What the AI Act actually does
The EU AI Act regulates how AI systems are placed on the EU market and used in the EU, regardless of where the provider is headquartered. Its core mechanism is a risk-based classification: prohibited, high-risk, limited-risk and minimal-risk systems, each with proportionate obligations.
Prohibited practices include social scoring, manipulative biometric profiling at scale and certain real-time biometric surveillance. High-risk systems - including AI used in employment, education, access to essential services and critical infrastructure - carry the heaviest obligations: risk management, data governance, technical documentation, human oversight, accuracy and cybersecurity.
General-purpose AI models (foundation models) have their own track of obligations, with stricter rules for systemic-risk models above a compute threshold.
Timeline that matters
Prohibitions and AI literacy obligations took effect from February 2025. Obligations on general-purpose AI models apply from August 2025. High-risk obligations apply from August 2026, with extended timing for AI already in regulated products. Most enterprises should be operating under a working AI Act programme by mid-2026.
The penalty regime is meaningful: up to seven percent of worldwide annual turnover for prohibited practices, up to three percent for breach of obligations, and up to one and a half percent for supplying misleading information to authorities.
How to operationalise the Act
Inventory first. The single most common mistake we see is jumping to policy authoring before the AI inventory is mapped. The inventory drives everything else: classification, remediation priority, conformity pathway, transparency record.
Classification with the business in the room. Risk classification under Article 6 is a judgement call. Run classification with the relevant operational leads, not in a back office. They are the only people who can describe the actual decisional autonomy of the system.
Remediate in parallel. Documentation, post-market monitoring and conformity-assessment artefacts should accumulate as the system is built, not retrofitted at launch.
Build the operating model. AI Risk Committee, quarterly attestation, audit-pack template, reviewer rota. Without this, the inventory and policy decay within two quarters.
Where Moweb fits
We deliver AI Act-aligned engagements as our default - never as an extra. Our reference 14-week working plan has been run with multiple European mid-cap corporates, with the inventory-classification-remediation pattern publishing transparency records well ahead of the statutory deadline.
Our governance practice partners with notified bodies for formal conformity assessment on high-risk systems, and we publish AI Act-format technical documentation as part of every production audit pack.