← ALL POSTS

The EU AI Act Gets Real on August 2, 2026. Most Companies Are Not Ready to Prove Anything.

Next month the bulk of the EU AI Act becomes applicable, including the high-risk regime. The gap in most compliance programs isn't policy. It's evidence.

If your company sells into Europe, employs people in Europe, or has European users, circle August 2, 2026. That's the date the bulk of the EU AI Act stops being a future problem and becomes an applicable one, including the high-risk regime and the Commission's enforcement powers over general purpose AI models.

The prohibitions have been live since February 2025. Obligations for general purpose AI providers landed in August 2025. But this August is when the Act broadly applies, and when the fines stop being theoretical: up to 35 million euros or 7% of global turnover for prohibited practices, and up to 15 million or 3% for most other violations.

Here's the part that keeps getting missed in the compliance decks.

You're probably a deployer, and deployers have homework

Most coverage of the Act talks about the companies building models. But the Act also regulates deployers: organizations that use AI systems in the course of business. That's you, even if you've never trained anything.

Deployer obligations include using systems in line with their instructions, ensuring human oversight, monitoring operation, and keeping logs. There's also an AI literacy requirement (Article 4, live since February 2025) that expects staff who work with AI to actually understand what they're doing with it.

Notice the shape of all of those obligations. Every one of them assumes you know which AI systems your organization uses, who uses them, and for what.

The inventory problem nobody wants to own

Ask a compliance lead for the company's AI inventory and you'll get the sanctioned list: the enterprise Copilot deal, maybe a coding assistant, a vendor tool or two. Ask the network and you get a different answer.

We recently measured a 30-person company whose leadership put their AI usage at zero. Five work devices produced 2,888 AI requests in five days, across two vendors, none approved. The anonymized report is here. That gap between the official inventory and the actual traffic is exactly the gap a regulator, an auditor, or an enterprise customer's due diligence questionnaire will walk straight into.

You cannot claim human oversight of systems you don't know you're running. You cannot keep logs of usage you can't see. An AI governance program built on the sanctioned list alone is a program that governs the minority of your AI usage.

What "ready" actually looks like

Strip away the legal language and the operational requirements come down to three capabilities:

  1. A live inventory. Not a survey, not a spreadsheet from Q1. A current picture of which AI tools your fleet actually talks to, updated by observation rather than by asking nicely.
  2. Attribution. Usage tied to devices and users, because "someone, somewhere, used something" satisfies no obligation ever written.
  3. Records. When the questionnaire asks how you monitor AI use, "we have a policy" is an answer about intentions. A log is an answer about facts.

None of this requires blocking anything or slowing anyone down. It requires seeing. Control is a decision you make after visibility, not instead of it.

A pragmatic first step before August

You don't need a transformation program to close the inventory gap. You need a measurement.

We run a free 7 day audit: up to ten machines, no workflow changes, and at the end you hold the actual list of AI tools in use at your company, with per-device attribution. It's the difference between walking into an audit with an estimate and walking in with evidence.

The Act was written on the assumption that companies know what AI they use. Next month, that assumption starts getting tested. Better to test it yourself first.

THEMISTO LABS

See it. Control it. Protect it.

If anything in this post resonated, tell us what you're seeing. A founder reads every request and reaches out personally within 24 hours.

REQUEST ACCESS →