April 26, 2026

EU AI Act Compliance Checklist: 12 Steps to Get Ready

Cristina Peterson

August 2026 is closer than it looks.

The EU AI Act — the world’s first comprehensive legal framework for artificial intelligence — reaches full applicability in just months. For organizations that build, deploy, or use AI systems in or affecting the EU, the window to get compliant is narrowing fast.

The challenge isn’t just understanding the law. It’s translating legal obligations into operational reality: inventorying your AI systems, assigning risk tiers, building documentation, standing up governance processes, and making sure the humans in your organization actually know what they’re responsible for.

This checklist walks you through 12 concrete steps to get your organization EU AI Act-ready — organized in the order you should tackle them.

Why You Need to Start Now

Many organizations assume EU AI Act compliance is a legal project. It isn’t. It’s an operational transformation.

The high-risk AI obligations alone — risk management documentation, training data governance, audit logging, human oversight mechanisms, conformity assessments — require infrastructure changes that can take months to design, build, and validate. Organizations that wait for final regulatory guidance before acting will run out of runway.

Key EU AI Act timeline milestones:

  • February 2025: Prohibited AI practices ban took effect
  • August 2025: GPAI model obligations and governance rules apply
  • August 2026: Full applicability — all high-risk AI system obligations enforced
  • August 2027: High-risk AI systems embedded in regulated products must comply

If your organization hasn’t started, start today. Here’s how.

The EU AI Act Compliance Checklist

Step 1: Build Your AI Inventory

You cannot govern what you cannot see.

The first step in EU AI Act compliance is knowing exactly what AI systems your organization uses, builds, or deploys — including systems embedded in third-party software, SaaS tools with AI features, and AI used by individual employees outside IT-approved channels (shadow AI).

Your AI inventory should capture:

  • System name and vendor (if third-party)
  • Core functionality and intended use case
  • Data inputs and outputs
  • Deployment context — who uses it, for what decisions
  • Whether the system is in-house built, fine-tuned, or third-party
  • Current documentation status

This inventory becomes the foundation for every subsequent compliance step. Without it, you’re making risk classification decisions without the full picture.

Action: Assign an owner to the AI inventory. Schedule a cross-functional discovery exercise involving IT, security, legal, procurement, and business unit leads. Use AI discovery tooling to surface shadow AI touchpoints that manual interviews will miss.

Step 2: Classify Every System by Risk Tier

Once you have your inventory, every system needs a risk classification under the EU AI Act’s four-tier framework: Unacceptable, High Risk, Limited Risk, or Minimal Risk.

Classification criteria to apply for each system:

  • Does it fall into a prohibited use case? (Annex I) — If yes, it cannot be deployed in the EU
  • Does it fall into a high-risk category? (Annex III) — If yes, full compliance obligations apply
  • Does it interact with users in ways requiring disclosure? — If yes, limited risk transparency rules apply
  • Does it fall outside the above? — Minimal risk, no specific obligations

Common classification traps:

  • A system used for multiple purposes may be high-risk for some uses and minimal risk for others — classify by the highest-risk use case
  • Embedded AI in regulated products (medical devices, vehicles, industrial machinery) follows a dual compliance path — both the AI Act and the product’s sectoral regulation
  • AI systems that evolve or expand scope over time may move risk tiers — classification is not a one-time exercise

Action: Document the classification rationale for every system, especially those near the boundary between tiers. Err toward higher risk classification when uncertain.

Step 3: Immediately Audit for Prohibited Practices

The prohibited AI practices ban has been in effect since February 2025. If your organization is running any system that falls into a prohibited category, you are already non-compliant.

Prohibited practices to audit for:

  • Social scoring systems that affect individuals’ access to services or rights
  • Real-time biometric identification in public spaces (outside narrow law enforcement exceptions)
  • Subliminal or manipulative AI targeting behavioral vulnerabilities
  • AI exploiting vulnerabilities of children, elderly, or disabled individuals
  • Emotion recognition in workplace or educational settings (outside safety exceptions)
  • Predictive policing based solely on profiling

Action: Conduct an immediate legal review of any AI system that touches biometrics, behavioral analysis, emotional inference, or individual scoring. Engage outside counsel if scope is unclear. This is not a step to defer.

Step 4: Establish a Cross-Functional AI Governance Team

EU AI Act compliance cannot be owned by legal alone, or IT alone, or compliance alone. It requires sustained collaboration across functions.

Your AI governance team should include:

  • Legal/Compliance — regulatory interpretation, obligations mapping, documentation standards
  • IT/Security — technical implementation of requirements, access controls, audit logging
  • Data/Privacy — training data governance, data quality standards, privacy integration
  • HR/People — employee training, policy enforcement, oversight of HR-facing AI tools
  • Business Unit Leads — context on how AI systems are actually used in production
  • Executive Sponsor — accountability, resourcing, and escalation authority

Action: Charter the team formally with defined scope, meeting cadence, decision rights, and executive sponsorship. Assign a named AI Compliance Lead responsible for coordinating obligations across functions.

Step 5: Establish Risk Management Documentation for High-Risk Systems

For every system classified as high-risk, the EU AI Act requires a documented risk management process — not a one-time assessment, but an ongoing system maintained throughout the AI lifecycle.

Your risk management documentation must cover:

  • Identification and analysis of known and foreseeable risks the system poses
  • Estimation and evaluation of risks that may emerge in intended use and reasonably foreseeable misuse
  • Evaluation of risks based on post-market monitoring data (once deployed)
  • Adoption of risk mitigation measures proportionate to the risk identified

Action: Build a risk management template specific to each high-risk system. Document risks at the design stage, update at each significant change, and establish a review cadence for post-deployment monitoring. This documentation must be available to regulators on request.

Step 6: Establish Training Data Governance

High-risk AI systems must be trained and tested on data that is relevant, representative, and free from errors — and you must be able to prove it.

Training data governance requirements include:

  • Documentation of data collection methodology and sources
  • Analysis of possible biases and steps taken to mitigate them
  • Evidence that data is sufficiently representative of the intended use population
  • Data quality assessments before training and before significant model updates
  • Lineage tracking — knowing where your data came from and how it was processed

Action: If your organization fine-tunes models or trains custom AI on internal data, establish a formal data governance process that produces auditable documentation. For third-party models, obtain and review available model cards and data sheets. Flag gaps where provider documentation is insufficient.

Step 7: Implement Technical Documentation and Audit Logging

The EU AI Act requires detailed technical documentation for high-risk AI systems — sufficient for regulators to assess compliance. This documentation must be created before deployment and kept up to date.

Technical documentation must include:

  • General description of the system and its intended purpose
  • System architecture and design choices
  • Training methodologies and data used
  • Validation and testing procedures and results
  • Known limitations and foreseeable misuse scenarios
  • Monitoring, maintenance, and update procedures
  • Cybersecurity measures

In addition, high-risk systems must generate audit logs automatically — records of system operation that allow post-hoc review of outputs, decisions, and anomalies.

Action: Implement logging at the model inference level — capturing inputs, outputs, timestamps, user identifiers, and confidence signals where available. Ensure logs are tamper-evident, retained for at least the period specified by applicable regulation, and accessible for regulatory review.

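One way to make inference logs tamper-evident, as an added example that is not part of the original post: every record carries the SHA-256 hash of the record before it, so editing or deleting any earlier entry breaks the chain and is caught on verification. The model name, user identifier and field values are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed example (not from the original post): an append-only, hash-chained
# log of model inference events. Each record stores the hash of the record before
# it, so editing or deleting any earlier record breaks every link that follows.

GENESIS = "0" * 64  # anchor for the first record's prev_hash

def record_hash(record):
    # Hash every field except "hash", using a stable serialization so an
    # identical record always hashes identically.
    body = {k: v for k, v in record.items() if k != "hash"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

class InferenceAuditLog:
    def __init__(self):
        self.records = []  # append-only; never rewritten in place

    def append(self, model_id, user_id, inputs, outputs, confidence=None, ts=None):
        record = {
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "model_id": model_id,
            "user_id": user_id,
            "inputs": inputs,
            "outputs": outputs,
            "confidence": confidence,  # None when the model exposes no score
            "prev_hash": self.records[-1]["hash"] if self.records else GENESIS,
        }
        record["hash"] = record_hash(record)
        self.records.append(record)
        return record["hash"]

    def verify(self):
        # Recompute every hash and chain link; return (ok, first_bad_index).
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec["prev_hash"] != prev or record_hash(rec) != rec["hash"]:
                return False, i
            prev = rec["hash"]
        return True, None

def demo():
    # Two constructed credit-scoring decisions, then a silent edit of the first.
    log = InferenceAuditLog()
    log.append("credit-scoring-v3", "analyst-17", {"income": 42000},
               {"decision": "decline"}, confidence=0.62, ts="2026-03-01T09:00:00+00:00")
    log.append("credit-scoring-v3", "analyst-17", {"income": 91000},
               {"decision": "approve"}, confidence=0.91, ts="2026-03-01T09:01:00+00:00")
    before = log.verify()
    log.records[0]["outputs"]["decision"] = "approve"
    return before, log.verify()
```

In production the latest hash would also be anchored outside the writable store (a signed checkpoint or a separate system), since a chain alone cannot detect truncation of its newest records.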

Step 8: Build Human Oversight Mechanisms

This is one of the most operationally demanding EU AI Act requirements — and one of the most commonly underprepared.

High-risk AI systems must be designed and deployed so that natural persons can effectively oversee them. Human oversight isn’t satisfied by having a human nominally “in the loop.” The human must be capable of:

  • Understanding the system’s capabilities and limitations
  • Detecting and responding to anomalies and unexpected outputs
  • Overriding or stopping the system when necessary
  • Refusing to act on system outputs when appropriate

Action: For each high-risk system, define the human oversight role explicitly: who is responsible, what they review, how often, and what escalation path exists. Design system interfaces that surface uncertainty and anomalous outputs to reviewers rather than burying them. Document that human oversight is operational — not just described in policy.

Step 9: Address Transparency and Disclosure Obligations

Transparency obligations apply broadly across the EU AI Act — not just to high-risk systems.

Key transparency requirements to implement:

  • Chatbots and conversational AI: Users must be informed they are interacting with an AI system at the start of every interaction
  • Emotion recognition and biometric categorization: Individuals must be notified when these systems are operating
  • AI-generated content: Synthetic media must be labeled as AI-generated, with machine-readable disclosure markers for deepfakes and synthetic audio/video
  • High-risk system users: Deployers must receive clear information about system capabilities, limitations, and oversight requirements

Action: Audit every user-facing AI touchpoint for disclosure compliance. Implement disclosure language and UI elements. For synthetic media, implement technical watermarking or metadata tagging where required. Document all disclosure implementations.

Step 10: Manage GPAI Model Dependencies

If your organization integrates General-Purpose AI models — GPT-4, Claude, Gemini, Llama, or similar — into your products or workflows, you have GPAI-specific obligations to address.

As a GPAI deployer, you must:

  • Verify that your GPAI provider is meeting their obligations under the EU AI Act (documentation, copyright compliance, systemic risk obligations where applicable)
  • Understand the terms under which the provider shares information required for your downstream compliance
  • Ensure your own deployment layer — prompts, retrieval systems, output handling, access controls — meets applicable requirements
  • Document how GPAI capabilities are used and what safeguards are in place

Action: Request and review your GPAI provider’s EU AI Act compliance documentation. Identify gaps between what providers disclose and what you need for your own compliance. Build your deployment layer with governance controls that don’t depend entirely on provider-level safeguards.

Step 11: Prepare for Conformity Assessments

Certain high-risk AI systems require a conformity assessment before deployment — a formal evaluation confirming the system meets EU AI Act requirements. For some categories, this must be conducted by an accredited third party.

Conformity assessment requirements vary by system type:

  • Most Annex III high-risk systems can use a self-assessment process, provided documentation is thorough and complete
  • High-risk AI systems in biometrics and critical infrastructure may require third-party assessment
  • AI embedded in regulated products (medical devices, machinery) follows the conformity assessment path of the relevant product regulation

Action: Determine which conformity assessment path applies to each high-risk system. For self-assessment, build an internal process that mirrors third-party audit rigor — it will hold up better under regulatory scrutiny and prepares you if third-party assessment is later required. Register compliant systems in the EU AI database where required.

Step 12: Establish Post-Deployment Monitoring and Incident Response

EU AI Act compliance doesn’t end at deployment. High-risk AI systems must be subject to ongoing post-market monitoring — and organizations must have processes to respond when something goes wrong.

Post-deployment monitoring requirements:

  • Proactive collection of performance data in production
  • Monitoring for distributional shift — changes in real-world data that affect model performance
  • Review of user feedback and incident reports
  • Systematic evaluation for bias drift over time
  • Triggers for re-assessment when system behavior changes materially

Incident response requirements:

  • Serious incidents — those resulting in harm, near-miss, or significant unintended behavior — must be reported to the relevant national supervisory authority
  • Reporting timelines vary by incident severity
  • Incidents must be investigated, root-caused, and remediated with documented corrective actions

Action: Build monitoring dashboards for each high-risk system in production. Define incident severity thresholds and reporting workflows. Conduct tabletop exercises for AI incident scenarios before they happen — not after.

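As an added example (not from the original post) of the distributional-shift check and re-assessment trigger described above: it scores how far a model’s decision outcomes in production have moved from the mix recorded at assessment time, using the Population Stability Index. The 0.10 and 0.25 thresholds are common rules of thumb rather than values the Act specifies, and the outcome samples are constructed.

```python
import math
from collections import Counter

# Constructed example (not from the original post): a post-market drift check.
# It compares how a categorical signal (here a model's decision outcome) is
# distributed in production against the baseline recorded at assessment time,
# using the Population Stability Index (PSI), and returns the action level.

PSI_WATCH = 0.10     # widely used rule of thumb: investigate
PSI_REASSESS = 0.25  # material shift: trigger formal re-assessment
EPS = 1e-6           # keeps log() finite for categories missing on one side


def distribution(values):
    # Relative frequency of each category in a sample.
    total = len(values)
    return {cat: n / total for cat, n in Counter(values).items()}


def psi(baseline, production):
    # Sum over the union of categories so new or vanished categories count.
    score = 0.0
    for cat in set(baseline) | set(production):
        b = max(baseline.get(cat, 0.0), EPS)
        p = max(production.get(cat, 0.0), EPS)
        score += (p - b) * math.log(p / b)
    return score


def drift_status(baseline_values, production_values):
    """Return (level, psi) where level is stable, watch or reassess."""
    value = psi(distribution(baseline_values), distribution(production_values))
    if value >= PSI_REASSESS:
        level = "reassess"
    elif value >= PSI_WATCH:
        level = "watch"
    else:
        level = "stable"
    return level, round(value, 4)


def demo():
    # Constructed outcome mixes: 70/30 approve/decline at assessment time versus
    # 40/60 in the latest production window.
    baseline = ["approve"] * 70 + ["decline"] * 30
    production = ["approve"] * 40 + ["decline"] * 60
    return drift_status(baseline, production)
```

Run the same check per input feature (binned for numeric values) and per protected group, since a stable overall outcome mix can hide drift in one sub-population.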

EU AI Act Compliance: The Governance Infrastructure Imperative

Running through this checklist, one thing becomes clear: EU AI Act compliance is not a documentation exercise. It is an infrastructure challenge.

The organizations that will meet the August 2026 deadline aren’t those with the best lawyers. They’re the ones that built AI governance capabilities into their infrastructure from the start — visibility into every AI system, audit trails on every output, access controls on every deployment, and human oversight mechanisms that actually function.

At Airia, we built the AI control layer that makes this possible. Across model deployments, agentic workflows, and multi-model environments, Airia gives enterprises the governance infrastructure to operate AI at scale — with the documentation, monitoring, and oversight capabilities the EU AI Act requires.


Frequently Asked Questions: EU AI Act Compliance

When does the EU AI Act become fully enforceable?
The EU AI Act becomes fully applicable in August 2026. However, the ban on prohibited AI practices took effect in February 2025, and GPAI model obligations applied from August 2025. Organizations should not wait until 2026 to begin compliance work.

What happens if my organization is not EU AI Act compliant?
Non-compliance penalties under the EU AI Act are substantial: up to €35 million or 7% of global annual turnover for violations involving prohibited AI practices; up to €15 million or 3% of turnover for violations of other obligations; up to €7.5 million or 1.5% of turnover for providing incorrect information to regulators.

Does the EU AI Act apply to companies outside the EU?
Yes. The EU AI Act applies to any organization that places AI systems on the EU market, puts them into service in the EU, or whose AI outputs are used in the EU — regardless of where the organization is headquartered.

What is a conformity assessment under the EU AI Act?
A conformity assessment is a formal evaluation confirming that a high-risk AI system meets EU AI Act requirements before it can be deployed. Most Annex III high-risk systems can use self-assessment; some categories require third-party audits.

How long does EU AI Act compliance take to implement?
For organizations starting from scratch, full high-risk AI compliance typically requires 6–12 months of sustained effort — including AI inventory, risk classification, documentation buildout, technical implementation of logging and oversight mechanisms, and conformity assessment. Organizations with existing AI governance programs can move faster but should not underestimate the operational scope.

This post is for informational purposes only and does not constitute legal advice. Organizations should consult qualified legal counsel for EU AI Act compliance guidance specific to their circumstances.