1. Does the EU AI Act apply to your company?

In practice: if you operate in the EU, sell into the EU, or your AI outputs are used in the EU, you should assume you are in scope.

It doesn’t only target “AI vendors.” It also affects companies that deploy AI systems in real business processes, especially where AI influences decisions about people, access, money, or safety. That includes common corporate scenarios like recruiting, candidate screening, performance monitoring, creditworthiness assessments, insurance decisions, education/training assessments, and some security-related uses.

My opinion: The most expensive mistake is waiting until a customer, an auditor, or an incident forces you to map your AI usage under pressure. A basic AI inventory and risk classification is a fast, high-leverage move.

2. The risk classes (the part executives actually need)

The AI Act is built around risk. Your obligations depend on what your AI does and where it’s used.

A) Prohibited practices (unacceptable risk)

Certain AI uses are essentially banned. Most companies don’t plan to do these, but “accidental proximity” happens: analytics tools that infer sensitive traits, monitoring tools that cross into emotion recognition, or “behavior shaping” that becomes manipulative.

B) High-risk AI systems (heavy obligations)

This is the category that drives serious compliance work. High-risk often appears in:

HR and worker management (recruitment, screening, evaluation, monitoring)

Education and vocational training (testing, scoring, admissions decisions)

Access to essential services (credit decisions, certain insurance and eligibility decisions)

Critical infrastructure, safety-related contexts, and some biometric uses

C) Transparency obligations (limited risk)

If humans interact with AI (e.g., chatbots), people may need to be informed. If you generate or manipulate content that could mislead (synthetic media, “deepfakes”), disclosures/labeling can be required.

D) Minimal risk

Many AI use cases are here. But “minimal risk” doesn’t mean “no responsibility.” It still sits inside your broader compliance reality: GDPR, security, consumer protection, IP, and contractual obligations.

My opinion: Most companies don’t fail because they pick the wrong tool. They fail because they don’t classify the use case early enough. Classification is the steering wheel.

3. What obligations and work does this create?

Here’s the crucial point: obligations don’t only apply to the company that built the AI. They also apply to the company that uses it.

If you provide a high-risk AI system (including when you significantly modify or re-brand a system), you’re looking at “product-grade” compliance: risk management, documentation, logging, human oversight design, robustness and security controls, and a conformity approach before market use.

If you deploy high-risk AI systems (you use them inside your business), you still have duties: use according to instructions, ensure meaningful human oversight, monitor the system, keep appropriate logs, manage incidents, and apply organizational controls. You also need clarity on responsibilities with vendors, because “the vendor said it’s compliant” won’t protect you if your usage context creates risk.

My opinion: This is why “Shadow AI” is not a moral problem; it’s a governance problem. If AI is used informally in HR or operations, you can’t prove oversight, you can’t prove control, and you can’t respond cleanly when someone asks, “Show me how this decision was influenced.”

4. What are the real business risks?

Yes, penalties matter. But for most companies, the bigger immediate risks are:

Deals slowing down because enterprise customers demand AI Act evidence

Procurement asking for documents you can’t produce quickly

HR or operations deploying AI tools that trigger high-risk requirements unintentionally

Incidents: complaints, bias concerns, reputational issues, or security exposure

“Compliance retrofit” costs that balloon because you’re fixing governance after rollout

In plain language: the AI Act turns “AI experimentation” into “AI operations.” And operations need ownership, controls, and proof.

5. The practical way to get ahead without turning this into a bureaucracy

If you want to reduce risk quickly, focus on these five moves:

First, build an AI inventory.
Not a 6-month enterprise architecture exercise. A practical list: what AI is used, by whom, for what decisions, and on which data.

Second, classify every use case.
Prohibited, high-risk, transparency, minimal. Most organizations are surprised how many tools sit in “gray areas.”

Third, clarify roles and responsibility.
Who is the deployer? Who is the provider? Who owns oversight, logging, and incident response? Where does legal/compliance actually need to sign off?

Fourth, fix the fast gaps.
AI literacy basics, transparency notices where required, and vendor due diligence that produces usable documentation.

Fifth, for high-risk: build the “evidence lifecycle.”
Data governance, evaluation and testing approach, monitoring, and the documentation you need to prove control.

My opinion: The winning strategy is not “be perfect.” It’s “be provable.” You don’t need a mountain of policies. You need a system that produces evidence and decisions reliably.

Call to action (positioned for bookings)
If you want, I can help you get from uncertainty to a clear management decision in days, not months.

My typical engagement for mid-sized companies is an AI Act Readiness Check:

• A fast AI-use inventory (including Shadow AI entry points)
• A risk classification map (what’s high-risk, what’s transparency, what’s fine)
• A prioritized gap list with concrete actions and owners
• Vendor/documentation requirements you can send to procurement and suppliers
• A short roadmap that fits your business reality (not a compliance fantasy)

If you’d like this, send me a short note with: your industry, where you suspect AI is used most (HR, support, marketing, finance, ops), and whether you build any AI internally. I’ll reply with a clear next-step proposal.