On 2 August 2026, in less than 40 days, most provisions of the EU AI Act become enforceable. If your company operates in a regulated industry and uses AI, there is one question that needs an answer today, not after the first audit.
Can your AI explain what it did, why it did it, and where it found the information? If the answer is “no” or “I don’t know”, you are already exposed.
What the EU AI Act Changes for Regulated Companies
The penalties set the stakes. High-risk violations carry fines of up to €15M or 3% of global turnover, and prohibited practices up to €35M or 7%. Alongside the fines come obligations that have to be built into the system itself: risk management, technical documentation, human oversight, an audit trail, and post-market monitoring. On top of that, every citizen gains the right to request an explanation for a decision that affects them.
And none of this replaces what already applies. It stacks on top of DORA, MiFID II, Solvency II, NIS2, and GDPR.
Why Most AI Deployments Are Already Exposed
Here is the truth few are willing to say. Most AI deployments of the past 18 months, from enterprise ChatGPT to custom copilots, were not built with governance in their DNA. They do not explain their decisions. They do not cite their sources. They leave no audit trail that can withstand regulatory scrutiny.
In a bank, an insurer, an audit firm, a pharmaceutical company, or a law firm, this is not a risk. It is a countdown.
What This Means for Your AI Strategy
If you invested in AI without first designing the governance architecture, your strategy needs to be reconsidered. This is not a technology problem. It is a question of legal exposure, reputation, and operational continuity, and the first organization regulators target will become the case study for everyone else.
The question is not whether the audit will come. It is how ready you will be when it does.