The EU AI Act is 144 pages of regulation that you mostly do not have to read. What you have to do is twelve things, in roughly this order. We have walked nine clients through this. Here is the practitioner's list.
- Classify your system. Prohibited, high-risk, limited-risk, or minimal-risk. The classification determines everything else.
- Stand up an AI inventory. A central register of every AI system in your organization, owner, classification, last review date.
- Map data lineage. For each high-risk system, document where its training and operational data come from.
- Build a risk management process. Identify, assess, mitigate, monitor. The shape is familiar to anyone who has done ISO 27001.
- Document the model. Architecture, capabilities, limitations, intended use, foreseeable misuse.
- Establish human oversight. Documented controls that let a human stop or override the system.
- Test and evaluate. Demonstrable evals against representative test sets, including for bias and robustness.
- Log everything. Comprehensive, tamper-evident logs of system behavior in production.
- Publish a transparency notice. When a user interacts with the system, they need to know it's AI.
- Stand up a post-market monitoring loop. Continuous tracking of model behavior, drift, incidents.
- Prepare for incident reporting. A documented process for reporting serious incidents to the relevant authority.
- Conformity assessment. For high-risk systems, a formal assessment before market entry.
Where teams trip up
Three common mistakes. First: classifying too low. Almost every team that handles employment, credit, or health decisions has at least one high-risk system. Second: building the controls but not documenting them. The Act is a documentation regulation as much as a control regulation. Third: assuming the model provider's compliance covers you. It does not. You are the deployer; you have your own obligations.
If you have an existing security/risk management practice (ISO 27001, SOC 2), you are 60% of the way there. The Act is mostly familiar shapes.
Timeline reality
Most organizations need 6–9 months to be defensibly compliant for a high-risk system. Start now. The fines are real. The reputational risk is realer.