The EU AI Act Compliance Deadline: What Your Enterprise Is Not Doing With Ten Weeks Left
August 2, 2026 is the compliance deadline for high-risk AI systems under the EU AI Act. Most enterprises that are "deployers" under the regulation, meaning organizations that put third-party AI systems into operational use, have not completed, or in many cases even started, the AI system inventory, human oversight assignment, and logging and incident-reporting arrangements that Article 26 requires of deployers. The gap is not primarily a legal knowledge problem. It is a gap between the AI tools enterprise functions have adopted operationally and the governance process that was supposed to evaluate them. This memo dissects what the Act actually requires of deployers, which AI tools commonly cross the high-risk threshold, and what your organization must do in the remaining window.
August 2, 2026 — 10 weeks from today
Background
The EU AI Act — Regulation (EU) 2024/1689 — entered into force on August 1, 2024. It is the world’s first comprehensive legal framework governing AI systems, and it applies not only to companies that build AI but to companies that deploy it. The compliance timeline is phased: prohibited AI practices were banned as of February 2, 2025; obligations for General-Purpose AI models took effect on August 2, 2025; and obligations for high-risk AI systems under Annex III take effect on August 2, 2026 (high-risk systems that are safety components of products regulated under Annex I follow on August 2, 2027). That date is ten weeks from this publication.
The Act creates two categories of obligation that most enterprises have conflated or ignored entirely. The first applies to providers — organizations that develop AI systems and place them on the market. The second applies to deployers — organizations that put AI systems into operation, even if they did not build them. An enterprise that subscribes to an AI-powered applicant tracking system, a credit risk scoring platform, an employee performance analytics tool, or a life or health insurance underwriting product is a deployer. The provider’s compliance with the Act does not discharge the deployer’s independent obligations. The line can also move: a deployer that substantially modifies a high-risk system, changes its intended purpose, or puts its own name or trademark on it takes on the provider’s obligations as well (Article 25).
The Annex III high-risk list is specific. It covers AI systems used in: biometric identification and categorisation of natural persons; management and operation of critical infrastructure; education and vocational training (access, assessment, evaluation); employment, workers management, and access to self-employment (recruitment, selection, promotion, contract termination, task allocation, performance monitoring); access to essential private and public services (creditworthiness of natural persons, life and health insurance risk assessment and pricing, emergency call evaluation and dispatch prioritisation, public benefits); law enforcement; migration, asylum, and border control management; and administration of justice and democratic processes. Two caveats matter in practice. First, Article 6(3) carves out Annex III systems that do not pose a significant risk to health, safety, or fundamental rights because they perform only a narrow procedural or preparatory task or improve the result of a previously completed human activity; that carve-out never applies where the system profiles natural persons, and the provider must document its reasoning for relying on it. Second, scope follows where the system is used: the Act applies to deployers established or located in the EU, and to deployers outside the EU where the system’s output is used in the EU (Article 2). If your enterprise operates in the EU, or its AI-assisted decisions about EU residents or EU customers are used there, and you use AI tools in any of these categories, you are very likely a deployer of high-risk AI systems.
The compliance gap is documented. Industry surveys conducted in late 2025 found that fewer than 20% of large EU-based enterprises had completed a formal AI system inventory under the Act’s classification framework. The challenge is structural: the teams that adopted AI tools — HR, finance, operations, customer service — did not adopt them through a procurement process designed to evaluate regulatory classification. They adopted them as SaaS products, sometimes without IT or legal involvement. The AI Act creates compliance obligations at the point of deployment, not at the point of vendor selection. That means the obligation often arrived before the governance process that was supposed to gate it.
The deployer obligations under the Act for high-risk systems (Article 26) are substantive. Deployers must: implement appropriate technical and organisational measures to ensure they use the system in accordance with its instructions for use; assign human oversight to natural persons who have the necessary competence, training, and authority to intervene; ensure that input data under their control is relevant and sufficiently representative for the system’s intended purpose; monitor the system’s operation on the basis of the instructions for use, and inform the provider and the relevant market surveillance authority (suspending use) where that use may present a risk to health, safety, or fundamental rights; keep the logs the system automatically generates, to the extent those logs are under their control, for at least six months unless other Union or national law requires longer; inform workers’ representatives and affected workers before putting a high-risk system into service at the workplace; inform natural persons that a high-risk AI system is being used to make or assist decisions about them; and, on identifying a serious incident, immediately inform first the provider and then the market surveillance authority. None of these obligations are satisfied by the vendor’s terms of service alone.
The enforcement architecture is now active. Each EU member state was required to designate its national competent authorities — the notifying authority and the market surveillance authority empowered to investigate, audit, and fine deployers — by August 2, 2025 (Article 70). Those authorities are operational. The European AI Office, which oversees GPAI models and coordinates cross-border enforcement, has been actively issuing guidance and conducting preliminary investigations since early 2026. Maximum fines for deployers that breach the Act’s high-risk obligations are €15 million or 3% of global annual turnover, whichever is higher (Article 99(4)). The compliance window for high-risk systems does not include a grace period for “good faith” efforts.
Decision Required
The decision your organization must make before August 2, 2026: Given that your enterprise likely deploys one or more AI systems that meet the EU AI Act’s definition of high-risk under Annex III — and given that deployer obligations under the Act are independent of vendor compliance — have you completed the required AI system inventory, obtained and reviewed the provider’s conformity documentation for each in-scope system (and completed a fundamental rights impact assessment under Article 27 where your organization is subject to it, as deployers of creditworthiness and life or health insurance systems are), assigned qualified human oversight to each system, and established the logging and incident-reporting infrastructure the Act requires? If not, what is your organization’s position on non-compliance when enforcement actions begin on August 2?
The secondary decision is about organisational architecture. The EU AI Act does not map cleanly onto existing enterprise governance structures. Privacy and data protection teams understand GDPR but not AI risk categorisation. Legal teams understand regulatory compliance frameworks but may not have a working inventory of deployed AI systems. IT teams may have a software asset inventory but almost certainly lack the classification framework the Act requires. HR, finance, and operations teams deployed AI tools without a regulatory lens. The compliance question is therefore also an organisational design question: which function owns AI Act compliance, with what authority, and with what access to the information required to execute it?
There is also a geographic scope decision. The Act applies to AI systems placed on the EU market or put into service in the EU. For multinationals with operations in both the EU and non-EU jurisdictions, the practical question is whether to apply EU AI Act compliance standards globally — to avoid managing two governance frameworks for the same tools — or to scope compliance narrowly to EU operations. The former is operationally simpler but more costly to achieve; the latter is precisely scoped but creates compliance risk if the system classification is wrong.
Options
Option A. Assess that enforcement actions in the first months of the high-risk deadline are likely to focus on egregious cases — systemic violations, high-profile sectors, complaints-driven investigations — and that a documented good-faith compliance programme, even if incomplete, materially reduces enforcement risk in 2026. Prioritise inventory completion and assign human oversight for the highest-risk systems first, treating August 2 as the start of a compliance programme, not its completion date. Lowest immediate cost, highest regulatory risk, defensible only with a credible programme timeline.
Option B. Issue an operational hold on any AI system that has not been classified under the Act’s risk framework, pending completion of a classification assessment. For systems already deployed: document their current operational status and assign interim human oversight immediately. This eliminates new compliance risk accumulation but may operationally disrupt functions that have embedded AI into workflows. Legally conservative; operationally disruptive for functions with embedded AI tools.
Option C. Immediately commission a cross-functional inventory of all deployed AI systems — led by legal or compliance, involving HR, IT, finance, and operations — using Annex III as the classification framework. For each system classified as high-risk: require the vendor to provide its conformity documentation and instructions for use; assess deployer obligations against the Act’s requirements; assign a qualified human oversight owner; establish logging retrieval capability; and document the implementation timeline with accountability. Run the inventory as a 30-day sprint and use its output to determine which systems can achieve compliance by August 2 and which require a documented remediation timeline. This is achievable in ten weeks for organisations with clear executive sponsorship.
Option D. Treat the EU AI Act as the global standard for AI governance — apply its classification framework, documentation requirements, and human oversight obligations to all AI systems regardless of jurisdiction. This eliminates the operational overhead of maintaining geography-specific compliance standards for the same tools. It positions the organisation ahead of AI regulation in the UK (AI Bill currently in committee), the US (state-level AI regulation accelerating), and other jurisdictions developing their own frameworks. Higher immediate implementation cost; significantly simpler ongoing governance.
Recommendation
Option C as the immediate action, combined with Option D as the target state. The ten-week window is workable — if the inventory starts within the next two weeks. The organisations that will face August 2 enforcement risk are the ones that have not started.
The inventory has two components. The first is coverage: which AI systems does your organisation deploy, in what operational contexts, touching which categories of Annex III? This is a cross-functional discovery exercise. Legal cannot do it alone, because legal does not know which AI SaaS tools HR adopted in 2023 and 2024. IT cannot do it alone, because IT’s software asset inventory does not capture classification-relevant context. The inventory requires a structured questionnaire pushed to every business function, with legal or compliance reviewing each response for Annex III applicability.
The second component is remediation sequencing. Not all in-scope systems carry equal risk. Employment and credit systems — the two Annex III categories most commonly embedded in enterprise SaaS — carry the highest enforcement priority because they directly affect fundamental rights. Start with HR AI tools (applicant tracking, performance management, workforce planning) and financial services AI tools (creditworthiness and credit scoring of natural persons, life and health insurance risk assessment and pricing) and achieve documented compliance on these before the deadline. Note that Annex III expressly excludes AI used to detect financial fraud from the creditworthiness category, so a fraud-detection tool is not high-risk on that ground alone. For lower-priority in-scope systems, a documented remediation timeline with interim oversight measures is the defensible position.
On the global governance question: given the direction of AI regulation in major jurisdictions — the EU AI Act, the UK AI Bill, US state-level AI laws in Colorado, Illinois, and Texas covering employment AI specifically — maintaining geography-specific compliance frameworks will compound in cost. The EU AI Act’s classification framework is the most comprehensive currently available. Building your governance architecture on it now, and applying it globally, is cheaper than rebuilding for each jurisdiction. The investment in Option C’s compliance sprint pays for itself twice if it builds the governance infrastructure that satisfies the next wave of regulation.
Risks
The most significant compliance risk for most enterprises is not the AI systems that IT knows about — it is the AI tools that business functions adopted independently. HR teams using AI-powered applicant tracking and performance scoring tools. Finance teams using AI-driven credit and vendor risk platforms. Sales teams using AI lead scoring and customer segmentation tools. These deployments often happened through individual SaaS subscriptions, P-card purchases, or trials that never went through IT procurement or legal review. Not all of them will be high-risk (B2B vendor risk or lead scoring rarely touches an Annex III category), but you cannot make that determination for a tool you have not found. If these tools are Annex III high-risk and your organisation has not met its deployer obligations for them, you are non-compliant — regardless of whether you know the tool exists.
Many AI SaaS vendors have now produced EU AI Act compliance documentation — technical documentation, conformity assessments, instructions for use — and some enterprise procurement teams have treated receipt of that documentation as the end of their compliance obligation. It is not. The Act creates independent deployer obligations that vendor documentation does not satisfy: the human oversight assignment must be your organisation’s; the operational logs must be retrievable by your organisation; the incident reporting obligation runs from your organisation to the national supervisory authority. A vendor’s “EU AI Act compliant” badge does not make your deployment compliant.
Serious incidents have a short reporting path. Article 3(49) defines a serious incident as an incident or malfunction that leads to death or serious harm to a person’s health, a serious and irreversible disruption of critical infrastructure, an infringement of obligations under Union law intended to protect fundamental rights, or serious harm to property or the environment. Article 73 places the formal report on the provider — generally within 15 days of becoming aware, no later than 2 days for a widespread infringement or a critical-infrastructure disruption, and no later than 10 days for a death — but Article 26(5) requires the deployer, on identifying a serious incident, to immediately inform first the provider and then the market surveillance authority, and to suspend use of the system where continued use in accordance with the instructions may present a risk. Those clocks start at awareness, so the deployer needs a way to recognise an AI-specific failure as a reportable incident in the first place. Most large enterprises do not have an AI incident detection and reporting workflow. Their cybersecurity incident response processes do not cover AI-specific failures. Their legal and compliance escalation paths were not designed for AI Act reporting timelines. Building this infrastructure requires a cross-functional workstream — IT, legal, compliance, HR, operations — that most organisations have not scoped.
Of all Annex III categories, employment, workers management, and access to self-employment AI has attracted the most regulatory attention in advance of the August 2 deadline. National supervisory authorities in Germany, France, and the Netherlands have each signalled that AI use in recruitment and performance management will be an early enforcement priority. AI tools used in applicant screening, automated interview assessment, performance scoring, and promotion or termination decision support are high-risk under the Act. One feature of such tools is not merely high-risk but already banned: inferring a person’s emotions in the workplace (or in education) is a prohibited practice under Article 5(1)(f), in force since February 2, 2025, except for medical or safety reasons, so an interview-assessment tool that scores candidates on inferred emotional state must be withdrawn, not governed. Enterprises that use these tools and cannot demonstrate human oversight — specifically, a qualified natural person with authority and the information needed to override AI recommendations — are likely to be among the first enforcement targets.
Questions Your Team Should Be Answering
These are the questions that distinguish organizations that get this right from those that do not. If your team cannot answer them, that is your first deliverable.
1. Has your organisation completed an inventory of all AI systems deployed by each business function — HR, finance, operations, customer service, legal, IT — against the Annex III classification framework, and who owns that inventory with ongoing responsibility to keep it current as new tools are adopted?
2. For each AI system your organisation has classified as high-risk: has a qualified natural person been formally assigned as the human oversight owner, with documented authority to intervene or override AI outputs, and the training required to exercise that authority meaningfully?
3. What AI incident detection and reporting capability does your organisation currently have, and is it capable of recognising an AI-specific failure as a serious incident under Article 3(49) and escalating it fast enough to meet the deployer’s Article 26(5) obligation to immediately inform the provider and the relevant market surveillance authority?
4. For AI systems used in employment decisions — applicant screening, performance management, workforce planning, promotion or termination support — has your organisation reviewed the vendor’s instructions for use, confirmed that your deployment matches the permitted use cases, informed workers’ representatives and affected workers as Article 26(7) requires, and documented the human oversight mechanism in a way that would satisfy a supervisory authority inquiry?
5. Which function in your organisation owns EU AI Act deployer compliance, with what authority to halt or remediate non-compliant deployments, and what cross-functional access do they have to the inventory and documentation required to execute that responsibility?
6. Has your organisation decided whether to apply EU AI Act compliance standards globally — across all jurisdictions where the same AI tools are deployed — or to scope compliance narrowly to EU operations, and has that decision been formally documented with the rationale and risk acceptance for the non-EU scope?