07:42, the mid-office goes quiet.
It's Monday morning. A senior agent is hand-checking a fare audit the system flagged as an exception. The gap between what the corporate contract requires and what the GDS issued is €187 per PNR. Multiplied by the month's volume, that number closes — or kills — the March RFP.
In the same moment, a competitor — the same corporate name in their portfolio — got the alert six hours ago, when an AI agent processed 14,000 transactions overnight and flagged 23 of them. Three already landed in the client's travel manager inbox with a re-issue proposal. By 09:00, their senior agent is talking strategy with the client, not chasing spreadsheets.
The difference between those two TMCs isn't the R&D budget. It's a decision made 18 months ago. One TMC decided. The other is still "evaluating vendors."
This article is not about how cool AI is. My audience — CEO, COO, IT Manager in a TMC — already knows that from LinkedIn, conferences, board pressure. This article is about the brutal cost of non-decision, about how Regulation (EU) 2024/1689 — the EU AI Act — is not what the lawyers told you (a brake) but what the consultants did not tell you (a quality filter). And why competitors who adopt on blind FOMO dig their grave just as efficiently as the ones who don't adopt at all.
Sit down. It's long. You've been warned.
The industry passed its inflection point
The public data tells the same story from three angles.
Skift × McKinsey, September 2025: 90% of travel executives report that their organisation uses gen AI "in some capacity." Sounds overwhelming. Then you read the fine print: only 22% use it widespread. Only 2% have agentic AI at scale. 38% have not touched agentic at all.
Phocuswright, 2H 2025: roughly 40% of US travellers used gen AI to plan a trip in 2025 — up 11 percentage points year-over-year. Over 80% of travel startups report meaningful AI adoption.
European Travel Commission, September 2025: 93% of European national tourism organisations have piloted AI. Piloted. Very few have anything operational.
Look at the three stats and you see the same pattern: high interest, low execution. The industry no longer debates whether AI enters travel. It debates why 88% of those who talk about AI have not reached widespread usage. And that is your window. But it's not a wide window.
McKinsey, in Remapping travel with agentic AI (2025), documents corporate clients reporting double-digit lifts on hotel attach rate and per-traveller cost reductions on AI-assisted bookings. This is not a whitepaper hypothesis. This is P&L.
The question is no longer "do we adopt or not." It's "how much of your non-decision's hidden tax does the company pay in 2026?"
Bad FOMO: noisy adoption without architecture
There's a cult in travel right now that looks like this: someone in the C-suite watches a keynote at GBTA, ITB or WTM. Comes back on Monday with a mandate — "we want AI too." Team buys the first chatbot that promises GDS integration. Pilots for two weeks. Demo looks good. Press release goes out. LinkedIn post follows.
Then:
- The chatbot has no PNR context. It answers generically to questions that depend on fare rules, baggage entitlements, the contracted corporate fare code. The agent still has to intervene. ROI = zero, plus the licence fee.
- The model hallucinates fare rules. Invents that a Y class allows full refund on an IATA carrier that doesn't. A sales executive calls at 21:00, furious.
- Duty of care: the AI tells a traveller Istanbul is safe on a day when the foreign ministry has issued an advisory. The crisis-23 team picks up the phone. Your compliance officer doesn't sleep for a week.
- PNR data flows through an LLM endpoint that isn't DPIA-ed and has no data-residency clauses. GDPR is already asking questions. The AI Act, once fully in force, doubles them.
This is what pilot purgatory means: six pilots running in parallel, zero in production, six reporting flows to the committee, zero EBITDA impact. Skift and McKinsey call the same phenomenon "AI in some capacity" — because nobody wants to admit to the board that the €200k pilot from Q3 delivered nothing measurable.
Bad FOMO is not adoption. It's adoption without architecture — no data model, no guardrails, no clear owner, no ROI metric defined before the first line of code. It's the travel-industry version of the phenomenon that killed 80% of big-data projects between 2014 and 2018. Back then we looked at Hadoop and said "we need that too." Now we look at LLMs.
The difference? Now you also have a regulator who demands proof you thought before you implemented.
Deferring the decision is still a decision — and it's the most expensive
Here is the thesis, unpacked:
In 2026, lack of a decision on AI adoption is the most expensive decision a TMC can make. The EU AI Act is not a brake. It's your quality filter. You adopt now, with guardrails, or you lose RFPs in 12-18 months — to someone who already did the work.
Let's do the simple math.
In the last three years, working inside a TMC, I've seen the same pattern three times. A corporate RFP reaches final short-list stage. Four TMCs make it into the room. On the question "what AI capabilities do you have operationalised for fare audit / duty of care / spend analytics?", two answer with strategy, two with PowerPoint. The two with strategy close the contract. The two with PowerPoint leave with the lesson. Not because AI won the RFP. Because the AI-readiness statement has become a mandatory field in any serious corporate client's RFI — alongside ISO 27001, GDPR DPIA and SLAs.
McKinsey reports in their 2025 agentic-travel piece double-digit lifts on hotel attach rate and per-traveller booking-cost reductions. That is not a whitepaper passage. That is what corporate clients see in their program-management report. And what they ask their procurement: "why isn't our current TMC delivering this?"
The real cost of non-decision is not visible in Q1. It is visible in the following Q4, when two major RFPs hit renewal, two hit compete, and your conversion rate halves. That's when you lose not just revenue. You lose reference accounts. And in B2B travel, reference accounts are the next 18 months of pipeline.
What does the competitor who adopted badly do in the meantime? They lose €200k on pilot purgatory. Then a client asks them for proof of an AI Act fundamental rights impact assessment (Art 27, where it applies). They don't have it. They also lose the contract. But their cost is €200k. Your cost is the whole portfolio.
Who pays more: the one who decides poorly, or the one who doesn't decide? The answer depends on how much longer the "evaluation" takes.
EU AI Act: not the brake, but your quality filter
Here's the part the lawyers explained to you in 47 slides and nobody understood anything.
Regulation (EU) 2024/1689 — the EU AI Act — classifies AI systems into four buckets: prohibited practices, high-risk systems, limited-transparency systems, minimal-risk systems. For a typical TMC, only the first two matter.
Article 5 — prohibited practices, in force since 2 February 2025. Means: you cannot use AI for subliminal manipulation, exploitation of vulnerabilities, generic social scoring, employee emotion inference (5(1)(f)), or biometric categorisation on sensitive attributes. For a TMC, two points are real:
- 5(1)(a) — manipulative techniques. If you ever considered using AI to "nudge" corporate travellers toward options more expensive for them without their knowledge — stop. The fine is up to €35M or 7% of global turnover. Per breach.
- 5(1)(f) — employee emotion at work. If a consultant proposes measuring "stress level" of call-centre agents via voice analytics to optimise shifts — refuse. Explicitly forbidden.
The rest of the real TMC use cases fall under Article 6 + Annex III — high-risk. Two relevant sub-categories:
- Annex III §4 — employment and workforce management. If you use AI for CV screening in recruiting, for agent performance evaluation, for case allocation by seniority — high-risk. You have concrete obligations: documentation, dataset governance, log retention, post-market monitoring.
- Annex III §5 — essential services. Creditworthiness scoring and insurance risk evaluation fall here. If for a corporate client you have an AI model deciding credit limit / payment terms — high-risk. If you resell insurance with AI underwriting — high-risk.
Then there's Article 4 — AI literacy, in force since 2 February 2025. This one applies to every TMC using any AI, even a ChatGPT subscription for marketing. You must demonstrate your staff has "a sufficient level of AI literacy." It's not a suggestion. It is a legal obligation.
Now the reframe: the AI Act doesn't stop you. It elevates you. Any competitor who doesn't understand it will send procurement vague AI-governance answers. You have a clear statement. The regulation is both a cost of market entry and a competitive advantage.
Don't take my word. Read the source directly — links out to EUR-Lex and artificialintelligenceact.eu above. Read them in one two-hour sitting. Costs less than an hour of consultancy.
The timeline that actually matters to a TMC CEO
Article 113 set the original calendar. But in November 2025 the Commission proposed the Digital Omnibus, and on 7 May 2026 the Council and Parliament reached a provisional political agreement that defers part of the obligations. Here's the real, post-Omnibus calendar:
- 2 August 2024 — the regulation entered into force. The clock has been ticking.
- 2 February 2025 — prohibited practices (Art 5) + AI literacy (Art 4) are applicable. These did not move. If you haven't appointed someone responsible for AI literacy in your organisation yet, you're already in default.
- 2 August 2025 — GPAI (general-purpose AI) rules + governance system + penalties. Your LLM vendor must comply with GPAI requirements. You, as deployer, must be able to request the documentation.
- 2 December 2027 — the bulk of high-risk obligations for Annex III systems (recruitment, employee evaluation, client scoring). Deferred from 2 August 2026 by the Digital Omnibus. Yes, you read that right: 16 extra months.
- 2 August 2028 — obligations for Annex I high-risk systems (AI components integrated into sectorally regulated products), deferred from 2 August 2027.
And here's the trap. You read "deferred by 16 months" and your brain hears "I have more time." Wrong. The regulator gave you breathing room; the competition didn't. Your client's procurement didn't. The legal deadline moved — the mandatory "AI-readiness statement" field in the RFI did not move with it. Those 16 months aren't a cushion. They're exactly the window in which a competitor who already decided compounds an advantage you can't recover before the next renewal.
The EU AI Act deferral is the best thing that could happen to the TMC adopting now with a plan — and the most dangerous trap for the one who reads it as an excuse to defer again.
What MiFID II and GDPR already taught us
This isn't Europe's first regulatory framework. And it's not the first time the industry has reacted as if the sky was falling.
MiFID II, 2018: initial costs were massive — €512-732M one-off for the sector, plus €312-586M recurring. The banking industry screamed for a year. Then something interesting happened: institutions that invested ahead of the deadline captured market share in adjacent services (collateralisation, market data services, advisory). Because they had the infrastructure. Their competitors spent two years catching up while losing clients.
GDPR, 2018: same story, with a twist. Everyone panicked in 2018. Some US vendors left the European market. By 2020-2021, the dust settled. Then research started showing what nobody anticipated: 62% of consumers feel more comfortable sharing data with a company that communicates clearly about data protection. 94% of organisations lose sales if their data-protection stance is unclear. GDPR stopped being "killer regulation." It became a sales lever.
The EU AI Act will follow the same trajectory. In 2025-2026, everybody will scream. By 2027-2028, having a clear AI Act compliance statement will be a mandatory field in RFIs. And the TMCs that treated it as a quality filter will be the ones using it as a sales lever.
It's the same pattern. For the third time. This time, let's not be last.
The real upside: what AI does inside a mature TMC
Past the rhetoric. What concretely does AI do in a well-architected TMC, with real guardrails, with AIA-ready governance:
Fare audit at scale. Bot processes 100% of issuances overnight. Compares issued vs contract fare rule vs comparable alternatives at booking time. Flags exceptions for a senior agent. Guardrail: mandatory human-in-the-loop on any action with impact > €X. Full logging per Art 12 + Art 13.
Multi-tenant BI. Spend, savings, sustainability, attendee-analytics dashboards — generated per client, logically isolated, GDPR-segregated. AI runs natural-language queries against the warehouse ("show me YoY hotel spend by city for client X"). Guardrail: strict RBAC, per-query audit trail, no cross-tenant data bleed. EU data residency, period.
Mid-office reconciliation. Automatic matching across PNR / invoice / payment / GL entries. Cuts reconciliation time from 12 days to 3. Guardrail: automatic exception routing to a human owner for delta > threshold. You don't let the LLM decide what counts as "acceptable reconciliation."
Duty of care — anomaly detection. Cross-source monitoring (live PNR + travel advisories + airport ops + weather + geopolitical feeds). Proactive alerts when a traveller enters a zone with a risk profile shift. Guardrail: clear classification of the AI's decision (informative vs recommendation vs action), human in the loop for any action.
RFP response generator. Assistant that pre-fills 60-70% of a standard RFP response based on your history of won bids, adjusted to the current RFI's specifics. Saves 20-30 hours per RFP. Guardrail: mandatory human validation pass on any factual claim and any SLA commitment.
Notice the pattern: every use case ships with an explicit guardrail. That's the difference between "we do AI" and "we do AI with an architecture that survives an AIA audit on 2 December 2027." One loses the RFP. The other wins it.
Over the last three years, I've seen each of those five use cases implemented in-house. Not on slides. In production. On real volume. Month-6 ROI ranged from 1.4x to 3.2x on the ones architected with guardrails. Month-6 ROI on the guardrail-less pilots was negative — because we shut them down.
Monday morning: 5 things you do in 90 days
If you're a TMC CEO, COO or IT Manager reading this, here are five concrete actions for the next 90 days. None require large budget. All require a decision.
1. Appoint an AI Literacy Owner. Article 4 has required this since 2 February 2025. It's not a new function — it's a mandate assigned to an existing function (typically IT Manager or Operations Director). This owner is accountable for: minimum 4 hours/year internal training for any AI-touching role, annual evaluation, audit documentation. Cost: minimal. Risk of non-execution: enormous.
2. AI-touchpoint inventory + Annex III classification. One Excel sheet. Columns: AI system name / vendor / purpose / risk category (prohibited / high-risk / limited / minimal) / data flow / DPIA status / data residency. Mark everything you touch — including ChatGPT Enterprise for marketing copy. Your surprise: you have between 8 and 25 AI touchpoints already active that HR or Marketing never told you about.
3. One mid/back-office process. One ROI metric. Pick a single process from the list above (fare audit, mid-office reconciliation, multi-tenant BI) and define a clear ROI metric before buying any solution. "60% reduction in reconciliation time" is a metric. "We're adopting AI to be more efficient" is not. Pilot for 60 days. Decide go / no-go on the metric, not on vibes.
4. Vendor due-diligence template. One template, two pages, seven sections: DPIA, AIA risk category, data residency, sub-processors, retention, contractual right to audit, exit clause. Every new AI vendor goes through this. The ones that don't pass — no exceptions — are eliminated from shortlist. Including the vendor recommended by the board member.
5. Kill one shadow-AI tool publicly. Strongest organisational signal. Identify an AI tool used by a team without official approval (you have at least three — I promise). Shut it down publicly, with justification. It's not discipline — it's signalling: AI governance is real, not rhetoric. The next shadow-AI tool won't get installed.
Five things. 90 days. Aggregate budget: under €20,000. Impact: you set the foundation for any other AI decision in the next two years. Plus, you have something to answer with on the next RFP.
The call is yours. The competition already made theirs.
Go back to 07:42 Monday morning, where the article opened.
In the scenario where you read this article and put those five things in next month's calendar, your mid-office in October 2026 looks different. The senior agent walks in at 09:00 and runs strategy with the client. Exceptions were processed overnight. The Q4 RFP carries an AI-readiness statement on page 3. And you can look at your competitors and say — without emotion, just math — "we decided a year ago, they're still evaluating."
In the scenario where you read this article and closed the tab, your mid-office in October 2026 looks exactly like today. With the difference that two major RFPs went to someone who decided. And that the AI Act deadline — even deferred to December 2027 — is closing in with no documentation ready.
The cost of a poor decision is finite. With a decent guardrail, you burn €200k on a pilot and learn. The cost of non-decision is exponential. And it doesn't show up in Q1. It shows up in Q4 — when it's too late.
The EU AI Act doesn't stop you. Competitors running on blind FOMO don't stop you. The only thing stopping you in 2026 is the impression you still have time.
You don't. And they know it.
---
Marian Matinca is an AI Adoption Lead with 15+ years in the travel industry. The article reflects observations from three years working at the intersection of travel management, business intelligence and AI governance. Counter-arguments, comments and concrete examples are welcome at mmatinca.eu.