Artificial intelligence already supports customer service, document analysis, business decisions, and, in some sectors, health outcomes, public safety, and access to financial services. As adoption accelerates, organisations face a critical question: how can AI be used safely, transparently, and responsibly?
The European Union’s answer is the EU AI Act: the world’s first comprehensive framework for governing AI systems. It aims to create consistent rules across the European market while strengthening trust without stifling innovation.
For organisations, this creates new expectations around governance, risk management, documentation, accountability, and monitoring. Companies will need to know which AI systems they use, who owns them, what risks they create, and how compliance can be demonstrated.
What Is the EU AI Act?
The EU AI Act responds to the rapid adoption of AI across business processes, especially where AI influences decisions, customer interactions, risk management, or access to services.
It creates a common framework for developing, deploying, and using AI systems in the European Union, with requirements that scale according to the level of risk.
Regulatory momentum has been building as AI moves from experimentation into core business operations, making consistent rules on transparency, accountability, and risk management increasingly important across the EU market.
For organisations, the key message is practical: AI must be identified, owned, assessed, documented, monitored, and governed throughout its lifecycle.
The Risk-Based Approach Behind the AI Act
The EU AI Act is built on a straightforward principle: the greater the risk posed by an AI system, the greater the regulatory obligations associated with it.
As a result, one of the first compliance challenges organisations face is determining how their AI systems should be classified.
| Risk Category | Description | Regulatory Requirements |
| Unacceptable Risk | AI uses considered incompatible with EU values and fundamental rights | Prohibited |
| High Risk | Systems that can significantly affect people’s rights, safety, or life opportunities | Extensive compliance requirements |
| Limited Risk | Systems presenting lower levels of risk | Transparency obligations |
| Minimal Risk | AI applications with little or no impact on users | No specific obligations |
In practice, unacceptable-risk systems include certain forms of social scoring and AI applications designed to manipulate behaviour in harmful ways.
High-risk systems include AI used in areas such as recruitment, creditworthiness assessments, education, healthcare, and critical infrastructure.
Limited-risk systems typically include chatbots and content-generation tools, where transparency towards users becomes the primary requirement.
Minimal-risk systems cover many everyday AI applications, including spam filters, recommendation engines, and similar technologies that pose limited risk to individuals.
Prohibited AI Practices
Some AI applications have been deemed so risky that the EU AI Act prohibits them entirely.
Examples of prohibited practices include AI systems used to:
- Manipulate human behaviour in ways that may cause harm
- Exploit vulnerabilities of specific groups of people
- Conduct certain forms of social scoring
- Perform particular biometric applications identified in the regulation
Public discussions about the EU AI Act often focus heavily on these prohibited use cases. In practice, however, I believe most organisations will face a very different challenge.
Few companies are actively considering the deployment of prohibited AI systems. Far more organisations will need to address the governance, documentation, risk assessment, and monitoring requirements associated with high-risk AI.
That is where the majority of compliance effort is likely to be concentrated.

General-Purpose AI and Generative AI
The EU AI Act covers not only individual AI applications, but also General-Purpose AI (GPAI) models. These systems, including large language models and other forms of generative AI, now support business activities such as content creation, analysis, automation, and decision support.
For many organisations, the immediate challenge is gaining visibility into where generative AI is already being used across the business. Employees often use AI-powered tools without formal policies, ownership, or oversight, making AI inventory and governance a practical first step.
Because GPAI models can affect many business processes and use cases, the Act applies dedicated requirements to their providers.
What obligations apply to GPAI providers?
Depending on the nature of the model and its risk profile, providers may be required to:
- Maintain appropriate technical documentation
- Disclose information about the model’s capabilities and limitations
- Comply with copyright-related obligations
- Implement risk management processes
Additional requirements may apply to GPAI models classified as presenting systemic risk due to their scale, capabilities, or potential impact.
Generative AI and Transparency
One of the EU AI Act’s primary objectives is to protect EU citizens and ensure that artificial intelligence is used in a safe, transparent, and ethical manner. As a result, the regulation introduces a number of transparency requirements for AI-generated content.
In certain situations, users must be informed that:
- They are interacting with an AI system
- They are viewing or consuming AI-generated content
- An image, audio recording, or video has been artificially generated or modified
These requirements are intended to reduce the risk of misinformation while strengthening trust in AI-enabled services.
The AI Act goes beyond user-facing transparency obligations. It also requires providers to ensure that AI systems are sufficiently explainable, that their operation is appropriately documented, and that comprehensive technical documentation is maintained. Depending on the type of AI system, this may include keeping logs throughout the system’s lifecycle, documenting model behaviour, and providing information about the data used to train the model.
Responsibilities of AI Providers and Users
The AI Act introduces a shared-responsibility model between AI providers and organisations that use AI systems.
This represents an important shift in how compliance is approached. Many organisations have traditionally assumed that regulatory responsibility sits primarily with the technology vendor. The AI Act makes it clear that compliance obligations extend well beyond the provider.
Importantly, the AI Act may also apply to organisations based outside the European Union. The key consideration is not where the provider is located, but whether the AI system, or its outputs, is used within the EU.
Responsibilities of AI Providers
AI providers are primarily responsible for ensuring that their products comply with requirements before they are placed on the market.
Depending on the risk category of the system, obligations may include:
- Conducting conformity assessments
- Implementing risk management processes
- Preparing technical documentation
- Ensuring data quality
- Establishing human oversight mechanisms
- Monitoring system performance after deployment
- Implementing appropriate cybersecurity controls
For GPAI models, providers may also face additional obligations related to transparency, documentation, and systemic risk management.

Responsibilities of AI Users
Organisations that deploy or use AI systems also have their own responsibilities under the regulation.
Key obligations include:
- Using AI systems in accordance with the provider’s intended purpose
- Monitoring system performance and outcomes
- Reporting incidents and significant malfunctions
- Ensuring appropriate human oversight
- Maintaining required documentation
- Managing risks associated with AI usage
One of the most common questions I hear during discussions about the AI Act is: “If we buy a compliant AI solution, aren’t we already covered?”
The answer is no.
Even the most compliant technology will not automatically make an organisation compliant. Organisations must still be able to demonstrate who uses the system, how it is used, what risks it creates, and what governance and oversight mechanisms are in place.
When Does the EU AI Act Apply?
Although the EU AI Act formally entered into force on 1 August 2024, its requirements are being introduced gradually over several years. This phased implementation is intended to give organisations, AI providers, and regulators sufficient time to adapt to the new regulatory framework.
The key milestones are as follows:
2 February 2025: The first provisions became applicable, including the prohibition of AI practices considered to pose an unacceptable risk, such as certain forms of social scoring and manipulative AI applications.
2 August 2026: Requirements for general-purpose AI (GPAI) models and a number of transparency obligations come into effect. These include, for example, requirements to label AI-generated content and to inform users when they are interacting with an AI system.
August 2027: The transitional period ends for general-purpose AI models that were already on the market before August 2025. From this point onwards, these models must fully comply with the AI Act’s requirements.
December 2027: The extended compliance deadline applies to certain stand-alone high-risk AI systems, including AI used in areas such as recruitment, education, creditworthiness assessment, and critical infrastructure.
At first glance, it may seem counterintuitive that some high-risk systems have a later compliance deadline than lower-risk AI applications. In practice, this reflects a pragmatic decision by EU lawmakers, giving organisations additional time to implement the governance, documentation, and risk management processes required for these more complex systems.
August 2028: The AI Act becomes applicable to high-risk AI systems embedded in products that are already regulated under other EU legislation. This includes AI incorporated into products such as medical devices, vehicles, machinery, lifts, and certain toys.
2030: The final implementation phase is expected to cover certain AI systems used by public authorities and AI operating within large-scale EU information systems, including those supporting areas such as the Schengen framework and Europol.

AI Governance: Managing AI Across the Organisation
If GDPR forced organisations to establish stronger data governance practices, the EU AI Act is likely to have a similar effect on the governance of artificial intelligence.
AI governance encompasses the processes, policies, controls, and accountability mechanisms that enable organisations to manage AI throughout its lifecycle.
For many businesses, this will require the introduction of entirely new governance and oversight practices.
Building an AI System and Use Case Register
A logical starting point is creating a comprehensive inventory of AI systems and use cases.
At a minimum, the register should answer several key questions:
- Which AI systems are currently in use?
- Who is responsible for them?
- Which business processes do they support?
- What data do they use?
- How should they be classified from a risk perspective?
Without this level of visibility, effective compliance becomes extremely difficult.
If I had to recommend a single first step towards AI Act readiness, it would be creating an AI register.
In most organisations, the first workshops rarely focus on risk assessments or documentation requirements. Instead, they become an exercise in discovering how many AI tools are already being used and by whom. Unsanctioned or department-led implementations are often the most difficult to identify, govern, and monitor.
Risk Assessment and AI Mapping
Once AI systems have been identified, the next step is assessing their risks and mapping their relationships to business processes, data sources, technology assets, and business owners.
This provides the context needed to understand AI’s impact on the organisation, classify use cases correctly, and evaluate the consequences of legal changes, incidents, or technology updates more effectively.
Monitoring Changes and Maintaining Compliance
AI environments evolve rapidly. Models change, data changes, business requirements change, and regulatory expectations continue to develop. As a result, governance cannot be treated as a one-off assessment exercise.
Organisations should continuously monitor AI models, data sources, configurations, and regulatory developments, updating risk assessments whenever material changes occur.
Auditability and Decision Documentation
The EU AI Act places significant emphasis on accountability. Organisations must be able to demonstrate where AI is being used, who is responsible for it, how risks were assessed, and which controls have been implemented.
In practice, this requires maintaining an auditable trail that connects technical implementation details with business decisions and governance activities.

Human Oversight as a Risk Control Mechanism
A core principle of the AI Act is that humans must retain meaningful control over AI-driven processes.
Depending on the nature of the system and the risks involved, this oversight may take different forms:
- Human-in-the-loop – a person approves a decision before it is executed
- Human-on-the-loop – a person monitors the system and can intervene when necessary
- Human-in-command – a person retains ultimate authority over the entire process
The appropriate model depends on the significance of the decisions being made and the level of risk associated with the AI system.
Discussions about artificial intelligence often focus on a future of complete automation. In reality, most organisations will operate in a human-and-AI collaboration model for many years to come.
That is precisely why the AI Act places such a strong emphasis on human oversight. The regulation is designed to ensure that accountability for important decisions remains with people rather than being transferred entirely to algorithms.
The EU AI Act, GDPR, NIS2, and DORA: How the Frameworks Connect
The AI Act does not exist in isolation. For many organisations, it will become another component of an increasingly complex regulatory landscape covering risk management, cybersecurity, operational resilience, and compliance.
From a governance perspective, the greatest value comes from viewing these frameworks as complementary parts of a single operating model rather than as separate compliance initiatives.
| Regulation | Primary Focus | Overlap with the EU AI Act | What It Means for Organisations |
| GDPR | Personal data protection | AI training and processing data, transparency, accountability, documentation, and risk assessment | AI should be managed alongside privacy and data governance processes rather than as a standalone compliance domain |
| NIS2 | Cybersecurity and organisational resilience | Security of AI systems, incident management, business continuity, and infrastructure protection | AI systems should be governed within the same security and resilience framework as other critical technologies |
| DORA | Digital operational resilience in financial services | ICT risk management, third-party oversight, technology monitoring, and documentation | Financial institutions should integrate AI governance into existing resilience, vendor management, and technology risk processes |
Rather than building separate compliance programmes for every regulation, organisations should focus on common governance foundations: risk, data, security, accountability, suppliers, and documentation.
When these core elements are managed consistently, the same governance mechanisms can support compliance with the AI Act, GDPR, NIS2, and DORA simultaneously. This philosophy was one of the key drivers behind our modular platform AdaptiveGRC
Practical Implementation of AI Act Compliance
Understanding the AI Act is only the first step. The real challenge lies in translating regulatory requirements into day-to-day operational practices. Many organisations already use AI in various forms, often in a decentralised and largely unmanaged way. At the same time, few have established a comprehensive framework for governing AI across the business.
As a result, questions around accountability, ownership, risk, and compliance often remain difficult to answer. That is why EU AI Act compliance should be approached as a structured transformation programme rather than a one-off regulatory exercise.
Gap Analysis and Identifying Compliance Gaps
A practical starting point is conducting a gap analysis to assess how closely the organisation aligns with EU AI Act requirements and where improvements are needed.
The assessment should cover:
- AI systems currently in use
- Risk management processes
- Documentation practices
- Governance and oversight mechanisms
- Policies and procedures
- Roles and responsibilities
- Monitoring and reporting processes
The outcome should be a clear view of the organisation’s current maturity level together with a prioritised list of gaps and remediation actions.
Many organisations will discover that some of the required capabilities already exist through programmes related to enterprise risk management, GDPR, NIS2, DORA, or ISO 27001.
The challenge is that these capabilities are rarely connected to AI governance in a structured way.
Based on what we see in practice, the most common gaps include:
- No central inventory of AI systems
- Informal use of AI tools by employees
- Lack of AI risk classification
- Insufficient documentation of decisions
- Limited post-deployment monitoring
- Unclear ownership and accountability
A well-executed gap analysis often delivers an additional benefit. For many organisations, it is the first time they gain a complete picture of AI systems, business owners, processes, data sources, and existing controls in a single view. In that sense, the exercise frequently becomes the starting point for a broader AI governance programme.
Building a Remediation Roadmap
Once the gap analysis has been completed, organisations should develop a structured remediation plan.
A phased approach is often the most effective.
Phase 1: AI Inventory
- Identify AI systems and use cases
- Create an AI register
- Assign business owners
- Classify AI use cases
Phase 2: Risk Management
- Develop an AI risk assessment methodology
- Identify high-risk AI systems
- Implement risk evaluation and approval processes
Phase 3: Governance and Accountability
- Define roles and responsibilities
- Establish AI policies and standards
- Implement oversight processes
Phase 4: Monitoring and Reporting
- Define monitoring metrics and controls
- Establish reporting procedures
- Prepare audit and assurance processes
This phased approach allows organisations to build compliance progressively without creating unnecessary disruption.

Managing AI Risk in Practice
The EU AI Act requires organisations to manage AI-related risks, but it does not prescribe a single methodology. The most mature organisations integrate AI risk into their existing enterprise risk management framework rather than treating it as a standalone compliance initiative.
In practice, this means considering AI-related impacts across areas such as:
- Regulatory risk
- Operational risk
- Technology risk
- Cybersecurity risk
- Reputational risk
- Data quality risk
Put simply, organisations should assess how AI affects each of these domains and how AI-enabled technologies influence existing risk profiles. This approach avoids creating yet another isolated compliance programme while strengthening overall governance and risk management effectiveness.
Penalties for Non-Compliance
Like other major European regulations, the AI Act introduces the possibility of significant financial penalties for non-compliance.
The level of sanctions depends on factors such as:
- The nature of the violation
- The scale of non-compliance
- The type of AI system involved
- The impact on individuals or organisations
- Actions taken to mitigate the consequences
The most severe penalties are reserved for prohibited AI practices.
However, regulators are unlikely to focus solely on whether an incident occurred. They will also consider whether the organisation had implemented appropriate governance structures, monitoring mechanisms, and risk management processes.
For this reason, the ability to demonstrate due diligence and effective governance may play a significant role in regulatory assessments.
When new requirements emerge, conversations often focus almost entirely on potential fines. In reality, organisations should be equally concerned about the operational, reputational, and business consequences of uncontrolled AI usage. Effective governance helps reduce exposure across all three dimensions.
How to Prepare Your Organisation for the AI Act
Regardless of industry, organisations should begin preparing for the AI Act sooner rather than later.
Building an effective AI governance framework takes time. It requires collaboration across business, technology, risk, compliance, security, and legal teams, as well as a clear understanding of how AI is currently being used throughout the organisation.
The organisations that start early will be in a much stronger position when regulatory requirements become fully applicable.
AI Act Readiness Checklist
Before launching an AI compliance programme, organisations should ensure that they can answer the following questions:
□ Have all AI systems and use cases been identified?
□ Is there a current and maintained inventory of AI systems?
□ Have AI use cases been classified according to risk?
□ Has ownership been assigned for each AI system?
□ Is there a formal process for assessing AI-related risks?
□ Are AI governance roles and responsibilities clearly defined?
□ Have the necessary policies and procedures been established?
□ Are AI systems being monitored on an ongoing basis?
□ Is there sufficient auditability and documentation?
□ Have relevant employees received appropriate training?
While not every organisation will be able to answer “yes” to all of these questions today, the checklist provides a useful benchmark for measuring AI governance maturity and identifying priority areas for improvement.[RI1]
The Role of GRC Platforms in AI Compliance
As the number of AI systems grows, managing compliance through spreadsheets, email threads, and disconnected documents quickly becomes unsustainable.
This is why many organisations are turning to GRC platforms to centralise governance processes and create a single source of truth for compliance activities.
Solutions such as AdaptiveGRC can help organisations:
- Maintain AI inventories and use case registers
- Assess and monitor AI-related risks
- Map relationships between systems, processes, data, and controls
- Track regulatory requirements and compliance activities
- Support audit and reporting processes
- Monitor changes across the AI environment
By bringing these capabilities together in one environment, organisations gain better visibility into how AI is used across the business and can respond more effectively to evolving requirements.

The Impact of the AI Act on Business and Innovation
Major regulation often raises concerns about innovation, cost, and competitiveness. For the AI Act, the business challenge is not simply meeting new obligations, but building the governance needed to scale AI safely and sustainably.
Critics argue that unclear rules, compliance costs, and excessive bureaucracy could slow AI development, especially for start-ups and smaller providers. I believe the Act’s impact will depend less on the rules themselves and more on whether implementation is practical, predictable, and proportionate.
Trust, transparency, accountability, and risk management are becoming practical enablers of adoption rather than separate compliance concerns. Organisations that treat the AI Act as a governance opportunity will be better positioned to reduce risk, improve control, and create long-term business value.
Summary
The EU AI Act introduces the first comprehensive regulatory framework for artificial intelligence in the European Union.
Its objective is not to restrict innovation, but to create an environment in which AI can be developed and used safely, transparently, and responsibly.
For organisations, this means recognising that AI is not merely a technology challenge. It is also a governance, risk management, and compliance challenge.
Key areas of focus include:
- AI risk classification
- Risk management and controls
- Documentation and auditability
- Transparency requirements
- Human oversight
- Post-deployment monitoring
- AI governance and compliance processes
Organisations that begin preparing early will be better equipped to meet regulatory expectations while unlocking the benefits of AI in a controlled and sustainable way.
Organisations looking for official guidance can also use the European Commission’s AI Act Single Information Platform, which provides practical resources, interactive tools, and up-to-date information on AI Act requirements.
