
How To Comply With The Eu AI Act: A Practical Guide

Published on July 1, 2026


If a regulator or your board asked today which AI systems you have in production, which EU AI Act obligations apply to each, and whether the evidence is complete... how long would it take your team to answer?

For most enterprises, the honest answer is weeks. Not because no one cares about compliance, but because the processes built to prove it were never designed to keep pace with how fast AI is actually being deployed. Model inventories live in spreadsheets. Approvals run through email. Risk classifications get assigned once and quietly drift out of date.

In 2026, the stakes around that gap changed in two directions at once. The deadlines for the EU AI Act's most demanding obligations moved later — but the obligations themselves got harder, and enforcement of what's already in force is well underway. The teams that will navigate this well are the ones that stop treating compliance as a periodic fire drill and start treating it as a system. This guide walks through where the Act stands now, what high-risk compliance actually requires of data and AI teams, and how a single system of record — built on governed data products — turns "Are we compliant?" into a question your infrastructure can answer on demand.

Where the EU AI Act stands in 2026

The EU AI Act is the world's first comprehensive, horizontal legal framework for artificial intelligence.¹ It takes a risk-based approach,² sorting AI systems into four tiers — unacceptable risk (prohibited outright), high risk (heavily regulated), limited risk (transparency obligations), and minimal risk (largely unregulated). If your AI system's output touches anyone in the EU, the Act applies regardless of where your company is headquartered.

The headline development of 2026 is a timeline reset. Under the Digital Omnibus (a provisional political agreement reached on 6 May 2026 and pending formal adoption), the compliance deadline for high-risk standalone systems listed in Annex III (recruitment, credit scoring, education, law enforcement, and similar use cases) was deferred from 2 August 2026 to 2 December 2027.³ AI embedded in regulated products under Annex I — medical devices, machinery, vehicles — moves to 2 August 2028.⁴

It would be a mistake to read that as a reprieve. Several obligations are already enforceable and unchanged: the ban on prohibited practices has applied since 2 February 2025,⁵ and obligations for general-purpose AI model providers have applied since 2 August 2025.⁶ Transparency rules — disclosure of AI interactions and labeling of synthetic content — are also arriving, alongside a new prohibition on non-consensual intimate imagery taking effect in December 2026.⁷ And the penalty structure is severe: the most serious violations can reach €35 million or 7% of global annual turnover,⁸ exceeding even GDPR's maximum of €20 million or 4% of global turnover.⁹

The practical takeaway for data and AI leaders: the deadline moved, the obligation didn't. The roughly 16 extra months are runway to build a durable compliance capability, not permission to defer it. And because formal adoption was still pending as of mid-2026, confirm the final text before locking your plan to any single date.

What high-risk obligations require of data and AI teams

Strip away the legal language, and the Act's high-risk requirements translate into a concrete to-do list that lands squarely on data and AI teams. High-risk systems must satisfy obligations spanning risk management, data governance and data quality, technical documentation, record-keeping, transparency, human oversight, accuracy, robustness, and cybersecurity.

In day-to-day terms, that means:

  • Data quality and bias controls. Training, validation, and testing datasets must meet quality standards, and you must examine them for bias and build mechanisms to detect and correct it across the lifecycle.

  • Documentation and provenance. You need detailed technical records of data sources, preparation methods, model development, testing, and ongoing monitoring — enough to demonstrate compliance and support explainability.

  • Risk management and human oversight. Ongoing assessment frameworks must evaluate negative impacts throughout a system's life, and humans must be able to intervene and override.

Here's the part teams underestimate: regulators don't ask for documentation. They ask for evidence: proof that the documentation reflects what is actually running in production, at the moment of the audit. A model card that was accurate in Q1 doesn't satisfy a Q3 examination. That single distinction is why so many compliance programs that look complete on paper collapse under scrutiny.

Why the standard approach to AI governance fails

Most organizations respond to this pressure by building a registry: a list of AI assets, maybe with attached documentation and a sign-off. It feels like a solution. It isn't.

The first problem is visibility. AI deployment is distributed and heterogeneous; models live in MLflow, agents run in custom pipelines, tools get built by individual teams and shipped without any central registry knowing they exist. The result is the shadow AI problem: a growing population of operational AI assets that are invisible to governance. And models, agents, and tools are distinct asset classes with different risk profiles and documentation requirements, so a system built for one rarely handles all three.

The second problem is drift. A static registry is a snapshot of your AI estate at the moment someone last updated it. But models get retrained, data dependencies shift, and regulations take effect. A model retrained on new data is a materially different risk object than the version approved six months ago, even under the same name. Nothing in a static system detects that drift — so the registry keeps looking authoritative while quietly becoming fiction. This is the document trap: mistaking documentation filing for documentation governance.

The scale of the underlying readiness gap is well documented. IBM's Institute for Business Value found that while most executives plan to expand their use of generative AI, fewer than half have adequately addressed the associated risks of trust and security.¹⁰ And Gartner has predicted that at least 30% of generative AI projects will be abandoned after proof of concept by the end of 2025,¹¹ naming poor data quality as one of the four primary causes alongside inadequate risk controls; poor data quality is precisely the problem governed data products are designed to solve at source. The gap isn't a values problem. It's a systems problem.

Image showing the difference between a static asset registry vs a living system of record for AI model management

The compliance operating model: An AI system of record

Compliance under the EU AI Act has to be continuous, not periodic — and that requires a different kind of foundation. A living AI system of record does five things a static registry cannot, and each maps directly to an Act obligation.

A complete AI asset registry

A single inventory of every model, agent, and tool across the enterprise, ingested from connected platforms or submitted via SDK, with each asset mapped to its upstream data dependencies. This is what eliminates shadow AI and gives every asset a searchable, lineage-backed profile — the precondition for any credible risk classification.

Evidence-backed model cards

Alation AI Governance generates model cards from live asset metadata, data dependencies, and applicable regulatory requirements, with every field citing its source. This replaces field-count completeness ("we filled in all the boxes") with evidence completeness ("here is the proof, and here is what still needs human verification") — exactly the standard the Act's technical documentation requirements demand.
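As an added illustration of the two distinctions drawn above (registry drift after a retrain, and evidence completeness versus field-count completeness), the following Python is not Alation's code and uses constructed asset, dataset and evidence names; it fingerprints what was approved, compares that with what is running now, and separates filled model-card fields from evidence-backed ones.

```python
import hashlib
import json

def fingerprint(obj):
    """Stable SHA-256 of a JSON-serialisable model or dataset-version descriptor."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

# Constructed sample (hypothetical names): the asset as approved in Q1 ...
MODEL_Q1 = {"name": "credit-scoring", "version": "1.4", "weights": "blob-a1"}
DEPS_Q1 = {"applications": {"product": "loan_applications", "version": 7},
           "bureau": {"product": "bureau_feed", "version": 3}}
APPROVED = {"model_sha": fingerprint(MODEL_Q1),
            "data_deps": {k: fingerprint(v) for k, v in DEPS_Q1.items()}}

# ... and what is running in Q3: retrained weights plus a refreshed bureau feed, same asset name.
LIVE = {"model": {"name": "credit-scoring", "version": "1.5", "weights": "blob-b7"},
        "data_deps": {"applications": DEPS_Q1["applications"],
                      "bureau": {"product": "bureau_feed", "version": 4}}}

# Model card: every field carries a value and the evidence record it cites (None = no citation).
CARD = {
    "evidence": {"lineage:applications", "lineage:bureau", "bias_report:2026-03"},
    "fields": {
        "training_data": {"value": "loan_applications v7", "source": "lineage:applications"},
        "bias_examination": {"value": "see report", "source": "bias_report:2026-03"},
        "human_oversight": {"value": "analyst can override", "source": None},
    },
}

def evidence_completeness(card):
    """Filled fields vs evidence-backed fields: a field counts as evidenced only if it cites a source in the evidence set."""
    filled = {k for k, f in card["fields"].items() if f["value"]}
    evidenced = {k for k in filled if card["fields"][k]["source"] in card["evidence"]}
    return {"filled": len(filled), "evidenced": len(evidenced),
            "needs_verification": sorted(filled - evidenced)}

def detect_drift(approved, live):
    """Diff the approved snapshot against production; a retrain or dependency refresh under the same name is drift."""
    findings = []
    if approved["model_sha"] != fingerprint(live["model"]):
        findings.append("model artifact changed since approval")
    for name, sha in approved["data_deps"].items():
        dep = live["data_deps"].get(name)
        if dep is None or fingerprint(dep) != sha:
            findings.append(f"dependency '{name}' missing or changed since approval")
    findings += [f"undeclared dependency '{n}'" for n in live["data_deps"] if n not in approved["data_deps"]]
    return findings

def compliance_state(approved, live, card):
    """'approved' only when nothing drifted and every filled field is evidence-backed."""
    if detect_drift(approved, live):
        return "reclassify"  # the approval describes a stale risk object
    if evidence_completeness(card)["needs_verification"]:
        return "remediate"   # unproven fields become remediation tasks
    return "approved"
```

Run against the constructed Q3 state it reports both the retrain and the refreshed feed and returns "reclassify"; with the Q1 state restored it still returns "remediate" because the human-oversight field is filled but cites no evidence.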

Agentic governance workflows

Approval routing driven by regulation applicability, not just org hierarchy. A high-risk EU AI Act asset routes to Legal and the CISO; a lower-risk asset follows the standard chain. Missing evidence automatically creates remediation tasks linked to the gap, and every action is logged in an append-only audit trail that can be exported in narrative form for regulators. That covers the Act's risk management, human oversight, and record-keeping obligations in one motion.

A regulation registry

Built-in support for the EU AI Act, the AI-relevant subset of GDPR, NIST AI RMF, and ISO 42001, with the ability to extend to new frameworks as they arrive. For enterprises operating across regions, this is what keeps obligations current without manual tracking as state-level AI acts and other regulations multiply.

A live executive dashboard

An on-demand compliance posture for CDOs, CIOs, CROs, and Chief Compliance Officers, showing an overall compliance score, a per-regulation breakdown with trend lines, and the top open risk items — all drillable to the underlying assets and evidence. A board-ready PDF exports in seconds with live metrics, not cached numbers. This is the difference between answering the board from the system and answering from a fire drill. Alation's broader approach to this is what we call outcome-based governance: declaring outcomes and delivering evidence continuously.

Image showing the 5 key capabilities of an AI system of record

The role of data products in maintaining compliant AI

Here is the capability pure-play AI governance tools cannot replicate: lineage from the AI model back to the data it was built on. Governing an AI asset without knowing its training data is like auditing a financial statement without access to the underlying transactions. Governed data is the foundation of governed AI, and data products are how that foundation gets operationalized.

A data product is a governed, documented, certified unit of data with a clear owner, a defined contract, and live quality scores. When the inputs to a high-risk AI system are managed as certified data products rather than ungoverned extracts, three things become possible at audit time. Model cards can cite specific data-dependency evidence. Approval workflows can verify whether a model's training data is actually certified before sign-off. And compliance records can surface live data quality scores for the exact inputs that produced the model.

That mapping is precisely what the Act's data governance and quality obligations require: bias examination, provenance tracking, and quality protocols. Those requirements are dramatically cheaper to satisfy when the underlying data is already governed and discoverable through a Data Products Marketplace, and the lineage from input to model is captured automatically rather than reconstructed under deadline.

McKinsey's 2025 State of AI research reinforces the payoff: organizations seeing the greatest returns from AI consistently outperform peers on governance practices — including defined processes for human validation of model outputs and fundamentally redesigned workflows — and are more than three times more likely than others to achieve transformative business impact.¹² Governance, done right, is the mechanism that makes AI trustworthy enough to scale — not the brake on it.

Cross-border compliance and data residency

The EU AI Act doesn't operate in isolation. It sits alongside GDPR and a patchwork of data residency and sovereignty rules, and high-risk AI training data and outputs implicate both where that data physically lives and which laws govern it. For multinational enterprises, the same asset inventory carries multiplying obligations.

The durable answer is the same principle that applies to AI governance generally: build compliance in by design rather than retrofitting it. As covered in our guide to data residency by design, that means location-aware architecture, automated controls that flag violations before they occur, and audit trails generated as a byproduct of operations rather than assembled after the fact. The teams that treat residency and AI compliance as one connected problem — rather than two separate scrambles — move into new markets faster and avoid the expensive retrofits that plague reactive approaches.

A practical EU AI Act compliance roadmap for 2026–2027

With the high-risk anchor now at December 2027 — and several obligations already live — here is how to sequence the work.

Next 90 days. Complete an AI asset inventory covering every model, agent, and tool, and run a preliminary Annex III risk classification on each. Confirm which obligations are already enforceable for you (prohibited practices, GPAI rules, transparency). Stand up a cross-functional governance group spanning data, legal, privacy, risk, and the business.

Near term. Map each asset to the regulations that apply to it. Generate evidence-backed model cards for your high-risk candidates, and certify the data products feeding those systems so their inputs carry provenance and quality evidence. Close documentation gaps as remediation tasks, not as a year-end project.

Through 2027. Move to continuous monitoring with drift detection, maintain a live compliance posture, and prepare for conformity assessments and EU database registration for high-risk systems. Confirm the final Digital Omnibus text once it is formally adopted, and adjust dates if needed.

Build a system for AI compliance

The question "Are we compliant?" is not going away. If anything, it will be asked more often, by more stakeholders, under more frameworks — the EU AI Act today, NIST AI RMF, ISO 42001, and state-level acts close behind. The deadline moved; the obligation didn't.

The organizations that answer the question well will be the ones that built a system for it rather than a process around it: governed data products feeding a single AI system of record that knows every asset, the regulations that apply to each, and whether the evidence is complete. That's how compliance stops being a fire drill and becomes a live, honest, drillable answer — and how responsible AI becomes a competitive advantage rather than a cost center.

Curious to see what that looks like in practice? Explore Alation AI Governance or read how we built a system of record for enterprise AI compliance.


Sources & Notes

Every external claim on this page is independently verifiable. The public sources are listed here.

  1. EU AI Act described as "the world's first comprehensive horizontal regulatory framework for artificial intelligence." — Gibson Dunn, EU AI Act Omnibus Agreement — Postponed High-Risk Deadlines and Other Key Changes (27 May 2026) ↗ https://www.gibsondunn.com/eu-ai-act-omnibus-agreement-postponed-high-risk-deadlines-and-other-key-changes/

  2. Risk-based approach, four tiers. — European Parliament, EU AI Act: First Regulation on Artificial Intelligence ↗ https://www.europarl.europa.eu/topics/en/article/20230601STO93804/eu-ai-act-first-regulation-on-artificial-intelligence

  3. Annex III high-risk standalone systems deferred to 2 December 2027 under the Digital Omnibus (provisional agreement 6 May 2026, pending formal adoption). — Gibson Dunn (see ¹)

  4. AI embedded in Annex I regulated products deferred to 2 August 2028. — Gibson Dunn (see ¹)

  5. Prohibited practices (Article 5) enforceable since 2 February 2025. — Gibson Dunn (see ¹)

  6. General-purpose AI model obligations (Articles 51–56) applicable since 2 August 2025. — Gibson Dunn (see ¹)

  7. New prohibition on AI-generated non-consensual intimate imagery takes effect 2 December 2026. — Gibson Dunn (see ¹); also confirmed by Latham & Watkins ↗ https://www.lw.com/en/insights/ai-act-update-eu-resolves-to-change-rules-and-extend-deadlines

  8. Most serious AI Act violations carry fines of up to €35 million or 7% of annual worldwide turnover. — Latham & Watkins, AI Act Update: EU Resolves to Change Rules and Extend Deadlines (13 May 2026) ↗ https://www.lw.com/en/insights/ai-act-update-eu-resolves-to-change-rules-and-extend-deadlines

  9. GDPR maximum penalty is €20 million or 4% of global annual turnover, lower than the AI Act's 7% ceiling. — EU Artificial Intelligence Act, Article 99 ↗ https://artificialintelligenceact.eu/article/99/

  10. IBM finding on executive plans to expand generative AI vs. readiness to address risk. — IBM Institute for Business Value, The CEO's Guide to Generative AI: Responsible AI & Ethics (October 2023; updated 2024) ↗ https://www.ibm.com/thought-leadership/institute-business-value/en-us/report/ceo-generative-ai/responsible-ai-ethics

  11. At least 30% of generative AI projects to be abandoned after proof of concept by end of 2025; causes include poor data quality, inadequate risk controls, escalating costs, and unclear business value. — Gartner, Press Release (29 July 2024) ↗ https://www.gartner.com/en/newsroom/press-releases/2024-07-29-gartner-predicts-30-percent-of-generative-ai-projects-will-be-abandoned-after-proof-of-concept-by-end-of-2025

  12. AI high performers are more than three times more likely than others to achieve transformative business impact; top distinguishing practices include governance processes for human validation and workflow redesign. — McKinsey & Company, The State of AI in 2025: Agents, Innovation, and Transformation (5 November 2025) ↗ https://www.mckinsey.com/capabilities/quantumblack/our-insights/the-state-of-ai


Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. GARTNER and Magic Quadrant are registered trademarks and service marks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.
