The EU AI Act, in force since August 2024 and phasing in through 2027, is the first comprehensive AI regulation in any major jurisdiction. Here is what it actually requires, who it applies to, and what organisations should be doing now.

Pre-LLM phishing was constrained by language. Post-LLM phishing is not. The result is a measurable upgrade in lure quality, a wider reach into non-English-speaking markets, and an emerging class of personalised attacks that were previously economically unviable.

AI is now in nearly every security product’s marketing copy. Some of it has changed the game; some of it has not changed anything. Here is a category-by-category honest assessment of where machine learning has actually moved the security needle and where the marketing has run ahead of the technology.