
ANALYSIS • 5 min • Policy
The EU AI Act clock is now ticking. Initial obligations for the most capable general-purpose AI models began on Aug 2, 2025; broader requirements phase in over the next year. Here’s what matters in the first 30–90 days.
Priority list: inventory your AI systems, classify risk, and wire policy-as-code into your orchestration and vendor contracts.
What’s actually starting now:
- Initial obligations for models with **systemic risk** (and their providers) began Aug 2, 2025; wider obligations phase in through 2026.
- Provider and deployer responsibilities are split; contracts and **audit trails** become day-one requirements.
- Penalties scale with global revenue; sandboxes and exemptions exist but require proactive planning.
Impact for enterprise buyers and builders:
- **Governance shifts left**—from sign-off at launch to build-time controls with logs, evals, and attestations.
- Vendors who can **prove** controls (observability, testing, incident response) gain advantage in RFPs.
Dates to plan around:
- Aug 2, 2025: First obligations kick in for the most capable GPAI models and their providers.
- 2026: Broader compliance windows open for additional classes; regulator capacity and audits ramp.
Next 30–90 day moves:
- Stand up **system inventory + risk tagging** for every AI surface (models, tools, agents, prompts).
- Ship **policy-as-code** guardrails into tool/agent orchestration (input/output filters, tool allowlists).
- Negotiate **logging & attestation** terms with vendors now (evals, red-team, incident SLAs).
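
An added example, not from the original article: a minimal deny-by-default policy gate that ties these moves together (an inventory with risk tags, a tool allowlist plus an output filter, and a tamper-evident audit trail). The surface names, risk tags, tools, and approval rule are constructed assumptions for illustration, not a legal classification.

```python
import hashlib
import json
import re

# Constructed inventory: every AI surface carries a risk tag and a tool allowlist.
INVENTORY = {
    "support-agent": {"risk": "limited", "tools": {"search_kb", "create_ticket"}},
    "hr-screening-agent": {"risk": "high", "tools": {"read_resume"}},
}
# Assumed rule: these tools need a named human approver on high-risk surfaces.
APPROVAL_REQUIRED = {"high": {"read_resume"}}
# Output filter: redact e-mail addresses before results leave the orchestrator.
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
AUDIT_LOG = []  # append-only; each record stores the hash of the previous one

def _audit(record):
    prev = AUDIT_LOG[-1]["hash"] if AUDIT_LOG else "0" * 64
    body = json.dumps(record, sort_keys=True)
    digest = hashlib.sha256((prev + body).encode()).hexdigest()
    AUDIT_LOG.append(dict(record, prev=prev, hash=digest))

def authorize(surface, tool, approved_by=None):
    """Deny by default: unknown surfaces and unlisted tools are refused."""
    entry = INVENTORY.get(surface)
    if entry is None:
        decision, reason = "deny", "surface not in inventory"
    elif tool not in entry["tools"]:
        decision, reason = "deny", "tool not on allowlist"
    elif tool in APPROVAL_REQUIRED.get(entry["risk"], set()) and not approved_by:
        decision, reason = "deny", "human approval missing"
    else:
        decision, reason = "allow", "policy satisfied"
    # Every decision, allow or deny, lands in the audit trail.
    _audit({"surface": surface, "tool": tool, "decision": decision,
            "reason": reason, "approved_by": approved_by})
    return decision == "allow"

def filter_output(text):
    return EMAIL.sub("[redacted-email]", text)

def verify_chain():
    """Recompute the hash chain; any edited or dropped record breaks it."""
    prev = "0" * 64
    for rec in AUDIT_LOG:
        body = {k: v for k, v in rec.items() if k not in ("prev", "hash")}
        raw = prev + json.dumps(body, sort_keys=True)
        if rec["prev"] != prev or rec["hash"] != hashlib.sha256(raw.encode()).hexdigest():
            return False
        prev = rec["hash"]
    return True
```

Because denials are logged alongside allows, the same trail can back the logging and attestation terms negotiated with vendors.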