
Understanding the EU AI Act: Key Steps for Businesses

Executive Summary

The EU AI Act has moved from a future planning item to a present-day governance obligation, and the strategic stakes for senior leaders are now concrete. As of August 2026, most of its provisions apply to any organization that develops, deploys, or relies on AI—including the hiring, promotion, and workforce-monitoring tools that sit at the center of HR strategy and are explicitly classified as high-risk. The financial exposure is material enough for the board’s risk register: fines reach up to €35 million or 7% of global annual turnover, a figure that can dwarf the fixed penalty for large multinationals. But the Act is more than a compliance cost. Responsible engagement works on two fronts at once: building strong, board-level governance inside the organization—clear ownership, AI literacy, vendor due diligence, and impact assessments—and participating constructively in the external policy process through regulatory sandboxes, codes of practice, and consultations, where early movers earn influence and credibility that late arrivals cannot match. Because the Act is poised to set a global benchmark much as GDPR did, companies that build to its standard now position themselves to absorb the next wave of rules with minimal disruption. For executives, the choice is not whether to comply but whether to treat AI governance as a grudging expense or as a durable source of competitive advantage—a procurement edge, an investor-relations story, and a trust signal to employees and customers alike.

The EU AI Act is no longer a distant policy debate—as of August 2026, most of its provisions apply to any company that develops, deploys, or relies on AI. For senior executives, the question has shifted from “Should we prepare?” to “How do we engage responsibly, both inside our organization and with the regulators shaping the rules?” This guide breaks down the EU AI Act’s risk-based framework, its enforcement timeline, and the practical steps your company can take to build trust, reduce compliance risk, and help shape sound AI policy—illustrated with named, publicly documented cases that show what happens when companies get it right, and when they don’t.

Abstract

This article examines how companies can engage responsibly with AI regulation in the era of the EU AI Act, the first comprehensive AI law from a major regulator. It outlines the Act’s risk-based framework, its staggered enforcement timeline, and the substantial penalties that now place AI governance firmly on the board’s agenda. Drawing on publicly documented cases—from Amazon’s abandoned recruiting tool and the Dutch childcare-benefits scandal to the governance approaches of Workday, IBM, and Microsoft—it argues that responsible engagement operates on two fronts: building strong internal governance through clear ownership, board-level literacy, vendor due diligence, and impact assessments, and participating constructively in the external policy process via regulatory sandboxes, codes of practice, and consultations. The analysis pays particular attention to high-risk applications in hiring and workforce management, where the stakes for HR and corporate-affairs leaders are most immediate. Because the Act is poised to set a global benchmark much as GDPR did, the article makes the case that early, single-standard compliance is not merely a defensive measure but a durable source of competitive advantage—offering executives a practical roadmap for turning regulatory obligation into trust, credibility, and strategic positioning.

Key Takeaways

  • The EU AI Act is the first comprehensive AI law from a major regulator, and it sorts AI applications into four risk tiers—unacceptable, high, limited, and minimal—with obligations that scale up sharply as risk rises.
  • Most provisions apply from 2 August 2026, with prohibited practices and general-purpose AI (GPAI) rules already in force since 2025; companies that treated earlier deadlines as optional are now operating under full legal exposure.
  • HR and workforce tools are squarely in scope. Systems that screen résumés, rank candidates, or monitor employees are explicitly classified as high-risk, putting CHROs and corporate-affairs leaders on the front line of compliance.
  • Penalties are significant: up to €35 million or 7% of global annual turnover for banned practices—an exposure that belongs on the board’s risk register and in enterprise risk reporting, not just with legal.
  • Most boards are not yet ready. Only about 15% of S&P 500 companies disclose any board oversight of AI, and just 13% have a director with AI expertise—a governance gap regulators, activist investors, and litigants can exploit.
  • Third-party tools are a hidden liability. More than half of AI failures originate from external vendors, so the same due diligence applied to financial controls and data security should extend to every AI system you license.
  • Responsible engagement is both internal and external: strong board-level governance—clear ownership, AI literacy, vendor due diligence, and impact assessments—plus active, transparent participation in consultations, codes of practice, and regulatory sandboxes, where early movers earn lasting influence.
  • The Act will likely set a global standard, much as GDPR did, so companies outside the EU should treat it as a baseline rather than a regional concern—building to one high standard now is cheaper than re-engineering systems jurisdiction by jurisdiction later.
  • Compliance is a competitive lever, not just a cost. Done well, responsible AI governance becomes a procurement edge, an investor-relations story, and a trust signal to employees and customers alike.

What is the EU AI Act, and why does it matter for your company?

The EU AI Act is a European regulation governing artificial intelligence—the first comprehensive AI law introduced by any major regulator. It entered into force on 1 August 2024 and applies its core obligations from 2 August 2026.

The Act matters because its reach extends well beyond Europe. Any company that places an AI system on the EU market, or whose AI outputs are used in the EU, falls within scope—regardless of where the company is headquartered. For HR leaders, this is especially relevant: tools that screen résumés, rank candidates, or monitor employee performance are explicitly classified as high-risk under the Act.

Consider what this means in practice. Amazon famously scrapped an experimental recruiting tool in 2018 after discovering it had taught itself to penalize résumés containing the word “women’s”—as in “women’s chess club captain.” The system had learned from a decade of male-dominated hiring data and quietly reproduced that bias. Under the EU AI Act, a tool like that would now sit squarely in the high-risk category, subject to mandatory bias testing, documentation, and human oversight. **The executive lesson is sharper than “AI can be biased.” It is that an unowned AI tool can fail silently for years, accruing legal, reputational, and workforce-equity liabilities that no one is tracking. For a CHRO, the question is not whether your hiring tools are biased but who in your organization is accountable for proving they are not.**

The financial stakes are clear. Non-compliance with prohibited practices can trigger fines up to €35 million or 7% of total worldwide annual turnover, whichever is higher (Article 99, EU AI Act). For a large multinational, that 7% figure can dwarf the €35 million floor—a sum substantial enough to command any board’s attention. Other violations carry lower but still substantial penalties. Framed correctly, this is not a compliance line item; it is a material risk disclosure your CFO and audit committee should already be modeling.

How does the EU AI Act’s risk-based framework work?

The EU AI Act regulates AI on a sliding scale, assigning each application to one of four risk categories. The higher the risk, the stricter the obligations.

| Risk category | What it covers | Obligations |
|---|---|---|
| Unacceptable risk | Government-run social scoring, certain real-time biometric surveillance, manipulative systems | Banned outright |
| High risk | CV-screening tools, candidate ranking, critical infrastructure, education, access to essential services | Strict requirements: risk management, documentation, human oversight, transparency |
| Limited risk | Chatbots, AI-generated content | Transparency obligations (users must know they’re interacting with AI) |
| Minimal risk | Spam filters, AI in video games | Largely unregulated |
For most organizations, the high-risk category demands the most attention. If your company uses AI to make or support decisions about hiring, promotion, or termination, those systems are treated as high-risk and carry the heaviest compliance burden.

The EU AI Act applies its obligations in stages rather than all at once. Knowing which rules are already live—and which are imminent—helps you prioritize.

| Date | What applies |
|---|---|
| 1 August 2024 | Act enters into force (no obligations yet) |
| 2 February 2025 | Bans on prohibited AI practices and AI literacy requirements take effect |
| 2 August 2025 | Rules for GPAI models, governance structures, and penalties apply |
| 2 August 2026 | The majority of the Act applies, including most high-risk obligations |
| 2 August 2027 | Remaining high-risk classification rules (Article 6(1)) and legacy GPAI obligations apply |

What does responsible engagement with AI regulation actually mean?

Responsible engagement means two things working together: building strong AI governance inside your organization, and participating constructively in the external policy process. One without the other leaves you exposed—either to compliance failures or to rules written without your input.

The International Corporate Governance Network (ICGN) identifies five cornerstones of responsible AI: board oversight, responsible practices, risk management, transparency, and regulatory compliance. These principles apply whether you build AI in-house or rely on third-party vendors. Notably, ICGN reports that more than half of all AI failures originate from third-party tools—a critical point given how many companies depend on external systems.

That third-party risk is not hypothetical. Many of the AI hiring tools used across industries are licensed from outside vendors, which means the company deploying the tool often inherits a bias problem it never created and cannot easily see inside. The Dutch childcare-benefits scandal shows how severe the consequences can be: the Dutch tax authority’s automated fraud-detection system wrongly flagged thousands of families—disproportionately those with dual nationality or low incomes—for benefits fraud, and the resulting fallout contributed to the resignation of the entire Dutch government in 2021. The system had not been built with malicious intent, but no one had owned the risk closely enough to catch the harm before it spread—and the accountability ultimately landed at the very top. For senior leaders, the takeaway is blunt: AI failure is now a leadership-tenure risk, not a technical footnote. Whoever signs off on deploying a high-risk system should understand that their name is effectively on the outcome. The practical move is to demand the same vendor due diligence for AI tools that you already require for financial controls or data security.

How should boards build internal AI governance?


Boards carry ultimate accountability for a company’s responsible use of AI, and effective oversight starts before regulators require it. Yet the evidence shows most boards are not yet there. An ISS-Corporate analysis of S&P 500 proxy statements found that only about 15% of companies disclosed any board oversight of AI, just 13% had even one director with AI-related expertise, and a mere 1.6% disclosed explicit full-board or committee oversight. Surveys cited by ICGN paint a similar picture: in one study of 700 leaders, 58% had no AI expertise on their boards or did not know their members’ proficiency, and in another, 86% of organizations were using some form of AI without board awareness.

That 86% figure deserves a pause. It means that in most companies, AI is already making or shaping decisions—about who gets hired, which customers get flagged, how performance is scored—without the board fully knowing it. **The risk isn’t a future one; it’s already sitting on the balance sheet, unmeasured and undisclosed. For a board, that is a governance gap a regulator, an activist investor, or a plaintiff’s lawyer can exploit. The first job of the board is not to master the technology—it is to insist on visibility: a current inventory of where AI operates, who owns each system, and what could go wrong.**

To close that gap, executive teams should:

  • Assign clear ownership. Designate who is accountable for AI risks and who answers for any controversy. When something goes wrong, “the algorithm did it” is not a defense a regulator or a journalist will accept. Some companies have made this concrete: Workday, for example, has appointed a Chief Responsible AI Officer to direct its governance program—a model worth weighing for any organization where AI now touches material decisions, because a named owner at the executive table converts diffuse risk into clear accountability.
  • Build board-level literacy. Use training, external experts, and advisory bodies so directors can assess AI risks and opportunities credibly. The ISS-Corporate data shows board AI expertise is heavily concentrated in the technology sector—30% of S&P 500 IT companies have a director with AI experience—while most other industries lag far behind, the same way many boards once brought in cybersecurity specialists only after high-profile breaches made the threat impossible to ignore. The strategic lesson: don’t wait for your own crisis to build the expertise; the boards that lead are recruiting AI fluency now, while it’s still a choice rather than a reaction.
  • Embed responsible AI in existing policies. Integrate it into your Code of Conduct, data privacy, information security, and vendor assessment policies rather than creating a siloed document that no one reads. ICGN’s framework explicitly favors weaving responsible AI into existing structures over building a standalone policy—an approach that also signals to regulators that governance is operational, not cosmetic.
  • Run impact assessments and audits. Conduct due diligence on bias, privacy, and human rights impacts before scaling any system. New York City’s Local Law 144 already requires employers to commission independent bias audits of automated hiring tools—a preview of the kind of scrutiny spreading globally, and a reason to build audit capacity now rather than scramble to retrofit it under each new mandate.
  • Pilot before you deploy. Test high-risk use cases with sector and product specialists to surface problems early. A controlled pilot that reveals a flaw is a success; the same flaw discovered after a company-wide rollout—as Amazon found with its recruiting tool—is a crisis. The cost difference between catching a problem in a pilot and catching it in production is the single clearest argument for disciplined deployment governance.

For HR specifically, define the scope of AI in human capital management. Clarify whether the technology is expected to deliver fairer, more transparent outcomes—and what your response will be if it fails. A practical starting question for any CHRO: if a rejected candidate asked you to explain exactly why the system screened them out, could you give a clear, defensible answer? If not, the system isn’t ready—and that answer should determine whether it ships.

How can companies participate in the policy process?

Companies can shape AI regulation through legitimate, transparent channels rather than waiting for rules to be imposed. The EU AI Act creates several formal entry points for industry input.

Regulatory sandboxes. Under Article 57, each EU Member State must establish at least one AI regulatory sandbox, operational by 2 August 2026. These controlled environments let companies develop, test, and validate AI systems in close coordination with regulators before market release. Sandboxes are especially valuable for testing high-risk systems while maintaining a direct line to supervisory authorities. Spain led the way here, launching one of the first national AI sandboxes and giving early participants the chance to shape supervisory expectations rather than simply react to them. **For a chief corporate affairs leader, the strategic read is straightforward: early sandbox participation buys influence over how rules are interpreted, plus a credibility dividend with regulators that competitors arriving later cannot easily match. Being early often means being heard.**

Codes of practice. The GPAI Code of Practice gives developers a framework for demonstrating compliance. Companies can choose to follow it or show compliance through other means, but engaging with these codes signals good faith and helps establish workable standards. When the EU published the list of signatories to the AI Act’s Code of Practice, major developers including Microsoft and Meta were among the names scrutinized—a public signal of which companies chose to cooperate openly and which held back. **That visibility is the point for executives: signing is a reputational decision the board should make deliberately, because the signatory list itself becomes a public statement of where your company stands with regulators and customers.**

Public consultations and advisory bodies. The Act’s Advisory Forum provides technical expertise to the European Commission and the AI Board. Participating in consultations lets companies contribute practical, on-the-ground insight to rules that might otherwise be written without it. The GDPR era offers a cautionary tale: companies that sat out the drafting process later complained the rules ignored operational realities—but by then the text was law, and complaints carried little weight. The lesson for the C-suite is that the cheapest time to influence a rule is before it is written; lobbying after enactment is both costlier and less effective.

What transparency and documentation obligations apply?

Transparency is both a legal requirement and a trust-building tool. Companies must be clear about how their AI systems are designed, trained, tested, and scaled, and how they handle personal data.

Practical obligations include:

  • Disclosing AI interactions. Stakeholders—customers and employees alike—must know when they are interacting with an AI system or viewing AI-generated content. The companies that handle this gracefully tend to be upfront: a simple line such as “You’re chatting with our AI assistant—type ‘agent’ anytime to reach a person” builds more trust than a chatbot quietly impersonating a human. Treated well, disclosure is not a constraint on customer experience but a contributor to it.
  • Documenting training data. Companies that develop AI must be transparent about the data their models were trained on—an obligation the Act applies directly to general-purpose models such as IBM’s Granite and Meta’s Llama, whose providers must publish detailed summaries of their training data. This is harder than it sounds; many organizations discover, mid-audit, that they cannot fully account for where their training data came from. For a general counsel, that gap is a live liability: undocumented data provenance is exactly what a regulator or litigant probes first. The defensible position is to commission a data-lineage review now, before an external party forces one.
  • Securing consent. Emerging best practice calls for explicit consent before using stakeholder data in AI systems. Workday, for one, publicly lets customers control whether their data is used to improve its machine-learning models—an example of consent built into the product rather than bolted on afterward, and a model that turns a compliance obligation into a customer-trust feature.
  • Reporting controversies promptly. Investors and regulators expect timely disclosure of any material AI-related issue. The instinct to delay rarely pays off; as countless data-breach cases have shown, the cover-up almost always damages reputation more than the original problem. For leadership, the rule of thumb is simple: disclose on your own timeline, or have the story disclosed for you on someone else’s.

Strong documentation does more than satisfy auditors. It demonstrates the kind of accountability that preserves trust with your workforce, customers, and shareholders—and when a regulator does come knocking, a well-kept paper trail is often the difference between a quick clearance and a drawn-out investigation that consumes executive time and headlines.

How should companies advocate responsibly on AI policy?


Responsible advocacy means representing your interests transparently while supporting rules that protect people and society—not lobbying to weaken safeguards behind closed doors. Companies that engage credibly tend to align their positions with established frameworks such as the OECD AI Principles, UNESCO’s Recommendation on the Ethics of AI, and ISO/IEC 42001, the international standard for AI management systems. A growing number of firms now pursue ISO/IEC 42001 certification much as they once sought ISO 27001 for information security—a credential that signals seriousness to regulators, partners, and customers alike, and one that increasingly surfaces in procurement and due-diligence checklists.

The most effective approach frames advocacy around shared goals: workable standards, proportionate obligations, and clear guidance. Workday again offers a public example of this posture: rather than lobbying against the Act, the company has published its compliance approach “in the spirit of transparency and collaboration,” explicitly framing the regulation as a useful framework. The executive insight here is about positioning. Companies that fight regulation outright tend to win the battle and lose the relationship; companies that engage constructively earn standing that pays off across future rule-making. Executives who can explain how a proposed rule affects real operations—and offer constructive alternatives—carry far more weight than those seeking blanket exemptions. The difference is visible in practice: a CEO who tells regulators “this requirement adds three weeks to every product launch, and here’s a leaner way to achieve the same safeguard” is taken seriously, while one who simply demands an exemption is quietly filed under special pleading.

Why the EU AI Act is a global concern, not a regional one

The EU AI Act is likely to become a global benchmark, repeating the pattern set by GDPR in 2018. Brazil has already passed legislation creating a legal framework for AI, and other jurisdictions are watching closely. IBM, among others, has publicly noted that experts expect the Act to spur AI governance and ethics standards worldwide—much as GDPR did for privacy.

We have seen this movie before. After GDPR, companies from California to Singapore found themselves adopting European-style privacy standards simply because it was cheaper to run one global system than to maintain a patchwork of regional ones. Several US states modeled their own privacy laws on GDPR’s core ideas. The same dynamic is now taking shape around AI, and the companies treating the EU AI Act as a worldwide template—Workday has publicly said it expects the Act to become “the global standard”—are quietly positioning themselves to absorb the next wave of rules with minimal disruption. **For a board weighing where to set the compliance bar, the strategic calculus is clear: building to the highest credible standard once is almost always cheaper than re-engineering systems jurisdiction by jurisdiction as new laws land. The Brussels effect turns early, single-standard compliance into a durable cost advantage.**

For multinational organizations, this “Brussels effect” carries a strategic implication: building to the EU standard now positions you to comply across markets as similar rules emerge elsewhere. Treating the Act as a global baseline—rather than a European exception—reduces the cost and disruption of fragmented compliance down the line.

Turning compliance into competitive advantage

The companies that thrive under AI regulation will be those that treat it as a strategic priority rather than a legal hurdle. Responsible engagement protects you from significant fines, but it also builds something harder to quantify: trust with employees, customers, regulators, and investors. Consider how the early GDPR adopters fared—the firms that built genuine privacy programs not only avoided penalties but began using their data practices as a selling point, turning a compliance cost into a market differentiator. Workday is already pursuing the same playbook with AI, publicly positioning its responsible-AI program as a reason for customers to trust it. The strategic choice facing leadership is therefore not “comply or don’t”—it is whether to treat AI governance as a grudging cost or as a source of competitive advantage. The companies that choose the latter are converting a regulatory obligation into a procurement edge, an investor-relations story, and a recruiting message, all at once. The same opportunity is opening up across industries right now.

To move forward, take three concrete steps. First, audit your current AI systems against the four risk categories and identify which fall into the high-risk tier—you may be surprised how many systems quietly qualify, and the inventory itself is often the moment leadership grasps the scale of the exposure. Second, establish clear board-level ownership and embed responsible AI into your existing governance policies. Third, engage the external process—explore your national regulatory sandbox, monitor codes of practice, and contribute to consultations where your expertise adds value.

The regulatory landscape will keep evolving. Organizations that build durable governance and engage constructively today will be far better positioned to lead tomorrow.

Conclusion

The EU AI Act marks a decisive shift: AI governance is no longer a technical concern delegated downward but a board-level responsibility with direct financial, legal, and reputational stakes. The evidence runs through every section of this guide. Penalties reaching 7% of global turnover belong on the enterprise risk register. High-risk hiring and workforce tools place CHROs and corporate-affairs leaders on the front line. More than half of AI failures trace back to third-party vendors, yet most boards still lack the visibility, expertise, or ownership structures to catch a problem before it spreads—as Amazon’s abandoned recruiting tool and the Dutch childcare-benefits scandal made painfully clear. The companies that get this right share a common pattern: they assign clear accountability, build board-level literacy, embed responsible AI into existing policies, audit before they scale, and engage the external process through sandboxes, codes of practice, and consultations where early movers earn lasting influence. They treat the Act not as a European exception but as a global baseline, building to one high standard rather than re-engineering jurisdiction by jurisdiction as the Brussels effect plays out. And crucially, they recognize that responsible engagement is not a defensive cost but a strategic asset—a procurement edge, an investor-relations story, and a trust signal to employees and customers alike. For leadership teams, the imperative is clear and immediate: the question is no longer whether to act, but how decisively. The organizations that build durable governance and engage constructively today will not merely survive the next wave of regulation—they will help shape it, and lead the markets it defines.

Frequently asked questions

The questions below mirror what a market surveillance authority or regulator could ask your leadership team during an inquiry. Each is paired with the direct answer—or the evidence and action—your executives should be prepared to provide. Use them to pressure-test your readiness ahead of the 2 August 2026 deadline.

Does the EU AI Act apply to your company, and on what basis?

Yes, if your company develops, deploys, imports, or distributes AI systems in the EU—or if your AI outputs are used within the EU—the Act applies, regardless of where you are headquartered.

This extraterritorial reach captures non-EU firms in common scenarios:

  • A US software provider whose hiring tool is used by an EU subsidiary
  • An internal HR or workforce-monitoring tool deployed for EU-based employees
  • Any SaaS platform whose AI outputs reach EU users

Non-EU providers of high-risk AI systems must also appoint an authorized representative in the EU before placing the system on the market.

How has your company classified its AI systems under the four-tier risk framework?

Your company should be able to produce a current inventory mapping every AI system to one of the Act’s four risk tiers: unacceptable (banned), high, limited, or minimal.

Classification drives every downstream obligation, so accuracy matters:

  • Unacceptable risk: Banned outright (e.g., social scoring, workplace emotion recognition)
  • High risk: Strict obligations (e.g., CV screening, candidate ranking, access to essential services)
  • Limited risk: Transparency duties (e.g., chatbots, AI-generated content)
  • Minimal risk: Largely unregulated (e.g., spam filters)

Classification errors run in both directions, and nearly 70% of businesses report difficulty understanding their specific obligations. The inventory itself is often the moment leadership grasps the true scale of exposure.

Are your HR and recruitment AI tools registered and compliant as high-risk systems?

Yes—they must be. AI systems used to screen, rank, or match job candidates are explicitly classified as high-risk under Annex III, triggering the Act’s strictest requirements.

Your CHRO should be prepared to demonstrate, for each tool:

  • Documented bias testing and data governance
  • Assigned, competent human oversight personnel
  • Technical documentation drawn up before deployment
  • A clear, defensible explanation of any individual screening decision

Amazon’s abandoned recruiting tool, which taught itself to downgrade résumés containing the word “women’s,” is the cautionary example most often cited. The practical takeaway: inventory every AI touchpoint in the hiring funnel and confirm who is accountable for each.

What is your financial exposure for non-compliance, and does your board know it?

Penalties for prohibited practices reach up to €35 million or 7% of total worldwide annual turnover, whichever is higher. Violations of high-risk obligations can reach €15 million or 3% of global turnover.

For a multinational, the percentage figure—not the fixed sum—is the one that should command board attention. A 3% penalty against €10 billion in revenue is €300 million. This is a material risk disclosure that belongs on the enterprise risk register and in audit committee reporting, not solely with legal.

Does your company understand whether it is a provider, a deployer, or both?

Your company should have explicitly mapped its role for each AI system, because the obligations differ materially.

  • Providers (those who develop or place a system on the market) carry the heavier burden: risk management systems, technical documentation, conformity assessments, and EU database registration.
  • Deployers (those who use a system in operations) must follow provider instructions, assign competent human overseers, retain audit trails for at least six months, monitor operations, and report serious incidents without undue delay.

Many companies wear more than one hat. Licensing a third-party hiring tool typically makes you a deployer—but you cannot outsource accountability for how that tool treats candidates.

Who on your board or executive team is accountable for AI governance?

Your company should be able to name a specific owner accountable for AI risk—“the algorithm did it” is not a defense a regulator will accept.

Effective oversight rests on a few concrete moves:

  • Assign clear ownership. Some organizations, such as Workday, have appointed a Chief Responsible AI Officer to direct governance.
  • Build board-level literacy. Only about 15% of S&P 500 companies disclose any board oversight of AI, and just 13% have a director with AI expertise—a gap regulators and investors can exploit.
  • Embed responsible AI into existing policies rather than a standalone document no one reads.
  • Run impact assessments and pilots before scaling any high-risk system.

What concrete steps has your company taken to prepare for the August 2026 deadline?

Your company should be able to evidence operational readiness, not just policy documents. The hardest obligations are operational: ongoing risk controls, traceable audit trails, human review, and maintained technical records.

A defensible preparation path includes:

  1. Classifying all AI systems against the four risk tiers
  2. Assigning board-level accountability and ownership
  3. Embedding responsible AI into existing governance, vendor, and data policies
  4. Running impact assessments on high-risk systems
  5. Establishing audit-trail retention, incident escalation, and human-oversight processes—and testing them before enforcement pressure arrives

Has your company explored participating in a national regulatory sandbox?

A regulatory sandbox is a controlled environment where companies develop, test, and validate AI systems in close coordination with regulators before market release. Each EU Member State must operate at least one, fully operational by August 2, 2026.

The strategic value for executives is twofold:

  • Compliance evidence: Competent authorities provide written proof of activities and an exit report, which market surveillance authorities and notified bodies must take into account—potentially accelerating conformity assessment.
  • Regulatory goodwill: Early participants help shape supervisory expectations rather than react to them. Spain’s early sandbox is a useful model to study before approaching your own national program.

Can you demonstrate compliance through documentation, audit trails, and transparency measures?

Your company should maintain documentation that satisfies auditors and demonstrates accountability on demand—a well-kept paper trail is often the difference between quick clearance and a drawn-out investigation.

Core obligations to evidence:

  • Disclosure: Users must know when they are interacting with an AI system, and AI-generated content must carry machine-readable labeling (Article 50, enforceable from August 2, 2026).
  • Data provenance: Documented training, validation, and testing dataset sources, evaluated for bias.
  • Audit trails: Tamper-evident logs of inputs, outputs, and decisions, retained for at least six months.
  • Human oversight: Designated personnel with documented competence, training, and authority.

Many organizations discover mid-audit that they cannot fully account for their training data. The defensible position is to commission a data-lineage review now, before an external party forces one.

How does your company engage constructively with the regulatory process?

Responsible advocacy means representing your interests transparently while supporting rules that protect people—not lobbying to weaken safeguards behind closed doors.

Credible engagement typically includes:

  • Aligning positions with established frameworks such as the OECD AI Principles and ISO/IEC 42001
  • Participating in public consultations and advisory bodies with practical, operational insight
  • Engaging with codes of practice as a public signal of good faith

Companies that fight regulation outright tend to win the battle and lose the relationship. Workday, for instance, has published its compliance approach “in the spirit of transparency and collaboration,” framing the Act as a useful framework rather than a threat.

Why should your company treat the EU AI Act as a global concern rather than a regional one?

Because the Act is poised to become a global benchmark, repeating the “Brussels effect” set by GDPR in 2018. Brazil has already passed AI legislation, and other jurisdictions are watching closely.

For a board weighing where to set the compliance bar, the calculus is clear: building to the highest credible standard once is almost always cheaper than re-engineering systems jurisdiction by jurisdiction as new laws land. Treated this way, early single-standard compliance becomes a durable cost advantage—and a procurement edge, an investor-relations story, and a trust signal to employees and customers alike.

**Who does the EU AI Act apply to?**

The Act applies to any company that develops, deploys, imports, or distributes AI systems in the EU—or whose AI outputs are used within the EU—regardless of where the company is based. A US software firm whose hiring tool is used by a German subsidiary, for example, falls squarely within scope. This gives the regulation significant extraterritorial reach, which means even firms with no European headquarters should treat it as directly relevant.

**What are the penalties for non-compliance?**

Non-compliance with prohibited AI practices can result in fines up to €35 million or 7% of total worldwide annual turnover, whichever is higher. For a company with billions in revenue, that 7% figure—not the fixed sum—is the one that should focus the board’s attention and belongs in your enterprise risk reporting. Other violations carry lower but still substantial penalties.

**Are HR and recruitment tools considered high-risk?**

Yes. AI systems used to screen, rank, or match job candidates are classified as high-risk under the EU AI Act, which means they are subject to strict requirements around risk management, documentation, human oversight, and transparency. Amazon’s abandoned recruiting tool, which had learned to downgrade women’s résumés, is the cautionary example most often cited here, and HR-software providers such as Workday have built dedicated governance programs around exactly these features. For a CHRO, the practical takeaway is to inventory every AI touchpoint in the hiring funnel and confirm who is accountable for each.

**What is a regulatory sandbox, and how can my company use one?**

A regulatory sandbox is a controlled environment where companies can develop and test AI systems in close coordination with regulators before bringing them to market. Each EU Member State must operate at least one, giving companies a way to validate high-risk systems while maintaining direct contact with authorities. Spain’s early sandbox is a useful model to study before approaching your own national program—and early participation can earn regulatory goodwill that pays off later.

**What’s the difference between a provider and a deployer?**

A provider develops an AI system or places it on the market, while a deployer uses an AI system in its operations. Both carry obligations under the Act, but providers—especially those building high-risk or general-purpose AI—bear the heavier compliance burden. Workday publicly describes itself as a provider, deployer, and downstream provider all at once, a reminder that many companies wear more than one hat. A company that merely licenses a third-party hiring tool is typically a deployer, but it still cannot outsource accountability for how that tool treats candidates—a distinction the board and general counsel should map explicitly.

**How can my company start preparing now?**

Begin by classifying your AI systems against the four risk tiers, assigning board-level accountability, embedding responsible AI into existing policies, and running impact assessments on high-risk systems. From there, engage external channels such as sandboxes and consultations. The simplest first move is often the most revealing: ask each department to list the AI tools it already uses—the inventory alone tends to surprise leadership and frequently becomes the catalyst for serious governance.
