The EU AI Act is not a future problem. For enterprises operating AI systems in EU member states, or deploying AI systems whose output is used in the EU, regardless of where the enterprise is headquartered, the obligations for high-risk AI systems are phasing in on a fixed statutory timetable rather than waiting on further rulemaking. The grace periods that many compliance teams have been relying on are shorter than widely understood, and the gap between where most organizations are and where the regulation requires them to be is significant.
This is not a post about the regulation's technical details. Those details are available from legal counsel and from the European Commission's own guidance. This is a post about the organizational and procurement implications for enterprise IT buyers — specifically, what to do in the next 90 days.
The Classification Problem
The first and most urgent task for most enterprise IT teams is classification. The EU AI Act distinguishes between unacceptable-risk AI (banned entirely), high-risk AI (stringent obligations), limited-risk AI (transparency requirements), and minimal-risk AI (no specific obligations). The obligations attached to high-risk classification are substantial: conformity assessments, technical documentation, logging and human oversight requirements, bias monitoring, and registration in the EU database for high-risk AI systems.
The classification question sounds simple. In practice it is not. The regulation's high-risk categories (Annex III) include AI systems used in employment and worker management, which captures a significant portion of HR technology: recruitment screening, promotion and termination decisions, task allocation based on personal traits, and performance monitoring. They include AI systems used in access to essential services, which captures creditworthiness evaluation of natural persons, risk assessment and pricing for life and health insurance, and eligibility decisions for public benefits. They include AI systems used in law enforcement and in migration and border control, which has clear public-sector implications. And they include AI systems used as safety components in the management and operation of critical infrastructure (critical digital infrastructure, road traffic, and the supply of water, gas, heating and electricity), which may capture enterprise systems in energy, utilities, and telecommunications. Financial-sector exposure comes mainly through the essential-services category, not the infrastructure one.
Many enterprises have not completed a systematic audit of which AI systems they operate, which of those systems fall into high-risk categories, and what compliance obligations attach to each. This audit is not a legal formality — it is the prerequisite for every other compliance activity, and it should have started 18 months ago. If it has not started, it should start this week.
The Governance Architecture Requirement
For high-risk AI systems, the EU AI Act requires human oversight mechanisms: the ability for designated human operators to understand the system's capabilities and limitations, monitor its operation, intervene when necessary, and halt or override system decisions. It requires that the system automatically record events (logs) throughout its lifetime, and that providers and deployers retain those logs for at least six months unless other EU or national law requires longer. And it requires post-market monitoring: for providers, an ongoing monitoring plan that tracks the deployed system's performance against the claims made at conformity assessment; for deployers, monitoring the system's operation in accordance with the provider's instructions for use and reporting serious incidents.
These requirements are, in substance, very close to what the enterprise security community calls agent governance: the authorization, audit trail, and scope enforcement layer that enables organizations to know what their AI systems are doing and to intervene when necessary. Enterprises that have built robust AI governance infrastructure for security reasons will find EU AI Act compliance significantly more tractable than enterprises that have not.
Enterprises that have deployed AI systems without governance infrastructure face a harder problem: they must retrofit compliance obligations onto systems that were designed without those obligations in mind. This is technically possible. It is significantly more expensive and operationally disruptive than building governance in from the start.
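The governance layer described above is easier to reason about in code than in prose. The following is an added illustration, not code from the post or from any vendor or regulator, of the three mechanisms the section names: scope enforcement on each action an agent attempts, a tamper-evident audit trail of every request and decision, and a human halt switch. All names (`Policy`, `AuditLog`, `ActionGate`, the tool and path strings, the timestamps) are constructed for the example, and nothing here is a claim about what the Act's articles require in implementation detail.

```python
"""Minimal agent governance layer: scope enforcement, hash-chained audit log,
and a human halt switch. Added illustration; all identifiers are hypothetical."""
import hashlib
import json
from dataclasses import dataclass
from itertools import count

GENESIS_HASH = "0" * 64  # chain anchor for the first audit entry


@dataclass(frozen=True)
class Policy:
    """What an agent may do: tool name -> tuple of permitted target prefixes."""
    scopes: dict
    human_review: frozenset  # tools that need a named human approver every time


class AuditLog:
    """Append-only record of every request and outcome, each entry hashed over
    the previous entry's hash so edits, deletions and reordering are detectable."""

    def __init__(self):
        self.entries = []

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        body = json.dumps(record, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "record": record, "hash": digest})
        return digest

    def verify(self):
        """Recompute the whole chain; returns False on any inconsistency."""
        prev = GENESIS_HASH
        for entry in self.entries:
            body = json.dumps(entry["record"], sort_keys=True)
            expected = hashlib.sha256((prev + body).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != expected:
                return False
            prev = entry["hash"]
        return True


class ActionGate:
    """Every tool call the agent wants to make passes through here, never directly."""

    def __init__(self, policy, log, clock):
        self.policy = policy
        self.log = log
        self.clock = clock  # injected so timestamps are deterministic in tests
        self.halted_by = None

    def halt(self, operator):
        """Human stop button: all subsequent requests are denied until resume()."""
        self.halted_by = operator
        self.log.append({"ts": self.clock(), "event": "halt", "operator": operator})

    def resume(self, operator):
        self.halted_by = None
        self.log.append({"ts": self.clock(), "event": "resume", "operator": operator})

    def request(self, agent, tool, target, approved_by=None):
        decision, reason = self._decide(tool, target, approved_by)
        record = {"ts": self.clock(), "agent": agent, "tool": tool, "target": target,
                  "approved_by": approved_by, "decision": decision, "reason": reason}
        self.log.append(record)  # denied and pending requests are logged too
        return record

    def _decide(self, tool, target, approved_by):
        if self.halted_by is not None:
            return "deny", f"system halted by {self.halted_by}"
        prefixes = self.policy.scopes.get(tool)
        if prefixes is None:
            return "deny", "tool not in policy"
        if not any(target.startswith(p) for p in prefixes):
            return "deny", "target outside permitted scope"
        if tool in self.policy.human_review and approved_by is None:
            return "pending", "human approval required"
        return "allow", "within scope"


def demo():
    """Constructed scenario: an HR screening agent under policy, then a halt, then
    an after-the-fact edit of the log that verify() must catch."""
    clock = count(1700000000).__next__  # constructed monotonic timestamps
    policy = Policy(
        scopes={"read_record": ("/hr/candidates/",), "update_record": ("/hr/candidates/",)},
        human_review=frozenset({"update_record"}),
    )
    log = AuditLog()
    gate = ActionGate(policy, log, clock)
    decisions = [
        gate.request("screening-agent", "read_record", "/hr/candidates/123")["decision"],
        gate.request("screening-agent", "read_record", "/finance/ledger")["decision"],
        gate.request("screening-agent", "update_record", "/hr/candidates/123")["decision"],
        gate.request("screening-agent", "update_record", "/hr/candidates/123",
                     approved_by="hr-reviewer-7")["decision"],
    ]
    gate.halt("oncall-operator")
    decisions.append(gate.request("screening-agent", "read_record", "/hr/candidates/123")["decision"])
    intact_before = log.verify()
    log.entries[0]["record"]["decision"] = "deny"  # simulate tampering with history
    return {"decisions": decisions, "intact_before": intact_before, "intact_after": log.verify()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points carry over to a real deployment. First, the gate is the only path to the tools: if the agent can call a tool without passing through `request`, the audit trail and the halt switch are decorative. Second, a hash chain proves internal consistency, not authenticity; an attacker who can rewrite the whole log can re-chain it, so the current head hash should be periodically signed or copied to write-once storage that the agent runtime cannot reach.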
The Vendor Landscape Question
EU AI Act compliance has created a secondary procurement question that IT buyers are beginning to ask systematically: what is my AI vendor's compliance posture, and what obligations does it place on me?
The regulation's obligations attach at multiple points in the AI supply chain. Providers of general-purpose AI models (the foundation model vendors) have their own obligations under the Act, including technical documentation and information for downstream providers; adherence to the Commission's code of practice is a voluntary way to demonstrate that compliance, not an obligation in itself. Providers of high-risk AI systems carry the conformity assessment, technical documentation, and post-market monitoring duties. Deployers, the enterprises that put AI systems to an end use under their own authority, have a distinct set of obligations: human oversight, log retention, monitoring in line with the instructions for use, and in some cases a fundamental rights impact assessment. These roles are not interchangeable, and no party can rely on another's compliance to satisfy its own requirements. One caveat that matters for IT buyers: a deployer that puts its own name on a high-risk system, substantially modifies one, or repurposes a system so that it becomes high-risk takes on the provider's obligations for that system.
In practical terms, this means enterprise buyers need to ask their AI vendors — model providers, agent platform providers, and AI application vendors — for their EU AI Act compliance documentation. What conformity assessment has the vendor conducted? What technical documentation is available for the system the buyer is deploying? What audit logs does the vendor provide, and in what format, to satisfy the deployer's logging obligations? What support does the vendor provide for the buyer's own post-market monitoring activities?
Vendors that cannot answer these questions are vendors whose AI products are creating compliance exposure for the enterprises deploying them. This should be a procurement gate, not an afterthought.
The 90-Day Priority List
For enterprise IT teams that are behind on EU AI Act compliance, the practical 90-day priority list is:
- Complete the AI system inventory. Catalog every AI system the organization operates that affects EU residents, classify each against the Act's risk categories, and document the classification rationale. This is the foundation for everything else.
- Engage legal on the high-risk boundary cases. The classification of systems that sit at the boundary of high-risk categories — AI-assisted hiring tools, AI-informed credit decisions, AI-driven fraud detection — requires legal analysis that IT teams should not be doing independently.
- Assess the governance architecture of each high-risk system. For each system that is classified as high-risk, assess the current logging, human oversight, and monitoring capabilities against the Act's requirements. Document the gaps.
- Begin vendor compliance conversations. For each high-risk system powered by a third-party AI vendor, request the vendor's compliance documentation and assess the implications for the organization's own compliance posture.
- Prioritize governance infrastructure investment. Budget for the governance tooling required to close the gaps identified in the assessment. This is not a discretionary investment — it is a compliance requirement with financial penalties attached for non-compliance.
The EU AI Act compliance clock is running. The organizations that will find it most manageable are not necessarily the largest or the most AI-sophisticated — they are the ones that started the work earliest. Starting now is better than starting later.