← Back to all articles

What the EU AI Act Means for Your Q2 AI Projects

By Vance Sterling·9 min read·April 16, 2026

The EU AI Act is not a future concern anymore. The first obligations took effect in February 2025, and the high-risk system requirements are now fully enforceable. If your organization operates in the EU, sells to EU customers, or deploys AI systems that affect EU residents, this regulation applies to you. And if you are launching AI projects this quarter without understanding the Act's risk classification system, you are building on a foundation that may need to be torn up before year-end.

The Four Risk Categories and Why Most Enterprise AI Falls in the Middle

The EU AI Act classifies AI systems into four risk tiers: unacceptable, high, limited, and minimal. Most of the press coverage focuses on the extremes — banned AI (social scoring, real-time biometric surveillance in public spaces) and minimal risk AI (spam filters, video game AI). But most enterprise AI falls into the high or limited risk categories, and that is where the compliance obligations live.

High-risk AI includes systems used in: employment (hiring, performance evaluation, task allocation), creditworthiness assessment, insurance pricing and claims, access to essential services, law enforcement, and migration management. If you are in financial services, HR tech, insurance, or healthcare, a meaningful portion of your AI portfolio probably qualifies as high-risk under the Act.

At one European bank I advise, we audited their AI portfolio against the Act's categories. Of 18 active AI systems, 7 were high-risk (credit scoring, fraud detection, customer onboarding risk assessment, two HR tools, and two customer-facing recommendation engines that influenced financial product offerings). Another 4 were limited risk (chatbots that needed transparency disclosures). Only 7 were minimal risk. That means 61 percent of their AI portfolio carries compliance obligations under the Act.

What High-Risk Classification Actually Requires

If your AI system is classified as high-risk, the Act requires six categories of documentation and controls. These are not optional and they are not suggestions. They are legal requirements with penalties of up to 3 percent of global annual turnover for non-compliance.

Requirement 1: Risk management system. Not a one-time risk assessment. An ongoing system that identifies, evaluates, and mitigates risks throughout the AI system's lifecycle. This means risk assessments at design, development, deployment, and ongoing operation. Most organizations do a risk assessment at project kickoff and never revisit it. The Act requires continuous monitoring.

Requirement 2: Data governance. The training, validation, and testing datasets must meet specific quality criteria. You need to document data sources, collection methods, processing steps, and any known limitations or biases. If you cannot trace where your training data came from and demonstrate that it is representative, you have a compliance gap.

Requirement 3: Technical documentation. Detailed technical documentation that allows authorities to assess compliance. This includes the system's intended purpose, design specifications, training methodology, performance metrics, and known limitations. Think of it as a model card on steroids.

Requirement 4: Record-keeping and logging. The system must automatically record events (logs) relevant to identifying risks, facilitating post-market monitoring, and enabling traceability. You need to be able to reconstruct what the system did and why for any given decision.

Requirement 5: Transparency and user information. Users must be informed that they are interacting with an AI system. For high-risk systems, you must provide sufficient information for the user to interpret the system's output and use it appropriately. This goes beyond a simple disclosure banner.

Requirement 6: Human oversight. High-risk AI systems must be designed to allow effective oversight by humans. This includes the ability to understand the system's capabilities and limitations, monitor operation, interpret outputs, and override or reverse the system's decisions.

Governance Template

AI Governance Checklist (Template #8)

Risk-tiered governance checklist that maps to regulatory requirements including the EU AI Act. Covers risk classification, data governance, transparency, and human oversight documentation.

Get the Book on Kindle

What This Means for Your Q2 Projects

If you are kicking off AI projects this quarter, here is the practical impact. First, add a risk classification step to your project initiation process. Before any design work begins, determine whether the system falls into the high-risk category. This takes 30 minutes with the right checklist and saves months of retroactive compliance work.

Second, build documentation into the development process, not after it. The Act requires technical documentation, data governance records, and risk assessments. If you write these after the system is built, they are fiction. If you write them as you build, they are useful engineering artifacts that also happen to satisfy compliance.

Third, design for human oversight from the start. Retrofitting override capabilities into an automated system is expensive and architecturally ugly. If your system might need human oversight (and if it is high-risk, it definitely does), design the human-in-the-loop from day one. Add the dashboard, the override button, the audit log, and the explanation interface during development, not as a compliance patch six months later.

Fourth, talk to your legal team now, not when the auditors arrive. Many enterprise legal teams are still learning the Act's requirements. The earlier you involve them, the better the guidance you will get. The worst outcome is building a system and then discovering it needs fundamental architectural changes to comply.

The US Is Watching Too

Even if you do not operate in the EU, the Act matters. There are two reasons. First, the Brussels Effect: EU regulations tend to become global standards because companies find it easier to build one compliant system than to maintain separate versions. GDPR showed us this pattern. Many US companies adopted GDPR-grade data practices globally rather than building separate systems for EU and non-EU users.

Second, US regulation is accelerating. State-level AI laws are multiplying. Colorado, Illinois, and New York City already have AI-specific requirements for hiring and employment. Several states have proposed comprehensive AI governance bills. Building to the EU AI Act standard now means you will be ready when US requirements catch up, and they will.

The organizations that treat governance as a competitive advantage rather than a compliance burden will move faster than their competitors. They will ship AI projects with confidence, knowing that the governance documentation is already done. Their competitors will be scrambling to retroactively document systems they built without considering compliance, and some of those systems will need to be rebuilt entirely.

Actionable Takeaway

This week, audit your active AI portfolio against the EU AI Act's high-risk categories. For each system, answer: does it influence employment decisions, creditworthiness, insurance, or access to essential services? Count how many qualify as high-risk. For those systems, check whether you have the six required documentation categories (risk management, data governance, technical docs, logging, transparency, human oversight). Any gaps you find now are gaps you can close on your timeline. Gaps you find during an audit are gaps you close on someone else's timeline.

The AI Governance Checklist in the Business Case Kit maps directly to the EU AI Act's requirements. Template #8 includes risk classification, documentation requirements by tier, and fill-in fields for every governance category covered in this article.

Get the AI Business Case Kit →

Get the AI-First Leader on Kindle

8 fill-in-the-blank templates for scoring use cases, evaluating vendors, building budgets, and presenting to the board. From 20+ years in enterprise AI.

Not ready to buy?

Start free: 5 AI Questions Every Executive Must Answer Before Investing →

Free PDF guide. No spam.