The EU AI Act is not a future concern — high-risk system obligations are enforceable from August 2026, and prohibited AI practices have been banned since February 2025. This guide gives you a practical, 12-month compliance roadmap you can start executing this week, with concrete checklists, documentation templates, and real-world case studies.
Read the French version: Feuille de route pour la conformité à l'AI Act de l'UE.
The EU AI Act Timeline: What Applies When
The AI Act has a phased implementation schedule. Most organizations underestimate how much of it already applies.
- August 1, 2024: AI Act entered into force.
- February 2, 2025: Prohibitions on unacceptable-risk AI became fully enforceable. If you operate any system in this category, you are already out of compliance.
- August 2, 2025: General-purpose AI (GPAI) model rules apply. Obligations for providers of foundation models above 10^25 FLOPs take effect.
- August 2, 2026: All high-risk AI system obligations become enforceable — technical documentation, conformity assessment, EU database registration, human oversight, logging, and post-market monitoring.
- August 2, 2027: High-risk AI systems already on the market before August 2026 must achieve compliance (transition period for legacy systems).
If your organization deploys AI systems in the high-risk categories — HR, credit, education, healthcare, critical infrastructure, or law enforcement — you have until August 2026 to achieve full compliance. That is approximately 14 months from the date this article was published.
Step 1: Build Your AI System Inventory
Compliance begins with visibility. Most organizations that have never conducted a systematic AI audit discover they deploy 2-3 times more AI systems than their leadership team assumed. The inventory is the foundation for everything that follows.
What to Include in Your AI Inventory
Cast a wide net. The AI Act covers systems that use machine learning, logic-based approaches, and statistical methods to generate outputs that influence decisions. This includes:
- Internally developed AI: models your data team built, fine-tuned, or deployed via open-source frameworks (scikit-learn, PyTorch, LangChain)
- Third-party SaaS with embedded AI: Salesforce Einstein, HubSpot AI scoring, Workday ML, SAP AI features
- API-connected AI services: Claude API, OpenAI API, Azure OpenAI — your organization is a deployer for the use cases you build on top of these
- AI features in enterprise tools: Microsoft Copilot (M365), Google Workspace AI, GitHub Copilot
- Automation workflows with AI decisions: n8n or Zapier workflows that include AI nodes making classification decisions
AI Inventory Template
Use this JSON structure to standardize your inventory. Import it into Notion, Airtable, or any spreadsheet tool:
{
  "ai_system_register": [
    {
      "id": "SYS-001",
      "name": "Recruitment Screening Tool",
      "vendor": "TalentScout SaaS",
      "business_unit": "HR",
      "ai_functionality": "CV ranking and candidate scoring",
      "data_inputs": ["CV text", "LinkedIn profiles", "assessment answers"],
      "decision_output": "Ranked shortlist (automated)",
      "affected_population": "Job applicants",
      "initial_risk_level": "HIGH — employment decisions (Annex III)",
      "compliance_owner": "Head of HR",
      "last_reviewed": "2026-05-01"
    },
    {
      "id": "SYS-002",
      "name": "Customer Support Chatbot",
      "vendor": "Internal (Claude API)",
      "business_unit": "Customer Success",
      "ai_functionality": "Automated response generation",
      "data_inputs": ["Customer messages", "Knowledge base"],
      "decision_output": "Text responses (human escalation available)",
      "affected_population": "Customers",
      "initial_risk_level": "LIMITED — transparency obligation only",
      "compliance_owner": "Head of Customer Success",
      "last_reviewed": "2026-05-01"
    }
  ]
}
Step 2: Classify Every System by Risk Level
The AI Act uses a four-tier risk pyramid. Your compliance obligations — and the cost of non-compliance — scale directly with the tier. Classify by use case, not by technology. The same model can be minimal risk in one context and high risk in another.
Unacceptable Risk (Prohibited Since February 2025)
These practices are banned outright. Penalties reach EUR 35 million or 7% of global turnover. Verify none of the following exist in your vendor contracts or internal deployments:
- Social scoring systems evaluating citizens across multiple domains to determine access to services
- Subliminal manipulation of human behavior below conscious awareness to cause harm
- Exploitation of vulnerabilities (age, disability) to distort behavior against someone's interests
- Real-time remote biometric identification in public spaces by law enforcement (with narrow exceptions)
- Biometric categorization inferring sensitive attributes (race, religion, political opinion, sexual orientation)
High Risk (Full Compliance Required by August 2026)
Annex III lists the domains where AI systems automatically trigger high-risk classification:
- HR and employment: recruitment screening, candidate ranking, employee evaluation, promotion or termination decisions
- Education: admissions assessment, examination scoring, learning progress evaluation
- Credit and insurance: creditworthiness assessment, underwriting, fraud scoring applied to individuals
- Healthcare: medical device AI (under MDR/IVDR), clinical decision support that influences treatment
- Critical infrastructure: AI managing energy grids, water supply, transport networks
- Law enforcement and justice: predictive policing, evidence analysis, sentencing recommendations
- Migration and border control: visa assessment, asylum processing, risk profiling at borders
Limited Risk (Transparency Obligations Only)
Chatbots must disclose they are AI. Deepfakes and AI-generated images must be labeled. Emotion recognition systems must be disclosed to users. No technical documentation or conformity assessment required — but non-disclosure can still attract penalties.
Minimal Risk (No Specific Obligations)
Spam filters, content recommendation engines, inventory forecasting, grammar correction, and most internal productivity AI fall here. No mandatory compliance steps — though good governance practices still apply.
Classification Warning
An off-the-shelf HR tool that automatically ranks candidates makes your organization a deployer of a high-risk AI system — even if your company did not build it. Deployers share compliance obligations with providers. You cannot offload compliance by pointing to your vendor's contract.
Step 3: Map GDPR and AI Act Obligations Together
The AI Act and GDPR are complementary frameworks that apply simultaneously. For every AI system that processes personal data — which is nearly all of them — you must satisfy both. Running them as separate compliance tracks wastes effort and creates gaps.
Where They Overlap
- DPIA (GDPR Art. 35) and Risk Management (AI Act Art. 9): Run a combined assessment that satisfies both. The DPIA covers data protection risks; the AI Act risk file covers safety and rights risks. Many organizations use a single integrated document.
- Right to explanation (GDPR Art. 22) and Transparency (AI Act Art. 13): Both require that affected individuals can understand and challenge automated decisions. Design your explainability layer once, document it for both regulators.
- Logging (AI Act Art. 12) and Data Retention (GDPR): AI Act requires tamper-evident logs of inference events. GDPR limits how long personal data can be retained. Define a retention window that satisfies both — typically pseudonymized logs retained for 3-5 years.
For a detailed GDPR+AI compliance checklist, see our guide: GDPR and AI: Complete Compliance Checklist for 2026.
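As an added illustration of the Art. 12 logging and GDPR retention overlap (not code from the original article), the following Python module keeps a hash-chained inference log whose subject identifiers are pseudonymized with a keyed hash, verifies that no record was altered after the fact, and purges records past the retention window without losing verifiability. The record layout, the keyed-hash pseudonymization, the 5-year window and the SYS-003 register id are assumptions.

```python
"""Hash-chained, pseudonymized inference log (Art. 12 logging meets GDPR retention).

Added example, not code from the article. The record layout, the keyed-hash
pseudonymization, the 5-year window and the SYS-003 identifier are assumptions.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64                    # prev-hash committed to by the first record
RETENTION = timedelta(days=5 * 365)   # assumed window, inside the 3-5 year range above


def pseudonymize(subject_id: str, key: bytes) -> str:
    """Keyed hash so the log never holds the raw identifier; the key stays outside the log store."""
    return hmac.new(key, subject_id.encode(), hashlib.sha256).hexdigest()[:16]


def record_digest(record: dict) -> str:
    """Canonical JSON (sorted keys, no whitespace) so the digest is reproducible at audit time."""
    body = {k: v for k, v in record.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def append_event(chain: list, key: bytes, subject_id: str, score: float,
                 flag: str, overridden: bool, ts: datetime) -> dict:
    """Append one inference event; each record commits to the previous record's hash."""
    record = {
        "system_id": "SYS-003",            # assumed register id for a loan pre-screener
        "subject": pseudonymize(subject_id, key),
        "score": score,
        "flag": flag,
        "human_override": overridden,
        "ts": ts.isoformat(),
        "prev": chain[-1]["hash"] if chain else GENESIS,
    }
    record["hash"] = record_digest(record)
    chain.append(record)
    return record


def verify_chain(chain: list, genesis: str = GENESIS) -> int:
    """Index of the first record whose content or linkage was altered, or -1 if intact."""
    prev = genesis
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or rec["hash"] != record_digest(rec):
            return i
        prev = rec["hash"]
    return -1


def purge_expired(chain: list, now: datetime) -> tuple:
    """Drop records past retention (chain is time-ordered); return survivors and the genesis to verify them against."""
    keep = [r for r in chain if datetime.fromisoformat(r["ts"]) + RETENTION >= now]
    dropped = len(chain) - len(keep)
    return keep, (chain[dropped - 1]["hash"] if dropped else GENESIS)


def run_example() -> dict:
    """Constructed events, not real data: one old record, one recent, then a simulated edit."""
    key, chain = b"constructed-demo-key", []
    append_event(chain, key, "applicant-42", 71.5, "REVIEW", False, datetime(2021, 1, 10, tzinfo=timezone.utc))
    append_event(chain, key, "applicant-43", 12.0, "REJECT", True, datetime(2026, 1, 10, tzinfo=timezone.utc))
    kept, genesis = purge_expired(chain, datetime(2026, 6, 1, tzinfo=timezone.utc))
    result = {"intact": verify_chain(chain), "kept": len(kept), "purged_valid": verify_chain(kept, genesis),
              "raw_id_present": "applicant-42" in json.dumps(chain)}
    chain[1]["score"] = 95.0                 # an after-the-fact edit is caught by verification
    result["tampered_at"] = verify_chain(chain)
    return result


if __name__ == "__main__":
    print(run_example())
```

The digest chain only makes edits detectable; pairing it with append-only storage (as in the bank case study below) is what stops an editor from rewriting the whole chain.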
The 12-Month Compliance Roadmap
For an organization with 5-15 AI systems, this phased roadmap achieves full high-risk compliance by the August 2026 deadline. Adjust the timeline based on your system count and internal capacity.
Phase 1: Months 1-2 — Inventory and Classification
- Complete AI system inventory across all business units (include shadow IT: ask department heads, not just IT)
- Assign a risk level (unacceptable / high / limited / minimal) to each system using Annex III as the reference
- Identify prohibited practices — scan vendor contracts and third-party data sheets
- Appoint a compliance owner per high-risk system and a central AI Compliance Officer (can be your DPO if AI scope is manageable)
- Map GDPR overlap: which high-risk AI systems process personal data? (Answer: almost all of them)
Output: A signed-off AI system register with risk levels and owners. This document becomes the foundation for every subsequent step.
Phase 2: Months 3-5 — Documentation and Gap Analysis
- Produce technical documentation for every high-risk system (AI Act Art. 11 + Annex IV): system description, model architecture, training data sources, performance metrics, post-market monitoring plan
- Run combined GDPR DPIA + AI Act risk assessment for each high-risk system
- Conduct bias analysis on training and validation data using open-source tools (Fairlearn, IBM AIF360)
- Identify gaps: which systems lack logging, human oversight mechanisms, or transparency disclosures?
- Review vendor contracts: do providers supply AI Act-compliant technical documentation? Request it in writing.
Output: Gap analysis report with prioritized remediation list. High-risk systems with no documentation are highest priority.
Phase 3: Months 6-8 — Technical Remediation
- Implement automatic logging for every high-risk system: inference events, confidence scores, human override events, drift alerts
- Deploy human oversight mechanisms: review interfaces with explainability outputs, mandatory sign-off workflows for consequential decisions
- Add transparency disclosures to user-facing interfaces: AI disclosure banners, decision explanation components
- Set up post-market monitoring: drift detection (Evidently AI), accuracy tracking, quarterly review cadence
- Implement feedback channels for affected individuals to report AI errors
Output: Updated systems with logging, oversight, and transparency in place. Evidence package for conformity assessment.
Phase 4: Months 9-10 — Training and Conformity Assessment
- Train all staff who use or supervise high-risk AI systems (required by AI Act Art. 4 from August 2026): capabilities, limitations, failure modes, escalation procedures
- Complete self-assessment conformity review against CEN-CENELEC harmonized standards (EN ISO/IEC 42001)
- Prepare Declaration of Conformity for each high-risk system
- Engage a notified body if any systems fall under MDR/IVDR or other regulated sectoral legislation
Output: Training completion certificates, conformity assessment documentation, Declarations of Conformity.
Phase 5: Months 11-12 — Registration and Go-Live
- Register high-risk AI systems in the EU AI database (mandatory for high-risk Annex III systems deployed to public sector or at scale)
- Establish incident reporting procedure: internal escalation timelines (24h to compliance team, 72h preliminary report), authority notification channels (CNIL, sector regulator)
- Conduct a final compliance review across all high-risk systems
- Schedule post-market monitoring quarterly reviews and annual compliance audits
Output: EU AI database registrations completed, incident procedure documented and tested, compliance status confirmed for all high-risk systems.
Technical Documentation: What Art. 11 Requires
Technical documentation must be produced before a high-risk AI system is deployed and kept current throughout its lifecycle. Annex IV specifies the required content. This YAML template covers the mandatory elements:
# Technical Documentation Template (AI Act Art. 11 + Annex IV)
system:
  name: "Automated Loan Pre-Screening System"
  version: "2.3.1"
  intended_purpose: >
    Pre-screen retail loan applications to generate a risk score
    for mandatory human review before any credit decision.
  risk_category: "HIGH — credit decisions (Annex III)"
  deployment_date: "2026-03-15"
  compliance_owner: "Head of Credit Risk"
model:
  type: "Gradient Boosting Classifier"
  framework: "scikit-learn 1.4.2 / Python 3.11"
  input_features:
    - "Annual income (EUR) — no protected attributes"
    - "Employment duration (months)"
    - "Existing debt ratio (%)"
    - "Loan-to-value ratio (%)"
  output: "Risk score 0–100 + REJECT/REVIEW/APPROVE flag"
  human_override: "Mandatory for all REJECT and APPROVE outcomes"
training_data:
  source: "Internal loan history 2018–2024"
  size: "142,000 records"
  protected_attributes_excluded: ["gender", "nationality", "ethnicity"]
  bias_testing: "Quarterly disparate impact analysis via Fairlearn"
  retention: "5 years, then anonymized per GDPR schedule"
performance:
  accuracy_at_deployment: "82.4% (test set 2025-Q4)"
  minimum_acceptable_accuracy: "78%"
  false_positive_rate: "11.2%"
  false_negative_rate: "8.6%"
  disparate_impact_ratio: "0.84 (threshold ≥ 0.80)"
post_market_monitoring:
  review_cadence: "Quarterly"
  drift_detection: "Evidently AI statistical drift alerts"
  accuracy_alert_threshold: "Below 78% triggers immediate review"
  incident_log: "s3://compliance-logs/loan-screening/incidents/"
  next_review: "2026-08-01"
Human Oversight: Making It Meaningful
Article 14 requires high-risk AI systems to allow meaningful human oversight. Regulators draw a sharp line between oversight that is nominal (an override button exists) and oversight that is genuine (humans actually evaluate AI outputs independently).
Signs of Nominal Oversight (Fails Art. 14)
- Human override rate is 0% or near-zero on a system making consequential decisions
- Reviewers see only the AI's recommendation, not the underlying factors
- There is no training requirement before someone can act as a reviewer
- The override process takes less than 30 seconds — suggesting rubber-stamp approval
Signs of Genuine Oversight (Satisfies Art. 14)
- Reviewers see the AI confidence score, top decision factors (via SHAP or similar), and any data quality warnings
- Mandatory human sign-off for decisions above a defined impact threshold, with no bypass path
- Human reviewers are trained on the AI system's failure modes and common error patterns
- Override rate is monitored quarterly — a sudden drop triggers an audit of the oversight mechanism
- Random sampling of approved decisions for quality review (at least 5% of volume monthly)
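To turn the indicators above into a measurable quarterly check, here is an added example (not code from the article) that scores a batch of human-review records for the nominal-oversight signals, draws the random quality sample, and applies the four-fifths disparate-impact rule from the documentation template. The review-record layout, the thresholds, and the rule that a halving of the override rate counts as a "sudden drop" are assumptions.

```python
"""Quarterly oversight health check against the Art. 14 indicators listed above.

Added example, not code from the article. The review-record layout and the
thresholds (override floor, 30-second rubber-stamp limit, 5% sampling, 0.80
disparate-impact cut-off, halving as a "sudden drop") are assumptions.
"""
import random
from collections import Counter

OVERRIDE_FLOOR = 0.01          # near-zero override rate on consequential decisions
RUBBER_STAMP_SECONDS = 30      # reviews faster than this suggest rubber-stamping
SAMPLE_FRACTION = 0.05         # 5% of approved decisions re-checked each month
DI_THRESHOLD = 0.80            # four-fifths rule, as in the documentation template


def override_rate(reviews: list) -> float:
    """Share of decisions where the reviewer's final outcome differs from the AI flag."""
    return sum(r["final"] != r["ai_flag"] for r in reviews) / len(reviews)


def rubber_stamp_share(reviews: list) -> float:
    return sum(r["review_seconds"] < RUBBER_STAMP_SECONDS for r in reviews) / len(reviews)


def disparate_impact(reviews: list, reference: str) -> float:
    """Lowest group approval rate divided by the reference group's rate.
    The group label is held only for bias testing; it is not a model input."""
    total, approved = Counter(), Counter()
    for r in reviews:
        total[r["group"]] += 1
        approved[r["group"]] += r["final"] == "APPROVE"
    rates = {g: approved[g] / total[g] for g in total}
    return min(rates.values()) / rates[reference]


def quality_sample(reviews: list, seed: int = 0) -> list:
    """Random subset of approved decisions for second-line review."""
    approved = [r for r in reviews if r["final"] == "APPROVE"]
    k = max(1, round(len(approved) * SAMPLE_FRACTION))
    return random.Random(seed).sample(approved, k)


def oversight_findings(reviews: list, reference: str, previous_override_rate: float) -> list:
    """Return the nominal-oversight signals present in this quarter's reviews."""
    findings, rate = [], override_rate(reviews)
    if rate < OVERRIDE_FLOOR:
        findings.append("override rate near zero")
    if rate < previous_override_rate / 2:
        findings.append("override rate halved since last quarter")
    if rubber_stamp_share(reviews) > 0.5:
        findings.append("majority of reviews under 30 seconds")
    if disparate_impact(reviews, reference) < DI_THRESHOLD:
        findings.append("disparate impact below 0.80")
    return findings


def constructed_reviews(overrides: int) -> list:
    """Constructed sample, not real data: 20 decisions, the first `overrides` of them overturned."""
    rows = []
    for i in range(20):
        group = "A" if i < 10 else "B"
        final = "APPROVE" if i % 10 < (8 if group == "A" else 5) else "REJECT"
        flipped = "REJECT" if final == "APPROVE" else "APPROVE"
        rows.append({"ai_flag": flipped if i < overrides else final, "final": final,
                     "review_seconds": 12 if i % 4 else 140, "group": group})
    return rows


def run_example() -> dict:
    nominal = constructed_reviews(overrides=0)
    return {"nominal": oversight_findings(nominal, "A", previous_override_rate=0.04),
            "override_rate_after": override_rate(constructed_reviews(overrides=3)),
            "sample_size": len(quality_sample(nominal))}
```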
AI Governance Training
Talki Academy's AI Governance for Enterprise training covers the full AI Act compliance framework: risk classification, documentation, human oversight design, and incident response. Eligible for OPCO funding — potential out-of-pocket cost: EUR 0.
Case Studies: Three Organizations Building Compliance Programs
Case 1: European Retail Bank — Credit Scoring AI
Situation: A mid-size bank with 2.4 million retail customers runs an automated credit pre-screening model built in 2021. The model was never subject to AI Act requirements when developed, but Annex III classifies it as high-risk.
Gap analysis findings: No technical documentation existed. Logging captured only final decisions, not input features or confidence scores. Human reviewers saw only "APPROVE" or "REJECT" — no explanation of driving factors. Override rate was 0.3%, suggesting the oversight mechanism was nominal.
Remediation approach (9 months): The bank retroactively created Annex IV documentation from model cards and internal development notes. They deployed a SHAP explainability layer that surfaces the top 3 decision factors to reviewers. Inference logging was added to an append-only S3 bucket with WORM policy. Reviewers completed a 4-hour training course covering the model's documented failure modes. Override rate rose to 4.2% within two months — evidence of genuine engagement.
Case 2: HR Tech Scale-Up — Recruitment Platform
Situation: A 180-person HR tech company offers a recruitment screening SaaS to enterprise clients. The company is both a provider (builds the AI) and a deployer (uses it internally). Both roles carry distinct obligations.
Provider obligations met: Technical documentation including model architecture, training data sources (anonymized European job market data, 2019-2024), quarterly bias analysis reports, and a post-market monitoring plan. Declaration of Conformity issued. Harmonized standard (EN ISO/IEC 42001) self-assessment completed in 3 months with external legal review.
Deployer obligations added: For their own recruitment use of the product, the company added an AI disclosure banner to the candidate portal, documented their human oversight process (all rejections reviewed by a recruiter before notification), and created an incident reporting SOP. GDPR DPIA combined with AI Act risk assessment was completed in 6 weeks.
Case 3: Industrial Manufacturer — Predictive Maintenance AI
Situation: A manufacturing company uses AI to predict equipment failure across 12 factories. Initial assessment suggested this might be high-risk (critical infrastructure). Closer review of Annex III showed the system falls outside critical infrastructure scope (it manages internal equipment, not public infrastructure networks) — making it minimal risk.
Lesson: Correct classification saves significant compliance effort. The company conducted a 3-day workshop with legal counsel before starting any documentation work. By confirming minimal risk status, they avoided a EUR 180,000 compliance program while maintaining the governance practices (logging, monitoring, incident response) that make sense operationally regardless of regulatory obligation.
Compliance Checklist: 15 Control Points
Use this checklist to track your organization's compliance status. All 15 points must be complete before August 2026 for every high-risk AI system.
Foundation
- ☐ 1. Complete AI system inventory with owner, purpose, data inputs, and decision type for every system
- ☐ 2. Risk level assigned (unacceptable / high / limited / minimal) for every system — by use case, not technology
- ☐ 3. Prohibited practice scan: no unacceptable-risk AI deployed or contracted
- ☐ 4. GDPR overlap mapped: lawful basis, DPIA where required, ROPA updated
- ☐ 5. Compliance ownership defined: AI Compliance Officer, System Owner, Data Owner, Vendor Manager
High-Risk System Requirements
- ☐ 6. Technical documentation produced for every high-risk system (Art. 11 + Annex IV)
- ☐ 7. Data governance plan: sources documented, bias analysis performed, lineage tracked
- ☐ 8. Risk management file created and updated on every significant system change (Art. 9)
- ☐ 9. Automatic logging enabled: inference events, human overrides, drift alerts (Art. 12)
- ☐ 10. Conformity assessment completed; Declaration of Conformity signed; EU AI database registration done (Art. 43 + 71)
Operational Requirements
- ☐ 11. Human oversight mechanisms tested: reviewers trained, override rate monitored (Art. 14)
- ☐ 12. Transparency disclosures in place: user-facing AI disclosure, decision explanation capability (Art. 13 + 50)
- ☐ 13. Accuracy and robustness thresholds defined, tested, and monitored in production (Art. 15)
- ☐ 14. Post-market monitoring plan active: quarterly review, incident log, feedback channel (Art. 72)
- ☐ 15. Incident reporting procedure documented: internal escalation, authority notification, corrective action (Art. 73)
FAQ: EU AI Act Compliance
When do EU AI Act obligations take full effect?
The AI Act entered into force in August 2024. Prohibitions on unacceptable-risk AI became enforceable in February 2025. High-risk system obligations (technical documentation, conformity assessment, human oversight, logging) apply from August 2026. General-purpose AI model requirements apply from August 2025. Organizations deploying AI need to start their compliance programs now to meet the August 2026 deadline.
Does the AI Act apply to my company if we only use third-party AI tools?
Yes. The AI Act applies to both providers (companies that develop AI systems) and deployers (companies that use AI systems in their operations). If you use an HR SaaS that automatically ranks candidates, a credit scoring tool, or any AI system listed in Annex III, you are a deployer and share compliance obligations. You cannot offload compliance entirely to your vendor — you must verify their documentation and ensure your use case is covered.
What is the difference between a high-risk AI system and a general-purpose AI model?
A high-risk AI system is defined by its use case: HR decisions, credit scoring, medical diagnostics, law enforcement, education assessment, and critical infrastructure management are high-risk regardless of the underlying technology. A general-purpose AI model (GPAI) like GPT-4 or Claude is regulated based on its training compute (above 10^25 FLOPs) and systemic risk assessment. Most organizations deploying AI face high-risk system rules, not GPAI rules.
Can I self-certify compliance, or do I need a notified body?
Most organizations can self-certify high-risk AI systems using harmonized standards (EN ISO/IEC 42001). Third-party notified body assessment is only mandatory for AI systems in safety-critical regulated sectors where sectoral legislation already requires it — specifically medical devices (MDR/IVDR) and machinery subject to the Machinery Regulation. For employment, credit, and education AI, internal conformity assessment is sufficient.
What are the penalties for non-compliance with the EU AI Act?
Penalties are tiered by violation severity. Deploying prohibited AI systems: up to EUR 35 million or 7% of global annual turnover (whichever is higher). Violations of high-risk system requirements: up to EUR 15 million or 3% of turnover. Providing incorrect information to authorities: up to EUR 7.5 million or 1.5% of turnover. SMEs face lower maximum amounts. Penalties apply per violation, so operating multiple non-compliant systems multiplies exposure.
How long does a typical AI Act compliance program take?
For an organization with 3-10 AI systems (a typical mid-size enterprise), a full compliance program takes 9-12 months: 2 months for inventory and risk classification, 3 months for documentation and gap analysis, 2 months for technical remediation, 2 months for testing and conformity assessment, 1 month for registration and final sign-off. Organizations with legacy AI systems or complex vendor relationships may need 18 months. Starting in Q1 2026 leaves no buffer for the August 2026 deadline.
Conclusion: Compliance as Architecture, Not Audit
Organizations that treat AI Act compliance as a one-time audit will fail at their first regulatory inspection. The regulation is designed to be an ongoing operational standard — technical documentation must stay current, risk files must be updated at every significant change, and post-market monitoring must run continuously.
The companies building compliant AI systems today are making better engineering decisions in the process: cleaner data pipelines, explicit performance thresholds, human oversight that actually catches model failures. Compliance cost is real, but so is the operational resilience it creates.
Start with the inventory. Classify by use case. Prioritize your high-risk systems. The August 2026 deadline is achievable — but only if you begin now.
To go further: AI Governance for Enterprise Training — OPCO-eligible, fully practical, covers the complete regulatory framework.