28 May 2026
AI Act 2026 — a readiness checklist for the board
Full enforcement of the AI Act begins on 2 August 2026. The obligations also apply to companies that “merely use” off-the-shelf AI tools. Here are ten questions every board should be able to answer — and what to do with every “I don’t know”.
1. What uses AI, and where?
Start with an inventory: production systems and integrations, but also the private ChatGPT accounts and plugins that IT cannot see (“shadow AI”). Without that list, no risk classification makes sense.
2. Which systems are “high-risk”?
The AI Act classifies systems by risk. Most business uses are limited or minimal risk, but recruitment, scoring, or safety-relevant systems can be “high-risk” — requiring full documentation and oversight.
3. Do employees have the required AI literacy?
Article 4 requires ensuring “AI literacy”. This is not a prompt workshop, but a practical understanding of where AI helps, where it hallucinates, and how to oversee its output.
4. Are we sure we use no prohibited practices?
Some bans have applied since February 2025 (Art. 5): social scoring, manipulative techniques, and emotion recognition at work and school, among others. Close this one first — a ban cannot be “documented” away; you simply must not break it.
5. Do people know they are talking to AI?
Article 50 requires transparency: a user must know they are talking to a chatbot, and AI-generated content (including deepfakes) must be labelled. Check every customer touchpoint — this is usually the cheapest compliance to implement.
6. Who oversees the system and can stop it?
For higher-risk uses the AI Act requires meaningful human oversight (Art. 14) — not a dummy button. There must be a person who understands the model’s output, can challenge it, and can switch the system off before it does harm.
7. Where does the data come from, and what goes into the models?
Data quality and provenance decide both compliance and whether the model discriminates against anyone. The flip side: watch what employees paste into public models — personal data and company secrets should not leave the organisation unchecked (this is where the AI Act meets GDPR).
8. Which models (GPAI) do our tools run on?
Most companies use AI through general-purpose models (GPT, Gemini, Llama). Some obligations sit with their providers, but you are responsible for how you use them. You need to know which model sits under each tool, and on what terms.
9. Would we pass an inspection — and what do we do when AI fails?
High-risk systems need technical documentation and operating logs (Art. 11–12). Whatever the risk level, keep a simple procedure: who responds when the model is wrong, and how you report a serious incident. Compliance is a process, not a binder.
10. Who in the company owns AI?
Name an owner: the person or role accountable for AI oversight, decisions, and contact with the regulator. Check vendor contracts too — who takes on which part of compliance. Without clear accountability, every point above becomes nobody’s job.
What’s next
A compliance audit settles the inventory and classification questions within weeks and gives you an action plan right away. It is a working document, not a decorative binder.