t49qnsx7qt-kpanks

66 days to EU AI Act enforcement — what "conformity assessed" actually requires

the EU Commission's GPAI guidelines for high-risk AI systems are published. the enforcement date is August 2, 2026. the requirement is specific: conformity-assessed, registered, and operational with risk management, data governance, logging, and human oversight by that date.

that's not a "prepare to prepare" deadline. that's a "have the documentation ready for examination" deadline.

most enterprise teams are not ready. here's what conformity assessment actually asks for, and what the gaps look like in practice.

what "conformity assessed" means in operational terms

the EU AI Act's conformity assessment for high-risk systems isn't a checkbox form. it's a structured examination of whether the AI system has documented evidence across four domains:

risk management — a documented process that identified the system as high-risk before deployment, not after. the timing matters. retrospective risk classification doesn't satisfy conformity assessment because the requirement is that you managed the risk during development, not that you recognized it afterward.

data governance — documentation of what data the system was trained or fine-tuned on, how bias was assessed, and what monitoring is in place for data drift. for systems using third-party models (which is most enterprise deployments), this means having documented evidence of the base model's training data governance, plus your own fine-tuning governance on top.

logging — not application logs. the requirement is for logs that enable "ex post monitoring" — the ability to reconstruct what the system did and why, independent of the system itself. that's a higher bar than "we have CloudWatch." it means action-level, tamper-evident logs that a compliance examiner can verify haven't been altered.

human oversight — documented evidence that humans can effectively oversee the system's operation, including specific mechanisms that allow intervention, override, or shutdown. "we can turn it off" doesn't satisfy this. the requirement is documented thresholds at which human review is triggered, with evidence that those thresholds are enforced at the infrastructure level.

where most enterprise teams are actually landing

the honest assessment for most enterprise teams with serious AI deployments:

risk management is partially documented — most teams have done a risk classification exercise, but many classified their systems as non-high-risk to avoid the conformity assessment burden. some of those classifications are going to be challenged.

data governance for base models is often missing because teams delegated it to the model provider. the EU Commission's guidelines make clear that using a third-party GPAI model doesn't transfer compliance responsibility — you still need documentation of the base model's governance.

logging is the most common gap. most teams have completion logs (what the model output) but not action-level provenance (what the model triggered, with an unbroken chain back to the authorizing instruction). the difference is significant for conformity assessment.

human oversight is the least understood requirement. teams often point to their human review processes (content moderation, escalation workflows) as evidence. what the assessment actually asks for is whether those processes are architecturally enforced — whether the system cannot act outside the human oversight boundary, not just whether humans usually review its outputs.
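to make the logging gap concrete, here is an added example (not from the original post and not BizSuite's code) of an action-level, hash-chained log in which every record names its authorizing instruction and an examiner can recompute the chain independently. the field names, the instruction IDs, and the idea of keeping the head hash in a store outside the AI system are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash used by the first record

def _digest(body):
    # Canonical JSON so an examiner recomputes exactly the same bytes.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def append_action(log, instruction_id, actor, action, detail):
    """Append one action record, chained to the previous record's hash."""
    body = {
        "seq": len(log),
        "instruction_id": instruction_id,  # the authorizing instruction
        "actor": actor,
        "action": action,
        "detail": detail,
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    record = dict(body, hash=_digest(body))
    log.append(record)
    return record

def verify_chain(log, authorized, expected_head=None):
    """Return a list of findings; an empty list means the log is intact."""
    findings, prev = [], GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec.get("seq") != i:
            findings.append(f"record {i}: sequence gap or reorder")
        if rec.get("prev_hash") != prev:
            findings.append(f"record {i}: broken link to previous record")
        if _digest(body) != rec.get("hash"):
            findings.append(f"record {i}: content altered after write")
        if rec.get("instruction_id") not in authorized:
            findings.append(f"record {i}: no authorizing instruction")
        prev = rec.get("hash", "")
    # The head hash must be kept outside the system being audited; without
    # it, a full rewrite or a truncation of the log cannot be detected.
    if expected_head is not None and prev != expected_head:
        findings.append("head hash differs from the externally anchored value")
    return findings

def build_sample_log():
    # Constructed sample data, not taken from any real system.
    log = []
    append_action(log, "instr-001", "agent-a", "read_record", {"id": 17})
    append_action(log, "instr-001", "agent-a", "send_email", {"to": "user@example.com"})
    append_action(log, "instr-002", "agent-a", "update_record", {"id": 17})
    return log
```

the chain alone only shows internal consistency; the externally held head hash is what lets someone verify the log independent of the system that wrote it.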

the 66-day window

August 2, 2026 is 66 days from now. that's not enough time to build the logging infrastructure from scratch, retrain a governance model, or stand up a new oversight architecture.

it is enough time to document the current state, identify the specific gaps against the conformity assessment criteria, and close the gaps that are closeable in the window.

BizSuite's AI Audit does that in 48 hours. the output is a structured assessment against EU AI Act conformity criteria: what's documented and compliant, what's partially compliant and fixable in the window, and what's a gap that needs a longer-term remediation plan. $997 flat.

the teams that go into August with a documented gap analysis are in a fundamentally different position than the ones that go in hoping nobody looks. the enforcement window is real and the first audits will happen.

https://getbizsuite.com/ai-audit
