Three mistakes enterprises are making on EU AI Act compliance—and how to fix them before December 2027

The EU AI Act high-risk compliance deadline is December 2027. Three operational mistakes CISOs are making—and how to fix them before the audit arrives.

EU AI Act compliance is catching up with the fast-paced development of frontier AI models and their deployment across enterprises. From the continent that gave us the forward-looking General Data Protection Regulation (GDPR) framework in 2018 comes another sweeping act, one that reshapes corporate compliance by establishing a global, risk-based governance framework for enterprise AI systems and tools.

While GDPR regulates how personal data is collected, stored, and processed, the EU AI Act — which came into force on August 1, 2024 — regulates the safety, transparency, and risk level of AI systems. Given that an AI model is essentially a black box to the organization deploying it, the Act is timely and critical for trustworthy AI deployment across enterprises.

Who does the EU AI Act apply to?

The EU AI Act applies to any entity whose AI systems or outputs touch the European Union market, regardless of where the company is physically headquartered. It identifies specific corporate roles and imposes different legal obligations on each:

  • Providers: Companies that develop an AI system (or a general-purpose AI model) and place it on the EU market or put it into service under their own name or trademark.
  • Deployers: User organizations (like enterprises) that use an AI system under their own authority in the course of an industrial or professional activity.
  • Importers and Distributors: Supply chain entities that bring foreign AI systems into the EU or make them available on the European market.
  • Product Manufacturers: Companies that integrate an AI system into their own regulated safety products (medical devices, cars, or aviation equipment) under their own brand.

Let's look at the EU AI Act through the lens of enterprises—or, as the Act calls them, "Deployers."

EU AI Act obligations for enterprise deployers

Before looking at an enterprise's obligations under the Act, it helps to see how the EU AI Act classifies AI tools and systems by risk level. Enterprises must audit and categorize every AI tool according to the four risk categories shown below:

| Risk Level | AI Application Core Examples | Deployer Compliance Deadline | Mandatory Enterprise Actions |
|---|---|---|---|
| Unacceptable Risk | Social scoring, deceptive workplace emotion recognition, untargeted facial scraping. | Passed (February 2, 2025) | Immediate Ban: Systems must be decommissioned or blocked from corporate networks. |
| High Risk (Standalone / Use-Based) | Recruitment screening, credit scoring, workspace monitoring, infrastructure management. | December 2, 2027 (Extended from Aug 2026) | Full Governance: Fundamental Rights Impact Assessments (FRIA), logs, operational human oversight. |
| High Risk (Product-Regulated) | AI built into medical devices, machinery safety systems, lifts, or aviation components. | August 2, 2028 (Extended from Aug 2027) | Procurement Review: Verify that the product vendor has obtained CE conformity marking. |
| Limited Risk | Customer-facing chatbots, corporate generative AI text/image creators. | August 2, 2026 (Watermarking: Dec 2, 2026) | Transparency: Disclose AI use to users. Ensure synthetic content is watermarked. |
| Minimal Risk | Spam filters, spreadsheet data optimization tools, calendar automation. | No Deadline | Voluntary Codes: Adhere to basic company data security and standard IT controls. |

Severe tiered penalties can reach up to €35 million or 7% of total global annual turnover—whichever is higher—for prohibited practices.

What CISOs must do before the December 2027 EU AI Act deadline

In my discussions with enterprise compliance teams, I consistently see three fundamental mistakes being made when it comes to meeting the December 2027 deadline for high-risk AI systems.

Mistake 1: Treating mandatory compliance actions as a documentation exercise rather than operational evidence. Your Word document describing an AI system is not evidence that the system behaved correctly last week. Article 19 requires automatically generated operational logs — not policies written about what the system is supposed to do.

Mistake 2: Assuming your vendor's compliance is your compliance. This is the one I hear most often. OpenAI and Anthropic are SOC 2 compliant—but that covers their infrastructure, not your organization's usage. Article 14 (Human Oversight) applies to the deployer — the enterprise — not the provider. The auditor will not accept a vendor's compliance certificate as evidence of your governance.

Mistake 3: Governing deployment but not operation. Pre-deployment review of an AI system is necessary but not sufficient. What is required is operational governance under Article 19 — logging and monitoring every request, every day, not just at launch.

The December 2027 deadline is 18 months away, and not all enterprises are ready. The extension from August 2026 gives enterprises a genuine opportunity to build the operational infrastructure the Act demands. Here is how to use that time:

  1. Run an Article 25 check. Ensure your engineering teams have not modified the original vendor model's instructions so substantially that your organization is legally reclassified as a provider rather than a deployer. This reclassification significantly increases your compliance obligations.
  2. Enforce human oversight controls. Design internal systems to require human sign-off before any high-risk AI output is finalized—final HR shortlists, credit approval decisions, and infrastructure management actions. That also means every request to an AI model is policy-checked, PII-redacted, and injection-blocked before it reaches the model.
  3. Automate system logging. Verify that your applications automatically log every AI operation — every prompt, every request — and preserve these logs for a minimum period to guarantee post-market monitoring and traceability. A compliant log captures the model name, department, timestamp, and governance decision for each request. The audit trail must be immutable and searchable.
  4. Initiate Fundamental Rights Impact Assessments (FRIA). Before deploying high-risk AI systems internally or within the EU market, mandate that your risk and compliance teams conduct a formal FRIA detailing how the system impacts fundamental rights and user data protections.
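As an added illustration of steps 2 and 3 above (example code, not from the original article): a minimal Python request gateway that PII-redacts and policy-checks each prompt before it would reach a model, holds high-risk uses that lack human sign-off, and records model name, department, timestamp and governance decision in a hash-chained, tamper-evident audit log. The model and department names, the high-risk use-case set and the injection denylist pattern are constructed placeholders.

```python
import hashlib, json, re
from datetime import datetime, timezone

# Constructed placeholders: use cases classified as high risk, whose outputs need human sign-off.
HIGH_RISK_USES = {"hr_shortlist", "credit_approval", "infra_change"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
INJECTION_RE = re.compile(r"ignore (all )?(previous|prior) instructions", re.I)  # toy denylist only
AUDIT_LOG = []  # append-only in-memory audit trail; each entry chains to the previous entry's hash
GENESIS = "0" * 64

def redact_pii(text):
    """Strip e-mail addresses before the prompt leaves the organization."""
    return EMAIL_RE.sub("[REDACTED_EMAIL]", text)

def governance_decision(prompt, use_case, human_signoff):
    """Policy check: block injection attempts, hold high-risk uses lacking sign-off."""
    if INJECTION_RE.search(prompt):
        return "blocked_injection"
    if use_case in HIGH_RISK_USES and not human_signoff:
        return "held_for_human_oversight"
    return "allowed"

def _chain_hash(body, prev_hash):
    """Hash of the entry body plus the previous entry's hash (tamper-evident chain)."""
    return hashlib.sha256((json.dumps(body, sort_keys=True) + prev_hash).encode()).hexdigest()

def gate_request(model, department, use_case, prompt, human_signoff=False, log=AUDIT_LOG):
    """Run the pre-model checks and record model, department, timestamp and decision."""
    redacted = redact_pii(prompt)
    decision = governance_decision(redacted, use_case, human_signoff)
    body = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "model": model, "department": department, "use_case": use_case,
        "decision": decision,
        "prompt_sha256": hashlib.sha256(redacted.encode()).hexdigest(),  # digest, not the text
    }
    prev = log[-1]["hash"] if log else GENESIS
    log.append({**body, "hash": _chain_hash(body, prev)})
    return decision, redacted

def verify_chain(log):
    """Recompute every hash; an edited or deleted entry breaks the chain."""
    prev = GENESIS
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if _chain_hash(body, prev) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True
```

In production the log would be shipped to write-once storage and the chain head anchored externally, so that an auditor can verify the trail without trusting the application host.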

-A human writer, Srikant