The EU AI Act entered into force in August 2024, but most obligations only become fully applicable in August 2026. This means that companies anywhere in the world, including those in Brazil and the US, that develop or deploy AI systems whose outputs are used in the EU need to comply. This post explains what changes in practice, how to structure AI governance in your organization, and which pitfalls to avoid before the final deadline.
I have been working with language model integration in products for over two years, and I have followed the AI Act's evolution since the first draft. What struck me most throughout this period was the gap between what legal teams understood as "compliance" and what engineering teams actually needed to implement. Most companies I advised underestimated the technical effort — dataset documentation, automatic logging, bias assessments — and overestimated the legal complexity. In practice, the bottleneck is engineering, not lawyering.
What is the AI Act and why it matters now
The AI Act is the world's first comprehensive legislation focused exclusively on artificial intelligence. Approved by the European Parliament and the Council of the EU, it establishes a risk-based regulatory framework: the greater the potential harm of an AI system, the more stringent the compliance obligations.
The implementation timeline is staggered. Prohibited AI practices (such as social scoring and subliminal manipulation) have been illegal since February 2025. Governance rules for general-purpose AI models (GPAI) came into effect in August 2025. But the bulk of obligations — especially for high-risk systems — only become enforceable on August 2, 2026.
Fines for non-compliance can reach €35 million or up to 7% of global annual turnover, whichever is higher. This is not a recommendation: it is a legal obligation with severe financial consequences.
Risk classification: where does your AI system fit
The AI Act categorizes AI systems into four risk levels. Understanding where each of your company's systems fits is the first step in defining the scope of compliance.
Unacceptable risk (prohibited)
Systems that subliminally manipulate human behavior, exploit vulnerabilities of specific groups, perform governmental social scoring, or use real-time remote biometric identification in public spaces (with limited law enforcement exceptions). These have been banned since February 2025.
High risk
The category that demands the most attention. It includes AI systems used in:
- Critical infrastructure (energy, transport, water)
- Education and vocational training (admission, assessment)
- Employment and worker management (recruitment, promotion, dismissal)
- Essential services (credit, insurance, public services)
- Law enforcement and migration management
- Administration of justice and democratic processes
For these systems, requirements include: a documented risk management system, robust data governance, detailed technical documentation, automatic logging, human oversight, and guarantees of accuracy, robustness, and cybersecurity. Before a system is placed on the market, a conformity assessment must be carried out, an EU declaration of conformity issued, CE marking affixed, and the system registered in the EU database.
Limited risk
Systems such as chatbots, deepfakes, and AI-generated content. The main obligation is transparency: users must know they are interacting with AI or consuming AI-generated content.
Minimal risk
The majority of AI systems — spam filters, AI-powered games, simple recommendation systems. No specific regulatory obligations, although the EU encourages voluntary adoption of good practices.
Corporate governance: what needs to exist in your company
Compliance with the AI Act is not just about the model itself — it is about the organizational structure around it. According to the LegalNodes compliance guide, companies need to establish:
- AI Officer: someone with real authority to veto deployments, not just an honorary title. Ideally reports directly to the C-level.
- AI Governance Committee: multidisciplinary — engineering, legal, product, compliance. Meets periodically to review the system inventory and risk assessments.
- AI System Inventory: a centralized registry of all AI systems in use, with risk classification, technical owner, training dataset, performance metrics, and last audit date.
- Impact Assessment Process: for high-risk systems, a fundamental rights impact assessment must be conducted before deployment.
| Element | Minimum (compliance) | Recommended (maturity) |
|---|---|---|
| AI Officer | Formally designated | C-level or direct board reporting |
| System inventory | Updated spreadsheet | Platform with versioning and alerts |
| Risk assessment | Before initial deployment | Continuous, with quarterly reassessment |
| Logging and monitoring | Logs retained for legal period | Real-time dashboards with anomaly detection |
| Team training | Basic AI literacy | Continuous program with internal certification |
Technical requirements: what engineering needs to deliver
For engineering teams, the AI Act translates into concrete technical requirements that need to be implemented before August 2026:
Risk management system
This is not a static document. It is an iterative, documented process that identifies known and foreseeable risks, estimates and evaluates risks arising from intended use and reasonably foreseeable misuse, and adopts mitigation measures. In practice, this means having automated evaluation pipelines that run on every release.
Data governance
Training, validation, and test datasets need documentation covering: data provenance, collection methodology, known biases, cleaning and enrichment measures, and limitations. If you use synthetic data, you need to document the generation process. If you fine-tune third-party models, you need to document which data was used and why.
Technical documentation
Each high-risk system needs documentation that includes: general system description, design elements and development process, monitoring and operational information, detailed description of the risk management system, and changes made throughout the lifecycle. Think of it as a "technical passport" for your model.
Automatic logging
High-risk systems must automatically record relevant events throughout their lifecycle. This includes: usage period, inputs that generated outputs, reference database used, and input verification results. Logs must be retained for a period appropriate to the system's purpose and applicable legal obligations.
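A sketch of an inference log that records the four items listed above, added here as an illustration and not taken from the regulation or any vendor tool. The field names, the use of SHA-256 digests in place of raw inputs, and the hash chain that makes later edits detectable are design assumptions of this example, not requirements stated in this post.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first record


def _digest(obj) -> str:
    """SHA-256 over canonical JSON so the hash is reproducible."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


class InferenceLog:
    """Append-only log; each record commits to the one before it."""

    def __init__(self):
        self.records = []

    def append(self, started, ended, model_input, output, reference_db, input_check):
        body = {
            "usage_period": {"start": started, "end": ended},
            # Digests instead of raw text: an assumption made here to keep
            # personal data out of the log while still binding input to output.
            "input_sha256": hashlib.sha256(model_input.encode()).hexdigest(),
            "output_sha256": hashlib.sha256(output.encode()).hexdigest(),
            "reference_db": reference_db,
            "input_check": input_check,
            "prev": self.records[-1]["hash"] if self.records else GENESIS,
        }
        record = dict(body, hash=_digest(body))
        self.records.append(record)
        return record

    def first_broken_index(self):
        """Index of the first altered or reordered record, or None if intact."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev"] != prev or _digest(body) != rec["hash"]:
                return i
            prev = rec["hash"]
        return None


def demo():
    log = InferenceLog()  # the two events below are constructed sample data
    log.append("2026-03-01T10:00:00Z", "2026-03-01T10:00:02Z",
               "applicant 1042 features", "score=0.71", "credit-bureau-v3", "passed")
    log.append("2026-03-01T10:05:00Z", "2026-03-01T10:05:01Z",
               "applicant 1043 features", "score=0.22", "credit-bureau-v3", "failed:schema")
    intact = log.first_broken_index()
    log.records[0]["input_check"] = "passed-after-edit"  # simulate a later edit
    return intact, log.first_broken_index()
```

The chain detects edits and reordering but not removal of the newest records, so the latest hash should also be stored somewhere the logging host cannot rewrite.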
Human oversight
High-risk systems must be designed so they can be effectively overseen by humans during the period of use. This does not mean having a human review every output — it means having technical mechanisms that allow the operator to understand the system's capabilities and limitations, monitor its operation, and intervene or shut down the system when necessary.
Impact on Brazil and Latin America
The AI Act has extraterritorial reach: it applies to any company whose AI systems are placed on the EU market or whose outputs are used in the EU, regardless of where the company is headquartered. For Brazilian companies that export software, offer global SaaS, or have European clients, compliance is mandatory.
In parallel, Brazil is advancing its own regulation. Bill 2,338/2023 was approved by the Federal Senate in December 2024 and is under review in the Chamber of Deputies. Although the Brazilian bill has its specificities, the risk-based approach is similar to the European AI Act, which facilitates cross-compliance for companies operating in both markets.
The global trend is clear: AI regulation is no longer hypothetical. Companies that get ahead spend less and suffer less disruption than those that wait until the deadline.
Practical checklist: how to prepare by August 2026
If your company uses or develops AI systems and has any exposure to the European market, here is a pragmatic roadmap:
- Months 1-2: Conduct a complete inventory of all AI systems in use. Classify each one on the AI Act risk scale. Identify which are high-risk.
- Months 3-4: For each high-risk system, begin technical documentation. Map datasets, document training processes, identify known biases.
- Months 5-6: Implement automatic logging and human oversight mechanisms. Set up monitoring dashboards.
- Months 7-8: Conduct fundamental rights impact assessments. Perform robustness and cybersecurity testing.
- Months 9-10: Execute conformity assessments. Prepare EU declarations of conformity. Begin registration process in the European database.
- Months 11-12: Review all documentation. Train teams. Conduct final internal audits before the August 2026 deadline.
Common mistakes companies make
Based on experience following companies through this compliance process, the most frequent errors are:
- Treating it as a legal project: AI Act compliance is 70% engineering, 30% legal. The technical team needs to lead.
- Classifying everything as "minimal risk": companies tend to underestimate the risk of their own systems. A content recommendation system may seem harmless, but if it influences credit or employment decisions, it is high-risk.
- Ignoring extraterritorial reach: "we are not in Europe" is not a defense. If your model's output is used in the EU, you are in scope.
- Leaving it to the last month: retroactive technical documentation is exponentially more expensive and less accurate than documentation done during development.
- Confusing AI literacy with compliance: the AI literacy obligation (which came into effect in February 2025) is separate from high-risk system obligations. Meeting one does not exempt you from the other.
Tools and frameworks that help
The ecosystem of tools for AI Act compliance is maturing rapidly. According to an analysis by the Council of the EU, some approaches that have proven effective include:
- Model cards and datasheets: standardized formats for model and dataset documentation. Frameworks like Google's Model Card Toolkit facilitate generation.
- AI governance platforms: tools like IBM OpenPages, ModelOp, and Credo AI offer centralized inventory, automated risk assessment, and approval workflows.
- Fairness and bias frameworks: Fairlearn, AI Fairness 360, What-If Tool — for evaluating and mitigating model biases before deployment.
- MLOps pipelines with built-in compliance: integrating compliance checks directly into the model's CI/CD — bias evaluation, documentation validation, logging verification — avoids manual rework.
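As an added example of the "documentation validation" check mentioned in the last item, the following CI gate verifies that each dataset datasheet carries the fields listed under "Data governance" above, including the extra ones for synthetic data and fine-tuning. It is not code from any of the tools named here; the field names, flags, and placeholder list are hypothetical.

```python
# Field names are hypothetical; they mirror the items under "Data governance".
REQUIRED = ["provenance", "collection_methodology", "known_biases",
            "cleaning_measures", "limitations"]
CONDITIONAL = {
    "synthetic": ["generation_process"],
    "fine_tunes_third_party_model": ["fine_tuning_data", "fine_tuning_rationale"],
}
PLACEHOLDERS = {"", "tbd", "todo", "n/a"}


def _is_filled(value) -> bool:
    """Reject empty values and stand-in text that only looks like documentation."""
    if isinstance(value, str):
        return value.strip().lower() not in PLACEHOLDERS
    if isinstance(value, (list, dict)):
        return len(value) > 0
    return value is not None


def check_datasheet(sheet: dict) -> list:
    """Return a list of problems; an empty list means the datasheet passes."""
    needed = list(REQUIRED)
    for flag, extra in CONDITIONAL.items():
        if sheet.get(flag) is True:
            needed += extra
    problems = []
    for field in needed:
        if field not in sheet:
            problems.append(f"missing: {field}")
        elif not _is_filled(sheet[field]):
            problems.append(f"placeholder or empty: {field}")
    return problems


def gate(sheets: dict) -> int:
    """Exit code for the CI step: 0 if every datasheet passes, 1 otherwise."""
    failed = False
    for name, sheet in sheets.items():
        for problem in check_datasheet(sheet):
            print(f"{name}: {problem}")
            failed = True
    return 1 if failed else 0


# Constructed sample datasheets.
GOOD = {"provenance": "internal CRM export, 2023-2024",
        "collection_methodology": "opt-in customer records",
        "known_biases": ["under-represents applicants under 25"],
        "cleaning_measures": "deduplicated, PII columns dropped",
        "limitations": "EU customers only"}
BAD = dict(GOOD, known_biases="TBD", synthetic=True)
```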
Conclusion
The AI Act is not just another bureaucratic regulation — it is a structural shift in how companies need to develop and operate AI systems. With the August 2026 deadline approaching, the window for adaptation is closing. Companies that treat AI governance as an integrated technical-organizational project, rather than just a legal checklist, will have a clear competitive advantage: they not only avoid multi-million-euro fines but also build more reliable and auditable systems. The time to act is now — not when the fine arrives.

