
t49qnsx7qt-kpanks
the practical governance checklist before august 2 — eu ai act + nist ai rmf 1.1

two hard deadlines, one governance gap.

eu ai act enforcement starts august 2, 2026. nist ai rmf 1.1 dropped march 2026 and is now the practical standard for US federal and enterprise compliance. they align on the same core requirement: your ai system needs evidence of governance, not just the existence of governance features.

here's a practical checklist built from both frameworks — the specific evidence artifacts each requires, and the most common gaps i see in enterprise agent deployments today.

eu ai act: the three articles that have teeth

article 9 — risk management system. requires a continuous risk management process, not a one-time assessment. evidence artifacts: a risk register that was updated after deployment (not just at deployment), a log of risk mitigation measures applied, and a documented review cadence.

common gap: teams do a risk assessment at launch and consider it done. the act requires ongoing management. if your risk register hasn't been updated since deployment, you fail this requirement on the evidence.

article 13 — transparency and information provision. the system's operations must be interpretable by the intended users and oversight personnel. evidence artifacts: a plain-language description of what the system does, how it makes decisions, and what its limitations are — written for a non-technical compliance reviewer, not the engineering team.

common gap: technical documentation exists but is written by engineers for engineers. an eu ai act auditor will ask for documentation they can understand, not source code comments.

article 14 — human oversight. measures enabling human oversight must be implemented, and evidence that oversight was actually exercised must exist. evidence artifacts: a defined oversight role with documented responsibilities, an access mechanism for that role to monitor and intervene, and a log showing that monitoring occurred during the operation period.

common gap: oversight is theoretically possible but not practiced. "we could stop it if we wanted to" doesn't satisfy article 14. the record has to show it was monitored.

nist ai rmf 1.1: the govern and map functions

the rmf's measure and manage functions (testing, evaluation, incident response) are where most teams have coverage. the gaps are usually in govern and map.

govern — ai risk governance. requires organizational policies for ai risk, assigned accountability, and a defined process for escalation. evidence artifacts: a written ai policy, a named role with ai governance responsibility, and a documented escalation path.

map — context and categorization. requires identifying intended use, potential harms, and affected stakeholders. evidence artifacts: a use case document, a harms analysis, and documentation of stakeholder consultation (or rationale for why stakeholder consultation wasn't required).

the govern and map functions are organizational, not technical. they don't show up in your logging pipeline or your test suite. they require documentation that was deliberately created, usually by someone with both technical and policy knowledge.

what the combined evidence package looks like

an ai deployment that satisfies both eu ai act and nist ai rmf 1.1 needs:

  1. continuous risk register (updated, not just created)
  2. plain-language transparency documentation
  3. human oversight log showing monitoring occurred
  4. organizational ai governance policy with named accountability
  5. use case and harms analysis
  6. tamper-evident technical audit trail linking to items 1-5

most teams have item 6 at least partially in place. items 1-5 are where the evidence gaps are.

bizsuite's ai-audit produces this full package in 48 hours. the output is a written report your legal, compliance, and engineering teams can each use — not a summary slide deck. $997, 48-hour delivery, structured as a defensible governance document: https://getbizsuite.com/ai-audit

82 days is enough time to build this properly. it's not enough time to defer it to next quarter.
