EU AI Act Compliance: What You Need to Know Before August 2, 2026

22/06/2026
By Dan Smullen

Organizations found non-compliant with the EU AI Act face fines of up to €35 million or 7% of global annual turnover for the most serious violations. But the bigger risk for most organizations is not the penalty itself; it is discovering, too late, that they cannot account for the AI systems already operating inside their environment.

A chatbot added to a productivity platform. An AI feature embedded inside a SaaS application. A third-party tool making automated recommendations behind the scenes. AI is becoming increasingly difficult to track, and under the EU AI Act, that lack of visibility creates a serious compliance challenge.

The challenge? Most organizations do not have a complete picture of where AI exists across their environment.

The European Union’s AI Act introduces the world’s first comprehensive regulatory framework for artificial intelligence. But achieving EU AI Act compliance does not start with policies or paperwork. It starts with answering a much simpler question.

Do You Actually Know Every AI System Operating Inside Your Organization?

Without a complete inventory, organizations cannot determine whether they are providers or deployers, classify AI systems according to risk, maintain the required documentation, or demonstrate compliance during an audit.

EU AI Act compliance starts with a single capability: a complete, continuously updated inventory of every AI system operating across your environment. This guide explains who the EU AI Act applies to, what obligations organizations need to prepare for, and why visibility is the foundation of every successful AI governance strategy.

Does the EU AI Act Apply to Your Organization?

One of the biggest misconceptions about the European AI Act is that it only applies to companies located inside the European Union.

In reality, the regulation has a much broader reach.

If your organization develops AI systems sold within the EU, uses AI systems that affect people in the EU, or integrates AI capabilities into products and services available on the European market, you may have EU AI Act obligations, regardless of where your headquarters are located.

Provider vs. Deployer: Why Your Role Matters

Your responsibilities under the EU AI Act depend largely on whether you are considered a provider or a deployer.

Providers develop AI systems or place them on the market under their own name. They are responsible for meeting extensive requirements related to design, testing, technical documentation, risk management, and ongoing compliance.

Deployers use AI systems within their operations. A company using AI for recruitment, employee management, customer interactions, fraud detection, or business forecasting may still have significant compliance responsibilities, even if the AI technology was developed by a third party.

Many organizations will operate as both providers and deployers. A company may develop internal AI models while also using external AI services, creating multiple layers of responsibility.

Understanding your role is the first step. Identifying every AI system that supports that role is the next.

The AI Inventory Exercise Most Organizations Haven’t Completed

Ask most IT and Security teams how many devices, applications, and services exist across their environment, and the answer is often complicated.

Now ask them how many of those assets contain AI capabilities. The answer is usually much less certain.

AI is no longer limited to standalone applications. It is embedded inside cloud platforms, productivity suites, customer relationship management tools, security products, and countless third-party services.

That is why AI governance begins with discovery.

A practical first step toward EU AI Act compliance is building a complete inventory of AI systems and AI-enabled assets across your environment.

This inventory should include:

  • Internal AI assistants and copilots
  • Customer-facing AI applications
  • HR and recruitment technologies
  • Fraud detection systems
  • Generative AI tools
  • Machine learning models
  • Predictive analytics platforms
  • Third-party AI services

For every AI system, organizations should document:

  • Business owner
  • Technical owner
  • Intended purpose
  • Data sources
  • Users impacted by the system
  • Geographic reach
  • Vendor or model provider

This information becomes the foundation for AI classification, risk assessment, documentation, and future audits.

The organizations that struggle with EU AI Act compliance will not necessarily be the ones without AI policies. They will be the ones that never discovered all the AI systems they were already using.

What Counts as an AI System Under the EU AI Act?

Another major challenge is understanding what the regulation actually considers an AI system.

The EU AI Act defines AI broadly as a machine-based system that can operate with varying levels of autonomy and generate outputs such as predictions, recommendations, content, or decisions that influence physical or virtual environments.

In practice, this means organizations must look beyond obvious AI tools like chatbots and large language models.

A resume screening platform, a customer support assistant, a forecasting model, or a recommendation engine may all fall under the scope of the European AI Act depending on how they function.

At the same time, not every automated technology qualifies as AI. Traditional rule-based workflows, deterministic systems, and standard reporting dashboards may not meet the definition.

The distinction is not always obvious, which is why maintaining accurate, continuously updated asset intelligence becomes essential.

Understanding EU AI Act Requirements Through the Risk Framework

Once organizations identify their AI systems, the next step is understanding how those systems are classified under the EU AI Act.

The regulation follows a risk-based approach. The level of EU AI Act obligations depends on the potential impact an AI system can have on individuals, safety, and fundamental rights.

Prohibited AI Practices

Certain AI applications are considered unacceptable because they create excessive risks to individuals or society. These systems are prohibited under the EU AI Act.

Organizations should regularly evaluate both existing and newly introduced AI technologies to verify that they do not fall within prohibited categories.

High-Risk AI Systems

High-risk AI systems are subject to some of the most extensive EU AI Act requirements.

Examples may include AI systems used for:

  • Employment and recruitment decisions
  • Educational assessments
  • Creditworthiness evaluations
  • Access to essential public or private services
  • Certain healthcare applications
  • Critical infrastructure operations

For organizations operating these systems, compliance involves more than simply documenting their existence. They must establish appropriate governance, maintain technical documentation, implement human oversight, and continuously monitor performance.

But none of these activities are possible if organizations cannot first identify where these high-risk AI systems exist.

General-Purpose AI (GPAI) Models

The EU AI Act also establishes specific requirements for providers of general-purpose AI models, including many foundation models and large language models.

Organizations using GPAI technologies should understand their responsibilities, evaluate their providers’ compliance commitments, and maintain visibility into where these technologies are used across the enterprise.

August 2, 2026: The EU AI Act Deadline Organizations Cannot Ignore

The EU AI Act timeline includes multiple phases, but August 2, 2026 represents one of the most significant milestones for organizations preparing their compliance strategy.

Key dates include:

[Figure: EU AI Act compliance timeline]

Organizations should use the EU AI Act timeline to prioritize AI discovery, governance initiatives, documentation efforts, and risk assessments.

What Organizations Need to Prepare Before August 2, 2026

Preparing for EU AI Act compliance does not begin with creating a policy document. It begins with understanding what AI systems exist, who owns them, and how they affect business operations.

A practical preparation strategy includes:

1. Create and Maintain an AI Inventory

Develop a continuously updated inventory of AI systems across IT, cloud, SaaS, and third-party environments.

Without this foundation, organizations cannot accurately classify AI systems or determine which EU AI Act requirements apply.

2. Assess Risk and Classification

Evaluate whether systems fall into prohibited, high-risk, or other categories under the EU AI Act.

Risk assessments should consider the system’s purpose, affected users, level of autonomy, and potential impact.

3. Establish Documentation and Governance Processes

Organizations should maintain appropriate evidence, including:

  • System descriptions and intended purposes
  • Ownership and accountability records
  • Risk assessments
  • Testing and validation documentation
  • Human oversight procedures
  • Monitoring and change records

4. Continuously Monitor AI Systems

AI environments change constantly. New applications, software updates, and embedded AI capabilities can introduce previously unknown AI systems.

Continuous visibility helps organizations maintain accurate inventories and support ongoing compliance.

Role-Based Responsibilities: Who Owns What Before August 2, 2026

EU AI Act compliance does not sit with a single team. The obligations are operational, which means they land across Legal, IT, Security, Product, and Risk — and gaps appear when no one has clearly defined who owns what.

Here is a practical breakdown of responsibilities by function.

Legal and Compliance

Legal teams carry the heaviest documentation burden under the EU AI Act.

Before August 2, 2026, Legal should lead the organizational gap analysis against the regulation’s requirements, maintain conformity records for high-risk AI systems, and ensure procurement and vendor contracts reflect AI-specific obligations around intended use, data rights, transparency, and downstream liability.

For organizations operating outside the EU that place AI on the European market, Legal is also responsible for appointing an EU Authorized Representative where required, a formal requirement that carries real accountability.

Legal should also align EU AI Act obligations with existing GDPR and data protection frameworks to avoid conflicting requirements, and coordinate any regulatory interactions or incident notifications if they arise.

IT and Security

IT and Security own the infrastructure that makes compliance evidence possible.

This means building and maintaining the logging pipelines that capture AI inputs, outputs, and human interventions: the records that demonstrate compliance during an audit. Without reliable, time-stamped, tamper-resistant logs, documentation produced by other teams has nothing to stand on.

Security teams should also apply secure development lifecycle controls to AI components, manage access and permissions, monitor for AI-specific threats such as model abuse, prompt injection, and data poisoning, and ensure AI systems are covered in incident response playbooks.

Critically, IT teams are responsible for maintaining a continuously updated inventory of AI-enabled assets across the organization. AI capabilities embedded inside SaaS platforms, cloud services, and third-party integrations are easy to miss, and unknown systems cannot be classified, documented, or governed.

Product and Operations

Product teams are responsible for the design-time decisions that determine whether a system meets EU AI Act requirements before it reaches users.

This includes defining the intended purpose of each AI system and its acceptable operational scope, designing human oversight into workflows, publishing clear instructions for use, and ensuring transparency disclosures are in place where the regulation requires them, for example when users are interacting with AI-generated content or an AI agent.

Product and Operations are also responsible for managing retraining schedules, controlling feature releases, and maintaining rollback procedures. If a system changes significantly after initial deployment, the compliance documentation needs to change with it.

Risk Management and Internal Audit

Risk Management maintains the AI risk register and conducts the periodic assessments that determine whether existing controls remain adequate as systems and environments evolve.

This function should verify that high-risk AI systems have the required controls in place, audit the evidence of logging, versioning, and human oversight, and report compliance status, including material risks and open remediation items, to leadership on a regular basis.

Internal Audit plays an important role in validating that what teams say they are doing and what is actually happening in production are consistent. This matters because the EU AI Act’s enforcement approach will likely focus on whether organizations can demonstrate active, ongoing oversight, not just whether they produced a policy document.

Executive Leadership

Senior leaders set the conditions for compliance by allocating resources, assigning accountability, and establishing the organization’s risk appetite for AI use cases.

In practice, this means designating clear owners for high-risk AI systems, ensuring teams have the budget and staffing for oversight, testing, and documentation, and being prepared to sign declarations of conformity where applicable.

It also means treating August 2, 2026 as an operational deadline with board-level visibility — not a compliance team deliverable that leadership reviews once it is finished.

The most common failure point is not that individual teams miss their responsibilities; it is that teams work from different inventories of AI systems and never reconcile them. Legal may be aware of AI tools procured through vendor contracts. IT may have discovered additional AI capabilities through network scanning. Product may be developing AI features that have not yet been flagged for risk review.

A shared, continuously updated AI asset inventory is what allows these teams to work from the same picture. Without it, compliance efforts across functions are building on different foundations.

From AI Discovery to EU AI Act Compliance: Why Visibility Matters

The biggest challenge facing many organizations is not understanding the EU AI Act itself. It is knowing where to begin.

Before teams can classify AI systems, determine whether they are high risk, collect documentation, or demonstrate compliance during an audit, they need visibility into the technologies operating across their environment.

AI systems are already embedded across productivity platforms, customer service applications, security tools, HR technologies, and cloud services. Without a reliable way to discover these assets, organizations may be making compliance decisions based on incomplete information.

Lansweeper Provides the Foundation for AI System Visibility

Lansweeper’s AI Asset Management gives IT and Security teams a single, continuously updated view of every AI tool, service connection, and AI-capable device across their environment, tied to individual assets, flagged by risk level, and ready to act on.

With Lansweeper, organizations can:

  • Discover AI service connections to platforms including OpenAI, Microsoft Copilot, Google Gemini, and Anthropic, without pulling firewall logs
  • Surface locally installed AI applications, AI browser extensions, developer AI integrations, and local model servers running on-device
  • Maintain a continuously validated inventory of hardware, software, cloud assets, and AI-enabled applications in a single dashboard
  • Verify which devices connect to approved AI services and which don’t — confirming policy compliance without manual investigation
  • Provide IT, Security, Risk, and Compliance teams with the same shared, accurate picture of the environment

The EU AI Act requires organizations to move from assumptions to evidence. That journey starts with knowing what AI technology exists, where it is operating, and who is responsible for it.

Build AI Compliance on a Foundation of Trusted Asset Intelligence

Organizations cannot govern AI they cannot see.

As the August 2, 2026 deadline approaches, organizations should focus on establishing visibility into their AI ecosystem, understanding their responsibilities, and creating the documentation and governance processes required under the European AI Act.

Lansweeper provides the trusted asset intelligence organizations need to identify AI systems, strengthen governance efforts, and approach EU AI Act compliance with greater confidence.

FAQ

  • What is the EU AI Act?

    The EU AI Act, also known as the European AI Act, is a regulatory framework that governs the development, deployment, and use of artificial intelligence using a risk-based approach.

  • Who must comply with the EU AI Act?

    The regulation applies to AI providers, deployers, importers, distributors, and organizations whose AI systems or AI outputs affect individuals within the European Union.

  • What are high-risk AI systems?

    High-risk AI systems are applications that can significantly affect health, safety, fundamental rights, employment opportunities, access to essential services, or critical infrastructure.

  • What documentation is required for EU AI Act compliance?

    Depending on their role and the AI system involved, organizations may need technical documentation, risk assessments, testing records, governance evidence, monitoring records, and other compliance documentation.

  • What is a GPAI model?

    A general-purpose AI model is a model capable of supporting multiple downstream applications, including many foundation models and large language models.

  • What happens if an organization does not comply with the EU AI Act?

    Non-compliance can result in enforcement actions, restrictions on AI systems, and substantial financial penalties depending on the severity of the violation and the applicable EU AI Act obligations.