The Question

Every major regulatory framework produces the same enterprise response: a burst of attention at passage, a slow fade as implementation timelines recede into the future, and a scramble when enforcement actually arrives. The EU AI Act is following that pattern precisely — with the added complication that most enterprise legal teams treated it as a European regulatory problem and assigned it to their EU compliance specialists, leaving the broader organization unaware of how extensively it applies to AI systems deployed globally.

The EU AI Act is not a European problem for companies with European operations. Under Article 2 it reaches providers that place AI systems on the EU market, deployers established in the EU, and providers or deployers located anywhere whose system's output is used in the EU. That scope captures the vast majority of multinational enterprises, US technology companies with EU customers, and global financial institutions. The compliance surface is larger than most legal teams have mapped, and the timeline has advanced further than most leadership teams realize.

February 2025 brought the first applicable obligations (the Article 5 prohibitions and the AI literacy duty). August 2025 brought the second wave (General Purpose AI model obligations, the governance structure, and the penalties chapter). August 2026, three months away, brings the Annex III high-risk AI system requirements that will affect the largest number of enterprise deployments. August 2027 brings the remaining obligations, chiefly for high-risk AI embedded in products already covered by the Annex I sectoral safety legislation.

The EU AI Act creates obligations that your legal team cannot satisfy without engineering, security, and compliance working together — and the August 2026 deadline for high-risk systems is closer than most enterprises have planned for.

Why This Matters Now

The first enforcement signal under the prohibited practices provisions arrived in February 2025, when Article 5 became applicable and the European Commission published its guidelines on prohibited AI practices. Two points in those guidelines matter for enterprise computer vision. The Article 5 ban on real-time remote biometric identification in publicly accessible spaces is scoped to law enforcement use, with narrow exceptions; a retailer's loss prevention camera is not caught by that ban, but remote biometric identification for any other purpose is high-risk under Annex III, and emotion recognition in workplaces is prohibited outright. Several major retailers operating in the EU reportedly discontinued or modified their computer vision deployments rather than carry that exposure into the Act's maximum penalty: up to €35 million or 7% of worldwide annual turnover, whichever is higher.

That signal clarified several things that had been ambiguous during the Act's passage. First, the member-state market surveillance authorities designated to enforce the Act (due to be in place by August 2025, when the penalties chapter also became applicable) will be looking for early enforcement targets; first movers on enforcement establish precedent and signal seriousness. Second, the prohibited practices provisions have real operational bite: AI systems that use subliminal or deliberately manipulative techniques, exploit vulnerabilities linked to age, disability or social and economic situation, perform social scoring (by public or private actors), or deploy real-time remote biometric identification in publicly accessible spaces for law enforcement outside the narrow exceptions are simply prohibited, with no compliance pathway. Third, worldwide annual turnover as the fine calculation base means that a violation in France generates a fine calculated on worldwide revenue, not European revenue. For a US technology company with $50 billion in global revenue, a 7% penalty is $3.5 billion.

The August 2025 deadline brought the General Purpose AI model obligations into effect. These fall on the providers of foundation models: technical documentation for downstream integrators, a copyright compliance policy, a public summary of training content, and, for models trained with more than 10^25 FLOPs of compute, systemic risk obligations (evaluation, adversarial testing, incident reporting). Frontier models from OpenAI, Anthropic, Google DeepMind, and Meta's Llama series are widely reported to exceed that threshold. Enterprises building on these models via API are downstream beneficiaries of the providers' compliance work, but they remain responsible for their own deployment-level obligations, and an enterprise that substantially modifies a model or markets it under its own name can itself become a provider.

What the CURVE™ Data Shows

The 2026 Stackcurve AI Governance CURVE™ Report evaluated platforms on EU AI Act readiness across five dimensions: high-risk classification workflows, technical documentation generation (Article 11 and Annex IV), human oversight mechanism design, post-market monitoring, and incident reporting to competent authorities.

The findings were uneven. ValidMind demonstrated the strongest Article 11 technical documentation capabilities, with structured workflows that map to the Act's specific documentation requirements for high-risk systems. IBM OpenPages and ServiceNow's AI governance module scored well on organizational compliance tracking but required significant configuration to address EU AI Act specifics. Credo AI's compliance mapping feature — which maps model risk assessments to regulatory frameworks — added EU AI Act mapping in late 2024, but buyer feedback in our research indicated the mapping remains higher-level than the Act's technical requirements demand.

No platform evaluated covers the full EU AI Act compliance surface out of the box. The platforms that scored highest were those that provided structured documentation templates and compliance workflow automation, while acknowledging that legal and engineering input was required to complete the assessment.

The full vendor rankings are in the 2026 Stackcurve AI Governance CURVE™ Report — free to download.

The Gap Most Buyers Miss

The EU AI Act's compliance complexity is concentrated in three areas that enterprise legal teams consistently underestimate.

High-Risk Classification Is Not Obvious

The Act's Annex III defines eight areas of high-risk AI systems, but classification is not mechanical. The areas are: biometrics (remote identification, categorisation, emotion recognition); management and operation of critical infrastructure; education and vocational training; employment, workers management and access to self-employment; access to essential private services and essential public services and benefits; law enforcement; migration, asylum, and border control; and administration of justice and democratic processes.

The gap is in application. An AI-assisted resume screening tool deployed in HR is unambiguously high-risk: Annex III names systems used to analyse and filter job applications. But what about an AI tool that helps managers write performance reviews, when Annex III also names systems that monitor and evaluate worker performance? What about an AI system that recommends training assignments? Article 6(3) lets a provider argue that an Annex III system is not high-risk because it only performs a narrow procedural task or prepares a draft for a human's own assessment, but Article 6(4) requires that argument to be documented before deployment and the system to be registered anyway. The boundaries of "employment and worker management" are not crisp, and the first enforcement actions will clarify them. Enterprises that have not conducted a conservative high-risk classification assessment, one that includes borderline cases and records the reasoning for each exclusion, are building compliance programs on assumptions that may not survive regulatory scrutiny.

Article 11 Technical Documentation Requires Engineering

High-risk AI systems must maintain technical documentation (Article 11, with the required contents set out in Annex IV) covering: a general description of the system and its intended purpose; a description of the elements of the AI system and its development process; information about the training, validation, and testing data; monitoring, functioning, and control of the system; the risk management system documentation required by Article 9; changes over the system's lifetime; the harmonised standards applied; the EU declaration of conformity; and the post-market monitoring plan.

This documentation cannot be produced by a legal team. It requires engineering participation, specifically from the engineers who built or configured the system. Most enterprise AI deployments, particularly those built on vendor APIs or configured through low-code tooling, do not have documentation at this level of specificity. Nor does building on a vendor's model shift the obligation: under Article 25 a deployer that puts its own name on a high-risk system, or substantially modifies it, becomes its provider and inherits the Article 11 duty. Producing this documentation retroactively for systems already in production is significantly harder than building documentation practices into initial deployment.

Human Oversight Requirements Are Operational Obligations

Article 14 requires high-risk AI systems to be designed and developed in ways that allow human oversight during the system's operation. This is not a documentation requirement; it is a product requirement. High-risk systems must enable designated human overseers to understand the system's capabilities and limitations, remain aware of automation bias, monitor for anomalies, correctly interpret the system's output, decide not to use it or override it, and intervene or interrupt the system through a stop control. Article 26 then obliges the deployer to assign that oversight to named people with the competence, training, and authority to exercise it.

If a high-risk AI system has been deployed without human override capabilities — if, for example, an automated benefits eligibility determination system makes decisions without a defined human review pathway for contested outcomes — the system is not compliant regardless of how good the documentation is. Retrofitting human oversight mechanisms into deployed systems is a significant engineering effort that many organizations have not budgeted for the August 2026 deadline.

Questions Your Buying Team Should Be Asking

1. Have we completed a formal high-risk AI classification assessment for every AI system we operate that touches EU individuals, using a conservative interpretation of Annex III categories?

The classification assessment is the foundational compliance document. Without it, you do not know which of your AI systems are subject to the Act's most demanding requirements. A conservative interpretation — one that classifies borderline systems as high-risk and adjusts after analysis — is the appropriate starting posture given the enforcement risk of misclassification.

2. For each system we have classified as high-risk, can we produce Article 11-compliant technical documentation from our engineering team within 30 days?

This question surfaces the documentation gap. Most organizations that have not explicitly built Article 11 documentation into their development process cannot produce compliant documentation on demand. The 30-day horizon is a practical benchmark rather than a statutory period: Article 21 obliges providers to supply the documentation on a competent authority's reasoned request, and such a request can follow an incident or complaint with little warning.

3. Do our high-risk AI systems have operational human oversight mechanisms — not just documented policies, but actual system features that allow designated humans to monitor, intervene, and override?

The distinction between a policy requiring human oversight and a system feature enabling it is where many compliance programs fail. Article 14 requires the latter.

4. Have we assessed our General Purpose AI usage — including API-based access to foundation models — against the Act's transparency and documentation obligations for GPAI deployment?

Enterprises using GPT-4o, Claude, Gemini, or Llama-based systems in customer-facing or high-stakes internal applications carry deployer obligations that sit on top of their model providers' GPAI obligations: the Article 50 transparency duties (telling people they are interacting with an AI system, labelling synthetic audio, image and video content) and, where the application itself falls under Annex III, the full Article 26 deployer duties. None of these are satisfied by the model provider's compliance.

5. Do we have a designated EU AI Act compliance owner with cross-functional authority — someone who can require engineering changes, halt deployments, and escalate to the board?

The EU AI Act's obligations cannot be satisfied by a legal team operating in an advisory capacity. Compliance requires the authority to modify systems, delay deployments, and escalate non-compliance to senior leadership. Organizations without a designated owner with that authority are producing compliance documentation for a program they cannot actually enforce.

The Stackcurve Take

The enterprises that are ahead of the August 2026 deadline share a common posture: they treated the EU AI Act as an engineering problem that required legal framing, not a legal problem that required engineering support. They started with the technical documentation requirements and worked backward to the organizational structures and policies needed to produce and maintain that documentation. They built classification workflows, assigned ownership, and ran pilot assessments on their highest-risk systems before the deadline pressure arrived.

The enterprises that are behind the deadline share a different posture: they assigned EU AI Act compliance to the legal team, received a policy analysis and a gap assessment, and waited for the gap to be addressed through vendor tools. Vendor tools help — but they do not replace the engineering work of documenting existing systems, building human oversight mechanisms, and establishing post-market monitoring. That work takes organizational will, cross-functional coordination, and time that the August 2026 deadline is consuming.

The fines are real. The enforcement infrastructure is active. The 7% of global annual turnover calculation has no ceiling.

The 2026 Stackcurve AI Governance CURVE™ Report covers the EU AI Act readiness capabilities of leading governance platforms, including which vendors have invested in Article 11 documentation workflows and which have added compliance mapping as a feature afterthought. Download it free →



Stackcurve Advisory Briefs are independent research. No vendor pays for placement, tier assignment, or editorial influence. The CURVE™ methodology is disclosed in full at stackcurve.net/research/methodology.