Compliance · 22 May 2026 · 6 min read

The EU AI Act: a practical checklist for companies

What the AI Act means in practice and how on-premise AI helps you stay in control.

The EU AI Act is now in force, and most provisions affecting businesses deploying AI systems apply from August 2026. If your organisation uses AI to support decisions in areas such as HR, credit assessment, access to education, or critical infrastructure management, you are likely dealing with a high-risk system under the Act's classification. This checklist is a practical starting point — not legal advice — to help you understand what is required and why on-premise AI with Privonis can make compliance considerably easier.

Step 1: classify your AI system by risk category

The Act divides AI systems into four tiers: unacceptable risk (prohibited), high risk (strict obligations), limited risk (transparency obligations) and minimal risk (no specific requirements). Most enterprise AI deployments — recruitment tools, customer scoring, document processing for regulated decisions — fall into high risk or limited risk. Misclassifying a high-risk system as limited risk is the single most common compliance error at this stage.

[Figure: checklist icon] A structured checklist reduces the risk of overlooking compliance obligations.

Step 2: build your technical documentation

High-risk systems must be accompanied by detailed technical documentation before they are placed on the market or put into service. This documentation must describe the intended purpose, the training data used, the performance metrics, the foreseeable misuse scenarios and the risk management measures. If you are deploying a third-party foundation model via an API, obtaining this documentation from the provider may be difficult or impossible. Self-hosted models give you full visibility into the stack.

  • General description: intended purpose, version history, interaction with other systems.
  • Design and development: data governance, training methodology, architecture description.
  • Validation and testing: performance metrics, test datasets, known limitations.
  • Risk management: identified risks, mitigation measures, residual risk assessment.
  • Post-market monitoring: plan for tracking performance once deployed.
  • Logs and records: audit trail of system outputs, especially for high-stakes decisions.

Step 3: implement human oversight mechanisms

The Act requires that high-risk AI systems be designed so that natural persons can effectively oversee them and intervene during use. In practice, a human operator must be able to stop, override or correct the system, and the interface must present outputs in a way that a competent human can meaningfully interpret and challenge. Autonomous decision-making without a human in the loop is permissible only in tightly scoped scenarios, and even then with full logging.

Compliance is not a checkbox — it is an architecture decision. Build oversight in from day one, not as an afterthought.

Step 4: data governance and overlap with GDPR

The AI Act introduces data governance requirements for training and validation datasets that sit alongside — and in some areas overlap with — your existing GDPR obligations. You must document the provenance of training data, ensure it is representative and free from biases that could lead to discriminatory outputs, and retain records of data processing decisions. If personal data is involved (and in most enterprise contexts it will be), your AI system's data processing activities must also be covered by a GDPR-compliant lawful basis, a data processing agreement with any processor, and where applicable a data protection impact assessment (DPIA).

[Figure: shield icon] On-premise AI keeps personal data within your jurisdiction, simplifying both AI Act and GDPR obligations.

Why on-premise AI simplifies compliance

When you send data to a cloud AI API, you introduce a third-party processor, a potential cross-border data transfer, and a dependency on that provider's documentation and audit capabilities — all of which create compliance complexity. Running AI on your own infrastructure with Privonis eliminates the third-party data flow entirely. You control the model, the logs, the access permissions and the retention policy. Your data stays in the EU. Your audit trail is yours. This is not just about privacy: it is about being able to demonstrate compliance to a regulator with evidence you actually hold. The AI Act is complex, but the companies best placed to meet its demands are those that maintain genuine control over their AI systems from the start.
