The EU AI Act cares about evidence, not intent

When National Competent Authorities begin enforcement on August 2, 2026, they will ask organisations what AI systems they operate, how those systems are being used, and what controls are in place. Many organisations will struggle to answer these questions.

The Shadow AI Problem is Bigger Than You Think

We have been here before. When cloud computing arrived, IT departments spent years chasing down unauthorised SaaS subscriptions, known as Shadow IT. Shadow AI is the same problem running at a dramatically higher speed.

More than 80% of workers, including nearly 90% of security professionals, use unapproved AI tools in their jobs. The people responsible for enforcing your security policies are among the most likely to be circumventing them with AI tools you have never reviewed or approved.

The channels are varied and often invisible to security teams:

• Browser extensions. A marketing employee installs an AI writing assistant. A lawyer uses a browser-based summarisation tool to review contracts. Neither is reviewed by legal or IT.
• Embedded features. Enterprise software vendors have rolled out AI features that activate without a separate purchase decision. Your existing vendor agreements may not adequately govern what those features do with your data.
• Developer shortcuts. Engineers use unapproved large language models to refactor code, write tests, or debug production issues. Proprietary source code and data enter third-party model APIs without any review of where that data goes or how it is stored.

About 38% of employees share confidential data with AI platforms without approval. Every one of those interactions is a potential compliance issue under the EU AI Act.

Why the Spreadsheet Audit Fails

Most GRC teams begin their AI Act readiness work with what might be called a stock take. Department heads receive a survey and fill it in based on what they know about, or feel comfortable disclosing. The results get compiled into a spreadsheet. A compliance tick appears next to “AI Inventory.”

This approach has three fundamental problems under the EU AI Act.

First, it captures a moment in time. AI adoption inside organisations moves faster than any quarterly audit cycle. A new tool can be adopted by an entire department in an afternoon. A CRM platform can enable a new AI feature overnight, rendering the inventory obsolete.

Second, it relies on self-reporting from people who may not understand what they are using. A department head who approves an AI-assisted analytics tool may not know it routes queries through a third-party LLM, or that it qualifies as a high-risk system.

Lastly, it creates a false sense of control. A documented inventory that misses 60% of actual AI usage is not an adequate compliance asset in a regulatory investigation.

The High-Risk System

The EU AI Act classifies AI systems used for recruitment, employee evaluation, credit scoring, and access to essential services as high-risk under Annex III.

In practice, this means if an employee in your HR team is using an AI tool to screen CVs or score candidates without formal approval, your organisation has deployed a high-risk AI system. You are subject to the obligations that come with that classification, even if you didn’t know about it.

Article 12 states that deployers of high-risk systems must ensure those systems allow for the automatic recording of events throughout their lifetime, retained for a minimum of six months. You cannot log systems you have not discovered, or govern what you cannot see.

Regulation Requirements

The Act defines two primary roles. Providers, who develop and place AI systems on the market, and deployers, who use those systems in their own operations. Most European enterprises are deployers.

• Article 26 places ongoing monitoring obligations on deployers of high-risk AI systems. 
• Article 9 requires a documented risk management system. 
• Article 10 governs data quality and data governance. 

Together, these obligations require a technical foundation, not a document library.

Under Article 99, non-compliance with high-risk AI system requirements can result in fines of up to €15 million or 3% of total worldwide annual turnover. For violations of Article 5’s prohibited practices, that rises to €35 million or 7% of global turnover. 

The 15-Minute Standard

The question for every CISO and GRC leader is not whether they have completed an AI inventory, it’s whether their inventory is accurate, continuous, and audit-ready.

FireTail takes a different approach. Rather than relying on surveys and spreadsheets, we deploy automated discovery across your entire environment, covering cloud infrastructure, browser-based activity, and application-level AI integrations. Within 15 minutes of deployment, you have a living, continuously updated inventory of every AI model, integration, service and prompt.

This inventory is the foundation for everything else the EU AI Act requires: risk classification, logging, monitoring, and governance.

The August 2026 Deadline

The prohibited practices provisions of the Act have been in force since February 2025 and the governance rules for general-purpose AI models became applicable in August 2025. But the full obligations for high-risk AI systems take effect on August 2, 2026.

Organisations without a verified, technical AI inventory will not be able to demonstrate compliance with the most basic requirement the Act imposes. Regulators will not accept outdated spreadsheets as evidence of ongoing governance.

The first step to EU AI Act compliance is knowing what you are governing. This requires automation, not administration.

‍