The EU AI Act is no longer a future concern. As of August 2026, high-risk AI system obligations are in full effect, and enterprises operating in or selling into the EU market are either compliant, in remediation, or quietly hoping nobody notices. The last category is shrinking fast as national supervisory authorities begin their first formal enforcement cycles.
I've spent the past several months helping organizations work through their AI Act readiness assessments, and the gap between what leadership thinks their compliance posture is and what it actually is tends to be significant. This post is about closing that gap practically — not rehashing the regulation's structure, which you can read in the official text.
Why Most Enterprise AI Act Assessments Are Incomplete
The first problem is scope. Most organizations have catalogued their "AI systems" based on what the IT department built or purchased as AI. That misses a large category: ML models embedded in existing enterprise software that predate the AI Act conversation entirely. Your ERP's demand forecasting module, your HR platform's resume screening logic, your credit scoring integration — these are AI systems under the Act's definition if they meet the risk classification criteria.
The second problem is the high-risk classification itself. Organizations tend to assume that if they're not building autonomous weapons or mass surveillance tools, they're in the clear. The Act's Annex III list is more mundane than that. AI systems used in employment decisions, credit evaluation, educational assessment, and critical infrastructure management all qualify as high-risk. If you're using any SaaS product with embedded AI in these domains, you have obligations even if you didn't build the model yourself.
The Risk Classification Exercise: Where to Start
Before you can comply, you need an accurate inventory. The framework I use with clients has three passes:
Pass 1: Identify All AI-Assisted Decision Points
Map every workflow where an automated or semi-automated system influences a decision about a person or a regulated process. "Influences" is deliberately broad — a system that ranks candidates for human review still influences the outcome even if a human makes the final call.
Don't rely on vendor labels here. "AI-powered" marketing copy doesn't tell you whether a system is a simple rule engine (likely out of scope) or a trained model with emergent behavior (potentially in scope). You need to ask vendors directly and get written responses you can show a regulator.
Pass 2: Apply the Risk Classification Criteria
For each system identified, work through the classification hierarchy: prohibited (ban these immediately), high-risk (Annex III), limited-risk (transparency obligations only), and minimal risk (no obligations beyond good practice).
The judgment calls are in Annex III. "Recruitment and HR management" is broad enough to cover most modern talent platforms. "Access to essential private and public services" covers credit, insurance, and benefits determinations. If you're uncertain, default to high-risk classification — the cost of over-compliance is documentation overhead; the cost of misclassification is enforcement exposure.
Pass 3: Map Obligations to System Owners
Each high-risk system needs an assigned owner who is accountable for the compliance obligations: risk management system, data governance documentation, human oversight mechanisms, accuracy and robustness testing, and post-market monitoring. These aren't one-time tasks — they're ongoing operational requirements.
The Documentation Burden Is Larger Than Expected
High-risk AI systems require technical documentation that would satisfy an audit by a conformity assessment body or national supervisory authority. The required elements include:
| Documentation Requirement | Who Owns It | Typical Effort |
|---|---|---|
| System description and intended purpose | Product/IT | Low (1–2 days) |
| Training data governance records | Data/ML team | High (weeks if not already documented) |
| Algorithmic transparency / explainability | ML team | Medium–High (model-dependent) |
| Human oversight mechanism design | Process/Operations | Medium (2–4 weeks) |
| Accuracy and bias testing results | QA/ML team | High (ongoing) |
| Incident and anomaly log | Operations | Low (if tooling exists) |
The training data governance records are where most organizations hit a wall. If you've been operating ML systems without rigorous data lineage tracking, reconstructing that documentation retroactively is painful. For third-party models, you're dependent on vendor cooperation — and not all vendors have this documentation ready.
Human Oversight: The Requirement That's Hardest to Implement Well
The Act requires that high-risk AI systems be designed to allow effective human oversight. "Allow" is the operative word — the system must make oversight practically possible, not just technically possible. A human reviewer who rubber-stamps AI decisions because the volume is too high and the interface provides no meaningful context isn't providing oversight in any sense the regulation contemplates.
What often gets overlooked is that human oversight is a process design problem, not just a software feature. It requires:
- Reviewers who have enough domain knowledge to meaningfully evaluate AI outputs
- Interfaces that surface the AI's reasoning, confidence levels, and key input factors
- Workload that's actually manageable — oversight at 500 decisions per day per reviewer isn't oversight
- Clear escalation paths and override mechanisms that are logged and auditable
In practice, most organizations will need to redesign existing review workflows rather than just adding an "AI recommended X" label to the current interface. That's a non-trivial process change that takes time and organizational buy-in.
GPAI Models: The New Frontier for Enterprise Legal Teams
The Act's General Purpose AI (GPAI) provisions add a layer of complexity for enterprises using foundation model APIs — which is now essentially every organization with a modern tech stack. If you're calling the Claude API, OpenAI, or Gemini directly, your legal team needs to understand the downstream obligations.
The short version: providers of GPAI models bear primary obligations for transparency and copyright compliance. But enterprises that deploy GPAI models in high-risk contexts bear deployer obligations on top of whatever the provider supplies. The combination of GPAI usage and high-risk deployment is where the most complex compliance questions currently live, and regulatory guidance is still evolving.
Practical Enforcement Timeline: What's Actually Happening
As of mid-2026, enforcement is uneven across EU member states. Germany's national supervisory authority (BNetzA) has been the most active in publishing guidance and beginning informal inquiry processes. France's CNIL is approaching AI Act enforcement through its existing data protection lens. Smaller member states are still building regulatory capacity.
The enforcement pattern emerging resembles early GDPR enforcement: significant initial focus on high-profile cases with clear violations, followed by gradual expansion to systemic audits of specific sectors. Financial services and healthcare are likely to see the first formal enforcement actions given the clear high-risk classification of AI systems in those sectors.
Building the Internal Governance Structure
Organizations that are handling this well have established an AI governance committee with cross-functional representation: legal, data protection, IT/engineering, business operations, and risk. This isn't a compliance team checkbox — it's an operational body that reviews new AI deployments against the risk classification criteria before go-live.
The gate review process is the critical mechanism. Every new AI system or significant update to an existing system goes through: risk classification, documentation checklist, human oversight design review, and sign-off from the committee. Without this gate, compliance becomes a retroactive audit exercise rather than an embedded operational practice.
My Take: The Compliance Cost Is Real, But So Is the Upside
I've heard CTO peers frame the EU AI Act as pure regulatory overhead with no business benefit. That's too cynical. The documentation and oversight requirements are forcing conversations that should have happened anyway: which AI systems are we actually running? Who is accountable for their outputs? How would we detect and respond to a model behaving unexpectedly?
Organizations that build this governance infrastructure properly end up with better AI reliability, clearer vendor accountability, and a defensible position when something does go wrong. The compliance cost is front-loaded; the operational benefits compound over time.
The organizations I'm most worried about are the ones treating this as a legal formality rather than an operational shift. They'll pass initial documentation reviews, but when the first incident hits — a biased HR model output, a credit scoring anomaly — they'll have no real governance infrastructure to respond with.
Key Takeaways
- Most enterprise AI Act scope assessments miss embedded ML in existing SaaS platforms — start there before looking at internally built systems.
- Deployer obligations are real: using a third-party high-risk AI system creates compliance obligations even if you didn't build it.
- Human oversight is a process design problem, not a software feature — nominal oversight mechanisms that don't work in practice will fail an audit.
- Training data governance documentation is the hardest gap to close retroactively — address this first for any high-risk system.
- Frame AI Act compliance as an extension of your GDPR framework, not a separate workstream.
- Build a gate review process for new AI deployments — retroactive compliance is significantly more expensive than embedded governance.
If you're working through an AI Act readiness assessment, what's the biggest gap you've found — scope identification, documentation, or human oversight design? I'm particularly interested in how teams are handling third-party GPAI API usage in high-risk contexts.
🚀 Want to automate your content and reporting pipelines the way I've automated mine? I built a working system for this — Check it out on Gumroad →
댓글
댓글 쓰기