DEV Community

t49qnsx7qt-kpanks
t49qnsx7qt-kpanks

Posted on

82 days to EU AI Act enforcement: what GPAI auditability actually requires

82 days to EU AI Act enforcement: what GPAI auditability actually requires

august 2, 2026 is when the European Commission's enforcement powers go live for general-purpose AI (GPAI) providers and high-risk AI systems. the obligation that will catch most teams unprepared isn't the risk classification — it's the auditability requirement.

the AI Act doesn't just say "you must be safe." it says you must be able to demonstrate that you've implemented risk management, human oversight, and transparency controls — and you must be able to show that documentation to an auditor on request. that's a different engineering problem.

what high-risk systems have to show

for any AI system classified as high-risk under annex III of the AI Act, the requirements include:

  • a risk management system with documented identification and mitigation of foreseeable risks
  • data governance covering training, validation, and testing datasets
  • technical documentation that's sufficient to allow a conformity assessment
  • automatic logging of events throughout the system's operational lifetime
  • human oversight measures that allow an operator to intervene
  • accuracy, robustness, and cybersecurity measures

the logging requirement is where most agentic deployments are unprepared. "we have logs" isn't the same as "we have structured audit trails that correlate agent decisions to their inputs, surface anomalies, and are queryable by a third-party auditor."

why GPAI providers are in a different position

GPAI models — the foundation models that other systems build on — face systemic risk assessments if they exceed a compute threshold (10^25 FLOPs). but even below that threshold, GPAI providers must publish technical documentation and cooperate with the AI Office on evaluations.

what that means in practice: if you're building products on top of a GPAI model and deploying into the EU, your downstream application inherits obligations. the foundation model provider's documentation doesn't cover your specific use case, your data processing, or your agent's decision-making logic.

the implementation gap

most teams are at one of two places right now:

place one: "we know we need to comply, we haven't started." the 82-day window is effectively gone for anything requiring third-party conformity assessment — those assessment bodies are already backlogged. what's still achievable is internal technical documentation and a defensible audit trail.

place two: "we think we comply, but we haven't tested the documentation against what an auditor would actually ask for." this is the more dangerous position, because it creates false confidence.

modulos AI put it clearly: enterprises evaluating AI governance platforms in Q3 2026 have missed the implementation window for august 2. selecting a platform before the end of H1 2026 — which is now — is the minimum viable timeline.

what a pre-enforcement audit actually catches

BizSuite's AI Audit is a 48-hour structured review of an agent system's decision logging, policy enforcement, anomaly detection coverage, and documentation gaps — delivered as a findings doc designed to be the starting point for a conformity assessment, not a replacement for it. it's $997, no recurring fee, no consulting theater.

the 48-hour turnaround is deliberate. at 82 days to enforcement, you don't need a six-month engagement. you need to know where your gaps are in time to fix them.

the audit covers: agent decision audit trail completeness, log retention and queryability, human oversight trigger documentation, policy enforcement verification, and GPAI dependency documentation gaps.

for teams who need to get a structured audit artifact before august 2: https://getbizsuite.com/ai-audit

Top comments (0)