What the EU AI Act Means for Risk and Compliance Teams


Most of the AI governance conversations I sat in a couple of years ago were aspirational: principles documents, ethics boards, statements about fairness that nobody quite knew how to enforce. The EU AI Act has changed the nature of those conversations. It turns a set of values into a regulation with tiers, obligations, deadlines and penalties, and it forces a question that principles never did: which of our AI systems are we actually responsible for, and to what standard?

The Act is Regulation (EU) 2024/1689. It entered into force on 1 August 2024 and its obligations are phasing in over the following years rather than landing all at once. For anyone in a risk or compliance function, this is now a live regulatory programme, not a horizon item.

A risk based law, not a technology law

The Act regulates AI by risk, not by technology. It does not much care whether you built a neural network or a simpler statistical model. It cares about what the system is used for and what could go wrong. Everything sorts into four tiers.

  • Unacceptable risk. A small set of practices are simply banned, things like social scoring by public authorities and certain manipulative or exploitative uses. These prohibitions began applying early, from February 2025. The compliance task here is mostly to confirm you are nowhere near them.
  • High risk. This is the heart of the Act. Systems used in areas such as employment and recruitment, access to essential services, credit scoring, education, critical infrastructure and law enforcement carry the bulk of the obligations. Most of these requirements apply from August 2026.
  • Limited risk. Systems like chatbots and generative tools that interact with people carry transparency obligations, chiefly that people are told they are dealing with AI, and that AI generated content is disclosed.
  • Minimal risk. Everything else, which is the large majority of AI in everyday use. The Act leaves this tier largely unregulated.

So your first job is classification, not engineering. Until you know which tier each system sits in, you cannot know what you owe.

What “high risk” actually requires

When a system lands in the high risk tier, the obligations are substantial and they will feel familiar to anyone who has run a controlled environment before. Providers of high risk systems must, among other things:

  • Operate a risk management system across the AI lifecycle.
  • Apply data governance, ensuring training, validation and test data are relevant, representative and appropriately managed.
  • Maintain technical documentation and automatic logging sufficient to trace how the system behaves.
  • Provide transparency to deployers so the system can be used correctly.
  • Ensure meaningful human oversight.
  • Meet standards of accuracy, robustness and cybersecurity.

Before a high risk system reaches the market it generally has to go through a conformity assessment and, where applicable, carry a CE marking and be registered in an EU database. If that sounds like the regime around other regulated products, that is exactly the lineage the Act is drawing on.

Know which role you are playing

A point that trips teams up is that your obligations depend on your role in relation to a system, and you can hold different roles for different systems. The Act distinguishes providers, who develop or place a system on the market, from deployers, who use one under their own authority, alongside importers and distributors. A bank that buys a high risk recruitment tool is a deployer of it, with its own duties around oversight and proper use, even though it did not build the thing. Map your roles system by system, because the answer is rarely uniform across an organisation.

General purpose AI has its own track

The Act also addresses general purpose AI models, the large foundation models that sit underneath so many applications. Providers of these models carry their own set of obligations, with additional requirements for the most capable models judged to pose systemic risk. These provisions came into effect from August 2025. Most organisations are consumers of these models rather than providers of them, but if you are fine tuning or redistributing one, it is worth checking carefully where you stand, because you may have taken on more than you realise.

Why this belongs to risk and compliance

It would be easy to file the AI Act under “data science problem”, and that would be a mistake. The Act is, at its core, a risk management and documentation regime, and those are exactly the muscles a good compliance function already has. The obligations are the same shape as the work you already do for security and operational compliance: inventory your systems, assess their risk, document controls, ensure oversight, keep records, demonstrate conformity. The novelty is the subject matter, not the method.

And the stakes are real. Penalties at the top end reach into the millions of euros or a percentage of global annual turnover, with the most serious band reserved for the prohibited practices. This is not guidance you can afford to treat as optional.

Where to start

  • Build an AI inventory. You cannot govern what you have not catalogued, and most organisations underestimate how many AI systems are already in use, including ones embedded in tools they bought.
  • Classify each system by risk tier and by your role. This single exercise tells you where your real obligations sit and lets you ignore the long tail of minimal risk systems with confidence.
  • Stand up lifecycle governance for the high risk ones. Risk assessment, documentation, human oversight and monitoring, owned by someone accountable.
  • Track the phased dates. Different obligations bite at different times. Treat it as a programme with milestones, not a single deadline.

Closing thoughts

The EU AI Act takes AI governance out of the realm of good intentions and gives it the structure of regulation, tiers, duties, evidence and consequences. For risk and compliance teams that is, frankly, a relief, because structure is what we know how to work with. Start by knowing what AI you run and how risky each use is, concentrate your effort on the high risk systems where the obligations are real, and run the whole thing as the lifecycle programme it is. Done that way, the Act becomes less a threat to manage and more an opportunity to put AI on the same disciplined footing as everything else you already govern.