Skyflow and the EU AI Act: Ready for August Deadline?
Most of the EU AI Act's hardest obligations come down to one thing: proving you control sensitive data wherever your AI touches it.
What Does the EU AI Act Actually Require for Sensitive Data?
Agents break traditional data security. The instinct is to strip sensitive data out before it reaches a model. As a backstop, that's sensible. As a strategy, it breaks.
A clinical assistant that cannot see the record cannot triage. A servicing agent that cannot see the account cannot resolve the case. The high-value use cases are exactly the ones that need the data.
So the goal isn't to remove sensitive data. It's to keep it usable while keeping it controlled, at the moment an agent or model touches it.
Most Compliance Programs Stop at Documentation
Most compliance programs write a policy: Support agents see the last four digits of a card number, never the full card number. Whether that policy holds depends on every code path that touches that card number checking the rule before returning data, every time. That is documented control.
Built control removes that dependency: The full card number never exists in plaintext outside the one system authorized to unmask it. A support agent's query returns a token. A model's prompt returns a token. There is no code path left that can hand back the real number to an unauthorized caller, because the architecture never puts the real card number within the agent or user’s reach.
That is the difference a regulator or an incident actually tests: not whether a policy exists, but what happens when someone tries to get the data without authorization. Article 10, Article 10(5), and Article 15 are three versions of that same test.
Here is how Skyflow’s runtime AI data control platform handles each of the obligations that matter:
What Counts as Good Data Governance Under the AI Act?
The requirement: Under Article 10, training, validation and testing data must be relevant, representative and documented, with traceable provenance across collection, labelling, cleaning and enrichment. Where that data is personal data, the GDPR applies in full.
How Skyflow helps: Isolate sensitive data and replace the values with format-preserving tokens. Skyflow detects and transforms sensitive values from structured data and unstructured information before the values reach training, validation, or testing pipelines.
- One governed copy and one audit trail, regardless of how many models or agents touch the data.
- De-identified data flows to models by default; actual values stay protected at the source.
- Tokens keep referential integrity, so workflows still work.
How Can Sensitive Data Be Used for Bias Detection?
The requirement: Article 10(5) permits processing of special categories of personal data (such as health or racial origin) to detect and correct bias, but only where strictly necessary, with pseudonymisation, access controls, and deletion once the bias work is done.
How Skyflow helps: This is a governed, minimised, auditable pipeline by definition.
- Expose sensitive attributes only under policy, only for the bias-testing purpose.
- Log every access for the record a regulator will ask for.
- Pseudonymisation is the default, not an extra step.
What Are the Security Requirements Across the AI Lifecycle?
The requirement: Under Article 15, high-risk systems must be accurate, robust and secure across their lifecycle. This maps directly onto GDPR Article 32, which requires pseudonymisation and encryption of personal data, the ability to restore access after an incident, and regular testing of safeguards.
How Skyflow helps: Centralising sensitive data shrinks the surface that has to be secured.
- Raw values never enter logs, prompts or vector stores.
- Re-identification happens only for entitled callers, at the point of need.
"Block an agent from sensitive data and it can't do its job. Unblock it completely and any prompt it processes can leak that data somewhere it shouldn't go. Neither is a real option once the agent is deciding what to look up in real time." - Anshu Sharma, Co-Founder & CEO, Skyflow
Did the EU AI Act Deadline Actually Move?
The May 2026 Digital Omnibus deferred the heavy high-risk obligations — Annex III systems now apply from 2 December 2027, Annex I product AI from 2 August 2028. The headline was that the EU delayed the AI Act.
But three things did not move:
- Transparency (Article 50) still applies from 2 August 2026.
- Watermarking and a new prohibition on non-consensual intimate imagery apply from 2 December 2026.
- GDPR was never delayed. The EU AI Act sits on top of it. If a system processes personal data of someone in the EU today, GDPR applies today.
The high-risk compliance deadline moved, from August 2026 to December 2027 and August 2028. The data exposure underneath it did not.
What Should Enterprises Do Before the Next Deadline?
Find where sensitive data enters your AI systems, including unstructured data sources like PDFs, images, and call recordings.
Tokenize it once. Govern it everywhere it goes next, including every agent and tool that touches it.
Use the deferral as time to build the durable version, not to wait.
What This Will Look Like in Practice
For a multinational health system running an AI assistant that triages incoming patient messages across several EU markets:
- The assistant needs the clinical history to triage correctly. It does not need the patient's name, national ID, or insurance number.
- Skyflow tokenizes those three fields before the patient message reaches the model.
- The assistant reasons over a record that is clinically complete and free of PHI.
- When an authorized clinician opens the case, the name, ID, and insurance number are rehydrated under policy, and the access is logged.
Nothing else about how the system works changes. That is what Article 10's provenance requirement and Article 15's lifecycle security requirement look like in practice.
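The triage walkthrough above, and the "built control" point earlier on the page (a token is all the agent-facing read path can return), as an added example. This is hypothetical code written for this article, not Skyflow's platform or API: a small token vault that detects three identifying fields in a constructed patient message with toy regexes, replaces them with deterministic, format-preserving tokens before the text goes to the model, and rehydrates them only for roles a hypothetical `REVEAL_POLICY` entitles, logging every allow and deny.

```python
# Added example: a minimal token vault in front of a triage assistant.
# Hypothetical code for illustration; not Skyflow's product or API.
import hashlib
import hmac
import re
import secrets

# Constructed sample input (fictional patient; not real data).
SAMPLE_MESSAGE = (
    "Patient: Maria Lopez, national ID 123456789, insurer no. INS-44821. "
    "Chest tightness since Tuesday; asthma history, on salbutamol. "
    "Follow-up call for Maria Lopez booked Friday."
)

# Toy detectors for the three fields the assistant must not see. Real
# detection (NER for names, document classifiers) is out of scope here.
DETECTORS = {
    "name": re.compile(r"Patient: ([A-Z][a-z]+ [A-Z][a-z]+)"),
    "national_id": re.compile(r"\b(\d{9})\b"),
    "insurer_no": re.compile(r"\b(INS-\d{5})\b"),
}

# Hypothetical reveal policy: role -> fields it may rehydrate. The model
# path has no entry at all, so it can never detokenize anything.
REVEAL_POLICY = {
    "clinician": {"name", "national_id", "insurer_no"},
    "billing": {"insurer_no"},
}


class Vault:
    """The one system that holds plaintext. Everything else handles tokens."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # keyed, so tokens are unguessable
        self._store = {}                     # token -> (field, value)
        self.audit = []                      # one entry per reveal attempt

    def _fp_token(self, fname, value):
        # Deterministic per (field, value): the same value always yields the
        # same token, so joins and repeated mentions stay consistent
        # (referential integrity). Each character keeps its class, so the
        # token passes the same format checks the original value would.
        digest = hmac.new(self._key, f"{fname}:{value}".encode(), hashlib.sha256).digest()
        out = []
        for i, ch in enumerate(value):
            b = digest[i % len(digest)]
            if ch.isdigit():
                out.append(str(b % 10))
            elif ch.isupper():
                out.append(chr(ord("A") + b % 26))
            elif ch.islower():
                out.append(chr(ord("a") + b % 26))
            else:
                out.append(ch)
        return "".join(out)

    def tokenize(self, fname, value):
        token = self._fp_token(fname, value)
        self._store[token] = (fname, value)
        return token

    def reveal(self, token, caller, role):
        """Return the plaintext behind a token if policy allows; log either way."""
        fname, value = self._store.get(token, (None, None))
        allowed = fname is not None and fname in REVEAL_POLICY.get(role, set())
        self.audit.append({"caller": caller, "role": role, "field": fname,
                           "token": token, "decision": "allow" if allowed else "deny"})
        if not allowed:
            raise PermissionError(f"role {role!r} may not reveal field {fname!r}")
        return value

    def rehydrate(self, text, caller, role):
        """Swap tokens back to values where the role permits. Denied fields stay
        tokenized; the denial is already recorded in the audit log."""
        for token in list(self._store):
            if token in text:
                try:
                    text = text.replace(token, self.reveal(token, caller, role))
                except PermissionError:
                    pass
        return text


def tokenize_message(vault, message):
    """Model-facing path: every occurrence of each detected identifier is
    replaced by its token. The returned text carries no handle to the vault."""
    for fname, pattern in DETECTORS.items():
        for value in set(pattern.findall(message)):
            message = message.replace(value, vault.tokenize(fname, value))
    return message


def leaks_original_values(tokenized, original):
    """True if any detected plaintext identifier survived tokenization."""
    return any(value in tokenized
               for pattern in DETECTORS.values()
               for value in pattern.findall(original))


def run_demo():
    vault = Vault()
    for_model = tokenize_message(vault, SAMPLE_MESSAGE)
    for_clinician = vault.rehydrate(for_model, "dr.hansen", "clinician")
    for_billing = vault.rehydrate(for_model, "billing-bot", "billing")
    return {"vault": vault, "for_model": for_model,
            "for_clinician": for_clinician, "for_billing": for_billing}


if __name__ == "__main__":
    result = run_demo()
    print("model sees:    ", result["for_model"])
    print("clinician sees:", result["for_clinician"])
    print("billing sees:  ", result["for_billing"])
    for entry in result["vault"].audit:
        print(entry)
```

Two design points carry the page's argument. First, the model path only ever calls `tokenize_message`; it has no reference to `Vault.reveal`, so there is no code path on that side that could return a real value, which is the built-control property rather than a documented one. Second, because the token is derived deterministically from the field and value under a vault-held key, "Maria Lopez" appearing twice in the message maps to one token, so the assistant can still see that both sentences refer to the same patient without learning who that is.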
What's the Bottom Line on EU AI Act Data Compliance?
Keep the data usable but controlled: tokenized at the source, governed by policy, rehydrated only for the right caller at the right moment. That satisfies the Act's data obligations as design rather than as a promise.
The high-risk deadline moved. The data problem did not.
Beyond the AI Act: Where does your data live?
None of this answers a related question that engineering, data, and security teams are asking: who can access sensitive data, and where does it have to live? Data residency and sovereign AI mandates run on a separate compliance track from the AI Act, and the same instinct that breaks EU AI Act compliance, bolting on a control after the fact, breaks sovereignty too.
Where sensitive data lives, and who can reach it, are two versions of the same architectural question. Get the architecture right once, and both answers fall out of it.
Skyflow CEO Anshu Sharma unpacks that second question in this upcoming webinar: What sovereign AI actually means for enterprises, and what a pragmatic, architecture-first approach to data sovereignty looks like. Sign up now.