I worked at one of the largest banks in the United States. Too-big-to-fail, marble-lobbied American finance. And at some point — with what I can only assume was a completely straight face — someone in Physical Security decided that access to the restroom required a laminated pass.
Not metaphorically. A physical, scannable, forgettable-and-you'd-better-not-forget-it pass. The kind of card that, when you fumbled for it at 2pm post-coffee, made a colleague who'd seen you every day for three years watch you prove you were allowed to exist in a bathroom.
The data — billions of dollars of it, account numbers, social security numbers — lived on servers you could reach from your desk. The bathroom required a badge.
Time Was a Controlled Substance
The pass was merely the headline act. The supporting cast: logged entry times, keycard swipes forming a complete geographic map of your day — which printer, how long in the break room, when you arrived. Someone had a dashboard of your physical life.
Nobody called it behavioural analytics. It was just security. You complained about it the way you complained about the vending machine — loudly, briefly, then you moved on.
What strikes me now is how thoroughly normalised total monitoring became — because it had edges. The badge didn't follow you home. There was a door, and you walked through it, and the system stopped caring. That boundary was obvious. You could feel it.
When the Badge Became a Cookie — and Then a Model
Every debate in the EU AI Act, every scramble around data sovereignty, every anguished conversation about profiling — it is the bathroom pass problem, scaled by ten million, with the edges removed.
At the bank, the system was clunky, obvious, and legible. You knew the camera was there.
Now? The monitoring is frictionless. No clicking badge reader. No awareness of where the boundary sits. Data about where you pause, what you hesitate over, how long you looked at something before clicking away — it flows silently into systems generating inferences about you that you will never read and cannot contest.
The bathroom pass was annoying precisely because it was visible. That visibility was, it turns out, a feature.
What the Old Bank Would Make of Today's Debates
The EU AI Act's high-risk system categories? The bank had sensitive floors — extra badge, extra justification. Same idea, larger argument.
Behavioural profiling bans? The bank never inferred you were going to steal because you used the bathroom three times before 10am. There were humans applying judgment, not models applying correlation. The Act draws exactly this line — banning social scoring and risk assessment conducted purely by automated pattern-matching, without human review. The bank was accidentally compliant.
Data minimisation? The bank didn't store your elevator conversation. Not out of principle — it just didn't have the storage. Somewhere between then and now, storage became free, and minimisation had to become a deliberate choice. Here we are.
Data rights — the ability to see, query, and correct what's held about you — sit at the intersection of GDPR (which established them) and the AI Act (which extends them into automated inference). Twenty years ago this was considered absurd. In 2026 it is law. Progress is slow, then sudden.
Nordic Compliance Serenity: A Field Observation
I talk regularly with CXOs across the Nordic region. Thoughtful, globally connected, institutionally literate people. When the EU AI Act comes up, I notice something consistent enough to be its own phenomenon.
There is genuine intellectual curiosity. They have read the summaries. Some have read the act itself. No hostility, no reflexive allergy to regulation — these are people who built societies on the idea that sensible rules, properly applied, produce good outcomes.
And then — almost without exception — comes the turn. Delivered calmly, over excellent coffee:
"Yes, of course. We'll need to address it. But there is still time. The direction is right — good to have this. When it becomes mandatory, we will be ready."
I call this Nordic Compliance Serenity. It is not denial. It is not arrogance. It is a deep, almost philosophical trust that the system will signal clearly before the deadline arrives.
Historically, in Scandinavia, this has been a reasonable bet.
The problem is that the EU AI Act is not a Nordic institution. And some of its deadlines have already passed.
Prohibited AI practices and AI literacy obligations became enforceable February 2, 2025. General-purpose AI model requirements landed August 2025. The broader framework applies from August 2026. Some high-risk product categories extend to 2027 — which is perhaps why the calendar feels spacious. It isn't, uniformly.
And then there is the number that tends to rearrange furniture in boardrooms:
Non-compliance fines reach up to €35 million or 7% of global annual turnover — whichever is higher.
For context: GDPR, which everyone spent years dreading, peaks at 4%. The AI Act looked at that number and raised it. For a large Nordic enterprise, 7% of global turnover is not a compliance line item. It is an existential event dressed in regulatory language.
The curious thing is that the fine is almost beside the point. The sharper consequence is operational: authorities can require non-compliant AI systems to be withdrawn from the EU market entirely. You do not get to keep running the product while the lawyers sort it out.
The Honest Punchline
The bank employees who complained loudest about the bathroom pass had thought about the policy extensively. They had sensible views on its absurdity. What they had not done was prepare for the morning they forgot the pass and stood outside the door. That morning always came. It was never convenient.
The Nordic CXO who is calmly curious about the EU AI Act is already ahead of peers in regions who haven't looked at it at all. The literacy is there. The foundation is there. What is quietly needed — and what most of them already sense — is moving the conversation from the interesting chair to the operational one.
"Good to have" is an opinion about the regulation. "Must-have by February 2025" was a calendar entry. That one has already passed.
At NordicMojo, that gap between knowing and doing is exactly where we work. Preferably before you find yourself outside the door, looking for a pass you meant to get around to laminating.
Verified against EU AI Act Article 99 (penalties), Article 5 (prohibited practices), and the official application timeline (Regulation EU 2024/1689). GDPR comparison based on Article 83 maximum thresholds.
