EU AI Act 2026: What Developers Need to Comply with Now

The EU AI Act is no longer a policy document you can skim and file away. As of February 2, 2025, the prohibition on unacceptable-risk AI systems became enforceable. By August 2025, obligations for general-purpose AI (GPAI) models took effect. And the big one, full enforcement of rules for high-risk AI systems, lands on August 2, 2026. If you are building, deploying, or integrating AI systems that touch EU citizens, the compliance clock is already running.

Meanwhile, in the United States, a patchwork of state-level AI legislation is creating its own enforcement timeline. Texas's AI governance law took effect in January 2026. California's AB 2013 (training data transparency) and Illinois's AI Video Interview Act amendments are enforced as of Q1 2026. Colorado's AI Consumer Protection Act hits full enforcement in mid-2026. The regulatory surface is expanding on both sides of the Atlantic simultaneously.

I have spent the last six months helping Ailog's clients navigate these requirements. This article distills what I have learned into a practical compliance guide for developers and engineering leaders.

The Risk Classification System

The EU AI Act organizes AI systems into four risk tiers. Your compliance obligations depend entirely on which tier your system falls into.

Unacceptable risk (banned). These are already prohibited. Social scoring systems by public authorities, real-time remote biometric identification in public spaces (with narrow law enforcement exceptions), AI that exploits vulnerabilities of specific groups (age, disability), and subliminal manipulation techniques. If your system does any of these, stop.

High risk. This is where most compliance work concentrates. High-risk systems include AI used in: critical infrastructure (energy, transport, water), education (admissions, grading), employment (recruitment, performance evaluation, termination decisions), essential services (credit scoring, insurance pricing), law enforcement, migration and border control, and administration of justice. The Act also covers AI systems that are safety components of products already regulated under existing EU legislation (medical devices, vehicles, machinery).

Limited risk. Systems with specific transparency obligations. This includes chatbots (must disclose they are AI), emotion recognition systems, biometric categorization systems, and AI that generates or manipulates content (deepfakes). The key obligation: users must be informed they are interacting with AI.

Minimal risk. Everything else. No specific obligations under the AI Act, though general consumer protection and data protection laws still apply.

The classification is not always obvious. A customer support chatbot is "limited risk" (transparency obligation), but if that chatbot makes credit decisions, it is "high risk." Context matters more than technology.

Obligations for High-Risk AI Systems

If your system qualifies as high-risk, here is what you must implement. These are not suggestions; they are legal requirements with penalties up to 35 million euros or 7% of global annual turnover.

Risk Management System (Article 9)

You need a documented, continuous risk management process. Not a one-time assessment, but a living system that identifies risks, estimates their likelihood and severity, implements mitigation measures, and evaluates residual risks. The system must be updated throughout the AI system's lifecycle.

In practice, this means maintaining a risk register that maps each identified risk to a mitigation strategy, an owner, and a review cadence. If you are deploying autonomous agents that interact with external tools, the risk surface includes prompt injection, tool misuse, credential theft, and unintended side effects, all of which must be documented and mitigated.

Data Governance (Article 10)

Training, validation, and testing datasets must meet quality criteria. The Act requires that datasets be "relevant, sufficiently representative, and to the best extent possible, free of errors and complete." You must document: the source and origin of training data, data collection methods, any data preprocessing or labeling operations, assumptions about what the data represents, and an assessment of potential biases.

For organizations using privacy-preserving techniques like federated learning, documentation should explain how these techniques affect data quality and what additional validation was performed.

Technical Documentation (Article 11)

Before a high-risk AI system enters the market, you must produce comprehensive technical documentation. This includes: a general description of the system, design specifications, development process details, monitoring and functioning information, and validation and testing procedures.

Record-Keeping and Logging (Article 12)

High-risk AI systems must automatically log events during operation. Logs must enable tracing of the system's operation throughout its lifecycle. At minimum, you need to record: the period of each use, the reference database against which input data was checked, input data for which the search led to a match, and identification of the persons involved in verification of results.

Transparency and Information (Article 13)

High-risk AI systems must be designed to be sufficiently transparent. Users must receive clear information about: the system's capabilities and limitations, the degree of accuracy and known failure modes, any human oversight measures, and the expected lifetime and maintenance needs.

Human Oversight (Article 14)

High-risk systems must allow effective human oversight. This does not mean a human rubber-stamps every decision; it means the system is designed so a human can understand its outputs, intervene when necessary, and override or stop the system.

What US State Laws Add

The US regulatory landscape adds requirements on top of EU compliance that catch many teams off guard.

Colorado AI Consumer Protection Act (SB 24-205, full enforcement mid-2026). Requires deployers of "high-risk AI systems" to conduct impact assessments, provide consumer notifications when AI makes "consequential decisions" (employment, financial services, healthcare, insurance, housing, education), and maintain records. Colorado's definition of "high-risk" is broader than the EU's and explicitly includes any system that makes or substantially contributes to a consequential decision.

Texas Responsible AI Governance Act (HB 1709, effective January 2026). Requires notice to consumers when AI is used in decisions affecting them, prohibition on AI-based discrimination, and an obligation to provide human review upon request. Applies to businesses operating in Texas or serving Texas residents.

California AB 2013 (effective 2026). Requires GPAI developers to disclose training data summaries, including data sources, data types, and whether copyrighted material was used. This intersects directly with the EU AI Act's GPAI transparency obligations.

Illinois AI Video Interview Act (amended 2025). Requires notice and consent when AI analyzes video interviews, prohibits exclusive reliance on AI for hiring decisions, and mandates annual bias audits. This is already the subject of active enforcement.

The practical impact: if you serve users in both the EU and US, you need a compliance program that satisfies the union of all applicable requirements. Building to the strictest standard (typically the EU AI Act for process requirements and Colorado for consumer-facing notifications) is often the simplest approach.

Implementing Audit Logging for AI Decisions

Across both EU and US requirements, a common thread is the need for comprehensive audit logging of AI decisions. Here is a practical implementation:

import json
import hashlib
import time
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Any
from enum import Enum


class RiskLevel(Enum):
    HIGH = "high"
    LIMITED = "limited"
    MINIMAL = "minimal"


class DecisionOutcome(Enum):
    APPROVED = "approved"
    DENIED = "denied"
    REFERRED_TO_HUMAN = "referred_to_human"
    INCONCLUSIVE = "inconclusive"


@dataclass
class AIDecisionRecord:
    """Immutable audit record for an AI system decision.
    Satisfies Article 12 (EU AI Act) and Colorado SB 24-205 logging requirements.
    """
    # System identification
    system_id: str
    system_version: str
    risk_level: RiskLevel

    # Decision context
    decision_type: str          # e.g., "credit_scoring", "resume_screening"
    request_id: str
    timestamp: str
    timezone_info: str

    # Input tracking (hashed for privacy, raw stored separately if needed)
    input_data_hash: str
    input_schema_version: str
    features_used: list[str]

    # Model details
    model_id: str
    model_version: str
    prompt_version: str | None  # For LLM-based systems

    # Decision output
    outcome: DecisionOutcome
    confidence_score: float | None
    explanation: str            # Human-readable rationale

    # Human oversight
    human_review_required: bool
    human_reviewer_id: str | None
    human_override: bool
    human_override_reason: str | None

    # Compliance metadata
    applicable_regulations: list[str]
    data_subjects_notified: bool
    consent_reference: str | None

    # Integrity
    record_hash: str = ""

    def compute_hash(self) -> str:
        """Compute a tamper-evident hash of the record."""
        record_data = asdict(self)
        record_data.pop("record_hash", None)
        canonical = json.dumps(record_data, sort_keys=True, default=str)
        return hashlib.sha256(canonical.encode()).hexdigest()


class ComplianceAuditLogger:
    """Audit logger that satisfies EU AI Act and US state law requirements."""

    def __init__(self, storage_backend, system_id: str, system_version: str,
                 risk_level: RiskLevel):
        self.storage = storage_backend
        self.system_id = system_id
        self.system_version = system_version
        self.risk_level = risk_level

    def log_decision(
        self,
        decision_type: str,
        request_id: str,
        input_data: dict[str, Any],
        features_used: list[str],
        model_id: str,
        model_version: str,
        outcome: DecisionOutcome,
        explanation: str,
        confidence_score: float | None = None,
        prompt_version: str | None = None,
        human_review_required: bool = False,
        consent_reference: str | None = None,
    ) -> AIDecisionRecord:
        """Log an AI decision with full compliance metadata."""

        now = datetime.now(timezone.utc)

        # Determine applicable regulations based on decision type
        regulations = self._determine_regulations(decision_type)

        # Hash input data rather than storing raw PII in the audit log
        input_hash = hashlib.sha256(
            json.dumps(input_data, sort_keys=True, default=str).encode()
        ).hexdigest()

        record = AIDecisionRecord(
            system_id=self.system_id,
            system_version=self.system_version,
            risk_level=self.risk_level,
            decision_type=decision_type,
            request_id=request_id,
            timestamp=now.isoformat(),
            timezone_info="UTC",
            input_data_hash=input_hash,
            input_schema_version="1.0",
            features_used=features_used,
            model_id=model_id,
            model_version=model_version,
            prompt_version=prompt_version,
            outcome=outcome,
            confidence_score=confidence_score,
            explanation=explanation,
            human_review_required=human_review_required,
            human_reviewer_id=None,
            human_override=False,
            human_override_reason=None,
            applicable_regulations=regulations,
            data_subjects_notified=False,
            consent_reference=consent_reference,
        )
        record.record_hash = record.compute_hash()

        # Persist to immutable storage
        self.storage.append(asdict(record))

        # If high-risk, validate completeness
        if self.risk_level == RiskLevel.HIGH:
            self._validate_high_risk_record(record)

        return record

    def _determine_regulations(self, decision_type: str) -> list[str]:
        """Map decision types to applicable regulations."""
        regulation_map = {
            "credit_scoring": [
                "EU AI Act (High-Risk, Annex III.5b)",
                "Colorado SB 24-205",
                "ECOA / Reg B",
            ],
            "resume_screening": [
                "EU AI Act (High-Risk, Annex III.4a)",
                "Colorado SB 24-205",
                "Illinois AI Video Interview Act",
                "Texas HB 1709",
            ],
            "insurance_pricing": [
                "EU AI Act (High-Risk, Annex III.5c)",
                "Colorado SB 24-205",
            ],
            "content_generation": [
                "EU AI Act (Limited Risk, Art. 50)",
                "California AB 2013",
            ],
            "customer_support": [
                "EU AI Act (Limited Risk, Art. 50)",
            ],
        }
        return regulation_map.get(decision_type, ["EU AI Act (General)"])

    def _validate_high_risk_record(self, record: AIDecisionRecord):
        """Ensure high-risk decisions meet all mandatory fields."""
        required_fields = [
            ("explanation", "Human-readable explanation required for high-risk decisions"),
            ("features_used", "Feature list required for transparency"),
            ("model_version", "Model version required for traceability"),
        ]
        for field_name, message in required_fields:
            value = getattr(record, field_name)
            if not value:
                raise ValueError(f"Compliance validation failed: {message}")

        if record.confidence_score is not None and record.confidence_score < 0.7:
            if not record.human_review_required:
                raise ValueError(
                    "Low-confidence high-risk decisions must require human review"
                )


# Usage example
logger = ComplianceAuditLogger(
    storage_backend=[],  # Replace with your immutable log store
    system_id="ailog-credit-scorer-v2",
    system_version="2.3.1",
    risk_level=RiskLevel.HIGH,
)

record = logger.log_decision(
    decision_type="credit_scoring",
    request_id="req-2026-04-03-001",
    input_data={"applicant_id": "A-12345", "annual_income": 85000, "debt_ratio": 0.32},
    features_used=["annual_income", "debt_ratio", "payment_history_score", "employment_length"],
    model_id="credit-model-xgb",
    model_version="3.1.0",
    outcome=DecisionOutcome.APPROVED,
    explanation="Approved based on debt-to-income ratio below threshold (0.32 < 0.40) "
                "and payment history score above minimum (720 > 650).",
    confidence_score=0.89,
)

A few things to note about this implementation. The input data is hashed, not stored in the audit log directly, because storing PII in audit logs creates its own data privacy risks. The raw data should be stored separately in a privacy-compliant data store with appropriate retention policies. The record hash provides tamper evidence: if any field changes after the record is written, the hash will not match. And the regulation mapping is explicit, so you can trace every logged decision back to the specific legal requirement it satisfies.

Aligning with ISO 42001 and NIST AI RMF

Two voluntary frameworks significantly ease AI Act compliance because they map closely to its requirements.

ISO/IEC 42001:2023 is the international standard for AI management systems. It provides a systematic framework for organizations that develop, provide, or use AI. If you implement ISO 42001, you will cover roughly 70% of the EU AI Act's process requirements. The standard's Annex D provides a mapping to the AI Act's articles, which saves significant compliance engineering time.

Key areas where ISO 42001 maps to the AI Act: risk management (Article 9), data governance (Article 10), documentation (Article 11), transparency (Article 13), and human oversight (Article 14). Where they diverge: ISO 42001 is more flexible on implementation details, while the AI Act prescribes specific outcomes.

NIST AI Risk Management Framework (AI RMF 1.0) uses a "Govern, Map, Measure, Manage" structure. It is voluntary in the US but is increasingly referenced by state laws as a safe harbor or evidence of due diligence. Colorado's SB 24-205, for instance, considers adherence to a "nationally or internationally recognized risk management framework" as a factor in enforcement.

My recommendation: implement ISO 42001 as your primary framework, use NIST AI RMF profiles for US-specific compliance needs, and document the mapping between both frameworks and the AI Act's specific articles. This gives you a single compliance program that satisfies multiple jurisdictions.

Automating Compliance

Manual compliance is not sustainable when you are shipping model updates weekly. Here are the tools and processes that work at scale.

Automated bias testing in CI/CD. Every model update should trigger fairness tests across protected characteristics. Tools like Fairlearn, AI Fairness 360, and Evidently AI can run in your CI/CD pipeline and block deployments that exceed bias thresholds. The EU AI Act requires that high-risk systems minimize risks of discriminatory outcomes (Article 10.2f); automated testing is the only practical way to enforce this continuously.

Model cards and data sheets. Standardize technical documentation using model cards (for systems) and datasheets (for datasets). Tools like Hugging Face's model card generator or custom templates can auto-populate fields from model metadata. Update them automatically on each release.

Continuous monitoring. The AI Act requires ongoing monitoring (Article 72), not just pre-deployment testing. Set up drift detection, performance monitoring, and fairness tracking in production. When metrics degrade beyond thresholds, trigger re-assessment workflows automatically. Existing ML monitoring infrastructure can be extended with compliance-specific alerts.

Impact assessments as code. Treat regulatory impact assessments like infrastructure as code: version-controlled, peer-reviewed, automatically validated against templates, and linked to the specific model version they assess. When a model changes, the assessment is flagged for update.

A Practical Compliance Checklist

For teams starting from scratch, here is the minimum viable compliance program:

1. Classify your systems. Map every AI system to a risk tier. When uncertain, classify higher.
2. Inventory your data. Document sources, collection methods, preprocessing, and known biases for all training data.
3. Implement audit logging. Every AI decision should be logged with the fields shown above. Use immutable storage.
4. Set up human review flows. High-risk decisions with low confidence must route to a human. Design the UX for this now.
5. Add transparency notices. If users interact with AI (chatbots, generated content), disclose it clearly. This is the easiest obligation to satisfy.
6. Run bias audits. Test for discriminatory outcomes across protected characteristics. Automate this in CI/CD.
7. Document everything. Technical documentation, risk assessments, testing results, monitoring reports. If it is not documented, it did not happen.
8. Assign a compliance owner. Someone needs to be accountable. In the EU, high-risk AI providers must designate a responsible person.
9. Plan for conformity assessment. Some high-risk categories require third-party assessment. Know whether yours does and budget for it.
10. Monitor regulatory updates. Both the EU and US landscapes are evolving rapidly. What is open source policy today may shift significantly by year's end.

Key Takeaways

• The EU AI Act is enforceable now for prohibited systems and GPAI models; full high-risk enforcement arrives in August 2026, giving teams roughly four months to comply.
• Risk classification determines your obligations: high-risk systems face the most stringent requirements, including mandatory risk management, data governance, audit logging, transparency, and human oversight.
• US state laws (Colorado, Texas, California, Illinois) layer additional requirements on top of EU compliance, particularly around consumer notification and bias auditing.
• Audit logging must capture system identification, decision rationale, input data hashes (not raw PII), model versions, confidence scores, and applicable regulations for every AI decision.
• ISO 42001 and NIST AI RMF provide structured frameworks that map to roughly 70% of EU AI Act process requirements; implementing them first saves significant compliance engineering effort.
• Automated compliance (bias testing in CI/CD, auto-generated model cards, continuous fairness monitoring) is the only practical approach for teams shipping frequent updates.
• Classify higher when uncertain; the penalties for getting it wrong (up to 35 million euros or 7% of global turnover) far outweigh the cost of over-compliance.
• Start with audit logging and transparency notices, as they satisfy requirements across every jurisdiction and provide the foundation for more advanced compliance measures.