Compliance

The EU AI Act, in 12 things you actually have to do

We won't translate the regulation. We'll tell you what to put in your system, in what order, and which auditor will ask for it.

Mindlytic AI Team · AI Governance Lead·2026-01-20·3 MIN READ·332 WORDS
DEFENSE IN DEPTH
COMPLIANCEEU-AI-ACTGOVERNANCE

The EU AI Act is 144 pages of regulation that you mostly do not have to read. What you have to do is twelve things, in roughly this order. We have walked nine clients through this. Here is the practitioner's list.

  1. Classify your system. Prohibited, high-risk, limited-risk, or minimal-risk. The classification determines everything else.
  2. Stand up an AI inventory. A central register of every AI system in your organization, owner, classification, last review date.
  3. Map data lineage. For each high-risk system, document where its training and operational data come from.
  4. Build a risk management process. Identify, assess, mitigate, monitor. The shape is familiar to anyone who has done ISO 27001.
  5. Document the model. Architecture, capabilities, limitations, intended use, foreseeable misuse.
  6. Establish human oversight. Documented controls that let a human stop or override the system.
  7. Test and evaluate. Demonstrable evals against representative test sets, including for bias and robustness.
  8. Log everything. Comprehensive, tamper-evident logs of system behavior in production.
  9. Publish a transparency notice. When a user interacts with the system, they need to know it's AI.
  10. Stand up a post-market monitoring loop. Continuous tracking of model behavior, drift, incidents.
  11. Prepare for incident reporting. A documented process for reporting serious incidents to the relevant authority.
  12. Conformity assessment. For high-risk systems, a formal assessment before market entry.

Where teams trip up

Three common mistakes. First: classifying too low. Almost every team that handles employment, credit, or health decisions has at least one high-risk system. Second: building the controls but not documenting them. The Act is a documentation regulation as much as a control regulation. Third: assuming the model provider's compliance covers you. It does not. You are the deployer; you have your own obligations.

GOOD NEWS

If you have an existing security/risk management practice (ISO 27001, SOC 2), you are 60% of the way there. The Act is mostly familiar shapes.

Timeline reality

Most organizations need 6–9 months to be defensibly compliant for a high-risk system. Start now. The fines are real. The reputational risk is realer.

M
AUTHOR
Mindlytic AI Team
AI Governance Lead

Authored by the Mindlytic AI engineering practice — a senior-only team shipping production AI systems for clients across hospitality, fintech, insurance, healthcare, legal, and MSP.

Email →More about the team →
Related reading

More from the blog.

PLANNER
Architecture
Anatomy of a production AI agent in 2026
2026-04-12 · 14 MIN
RETRIEVAL · TOP-K
Retrieval
RAG that actually works in production
2026-04-02 · 16 MIN
600MS · TURN LATENCY
Voice AI
Why your voice agent feels off (and how to fix turn-taking)
2026-03-26 · 11 MIN

Want to ship something like this?

Mindlytic builds production AI for hospitality, fintech, insurance, and more. Book a 30-minute discovery call.