Artificial intelligence already supports customer service, document analysis, business decisions, and, in some sectors, health outcomes, public safety, and access to financial services. As adoption accelerates, organisations face a critical question: how can AI be used safely, transparently, and responsibly?

The European Union’s answer is the EU AI Act: the world’s first comprehensive framework for governing AI systems. It aims to create consistent rules across the European market while strengthening trust without stifling innovation.

For organisations, this creates new expectations around governance, risk management, documentation, accountability, and monitoring. Companies will need to know which AI systems they use, who owns them, what risks they create, and how compliance can be demonstrated.

What Is the EU AI Act?

The EU AI Act responds to the rapid adoption of AI across business processes, especially where AI influences decisions, customer interactions, risk management, or access to services.

It creates a common framework for developing, deploying, and using AI systems in the European Union, with requirements that scale according to the level of risk.

Regulatory momentum has been building as AI moves from experimentation into core business operations, making consistent rules on transparency, accountability, and risk management increasingly important across the EU market.

For organisations, the key message is practical: AI must be identified, owned, assessed, documented, monitored, and governed throughout its lifecycle.

The Risk-Based Approach Behind the AI Act

The EU AI Act is built on a straightforward principle: the greater the risk posed by an AI system, the greater the regulatory obligations associated with it.

As a result, one of the first compliance challenges organisations face is determining how their AI systems should be classified.

Risk CategoryDescriptionRegulatory Requirements
Unacceptable RiskAI uses considered incompatible with EU values and fundamental rightsProhibited
High RiskSystems that can significantly affect people’s rights, safety, or life opportunitiesExtensive compliance requirements
Limited RiskSystems presenting lower levels of riskTransparency obligations
Minimal RiskAI applications with little or no impact on usersNo specific obligations

In practice, unacceptable-risk systems include certain forms of social scoring and AI applications designed to manipulate behaviour in harmful ways.

High-risk systems include AI used in areas such as recruitment, creditworthiness assessments, education, healthcare, and critical infrastructure.

Limited-risk systems typically include chatbots and content-generation tools, where transparency towards users becomes the primary requirement.

Minimal-risk systems cover many everyday AI applications, including spam filters, recommendation engines, and similar technologies that pose limited risk to individuals.

Prohibited AI Practices

Some AI applications have been deemed so risky that the EU AI Act prohibits them entirely.

Examples of prohibited practices include AI systems used to:

  • Manipulate human behaviour in ways that may cause harm
  • Exploit vulnerabilities of specific groups of people
  • Conduct certain forms of social scoring
  • Perform particular biometric applications identified in the regulation

Public discussions about the EU AI Act often focus heavily on these prohibited use cases. In practice, however, I believe most organisations will face a very different challenge.

Few companies are actively considering the deployment of prohibited AI systems. Far more organisations will need to address the governance, documentation, risk assessment, and monitoring requirements associated with high-risk AI.

That is where the majority of compliance effort is likely to be concentrated.

General-Purpose AI and Generative AI

The EU AI Act covers not only individual AI applications, but also General-Purpose AI (GPAI) models. These systems, including large language models and other forms of generative AI, now support business activities such as content creation, analysis, automation, and decision support.

For many organisations, the immediate challenge is gaining visibility into where generative AI is already being used across the business. Employees often use AI-powered tools without formal policies, ownership, or oversight, making AI inventory and governance a practical first step.

Because GPAI models can affect many business processes and use cases, the Act applies dedicated requirements to their providers.

What obligations apply to GPAI providers?

Depending on the nature of the model and its risk profile, providers may be required to:

  • Maintain appropriate technical documentation
  • Disclose information about the model’s capabilities and limitations
  • Comply with copyright-related obligations
  • Implement risk management processes

Additional requirements may apply to GPAI models classified as presenting systemic risk due to their scale, capabilities, or potential impact.

Generative AI and Transparency

One of the EU AI Act’s primary objectives is to protect EU citizens and ensure that artificial intelligence is used in a safe, transparent, and ethical manner. As a result, the regulation introduces a number of transparency requirements for AI-generated content.

In certain situations, users must be informed that:

  • They are interacting with an AI system
  • They are viewing or consuming AI-generated content
  • An image, audio recording, or video has been artificially generated or modified

These requirements are intended to reduce the risk of misinformation while strengthening trust in AI-enabled services.

The AI Act goes beyond user-facing transparency obligations. It also requires providers to ensure that AI systems are sufficiently explainable, that their operation is appropriately documented, and that comprehensive technical documentation is maintained. Depending on the type of AI system, this may include keeping logs throughout the system’s lifecycle, documenting model behaviour, and providing information about the data used to train the model.

Responsibilities of AI Providers and Users

The AI Act introduces a shared-responsibility model between AI providers and organisations that use AI systems.

This represents an important shift in how compliance is approached. Many organisations have traditionally assumed that regulatory responsibility sits primarily with the technology vendor. The AI Act makes it clear that compliance obligations extend well beyond the provider.

Importantly, the AI Act may also apply to organisations based outside the European Union. The key consideration is not where the provider is located, but whether the AI system, or its outputs, is used within the EU.

Responsibilities of AI Providers

AI providers are primarily responsible for ensuring that their products comply with requirements before they are placed on the market.

Depending on the risk category of the system, obligations may include:

  • Conducting conformity assessments
  • Implementing risk management processes
  • Preparing technical documentation
  • Ensuring data quality
  • Establishing human oversight mechanisms
  • Monitoring system performance after deployment
  • Implementing appropriate cybersecurity controls

For GPAI models, providers may also face additional obligations related to transparency, documentation, and systemic risk management.

Responsibilities of AI Users

Organisations that deploy or use AI systems also have their own responsibilities under the regulation.

Key obligations include:

  • Using AI systems in accordance with the provider’s intended purpose
  • Monitoring system performance and outcomes
  • Reporting incidents and significant malfunctions
  • Ensuring appropriate human oversight
  • Maintaining required documentation
  • Managing risks associated with AI usage

One of the most common questions I hear during discussions about the AI Act is: “If we buy a compliant AI solution, aren’t we already covered?”

The answer is no.

Even the most compliant technology will not automatically make an organisation compliant. Organisations must still be able to demonstrate who uses the system, how it is used, what risks it creates, and what governance and oversight mechanisms are in place.

When Does the EU AI Act Apply?

Although the EU AI Act formally entered into force on 1 August 2024, its requirements are being introduced gradually over several years. This phased implementation is intended to give organisations, AI providers, and regulators sufficient time to adapt to the new regulatory framework.

The key milestones are as follows:

2 February 2025: The first provisions became applicable, including the prohibition of AI practices considered to pose an unacceptable risk, such as certain forms of social scoring and manipulative AI applications.

2 August 2026: Requirements for general-purpose AI (GPAI) models and a number of transparency obligations come into effect. These include, for example, requirements to label AI-generated content and to inform users when they are interacting with an AI system.

August 2027: The transitional period ends for general-purpose AI models that were already on the market before August 2025. From this point onwards, these models must fully comply with the AI Act’s requirements.

December 2027: The extended compliance deadline applies to certain stand-alone high-risk AI systems, including AI used in areas such as recruitment, education, creditworthiness assessment, and critical infrastructure.

At first glance, it may seem counterintuitive that some high-risk systems have a later compliance deadline than lower-risk AI applications. In practice, this reflects a pragmatic decision by EU lawmakers, giving organisations additional time to implement the governance, documentation, and risk management processes required for these more complex systems.

August 2028: The AI Act becomes applicable to high-risk AI systems embedded in products that are already regulated under other EU legislation. This includes AI incorporated into products such as medical devices, vehicles, machinery, lifts, and certain toys.

2030: The final implementation phase is expected to cover certain AI systems used by public authorities and AI operating within large-scale EU information systems, including those supporting areas such as the Schengen framework and Europol.

AI Governance: Managing AI Across the Organisation

If GDPR forced organisations to establish stronger data governance practices, the EU AI Act is likely to have a similar effect on the governance of artificial intelligence.

AI governance encompasses the processes, policies, controls, and accountability mechanisms that enable organisations to manage AI throughout its lifecycle.

For many businesses, this will require the introduction of entirely new governance and oversight practices.

Building an AI System and Use Case Register

A logical starting point is creating a comprehensive inventory of AI systems and use cases.

At a minimum, the register should answer several key questions:

  • Which AI systems are currently in use?
  • Who is responsible for them?
  • Which business processes do they support?
  • What data do they use?
  • How should they be classified from a risk perspective?

Without this level of visibility, effective compliance becomes extremely difficult.

If I had to recommend a single first step towards AI Act readiness, it would be creating an AI register.

In most organisations, the first workshops rarely focus on risk assessments or documentation requirements. Instead, they become an exercise in discovering how many AI tools are already being used and by whom. Unsanctioned or department-led implementations are often the most difficult to identify, govern, and monitor.

Risk Assessment and AI Mapping

Once AI systems have been identified, the next step is assessing their risks and mapping their relationships to business processes, data sources, technology assets, and business owners.

This provides the context needed to understand AI’s impact on the organisation, classify use cases correctly, and evaluate the consequences of legal changes, incidents, or technology updates more effectively.

Monitoring Changes and Maintaining Compliance

AI environments evolve rapidly. Models change, data changes, business requirements change, and regulatory expectations continue to develop. As a result, governance cannot be treated as a one-off assessment exercise.

Organisations should continuously monitor AI models, data sources, configurations, and regulatory developments, updating risk assessments whenever material changes occur.

Auditability and Decision Documentation

The EU AI Act places significant emphasis on accountability. Organisations must be able to demonstrate where AI is being used, who is responsible for it, how risks were assessed, and which controls have been implemented.

In practice, this requires maintaining an auditable trail that connects technical implementation details with business decisions and governance activities.

Human Oversight as a Risk Control Mechanism

A core principle of the AI Act is that humans must retain meaningful control over AI-driven processes.

Depending on the nature of the system and the risks involved, this oversight may take different forms:

  • Human-in-the-loop – a person approves a decision before it is executed
  • Human-on-the-loop – a person monitors the system and can intervene when necessary
  • Human-in-command – a person retains ultimate authority over the entire process

The appropriate model depends on the significance of the decisions being made and the level of risk associated with the AI system.

Discussions about artificial intelligence often focus on a future of complete automation. In reality, most organisations will operate in a human-and-AI collaboration model for many years to come.

That is precisely why the AI Act places such a strong emphasis on human oversight. The regulation is designed to ensure that accountability for important decisions remains with people rather than being transferred entirely to algorithms.

The EU AI Act, GDPR, NIS2, and DORA: How the Frameworks Connect

The AI Act does not exist in isolation. For many organisations, it will become another component of an increasingly complex regulatory landscape covering risk management, cybersecurity, operational resilience, and compliance.

From a governance perspective, the greatest value comes from viewing these frameworks as complementary parts of a single operating model rather than as separate compliance initiatives.

RegulationPrimary FocusOverlap with the EU AI ActWhat It Means for Organisations
GDPRPersonal data protectionAI training and processing data, transparency, accountability, documentation, and risk assessmentAI should be managed alongside privacy and data governance processes rather than as a standalone compliance domain
NIS2Cybersecurity and organisational resilienceSecurity of AI systems, incident management, business continuity, and infrastructure protectionAI systems should be governed within the same security and resilience framework as other critical technologies
DORADigital operational resilience in financial servicesICT risk management, third-party oversight, technology monitoring, and documentationFinancial institutions should integrate AI governance into existing resilience, vendor management, and technology risk processes

Rather than building separate compliance programmes for every regulation, organisations should focus on common governance foundations: risk, data, security, accountability, suppliers, and documentation.

When these core elements are managed consistently, the same governance mechanisms can support compliance with the AI Act, GDPR, NIS2, and DORA simultaneously. This philosophy was one of the key drivers behind our modular platform AdaptiveGRC

Practical Implementation of AI Act Compliance

Understanding the AI Act is only the first step. The real challenge lies in translating regulatory requirements into day-to-day operational practices. Many organisations already use AI in various forms, often in a decentralised and largely unmanaged way. At the same time, few have established a comprehensive framework for governing AI across the business.

As a result, questions around accountability, ownership, risk, and compliance often remain difficult to answer. That is why EU AI Act compliance should be approached as a structured transformation programme rather than a one-off regulatory exercise.

Gap Analysis and Identifying Compliance Gaps

A practical starting point is conducting a gap analysis to assess how closely the organisation aligns with EU AI Act requirements and where improvements are needed.

The assessment should cover:

  • AI systems currently in use
  • Risk management processes
  • Documentation practices
  • Governance and oversight mechanisms
  • Policies and procedures
  • Roles and responsibilities
  • Monitoring and reporting processes

The outcome should be a clear view of the organisation’s current maturity level together with a prioritised list of gaps and remediation actions.

Many organisations will discover that some of the required capabilities already exist through programmes related to enterprise risk management, GDPR, NIS2, DORA, or ISO 27001.

The challenge is that these capabilities are rarely connected to AI governance in a structured way.

Based on what we see in practice, the most common gaps include:

  • No central inventory of AI systems
  • Informal use of AI tools by employees
  • Lack of AI risk classification
  • Insufficient documentation of decisions
  • Limited post-deployment monitoring
  • Unclear ownership and accountability

A well-executed gap analysis often delivers an additional benefit. For many organisations, it is the first time they gain a complete picture of AI systems, business owners, processes, data sources, and existing controls in a single view. In that sense, the exercise frequently becomes the starting point for a broader AI governance programme.

Building a Remediation Roadmap

Once the gap analysis has been completed, organisations should develop a structured remediation plan.

A phased approach is often the most effective.

Phase 1: AI Inventory

  • Identify AI systems and use cases
  • Create an AI register
  • Assign business owners
  • Classify AI use cases

Phase 2: Risk Management

  • Develop an AI risk assessment methodology
  • Identify high-risk AI systems
  • Implement risk evaluation and approval processes

Phase 3: Governance and Accountability

  • Define roles and responsibilities
  • Establish AI policies and standards
  • Implement oversight processes

Phase 4: Monitoring and Reporting

  • Define monitoring metrics and controls
  • Establish reporting procedures
  • Prepare audit and assurance processes

This phased approach allows organisations to build compliance progressively without creating unnecessary disruption.

Managing AI Risk in Practice

The EU AI Act requires organisations to manage AI-related risks, but it does not prescribe a single methodology. The most mature organisations integrate AI risk into their existing enterprise risk management framework rather than treating it as a standalone compliance initiative.

In practice, this means considering AI-related impacts across areas such as:

  • Regulatory risk
  • Operational risk
  • Technology risk
  • Cybersecurity risk
  • Reputational risk
  • Data quality risk

Put simply, organisations should assess how AI affects each of these domains and how AI-enabled technologies influence existing risk profiles. This approach avoids creating yet another isolated compliance programme while strengthening overall governance and risk management effectiveness.

Penalties for Non-Compliance

Like other major European regulations, the AI Act introduces the possibility of significant financial penalties for non-compliance.

The level of sanctions depends on factors such as:

  • The nature of the violation
  • The scale of non-compliance
  • The type of AI system involved
  • The impact on individuals or organisations
  • Actions taken to mitigate the consequences

The most severe penalties are reserved for prohibited AI practices.

However, regulators are unlikely to focus solely on whether an incident occurred. They will also consider whether the organisation had implemented appropriate governance structures, monitoring mechanisms, and risk management processes.

For this reason, the ability to demonstrate due diligence and effective governance may play a significant role in regulatory assessments.

When new requirements emerge, conversations often focus almost entirely on potential fines. In reality, organisations should be equally concerned about the operational, reputational, and business consequences of uncontrolled AI usage. Effective governance helps reduce exposure across all three dimensions.

How to Prepare Your Organisation for the AI Act

Regardless of industry, organisations should begin preparing for the AI Act sooner rather than later.

Building an effective AI governance framework takes time. It requires collaboration across business, technology, risk, compliance, security, and legal teams, as well as a clear understanding of how AI is currently being used throughout the organisation.

The organisations that start early will be in a much stronger position when regulatory requirements become fully applicable.

AI Act Readiness Checklist

Before launching an AI compliance programme, organisations should ensure that they can answer the following questions:

□ Have all AI systems and use cases been identified?

□ Is there a current and maintained inventory of AI systems?

□ Have AI use cases been classified according to risk?

□ Has ownership been assigned for each AI system?

□ Is there a formal process for assessing AI-related risks?

□ Are AI governance roles and responsibilities clearly defined?

□ Have the necessary policies and procedures been established?

□ Are AI systems being monitored on an ongoing basis?

□ Is there sufficient auditability and documentation?

□ Have relevant employees received appropriate training?

While not every organisation will be able to answer “yes” to all of these questions today, the checklist provides a useful benchmark for measuring AI governance maturity and identifying priority areas for improvement.[RI1] 

The Role of GRC Platforms in AI Compliance

As the number of AI systems grows, managing compliance through spreadsheets, email threads, and disconnected documents quickly becomes unsustainable.

This is why many organisations are turning to GRC platforms to centralise governance processes and create a single source of truth for compliance activities.

Solutions such as AdaptiveGRC can help organisations:

  • Maintain AI inventories and use case registers
  • Assess and monitor AI-related risks
  • Map relationships between systems, processes, data, and controls
  • Track regulatory requirements and compliance activities
  • Support audit and reporting processes
  • Monitor changes across the AI environment

By bringing these capabilities together in one environment, organisations gain better visibility into how AI is used across the business and can respond more effectively to evolving requirements.

The Impact of the AI Act on Business and Innovation

Major regulation often raises concerns about innovation, cost, and competitiveness. For the AI Act, the business challenge is not simply meeting new obligations, but building the governance needed to scale AI safely and sustainably.

Critics argue that unclear rules, compliance costs, and excessive bureaucracy could slow AI development, especially for start-ups and smaller providers. I believe the Act’s impact will depend less on the rules themselves and more on whether implementation is practical, predictable, and proportionate.

Trust, transparency, accountability, and risk management are becoming practical enablers of adoption rather than separate compliance concerns. Organisations that treat the AI Act as a governance opportunity will be better positioned to reduce risk, improve control, and create long-term business value.

Summary

The EU AI Act introduces the first comprehensive regulatory framework for artificial intelligence in the European Union.

Its objective is not to restrict innovation, but to create an environment in which AI can be developed and used safely, transparently, and responsibly.

For organisations, this means recognising that AI is not merely a technology challenge. It is also a governance, risk management, and compliance challenge.

Key areas of focus include:

  • AI risk classification
  • Risk management and controls
  • Documentation and auditability
  • Transparency requirements
  • Human oversight
  • Post-deployment monitoring
  • AI governance and compliance processes

Organisations that begin preparing early will be better equipped to meet regulatory expectations while unlocking the benefits of AI in a controlled and sustainable way.

Organisations looking for official guidance can also use the European Commission’s AI Act Single Information Platform, which provides practical resources, interactive tools, and up-to-date information on AI Act requirements.

FAQ

Łukasz Krzewicki

Audit, Risk & Compliance Expert | C&F

A consultant and project manager with more than 20 years of experience in telecommunications, consulting, and IT. He is responsible for the GRC business line, product roadmap, and development planning at C&F. His specialties include risk management (certified CRISC), service delivery management, security management (certified CISM), software product management, SCRUM, CRM, and business process improvements.

View all articles by this author

Fill in the form

    The Controller of your personal data is C&F S.A. with its headquarters in Warsaw, Poland. Your data will be processed in accordance with C&F S.A. Privacy Policy

    Other posts:

    Solutions

    The AdaptiveGRC platform offers a variety of modules to help manage GRC activities for your company in agreement with the latest regulations (DORA, NIS2).

    In order to meet your company's specific needs, our team of experienced developers can tailor the required functionalities to deliver exactly what your company needs. If your company requires a customized module to effectively meet its needs, we can help.

    Let us fit the best solution for your company. Fill out the form below.
    GET CONSULTATION

    Streamline Your GRC Activities with AdaptiveGRC.
    Get Results Faster.

    • Fill out the form.
    • Our consultant will work with you to determine what your company needs.
    • We will schedule a product demo to show you the required features.
    • We will gain your feedback and tailor a tool to your needs.
    Fill in the form

      The Controller of your personal data is C&F S.A. with its headquarters in Warsaw, Poland. Your data will be processed in accordance with C&F S.A. Privacy Policy

      OUR TESTIMONIALS

      Read Gartner reviews to find out what users think about our solutions

      One of the best GRC software with very good price

      Adaptive GRC offers a great deal of flexibility in supporting GRC&AUDIT processes. The product is continuously developed and the customer receives new possibilities and functionalities. In addition, the price is very attractive in comparison to competitive products. The support team takes a flexible approach to the customer's needs.

      Sebastian B. CEO | Computer & Network Security Employees: 2–10

      Comprehensive platform for managing risk and compliance

      I used AdaptiveGRC Compliance and Risk Management modules for more than a year. Implementation went smooth, and the support team was always very helpful. I especially value the functionality AdaptiveGRC offers - all GRC processes can be managed in one tool, and there is a single database. The tool helped my organization lower operating costs and gain a better understanding of risks in the organization.

      Marcin K. Chief Information Security Officer | Financial Services Employees: 51–200

      Perfect program for compliance control

      It is amazing that thanks to AdaptiveGRC individual assessment management can be shortened from days to minutes. The tool can generate reports for different stakeholders containing only their desired assessment outcome data. I appreciate much the possibility of generating compliance specification lists for supplier contracts or internal departments.

      Jasween K. Compliance Pharmaceuticals Employees: 10 000+

      AdaptiveGRC supports insurance companies in their risk and compliance management processes

      I used AdaptiveGRC to 1. support insurance companies' compliance management processes following a complex industry-specific regulation. 2. I also used AdaptiveGRC to support the process of managing and monitoring data processors as GDPR came into effect. I experienced a significant increase in efficiency in both cases.

      Verified Reviewer Insurance | Self-employed

      What's in a name...

      As the name is representative, AdaptiveGRC is a complete, interconnected GRC solution that can be adapted to organizations across industries and size. The AGRC team did a superb job designing and building a best-in-class GRC solution that addresses the challenges faced in today's uncertain and ever-changing global business climate. Working with the AGRC team has been a pleasure and the support they have provided is exceptional.

      D Scott C. Business Development | Biotechnology Employees: 2–10

      Financial institutions could benefit greatly from AdaptiveGRC

      I am happy to be able to use AdaptiveGRC in my work. This dedicated solution is very helpful for anyone that has to fill out the SREP questionnaire. The extra time I gained was priceless. The platform's design was also very appealing to me. The fact that it was so simple to use was a major plus for me. Due to its comparison capabilities with past years' forms, I was able to cut down on the amount of time it took to complete the new questionnaire. What is more, I was able to monitor the progress of the people assigned to the process.

      Anna C. Head of Fin Crimes Team | Banking Employees: 10 000+

      Great support for insurance company

      My overall experience has been great. I also liked the layout of the platform. The time and control I gained is invaluable. I like the fact that it was very easy to use. It definitely allowed me to shorten the time I had to spend on filling out the SREP questionnaire. I also could easily control the status of work of my team members, check their progress, and monitor on daily basis.

      Verified Reviewer Insurance Employees: 201-500

      AdaptiveGRC - Big Player in GRC

      Easy to install and easy to configure. Out of the box solution. Cloud based or Server. AdaptiveGRC is an enterprise governance, risk management and compliance (eGRC) solution set with unique and unequalled capabilities. AdaptiveGRC can be deployed as one fully interconnected solution suite, or you can choose one or more modules.

      Leigh M. National Accounts | Consumer Goods