human review or editorial control" where a natural or legal person holds editorial responsibility for the publication. This is a substantive exemption, not an administrative one. It requires a documented process, not just theoretical oversight.

For management companies using AI to draft client letters, quarterly reports, or regulatory disclosures, this exemption may apply if the process includes genuine human review and a named responsible person. The key question is whether that review is documented and attributable. Firms whose AI-assisted drafting workflow routes through a formal approval step, records the reviewer's identity, and retains the reviewed version in the compliance file can rely on the exemption. Firms where AI-drafted text flows to distribution without a traceable review step cannot.

This is the same documentation discipline the AMLR requires for AI-assisted CDD decisions. Firms that have built their AMLR compliance infrastructure around documented human oversight already have the architecture the Article 50 exemption requires. The firms that have not are exposed under both frameworks, with the AI Act exposure arriving first.

The Position

The Omnibus deal gave compliance teams 16 additional months to prepare for Annex III high-risk AI governance. It did not give them any additional time on disclosure. The transparency obligations that apply to biometric verification in digital KYC, to AI-powered client communication tools, and to AI-generated content in regulatory filings all land on 2 August 2026.

The Omnibus reduced the compliance scope for most AML AI under the high-risk framework, because Recital 58 exempts AML and fraud detection AI from the Annex III classification. What it did not change is the transparency obligation that applies where AI is visible to the people it affects, whether in a biometric check at digital onboarding or in content that carries the firm's name and a regulatory purpose.

Compliance programmes built around December 2027 as the central AI Act horizon may have missed a more immediate obligation. The question to answer before August is not whether your AML screening model is high-risk. Most are not. The question is whether your digital onboarding system, your automated client communication workflow, and your AI-generated compliance documents carry the disclosure mechanisms Article 50 requires, and whether those mechanisms are documented well enough to survive an examination.

If your firm is mapping which Article 50 obligations apply to its current AI tools before the August deadline, we can help.