The AI Playbook (Part 2): Deconstructing the EU AI Act

Introduction: A Law with Sharp, Extraterritorial Teeth
The "High-Risk" Trap: You're in It, Even if You Don't Think You Are
The New Crushing Operational Burden
The Mandate That Breaks Manual Compliance: "Post-Market Monitoring"
Conclusion

Introduction: A Law with Sharp, Extraterritorial Teeth

In Part 1, we established the fragmented global landscape. Now, we focus on the single most aggressive and comprehensive law in that landscape: the EU AI Act.

This is not a suggestion. It is not a framework. It is a law with sharp, extraterritorial teeth, and it will be enforced with penalties that rival GDPR—up to 7% of your global group annual revenue.

Like GDPR, the AI Act has massive extraterritorial reach. It does not matter if your company has offices in the EU. If your AI system's "output" is "used in the EU," your organization is on the hook. This applies to "providers" (those who build) and "deployers" (those who use) AI systems, meaning both you and your customers are now accountable.

The "High-Risk" Trap: You're in It, Even if You Don't Think You Are

The Act's power comes from its risk-based categorization: Unacceptable (banned), High, Limited, and Minimal. The critical mistake leaders make is assuming "High-Risk" only applies to niche applications like medical devices or critical infrastructure.

This is fundamentally incorrect. The Act's "High-Risk" list explicitly includes common, widespread enterprise use cases.

If your company uses AI for:

Employment: Recruitment, candidate selection, or performance evaluation
Finance: Assessing creditworthiness or calculating insurance risk
Access to Services: Determining eligibility for public assistance benefits
Legal: Any AI system intended to influence judicial functions

...then you are now operating "High-Risk AI." Your new HR resume-screening tool is a High-Risk AI system. Your bank's loan origination model is a High-Risk AI system. And with that classification comes a new, crushing operational burden.

The New Crushing Operational Burden

Being "High-Risk" is not a fine; it is a permanent, continuous compliance mandate. This is the "new work" your teams must now perform, and it is extensive.

The Act demands that providers of High-Risk AI systems establish and maintain:

1. A Mandatory "Risk Management System"

This is not a one-time check. It must be maintained "throughout the high risk AI system's lifecycle".

2. Strict Data Governance

You must prove your training data is "relevant, sufficiently representative" and, "to the best extent possible, free of errors" to avoid bias.

3. Technical Documentation and Logging

You must create and maintain extensive technical documentation before the model is placed on the market. The system must also be designed for "record-keeping" to log events automatically.

4. Human Oversight

The system must be designed to allow and facilitate effective human oversight.

5. Accuracy, Robustness, and Cybersecurity

You must design and test your system to achieve "appropriate levels" of all three.

The Mandate That Breaks Manual Compliance: "Post-Market Monitoring"

The mandates listed above are difficult. This one is the killer. The law demands a Post-Market Monitoring (PMM) system.

This is the provision that makes your old governance playbook obsolete. The EU AI Act has effectively codified the technical practices of MLOps (Machine Learning Operations) into law.

Requirements like "risk management throughout the...lifecycle" and "Post-Market Monitoring" mean that compliance is no longer a "snapshot-in-time" audit. It is a continuous video.

Your legal team is now on the hook for proving a model is safe, accurate, and fair in real-time, after deployment, forever. You cannot "set it and forget it." The Act operationalizes compliance and makes any static, manual system—like a spreadsheet—instantly indefensible.

Conclusion

The EU has given you the "what" (the law). Now, your technical teams need the "how." Next in Part 3: NIST's AI RMF, we'll explore the US-led practitioner's guide.