Skip to content
Hyperion Consulting logo - AI consulting and implementation services
Home
WorkInsightsAI LabAI AgentsVenturesPricingContact
Hyperion Consulting logo - AI consulting and implementation services

70% of AI pilots never reach production. I help you be the 30% that ships.

How I Help

  • AI Strategy Sprint
  • Pilot to Production
  • Production AI Systems
  • AI Development Training
  • EU AI Act Compliance
  • AI Agent Development
  • Cybersecurity for AI
  • AI for Cybersecurity
  • Industrial AI
  • Physical AI
  • Software-Defined Transformation
  • AI Tech Due Diligence
  • Startup-to-Scale
  • Red Team Due Diligence
  • AI Moat Forensics
  • Portfolio Value Engine
  • Technical Co-Founder Sprint
  • Investor Narrative Engineering
  • Series A War Room
  • Continuous Tech Monitoring
  • Exit Readiness
  • Post-Merger Tech Integration
  • Idea-to-MVP Sprint
  • Fundraising Tech Prep
  • SOC 2 Fast-Track

Company

  • The Hyperion Difference
  • Mohammed Cherifi
  • Work
  • Insights
  • Contact
  • Auralink SDC

Connect

  • contact.nospam@hyperion-consulting.iocontact at hyperion-consulting dot io
  • 126 Avenue du General Leclerc
    92100 Boulogne-Billancourt
    France

The 30% Report

70% of AI pilots never reach production. Get the playbook for the 30% that does.

Forbes Tech CouncilFrench Gov AI AmbassadorFranceNum Activateur
GDPR Compliant
EU AI Act Ready
ISO 27001 Aligned

© 2026 Hyperion Consulting. All rights reserved.

Privacy PolicyTerms of UseTerms of SaleLegal NoticeData Subject RequestEU Online Dispute ResolutionParis • Athens • Amsterdam
Back to InsightsAI Regulation

EU AI Act Compliance: The Complete Guide for August 2026

Mohammed Cherifi
October 15, 2025
12 min read

August 2, 2026. Mark it on your calendar.

That's the date when the EU AI Act's requirements for high-risk AI systems take full effect. The penalties for non-compliance reach €35 million or 7% of global annual turnover—whichever is higher. This isn't a distant concern. You have months, not years, to prepare.

This guide covers everything you need to know: which systems are affected, what compliance requires, and how to get there.

Understanding the Risk Classification

The EU AI Act categorizes AI systems into four risk levels:

Prohibited (Already in Effect)

Some AI practices are banned outright:

  • Social scoring by governments
  • Real-time biometric identification in public spaces (with limited exceptions)
  • Manipulation of vulnerable groups
  • Emotion recognition in workplaces and schools (with exceptions)

If you're doing any of these, stop immediately.

High-Risk (August 2026)

AI systems that significantly impact people's rights, safety, or access to essential services. This is where most enterprise attention should focus:

  • Credit scoring and lending decisions
  • Recruitment and employment decisions
  • Educational admissions and assessments
  • Access to essential public services
  • Law enforcement and border control
  • Critical infrastructure management

Limited Risk (August 2025)

AI systems requiring transparency obligations:

  • Chatbots must disclose they're AI
  • Deepfakes must be labeled
  • Emotion recognition systems must notify users

Minimal Risk (No Requirements)

AI systems posing minimal risk have no specific obligations. Most business AI falls here—spam filters, recommendation engines, internal analytics.

The High-Risk Requirements

For high-risk AI systems, the Act mandates comprehensive requirements under Articles 9-15:

Risk Management System (Article 9)

You must identify, analyze, and mitigate risks throughout the AI system lifecycle. This isn't a one-time assessment—it's ongoing.

Data Governance (Article 10)

Training, validation, and testing datasets must be relevant, representative, and free of errors. You must document data provenance and quality measures.

Technical Documentation (Article 11)

Detailed documentation demonstrating compliance. This includes system description, intended purpose, design specifications, and risk mitigation measures.

Record-Keeping (Article 12)

Automatic logging of system operations to enable traceability. Logs must be retained for the system's lifetime or as specified by law.

Transparency (Article 13)

Clear instructions for users explaining system operation, capabilities, and limitations.

Human Oversight (Article 14)

Design for effective human oversight. Humans must be able to understand, monitor, and intervene in AI decisions.

Accuracy, Robustness, and Cybersecurity (Article 15)

Systems must achieve appropriate levels of accuracy, be resilient to errors and attacks, and maintain cybersecurity.

The 6-Step Compliance Roadmap

Step 1: AI System Inventory

You can't comply with requirements for systems you don't know you have. Conduct a comprehensive inventory:

  • What AI systems are in use across your organization?
  • Who owns each system?
  • What decisions do they influence?
  • What data do they process?

Many organizations are shocked by this exercise. AI has proliferated faster than governance.

Step 2: Risk Classification

For each system, determine its risk category. Most challenging are borderline cases:

  • A chatbot is limited-risk. But a chatbot that influences financial decisions might be high-risk.
  • Analytics software is minimal-risk. But analytics that affects employment decisions is high-risk.

When in doubt, classify conservatively.

Step 3: Gap Analysis

For each high-risk system, assess current state against each Article requirement. Where are the gaps?

Common gaps include:

  • No bias testing framework
  • Insufficient explainability
  • No human oversight mechanisms
  • Incomplete documentation
  • Inadequate logging

Step 4: Technical Remediation

Implement the technical measures required to close gaps:

Bias Testing: Implement frameworks like Fairlearn or AIF360 to test for demographic parity, equalized odds, and other fairness metrics.

Explainability: Add SHAP, LIME, or other interpretability tools to enable explanation of individual decisions.

Human Oversight: Design review workflows for automated decisions, especially those with significant impact.

Logging: Implement comprehensive audit trails for model inputs, outputs, and decision factors.

Step 5: Documentation

Create compliant technical documentation. This is substantial work—expect weeks, not days, per system.

Key documentation elements:

  • System description and intended purpose
  • Risk assessment and mitigation measures
  • Data governance procedures
  • Accuracy metrics and validation results
  • Human oversight mechanisms
  • Instructions for use

Step 6: Ongoing Compliance

Compliance isn't a destination—it's a process. Establish:

  • Regular bias testing and monitoring
  • Model drift detection
  • Documentation updates for system changes
  • Audit trails and incident response procedures
  • Regular compliance reviews

Practical Implementation Tips

Start with Credit Scoring

If you use AI for credit decisions, start there. Credit AI is clearly high-risk, well-understood by regulators, and typically your highest-impact system.

Leverage Existing Frameworks

Don't build from scratch. Use established tools:

  • MLflow for model registry and documentation
  • Evidently AI or WhyLabs for monitoring
  • Fairlearn for bias testing
  • SHAP for explainability

Build Templates

Once you've complied for one system, template the approach. Your second high-risk system should take half the time.

Get External Review

Before regulators audit you, pay someone else to. External compliance reviews identify gaps before they become violations.

The Competitive Opportunity

Compliance sounds defensive, but it's also a competitive opportunity:

  • Compliant AI is trustworthy AI. Use compliance as a sales differentiator.
  • The compliance process improves AI quality. Better documentation means better systems.
  • Early compliance builds expertise. You'll be helping partners and customers who started late.

Timeline Reality Check

You have roughly seven months. Is that enough time?

For organizations that have already started AI governance work: probably yes, if you prioritize aggressively.

For organizations starting from zero: it's going to be tight. Begin immediately. Consider external help to accelerate.

The August 2026 deadline is not flexible. The penalties are not negotiable. The time to act is now.

AI Disclosure: This article was created with AI assistance and reviewed by Mohammed Cherifi. AI tools were used in research, drafting, and editing.

Share:
Mohammed Cherifi
Mohammed Cherifi
Founder & Principal Consultant
Weekly AI Insights

The 30% Report

70% of AI pilots never reach production. Get the playbook for the 30% that does.

Unsubscribe anytime. No spam, ever.

Related Articles

Want to Discuss These Ideas?

Book a free consultation call to explore how these concepts apply to your specific situation.

AI Regulation

EU AI Act Countdown: What to Do Before August 2026

The EU AI Act enforcement deadline is approaching fast. Here's a practical compliance roadmap for enterprise AI teams — with timelines, risk classifications, and concrete action items.