The EU AI Act enforcement deadline is August 2, 2026. Most organisations aren't ready. Here's exactly what your AI inventory needs — and what happens if you don't have one.
Most organisations can't tell you how many AI systems they're running right now. Not roughly. Not confidently. Not at all.
Over half of organisations lack systematic inventories of AI systems currently in production or development. The EU AI Act enforcement deadline is 2 August 2026. Non-compliance could cost your company up to 7% of global annual revenue.
This article is for operations, finance, and IT leaders at mid-sized and enterprise organisations who need a clear, practical picture of what compliance looks like — and what to do in the next 75 days.
What the August 2026 Deadline Actually Requires
The EU AI Act is the first-ever comprehensive legal framework on AI worldwide. It is not guidance. It is enforceable regulation with direct legal effect across all 27 EU member states.
Three obligations take effect on 2 August 2026:
- Annex III high-risk obligations. Obligations for AI used in employment, credit decisions, education, and law enforcement become enforceable.
- Transparency requirements. AI-generated content must be clearly labelled.
- Extraterritorial reach. Any AI impacting EU users must comply — regardless of where the company is based.
The European Commission proposed a Digital Omnibus package that could postpone some obligations to December 2027 — but prudent compliance planning treats August 2026 as the binding deadline.
The Four-Tier Risk Classification — Where Your AI Systems Probably Sit
The framework differentiates AI systems by potential harm, imposing escalating obligations where risks increase.
| Risk Tier | Description | Obligation |
|---|---|---|
| Unacceptable | AI that threatens safety or fundamental rights (e.g. social scoring, manipulative systems) | Banned outright |
| High-risk | AI in employment, credit, education, law enforcement, critical infrastructure | Full compliance: risk management, data governance, documentation, human oversight |
| Limited risk | Chatbots, AI-generated content, emotion recognition systems | Transparency disclosures — users must know they're interacting with AI |
| Minimal risk | Spam filters, AI-powered search, most internal tools | Largely unregulated |
The trap most organisations fall into: assuming everything they run is minimal risk. HR screening, credit assessments, IT security triage, and customer-facing decisions are likely high-risk or limited-risk.
What Your AI Inventory Needs to Contain
Your AI inventory is a living register that maps every AI system to its regulatory obligations — not a spreadsheet someone fills in once.
Each entry needs:
- System name and purpose
- Risk classification with justification
- Your role in the value chain: provider, deployer, importer, or distributor
- Data lineage and governance
- Technical documentation (Annex IV: design decisions, data lineage, testing methodologies)
- Human oversight mechanisms and escalation paths
- Third-party vendor dependencies and their compliance status
- Incident reporting protocols
Three categories most organisations miss:
- Shadow AI. Marketing AI copywriting tools, finance forecasting plug-ins, customer service chatbots
- Embedded AI in SaaS. AI features in your CRM, ERP, or ITSM platform enabled by default
- Legacy automation with ML components. Smart rules engines using machine learning built 2–3 years ago

The Compliance Gaps Most Organisations Haven't Closed
Treating AI Like Traditional Software
AI systems aren't static code. They learn, drift, and produce different outputs over time. Compliance frameworks need model monitoring, retraining protocols, and ongoing risk assessment.
No Cross-Functional Governance
Compliance requires legal, compliance, HR, and business unit leaders at the table — not just IT. Every AI system needs clear cross-functional accountability.
Missing Design History
Annex IV requires comprehensive records of design decisions and testing methodologies. Agile teams with minimal documentation will struggle to reconstruct this history.
Ignoring the Regulatory Stack
Financial services organisations are likely subject to DORA and NIS2 alongside the AI Act. An integrated compliance approach — covering all three — saves significant effort.
A Practical 5-Step Action Plan for the Next 75 Days
Step 1: Complete your AI inventory
Every system, every team, every vendor. Aim for done, not perfect.
Step 2: Classify every system by risk tier
Be conservative. If unsure whether a system is high-risk, treat it as high-risk until proven otherwise.
Step 3: Identify your top 3 compliance gaps
Focus on high-risk systems first: missing documentation, no human oversight, unassessed third-party vendors.
Step 4: Assign cross-functional owners
Every high-risk AI system needs a named person responsible for compliance — not a committee, a person.
Step 5: Build your evidence trail
Document that you've assessed, classified, and are actively managing your AI systems. Regulatory authorities can impose fines, restrict market access, and require product recalls.
What This Means for Your Team
The EU AI Act isn't designed to stop you using AI. It's designed to make sure you know what you're running, who it affects, and how you're managing the risks. For most enterprise and mid-market organisations, the scope is manageable — dozens of AI systems, not thousands.
Penalties reach up to 7% of global annual turnover. Beyond fines: operational disruptions, product launch delays, import bans, and reputational damage.
Frequently Asked Questions
Does the EU AI Act apply to my company if we're not based in the EU?
Yes. The Act has extraterritorial reach — if your AI systems affect EU users or process EU data, you are in scope regardless of where your company is headquartered. This applies to SaaS products, cloud-based tools, and APIs accessible from Europe.
What counts as a high-risk AI system under the EU AI Act?
High-risk AI systems are those used in employment decisions, credit assessments, education, law enforcement, critical infrastructure, and similar contexts where outcomes significantly affect people's rights or safety. If your company uses AI for HR screening, customer creditworthiness, or IT security triage, you are likely operating in high-risk territory and should classify accordingly.
What happens if we miss the August 2026 deadline?
Non-compliance with the EU AI Act can result in fines of up to €35 million or 7% of global annual turnover — whichever is higher. Beyond financial penalties, organisations can face product launch delays, import bans, mandatory recalls, and reputational damage with customers and regulators.
We already have DORA and NIS2 compliance programmes. Do we need a separate AI Act programme?
Not necessarily a separate one — but you do need to expand what you have. The EU AI Act, DORA, and NIS2 overlap significantly for financial services organisations. A well-designed integrated compliance framework can satisfy requirements across all three simultaneously, avoiding duplicated effort. The key is mapping your AI systems as ICT assets within your existing GRC structure.

