The EU AI Act has deadlines. Your AI systems have homework.
If you operate in the EU, sell to EU customers, or your AI's outputs are used there, the AI Act applies to you — American headquarters notwithstanding, and with penalties scaling to global revenue. The work is tractable if you start with classification: most systems land in the minimal-risk tier and need little. The ones that don't need documentation, controls, and evidence. I map your inventory, classify honestly, and build the compliance file that satisfies a regulator.
The Act is risk-tiered, and the tiers do most of the work. Prohibited practices — social scoring, manipulative systems, most real-time biometric surveillance — are simply banned. High-risk systems, which include AI used in hiring, credit, insurance pricing, education, and critical infrastructure, carry the heavy obligations: risk management systems, data governance, technical documentation, human oversight, accuracy and robustness evidence, and registration. Limited-risk systems mainly owe transparency — telling people they're talking to a machine. Everything else is minimal-risk.
Two things surprise US enterprises. First, scope: the Act follows the output, so a Chicago-built model scoring EU job applicants is in scope. Second, the deployer role: you don't have to build the AI to owe obligations for using it — buying a high-risk HR screening tool makes you a deployer with duties of your own. Your vendor's compliance page doesn't discharge them.
The engagement
- Inventory and classification — every AI system you build or buy, classified by risk tier with written rationale you can defend.
- Gap analysis and remediation — what each in-scope system is missing, prioritized by deadline and exposure, with fixes scoped and priced.
- The compliance file — technical documentation, risk management records, human-oversight procedures, and monitoring evidence, maintained as systems change.
GDPR taught everyone the cost of treating EU regulation as someone else's problem. The AI Act grades the same way.
From inventory to evidence in four stages.
Questions, answered.
Does the EU AI Act apply to US companies?
Yes, if your AI system is placed on the EU market or its outputs are used in the EU — customers, employees, or applicants there are enough. It is extraterritorial by design, like GDPR, and penalties for the most serious violations scale to a percentage of global revenue.
What counts as a high-risk AI system?
The Act enumerates categories: AI used in employment and worker management, credit and insurance decisions, education, essential services, law enforcement, and critical infrastructure, among others. A résumé-screening feature inside your HR platform can put you in the high-risk tier as a deployer — which is why the honest inventory matters.
We only use vendor AI tools — are we off the hook?
No. The Act assigns obligations by role, and deployers of high-risk systems have their own: human oversight, input-data governance, monitoring, and record-keeping. Your vendor owes you documentation; you owe the regulator your own diligence in using the tool.
How does this overlap with GDPR and SOC 2 work we have done?
Substantially — data governance, records, vendor management, and impact-assessment muscle all carry over. The AI Act adds model-specific layers: risk classification, accuracy and robustness evidence, and human-oversight design. I map new obligations onto your existing framework so you build once, not twice.
Classify now, or litigate later.
The inventory-and-classification pass takes weeks and answers the scary question precisely. Waiting doesn't make the tier go away — it makes the timeline worse.