43 days to EU AI Act enforcement — what "ready" actually means technically
August 2, 2026 is not a soft deadline. The Commission's enforcement powers over GPAI model providers come into force that day: documentation, transparency requirements, human oversight, post-market monitoring. The regulation is clear. What's not clear is what "compliant" looks like as a technical artifact your legal team can hand to an auditor.
Most teams building on top of LLMs are in the same position: they've read the Act, they understand roughly what they need, and they have no idea what format the evidence should be in. The gap between "we do this" and "here's proof we do this" is where most compliance efforts stall.
What actually needs to exist on paper — by August 2 — for a GPAI-integrated system:
System-level documentation that maps each agent capability to a risk tier. This isn't architecture diagrams; it's a record that links your tool calls to the human oversight mechanism that gates them. If an agent can take an external action (send email, execute code, call an API), you need documentation showing what policy enforces the scope of that action and who approved that policy.
Incident response trail. The Act requires post-market monitoring. In practice that means: when something goes wrong, can you reconstruct what the agent did, what context it had, and what decision produced the bad outcome? Logging agent reasoning is table stakes. Having that log structured in a way an auditor recognizes is the actual requirement most teams miss.
A transparency layer at the boundary. When a user interacts with a GPAI-powered system, there are specific disclosure obligations. These aren't "AI-generated" watermarks — they're structured disclosures about what the system can and can't do and how decisions are escalated to humans.
The teams that will have problems in August aren't the ones who haven't read the Act — it's the ones who did all the right engineering but have no written record of it. The compliance failure mode is almost always documentation, not architecture.
i built an ai-audit for this exact gap: a 2-hour working session that produces a prioritized gap report — the actual document you hand to legal, not a self-assessment checklist. delivery in 48 hours. $997.
Top comments (0)