5 Signs Your Organisation Isn't Ready for the EU AI Act

August 2, 2026. That's the compliance deadline for high-risk AI systems under the EU AI Act. Five months away. It sounds like plenty of time. For some organizations, it is. For others, it's a disaster waiting to happen because they lack basic foundations. Here are five clear signs you're not ready, and what you actually need to do about each one.

Sign 1: You Don't Have an AI System Inventory

If you cannot answer the question "What AI systems do we actually use?", you're not ready. You cannot classify risk for systems you don't know exist. You cannot implement compliance controls for systems you haven't identified. Many organizations think they run 3-5 AI systems. When they actually investigate, the number is usually 15-50.

What to do: Run an inventory workshop. Spend 2-3 days with representatives from every department. Have them list every system they know about that uses machine learning, predictive logic, or automated decision-making. Include systems embedded in enterprise software, SaaS tools you subscribe to, and homegrown systems. Aim for completeness, not perfection. You need a list of candidates, not a final directory.

Sign 2: Your Legal Team Is Running This Alone

If this is a legal compliance initiative with zero technical involvement, it will fail. Article 9 requires technical documentation of system design. Article 14 requires deep knowledge of system behavior to implement human oversight. Article 15 requires understanding bias detection and testing. Legal cannot do this alone. It's like asking someone to run a pharmaceutical validation program who has never worked in pharma.

What to do: Immediately involve engineers, product managers, and data scientists. Legal's role is to interpret requirements and enforce deadlines. Technical people's role is to design and implement controls. You need both perspectives, and they need to work together from now on.

Sign 3: You're Treating This Like GDPR 2.0

GDPR is about data. The EU AI Act is about systems. GDPR asks: what data do you collect, who has access, how long do you store it? The AI Act asks: what does this system do, how does it make decisions, what risks arise from those decisions, how do you control for those risks? They're different governance problems requiring different expertise. If your response to AI Act compliance is "we'll add it to our data governance framework," you're not ready.

What to do: Build a separate AI governance structure. You still need data governance for GDPR. But AI governance requires its own inventory, risk classification, documentation standards, and oversight mechanisms. Don't conflate them.

Sign 4: Nobody Owns AI Governance

"Everyone's responsibility" is another way of saying "nobody's responsibility." If your organization hasn't named a single person with clear authority over AI governance—someone who can escalate issues, halt deployments, and answer for violations—then governance won't happen. Committees cannot own accountability. People can.

What to do: Name an AI governance owner today. Not a committee. One person. Give them budget authority, escalation rights, and clear mandate. In a smaller organization, this might be the CTO or Chief Product Officer. In a larger one, it should be a dedicated role. That person is now accountable for compliance. Make this decision explicit.

Sign 5: You're Waiting for Final Guidance

Guidance is useful. But the legal text is final. The requirements are knowable. You have Article 11 (technical documentation requirements), Article 12 (logging requirements), Article 14 (human oversight requirements), Article 9 (continuous risk management). These are concrete. Stop waiting for clarification and start implementing against what you already know.

What to do: Use the assessment tool on this site to classify your systems as high-risk or limited-risk. Once classified, the requirements are clear. For high-risk systems, document the system design, establish human oversight, implement continuous monitoring, and maintain audit logs. For limited-risk, ensure transparency. You don't need more guidance. You need action.

Good News

Five months is enough time to address all of these if you start now. An inventory workshop takes one week. Bringing in technical leadership takes one conversation. Building a governance structure takes two weeks. Naming an owner takes one decision. The organizations that will struggle on August 2 are the ones waiting today. The organizations that will succeed are the ones that moved now.

You're either getting ready or you're getting caught. The time to choose is this week, not next month.