DEV Community

Mohamed
Mohamed

Posted on

The EU AI Act Is Coming. Most Enterprise Leaders Are Not Ready for What It Actually Requires.

The EU AI Act passed in August 2024. Full enforcement of the high-risk provisions kicks in from August 2026. Most of the enterprise leaders I speak with know it exists and have not read it. Their legal teams have read summaries. Almost nobody has walked through what it actually means for the AI systems they are currently deploying or planning to deploy.

I want to be specific about what the Act requires, because the gap between the general awareness and the operational reality of compliance is large and the timeline is shorter than it looks.

The Act takes a risk-based approach. AI systems are classified into four tiers: unacceptable risk (banned), high risk (heavily regulated), limited risk (transparency obligations), and minimal risk (no specific obligations). The classification that matters most for enterprise deployment is high risk, because that is where most consequential business AI applications land.

High-risk systems under the Act include AI used in employment decisions, including recruitment, promotion, and performance evaluation. AI used in credit and insurance risk assessment. AI used in access to essential services. AI used in educational assessment. And AI used in biometric identification, which has its own stricter treatment.

If your organization is using AI to screen resumes, score candidates, evaluate employee performance, assess customer creditworthiness, or make decisions that affect individuals' access to services, you are in high-risk territory. The obligations that come with that classification are substantial.

High-risk AI systems must maintain technical documentation that allows assessment of conformity. They must maintain logs enabling post-hoc monitoring of system performance. They must be designed to allow oversight by natural persons. They must be transparent enough that users know they are interacting with AI. They must be accurate, robust, and cybersecure for their intended purpose. And for systems used to make decisions about individuals, there must be human oversight capable of overriding the AI's output.

The requirement that catches most organizations off guard is the logging obligation. The Act requires that high-risk AI systems be designed to automatically record events relevant to identifying risks. This is not the same as the audit logging most organizations currently implement. It requires records sufficient to reconstruct what the system did, why, and what the outcomes were, specifically to enable investigation of cases where the system may have produced incorrect or discriminatory outputs.

Most enterprise AI deployments I have reviewed do not have logging at this level of completeness. They log that queries happened. They do not log the full context, the retrieved information, the confidence indicators, or the chain of reasoning that produced the output. Retrofitting this capability after deployment is significantly harder than building it in from the start.

The human oversight requirement is the other provision that requires genuine architectural change rather than documentation. The Act requires that high-risk systems be designed so that natural persons can intervene, override, or halt the system. For many AI deployments that have been positioned as productivity tools that reduce human involvement in decisions, this requirement runs directly against the design premise.

For organizations operating in the EU or processing data about EU residents, the Act applies regardless of where the AI system is deployed. An American company using AI to make employment decisions about EU employees or customers is within scope.

The compliance timeline feels comfortable until you work backward from it. Full high-risk obligations apply from August 2026. Conformity assessments for systems in use before that date must be completed by August 2027. That sounds like two years, but conformity assessment for a complex AI system, involving technical documentation, risk assessment, human oversight design, and logging architecture review, realistically takes six to twelve months. Organizations that want to be compliant when enforcement begins need to start their assessment process in 2025.

The practical recommendation is to start with classification. Map every AI system currently deployed or planned and determine honestly which ones process information about individuals in ways that affect their interests. That mapping, done carefully, tells you where the compliance investment needs to go and in what order.

Organizations that are already running AI on self-hosted infrastructure have a meaningful advantage here. The logging and oversight requirements are easier to implement when the infrastructure is under your control. Explaining to a regulator how your system maintains required logs when those logs live on a vendor's cloud infrastructure, subject to the vendor's retention policies, is a harder conversation than explaining a logging architecture that you directly operate and control.

The Act is not designed to prevent enterprises from using AI. It is designed to ensure that AI used for consequential decisions about people is accountable, transparent, and subject to human oversight. Organizations that have been building toward those properties anyway are better positioned than they might realize. Organizations that have been treating accountability and oversight as optional are about to find out that for a significant class of AI applications, they are not.

Top comments (0)