AI Act: the last four weeks to get the company in order

Over the past few months, the AI Act has been an issue that many companies could put off dealing with. Today, there is practically no time left to delay—the coming weeks will reveal which organizations have incorporated these regulations into their AI management strategies, and which still don’t even know where artificial intelligence is being used within their structures.

12 Min Read
Unia Europejska Komisja Europejska

In a few weeks’ time, organisations using artificial intelligence will enter a new phase of accountability. Not because the entire AI market will change overnight, but because, from 2 August 2026, it will be much harder to explain that an organisation does not know where it is using artificial intelligence, who is responsible for it, and what risks are associated with its use.

The AI Act is no longer an abstract regulation from Brussels or a topic put off until the future. For many companies, it is becoming a practical test of operational maturity. In the final weeks leading up to this crucial date, the aim is not to rush into building a perfect compliance system. The aim is to address the highest-risk areas and demonstrate that the company is managing AI in a responsible manner.

The AI Act starts with the organisation, not with the law

The biggest mistake would be to treat the AI Act solely as a task for the legal department. Of course, regulations, definitions and obligations matter. However, the first question that should be asked within a company today is much simpler: where exactly are we using AI?

In many organisations, the answer is not obvious. Marketing uses content-generation tools, sales uses systems to support customer analysis, HR uses candidate selection applications, the finance department uses scoring models, and employees are independently testing publicly available generative tools. Some of these solutions have been formally implemented. Some operate as add-ons to systems already in use. Some exist without the IT department’s knowledge.

This is precisely why the final weeks leading up to 2 August should begin with a stock-take. Not with a multi-page policy, not with the purchase of yet another compliance platform, and not by blocking everyone’s access to AI tools. First, the company must know which systems it uses, in which processes, on what data, and what impact they have on customers, staff or business decisions.

Without this knowledge, it is impossible to assess risk sensibly. Nor is it possible to answer the question of which systems may be considered high-risk and which fall within the scope of lower obligations. The AI Act does not treat all applications of artificial intelligence equally. A chatbot answering questions about a product has a different significance to a system supporting recruitment, employee assessment, access to credit or insurance decisions.

The most important decision is to identify the owner of the AI

The second step should be to establish responsibility. In practice, this is one of the most underestimated issues. AI within a company often falls between departments. IT is responsible for the infrastructure, the business side for the process, the legal department for regulatory risks, compliance for procedures, and security for data protection. As a result, everyone is involved, but no one owns the whole picture.

The AI Act reinforces the need for a clear division of roles. A company should know whether, in a given case, it is the supplier of the AI system, the implementer, the importer, the distributor or the user of a solution provided by an external partner. This is not a mere formality. The scope of duties, documentation and liability depends on this classification.

That is why the board should ask a very specific question today: who in the organisation has the mandate to make decisions about AI? It is not about creating a new role for the sake of it. It is about a process in which new AI implementations no longer pass through the company haphazardly, but are assessed in terms of data, risk, the supplier, the intended use and the impact on the user.

In smaller companies, the role of coordinator may be fulfilled by the owner, the chief operating officer or the person responsible for IT. In larger organisations, a team combining technology, legal, security, HR and business will be needed. One thing, however, is key: responsibility for AI must not be spread thinly across departments.

Not all artificial intelligence poses a high risk

A great deal of misunderstanding has arisen around the AI Act. One such misconception is the belief that any company using AI automatically becomes a high-risk organisation. This is not true. The regulation is based on risk classification and differentiates obligations depending on the application of the technology.

For businesses today, the most important areas are those where AI affects people’s lives. Recruitment, employee assessment, education, credit scoring, access to services, security, health and law enforcement are categories in which regulatory risk is increasing significantly. A company using AI simply to support office work is in a different situation to an organisation that uses algorithms to pre-select candidates or automatically assess customers.

In the final weeks leading up to the key deadline, it makes no sense to treat all tools in the same way. Priority should be given to systems that make decisions, recommend decisions or have a real impact on people. These are the ones that require the most detailed description, documentation, oversight and risk assessment.

A register of AI systems is a good minimum requirement. It should include the name of the solution, the supplier, the business owner, the intended use, the type of data processed, the user group, a risk assessment and information on whether the system influences decisions concerning people. Such a document does not solve all problems, but it provides a starting point for further management.

The coming weeks should bring clarity to how AI is managed

Four weeks is not enough to build a comprehensive AI governance model in a large organisation. However, it is sufficient to mitigate the most obvious risks. A company can assess where it uses AI, assign system owners, identify potentially high-risk applications, review contracts with suppliers and prepare basic documentation.

Particular attention should be paid to suppliers. Many organisations use AI embedded in tools that were already part of their IT environment: CRM systems, HR systems, marketing platforms, analytics solutions and office suites. This is convenient, but it can create the illusion that responsibility lies solely with the software manufacturer. Meanwhile, the company implementing the system still needs to know what it is using it for, what data it processes and what decisions it supports.

The second area is staff training. AI literacy should not be treated as a mere formality to be ticked off a list. Staff must understand what they must not do with AI tools: enter confidential data into public systems, generate content without oversight, automate decisions affecting people without supervision, or use tools outside the organisation’s established policies. In practice, this is one of the simplest ways to mitigate risk.

The third element is documentation. This does not necessarily mean hundreds of pages of procedures straight away. As a first step, a set of basic information is sufficient: a register of systems, risk classification, owners, oversight rules, an incident reporting procedure, a policy on the use of generative AI, and confirmation that staff who come into contact with AI systems have undergone training.

What not to do in the final month

It is easy to make the wrong decisions when in a rush. The worst of these would be to treat the AI Act as a reason to halt all AI projects. The regulation is not intended to stifle innovation, but to enforce greater transparency and accountability. A company that simply bans the use of AI does not solve the problem. Often, it merely pushes it into a grey area.

It is equally risky to purchase tools labelled as ‘AI Act-compliant’ without understanding your own processes. No technological solution can replace organisational decision-making. If a company does not know who is using AI, for what purpose and on what data, even the best compliance platform will not clarify responsibilities.

Nor is it worth waiting for all interpretations and implementing regulations. Regulatory practice will continue to evolve for a long time to come, but the fundamental questions are already clear. Do we have a register of systems? Are we aware of high-risk applications? Do we know who is responsible for AI? Do employees understand the rules? Can we demonstrate to the regulator that we are managing risk?

The AI Act does not mark the end of work on AI. It merely brings order to it

2 August 2026 will not mark the end of the AI Act’s implementation. Rather, it will be the beginning of a new standard for managing artificial intelligence within organisations. In the coming months, we will see interpretations, regulatory practice, further guidelines, standards and contractual requirements from clients and partners.

Therefore, the greatest advantage will not be flawless documentation prepared at the last minute. It will be an organisation’s ability to manage AI on an ongoing basis: from the initial idea for implementation, through risk assessment, to monitoring the system’s operation and responding to incidents.

Companies that treat the AI Act solely as a legal obligation will most likely view it as a cost. Those that treat it as an opportunity to clarify responsibility for AI may gain something more: greater control over the technology, increased customer trust and a more mature approach to decision-making regarding automation.

So, in the coming weeks, there is no need to answer every question about the future of artificial intelligence. What is needed is to answer a few key questions about your own organisation. Where is AI being used? Who is responsible for it? What decisions does it support? What data does it process? And can the company document this?

This may well be the most important test ahead of 2 August.

Share This Article