5 things every company needs to do before the EU AI Act bites

The EU AI Act is no longer a future problem. The prohibition deadline already passed in February 2025. GPAI obligations bit in August 2025. High-risk obligations land in August 2026 — and one year is not a lot of time once you start putting evidence on paper.

1. Inventory every AI system in your org

You cannot comply with a regulation you cannot enumerate. Build an AI system register that captures, for every model and pipeline:

• What the system does (intended purpose, Annex IV §1).
• Who built it (provider) and who runs it (deployer).
• Where it sits in the value chain.
• The data it was trained / fine-tuned on.
• The downstream users and end-users.

2. Classify the risk for each one

Run every system through the five-gate classifier: prohibited (Art. 5), high-risk by safety-component test (Art. 6(1) + Annex I), high-risk by Annex III, GPAI (Art. 51), and transparency-only (Art. 50). Document the decision. The Art. 6(3) escape hatch exists, but you have to argue it on the record — not in a Slack thread.

3. Generate technical documentation

Annex IV is the conformity-assessment dossier. Every high-risk system needs one — covering intended purpose, design, validation, risk management, human oversight, accuracy & robustness, post-market monitoring. Generate the skeleton from your inventory and fill in the details as you ship.

4. Stand up post-market monitoring

Article 72 makes monitoring a continuous obligation, not a launch checkbox. You need plans for drift detection, performance regression, and bias review — and a wired-in path to serious-incident reporting under Article 73.

5. Govern human oversight + transparency

Article 14 oversight has to be more than a sentence in a policy. Define who can intervene, how, and where the audit trail lives. Article 50 transparency means real disclosure to users — including chatbots, emotion-recognition, biometric categorisation, and deep-fakes.