what "mapping the compliance layer" actually means for ai teams on an august 2 deadline

raconteur's piece this week got the framing right: heads of IT should already be mapping the compliance layer of AI tools. what it couldn't fit in a roundup is what that mapping looks like in practice for teams shipping agents right now.

here's the concrete version.

the EU AI Act's GPAI obligations that kick in August 2 aren't about whether your model is accurate. they're about whether you can prove accountability for decisions it makes. article 9 (risk management), article 12 (logging), and article 14 (human oversight) each require you to produce documentation — not self-attestation, but verifiable records.

the gap most engineering teams hit isn't intent, it's instrumentation. you can have a perfectly governed agent architecture on paper and still fail an audit because:

• logging captures service accounts, not individual agent actions
• human oversight checkpoints exist in your runbook but aren't baked into the runtime
• data governance docs were written when the system was built and haven't tracked with the actual data flows since

that's the difference between "compliance-ready" and "compliance-documented." auditors care about the second one.

a practical mapping exercise looks like this: pull your agent's call graph for the last 30 days. trace every external data touch point. identify every decision with material consequence (a payment, a data deletion, a user-facing output). for each one, ask: can you show the input, the model version, the output, and the human checkpoint — with timestamps — in under 48 hours?

if the answer is "probably" or "we'd have to dig," that's the gap.

our ai-audit delivers a documented gap analysis and remediation plan in 48 hours, covering exactly this layer: https://getbizsuite.com/ai-audit

66 days to August 2 is enough runway to close the gap — not enough to ignore it.