The EU AI Act's high-risk requirements hit in August 2026. Organizations with EU operations using AI in hiring, credit, or healthcare are not ready.
The EU AI Act's high-risk requirements become mandatory in August 2026, three months from today as I write this. The European Commission's digital strategy page has had this date marked for two years (https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai). From where I sit as an IS researcher studying AI governance, the compliance gap between what the regulation requires and what most organizations have actually done is the most important story in enterprise technology right now. It is not a story about whether AI is useful or whether regulation is wise. It is a story about whether organizations can translate a complex, prospective compliance obligation into working governance infrastructure before an enforcement deadline. Based on what I can observe in the field, most cannot.
The Act's risk framework is built on a four-tier classification. Prohibited practices, which applied from February 2025, include social scoring by governments, most real-time biometric surveillance in public spaces, and AI that manipulates behavior in harmful ways. Minimal-risk AI, which covers most commercial chatbots and recommendation systems, faces no specific obligations. Limited-risk AI, including systems that interact with humans without making it clear they are automated, carries transparency obligations. The tier that matters most for the largest number of enterprises is high risk, and that tier's requirements take effect in August 2026.
The high-risk list is broader than most organizations realize. It covers AI used in hiring and candidate screening, AI used in educational assessment and access decisions, AI used in creditworthiness scoring, AI used in healthcare triage and diagnosis support, AI used in critical infrastructure management, AI used in law enforcement for risk assessment, and AI used in border control. The geographic scope of these obligations is determined by where the AI system's output affects people, not where the vendor is incorporated or the system is operated. An American company using an AI-powered resume screener for its Berlin office is in scope. The system is high risk. The company is the deployer. August 2026 applies to it.
For organizations that deploy high-risk AI, the obligations are substantial and technically demanding. They must maintain a technical file documenting the system's design, data governance practices, training methodology, and performance metrics. They must implement a risk management system that is ongoing, not a one-time assessment. They must ensure sufficient human oversight so that a person can understand, monitor, and intervene in the system's outputs. They must retain logs of operations where the system influences consequential decisions. And they must register the system in the EU's official database for high-risk AI systems. None of these requirements can be satisfied with a one-page policy statement and a contract clause with the AI vendor. They require process design, documentation infrastructure, and organizational roles that most technology teams have not built.
The IS theory I keep returning to here is institutional isomorphism from DiMaggio and Powell (1983). Their concept of coercive isomorphism describes how organizations adopt practices not because the practices produce internal operational value, but because external legal or regulatory pressure makes non-adoption untenable. The EU AI Act is a paradigmatic case: organizations will move toward compliance not because maintaining a risk management system for AI produces better AI outcomes (though it might), but because the enforcement consequences of non-compliance are material. Fines under the Act can reach 30 million euros or six percent of global annual turnover for violations involving prohibited practices, with lower but still significant penalties for high-risk non-compliance. That is coercive pressure of the kind DiMaggio and Powell described.
The problem with coercive isomorphism is that it produces compliance on paper with variable operational reality underneath. Feldman and Pentland's (2003) routine dynamics framework makes this distinction visible: there is the ostensive routine, which is what the organization says it does, and the performative routine, which is what people actually do when auditors are not watching. An organization that builds an AI risk management system because the regulation requires it, without genuine organizational buy-in or clear internal ownership, will likely produce documentation that satisfies a conformity assessment while the actual governance of AI deployment remains informal and inconsistent. That gap between ostensive and performative compliance is exactly where AI governance failures tend to live.
Absorptive capacity (Cohen and Levinthal, 1990) is the other framework that matters here. The EU AI Act's requirements are technically and legally complex. Understanding what a conformity assessment requires, how to document training data quality in a way the Act recognizes, and what "sufficient human oversight" means in practice for a specific system all demands organizational knowledge that is not widely distributed. Organizations with low absorptive capacity, meaning those that have not been building internal AI governance expertise, will struggle to understand what compliance actually requires even if they intend to comply. They will hire consultants to produce documentation. The documentation will look correct. The underlying governance practices may still be weak. Absorptive capacity is not just about whether you can implement a policy. It is about whether you understand it well enough to implement it meaningfully.
The prospective nature of the compliance obligation is what makes this different from GDPR. GDPR compliance, while demanding, was largely retrospective: audit your data, fix your consent mechanisms, update your contracts, appoint your data protection officer. The EU AI Act requires prospective compliance. Before you deploy a high-risk AI system, you must demonstrate that the risk management system is in place, that training data meets the Act's quality and representativeness standards, that logging infrastructure is operational, and that human oversight mechanisms are functional. There is no window of deploying first and cleaning up the documentation afterward. The documentation is a prerequisite for deployment.
I have not seen strong evidence that most organizations with EU operations have completed this work. What I have seen is the same pattern that preceded GDPR: awareness that the deadline exists, a sense that it will be handled closer to the effective date, and an underestimation of how much organizational infrastructure the compliance actually requires. GDPR produced a scramble in the months before May 2018. Incomplete data inventories, rushed vendor agreements, consent mechanisms built in weeks that should have taken months. The EU AI Act is technically more demanding. The scramble, if it follows the same pattern, will be worse.
The question this raises for my IS research is about how organizations build genuine compliance capability versus compliance performance. It is not enough to know what the regulation requires. It is not enough to hire a law firm to produce a conformity assessment document. The governance of high-risk AI, done in the spirit the Act intends, requires ongoing processes, clear accountability, and organizational routines that treat AI risk management as a real operational concern, not a periodic audit exercise. Whether organizations can build that capability under deadline pressure, or whether August 2026 will produce a wave of formal compliance documentation with informal governance gaps underneath, is something IS researchers should be tracking carefully. That gap, between what organizations say they do with AI and what they actually do, is one of the most important empirical questions in the field right now.
---
claims_checked:
- "EU AI Act high-risk requirements effective August 2026": "https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai"
- "EU AI Act entered into force 2024-2025, prohibited practices February 2025": "https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai"
- "High-risk AI categories including hiring, credit, education, healthcare, infrastructure, law enforcement": "public text of EU AI Act Annex III (Regulation EU 2024/1689)"
- "Fines up to 30M EUR or 6% of global turnover for prohibited practices violations": "public text of EU AI Act Article 99"
- "DiMaggio & Powell 1983 institutional isomorphism": "academic reference, consistent with field knowledge"
- "Feldman & Pentland 2003 routine dynamics": "academic reference, consistent with field knowledge"
- "Cohen & Levinthal 1990 absorptive capacity": "academic reference, consistent with field knowledge"
claims_unverified:
- "Most organizations have not completed AI inventories or conformity assessment groundwork: directional assessment based on field observation, not from a single empirical source"
sources_used:
- "https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai"