EU AI Act Compliance: What Enterprise AI 'Deployers' Need to Know
The EU AI Act isn't just for model builders. If your organization uses third-party AI tools like Microsoft Copilot, ChatGPT, and Claude, you're likely subject to EU AI Act compliance requirements as a "deployer" of AI systems. While many security leaders assume this regulation only applies to companies developing AI systems, the reality is far more expansive.
The stakes are significant. The EU AI Act officially entered into force on August 1, 2024. However, it’s important to note that for Deployers of high-risk AI systems, most obligations will not be fully enforceable until August 2, 2026. Once active, the Act employs a tiered penalty structure: non-compliance with prohibited AI practices can reach up to €35 million or 7% of global revenue, while violations of high-risk obligations (the most likely risk for deployers) can reach up to €15 million or 3% of global revenue., emphasizing the need for early preparation.
For security leaders, this presents both a challenge and an opportunity. AI adoption can drive significant competitive advantage, but doing so responsibly requires robust risk management and strong data protection practices. In other words, compliance and safety are not just regulatory hurdles, they’re enablers of trustworthy and effective AI deployment.
Why the Risk-Based Approach Changes Everything for Enterprise AI
The EU AI Act establishes a four-tier risk classification system that fundamentally changes how organizations must think about AI governance. Unlike traditional compliance frameworks that apply blanket requirements, the AI Act's obligations scale based on risk level.
The critical insight for security leaders: classification depends on use case, not the technology itself. A general-purpose AI tool like ChatGPT or Microsoft Copilot starts as "minimal risk" but becomes "high-risk" based on how your organization deploys it. This means the same AI platform can have different compliance obligations across different business units within the same company.
Deployer vs. Developer: Most Enterprises Are "Deployers"
The EU AI Act establishes distinct responsibilities for two main groups: AI system providers (those who develop and place AI systems on the market) and deployers (those who use AI systems within their operations).
Most enterprises today, especially those using third-party tools such as ChatGPT, Copilot, or other AI services are deployers. This means they face compliance obligations related to how they use AI, not necessarily how it was built.
Providers bear primary responsibility for:
- Risk management systems
- Data governance and documentation
- Technical transparency and conformity assessments
- Automated logging capabilities
For security and compliance leaders, this distinction is critical. Vendor due diligence becomes a key control point, ensuring that AI providers can demonstrate compliance before deployment.
However, being a deployer does not eliminate obligations. Deployers must meet several important requirements under the Act, particularly when using high-risk AI systems, as outlined below.
The Hidden High-Risk Scenarios
Security teams must map AI usage across the organization to identify high-risk deployment scenarios that many organizations overlook:
When AI Use Becomes “High-Risk”
Under the EU AI Act, risk classification is based on how AI is used, not which product or vendor provides it. The same tool, whether ChatGPT, Microsoft Copilot, or any other AI system—can fall into a high-risk category depending entirely on its purpose and context of deployment.
Examples of High-Risk Use Cases:
AI systems are considered high-risk when they are used for purposes such as:
- Biometric identification or categorization of individuals
- Operation of critical infrastructure (e.g., energy, water, transportation)
- Education and vocational training (e.g., grading, admission decisions)
- Employment and worker management, including access to self-employment
Access to essential private or public services, including credit scoring and insurance pricing - Law enforcement and public safety
Migration, asylum, and border control - Administration of justice or democratic processes
Illustrative Examples
- Using ChatGPT to draft marketing emails → Not high-risk
- Using ChatGPT to rank job candidates → High-risk (employment context)
Using Copilot to summarize code reviews → Not high-risk
Using Copilot to approve credit applications → High-risk (credit scoring)
In other words, the legal trigger is the use case, not the data type or the brand of tool. Processing sensitive data like PHI (Protected Health Information) may increase compliance obligations under other frameworks (like GDPR or HIPAA), but it doesn’t itself define an AI system as high-risk under the EU AI Act, the function and impact of the system do.
Even seemingly innocuous uses like analyzing customer data for business insights can become high-risk if they influence individual treatment or access to services.
The "shadow high-risk" problem represents a significant blind spot for many organizations. Employees often deploy AI tools for legitimate business purposes without understanding the compliance implications. A marketing team using AI to analyze customer demographics for targeting campaigns may unknowingly create high-risk AI deployments if the analysis influences individual treatment or access to services.
The “Shadow High-Risk” Problem
Many organizations face a growing blind spot: shadow high-risk AI usage. Employees often deploy AI tools for legitimate business tasks without realizing the compliance implications.
For example, an HR team using a custom-prompted ChatGPT to filter or rank job applicants inadvertently creates a high-risk deployment under Annex III of the Act. While simple marketing copy generation remains "limited risk," any AI use that evaluates employees or influences recruitment triggers the full weight of high-risk compliance. Without visibility, such cases can expose organizations to significant fines.
The Eight Critical Deployer Obligations for High-Risk AI Systems
1. AI System Inventory & Classification
Organizations must maintain comprehensive inventories of AI systems documenting vendors, use cases, risk classifications, data flows, system integrations, and current governance maturity. Security teams must implement automated discovery tools to identify shadow AI usage and ensure complete visibility.
2. Data Governance for AI
For high-risk AI systems, deployers who control the input data must ensure that the data is relevant and sufficiently representative for the system’s intended purpose.
This responsibility includes maintaining data quality standards, tracking data lineage, and verifying the statistical properties of datasets used in training and operation, but only where the deployer has control over the input data.
3. Continuous Monitoring
System monitoring represents a critical security function requiring continuous oversight of AI system operation and performance against intended purposes. Organizations must implement real-time monitoring capabilities, automated alert systems for anomalies, and comprehensive performance tracking.
4. Logging & Retention
Organizations must maintain automatically generated logs for minimum six-month periods, with financial institutions facing longer retention requirements. Logs must capture start and end dates/times for each system use, input data and reference database information, and identification of personnel involved in result verification.
5. Workplace Notification
Workplace notification requirements mandate informing employees and representatives before deploying AI systems that monitor or evaluate work performance. This creates change management obligations for security teams implementing AI-powered monitoring tools.
6. Incident Reporting
Serious incident reporting requires immediate notification to both providers and authorities when AI systems directly or indirectly lead to death, serious harm to a person's health, serious and irreversible disruption of critical infrastructure, infringement of fundamental rights obligations, or serious harm to property or the environment. Security teams must establish AI-specific incident response procedures.
7. Fundamental Rights Impact Assessments (FRIAs)
Organizations using high-risk AI systems must conduct FRIAs before deployment. FRIAs are mandatory for public bodies, organizations providing public services, and specific use cases like credit scoring or insurance risk assessment. Security teams must integrate FRIA processes with existing privacy impact assessments.
8. Vendor Due Diligence
Organizations must verify AI provider compliance status throughout the supply chain, assess vendor security controls adequacy, negotiate appropriate service level agreements for AI incidents, and establish ongoing monitoring procedures for vendor compliance changes.
Recommended Steps for Security Leaders
Once you’ve identified which AI systems may qualify as high-risk under the EU AI Act, the next step is to establish a practical roadmap for compliance and governance readiness.
While the Act does not prescribe an implementation timeline, organizations should take immediate, proactive measures to prepare for enforcement. The following are Sentra’s recommended best practices for AI governance and security readiness, not legal deadlines.
1. Build an AI System Inventory: Map all AI systems in use, including third-party tools and internal models. Automated discovery can help uncover shadow AI use across departments.
2. Assess Vendor and Partner Compliance: Evaluate each vendor’s EU AI Act readiness, including whether they follow relevant Codes of Practice or maintain clear accountability documentation.
3. Identify High-Risk Use Cases: Map current AI deployments against EU AI Act risk categories to flag high-risk systems for closer governance and oversight.
4. Strengthen AI Data Governance: Implement standards for data quality, lineage, and representativeness (where the deployer controls input data). Align with existing data protection frameworks such as GDPR and ISO 42001.
5. Conduct Fundamental Rights Impact Assessments (FRIA): Integrate FRIAs into your broader risk management and privacy programs to proactively address potential human rights implications.
6. Enhance Monitoring and Incident Response: Deploy continuous monitoring solutions and integrate AI-specific incidents into your SOC playbooks.
7. Update Vendor Contracts and Accountability Structures: Include liability allocation, compliance warranties, and audit rights in contracts with AI vendors to ensure shared accountability.
*Author’s Note:
These steps represent Sentra’s interpretation and recommended framework for AI readiness, not legal requirements under the EU AI Act. Organizations should act as soon as possible, regardless of when they begin their compliance journey.
Critical Deadlines Security Leaders Can't Miss
August 2, 2025: GPAI transparency requirements are already in effect, requiring clear disclosure of AI-generated content, copyright compliance mechanisms, and training data summaries.
August 2, 2026: Full high-risk AI system compliance becomes mandatory, including registration in EU databases, implementation of comprehensive risk management systems, and complete documentation of all compliance measures.
Ongoing enforcement: Prohibited practices enforcement is active immediately with €35 million maximum penalties or 7% of global revenue.
From Compliance Burden to Competitive Advantage
The EU AI Act represents more than a regulatory requirement, it's an opportunity to establish comprehensive AI governance that enables secure, responsible AI adoption at enterprise scale. Security leaders who act proactively will gain competitive advantages through enhanced data protection, improved risk management, and the foundation for trustworthy AI innovation.
Organizations that view EU AI Act compliance as merely a checklist exercise miss the strategic opportunity to build world-class AI governance capabilities. The investment in comprehensive data discovery, automated classification, and continuous monitoring creates lasting organizational value that extends far beyond regulatory requirements. Understanding data security posture management (DSPM) reveals how these capabilities enable faster AI adoption, reduced risk exposure, and enhanced competitive positioning in an AI-driven market.
Organizations that delay implementation face increasing compliance costs, regulatory risks, and competitive disadvantages as AI adoption accelerates across industries. The path forward requires immediate action on AI discovery and classification, strategic technology platform selection, and integration with existing security and compliance programs. Building a data security platform for the AI era demonstrates how leading organizations are establishing the technical foundation for both compliance and innovation.
Ready to transform your AI governance strategy? Understanding your obligations as a deployer is just the beginning, the real opportunity lies in building the data security foundation that enables both compliance and innovation.
Schedule a demonstration to discover how comprehensive data visibility and automated compliance monitoring can turn regulatory requirements into competitive advantages.
<blogcta-big>
Shiri is a Product Manager at Sentra with a background in engineering and data analysis. Before joining Sentra, she worked at ZoomInfo and in fast-paced startups, where she gained experience building products that scale. She’s passionate about creating clear, data-driven solutions to complex security challenges and brings curiosity and creativity to everything she does, both in and out of work.
