Future Proof Intelligence
No. I . MMXXVI
The Closing Window
RegulationA research paper . 30 pp

The roots of AI governance are setting now. The shape of the next decade is being decided by who is inside the standard before it hardens, not by who reads it after.

Everyone is waiting for the rules to be finished. This paper argues the waiting is the mistake. The binding text already exists. What is being decided now, quietly, is what it will mean in practice, and that layer is about to set hard. It describes the window, why it closes, and what it means to already be standing inside it.

The rules governing artificial intelligence are widely assumed to be unfinished, leaving time to position once the law is final. This paper argues the assumption is precisely inverted. The binding text of European AI law has existed since 2024. What is being decided now, in 2026, is what it will mean in practice: which technical standards carry the presumption of conformity, which conformity routes a system must pass, what an insurer will underwrite, what a certification must attest. That layer is soft, still drafted, still priced provisionally, and it is about to set hard. Grounding the argument in the real 2026 state of play, the phased AI Act timeline, the deferral of the high risk regime and what it actually reveals, the standards bodies, the relocation of liability into a strict product regime, and a hardening AI insurance market, the paper shows that governance of a general technology is decided at the root, before the visible structure exists, by whoever is operating there while it is still soft. The window for that is closing on a published schedule. This paper describes the window, why it closes, and what it means to already be inside it.

Pulled Insights, Paper No

I

The law is the part that arrives last

A statute states requirements at the level of principle. What those principles mean is decided beneath the statute, in standards and conformity and insurance, and that layer forms before the law is readable and stops changing once it is.

The deferral is not a reprieve

The high-risk regime was postponed because the load-bearing layer beneath it is not built, not because the structure is loosening. The deferral is an official, dated confirmation that the window is open and when it closes.

The standard carries the decision, the statute carries the legitimacy

A parliament can debate "appropriate human oversight." Whether that oversight is real or decorative is decided in a technical committee. The standard is not implementing a decision the legislature made. It is making the decision under cover of implementing one.

Self-assessment is exposure, not relief

When the law lets you assess yourself, it moves the burden of proof onto you, privately, in advance, with a heavy penalty tier waiting. The only thing that converts that exposure back into safety is a recognised reference to assess against, and portable proof you did.

Liability did not soften, it relocated and hardened

The bespoke fault-based AI liability instrument was withdrawn while software and AI were pulled into a strict, no-fault product liability regime with the claimant's path eased. Liability got simpler to impose and harder to escape, and it now attaches by default.

Insurance is the gate that closes first

An institution does not deploy what it cannot insure. Underwriters are deciding now what counts as adequate AI governance, ahead of any cited public standard, exactly as they once became the de facto standard-setter for cyber security.

When the layer sets, it does not record who understood it. It records who was inside it.

Request this research

The full paper, 30 pages, sent to you and yours to keep. We will know it reached someone serious.

One email. We do not add you to anything.