EU AI Act: What Delivery Teams Need to Know
The EU AI Act is the most comprehensive AI regulation in the world, and its enforcement timeline is approaching fast. Even if your organization is not based in the EU, if you serve EU customers or process EU data, this matters. As a program manager, I have been working to understand what this means for our delivery teams in practical terms.
The Risk-Based Approach
The Act classifies AI systems into four risk categories. Unacceptable risk systems — like social scoring — are banned outright. High-risk systems require conformity assessments, documentation, and human oversight. Limited-risk systems carry transparency obligations. Minimal-risk systems are largely unregulated.
For most enterprise delivery teams, the critical question is whether any of your AI components fall into the high-risk category. This includes AI used in employment decisions, creditworthiness assessments, and certain critical infrastructure applications.
What Changes for Delivery Teams
Documentation requirements increase. High-risk AI systems need technical documentation covering design, development methodology, training data, and performance metrics. If you are building AI features today without this documentation, you will need to retrofit it.
Human oversight becomes mandatory. For high-risk systems, there must be appropriate human oversight mechanisms. This means designing review gates and override capabilities into your AI systems from the start, not bolting them on later.
Risk management becomes ongoing. The Act requires continuous risk assessment, not a one-time evaluation. This aligns with what ISO 42001 and the NIST AI RMF already recommend, but now it carries legal weight.
What I Am Doing Now
I added AI Act classification to our AI governance inventory. Every AI touchpoint now has a preliminary risk classification. For the ones that might be high-risk, I am working with our legal team to understand the specific requirements.
I am also pushing for AI governance training for our engineering leads. The developers building these systems need to understand the regulatory context, not just the technical requirements. Program managers are well-positioned to bridge that gap — translating regulatory requirements into actionable engineering practices.
This is not a future problem. The compliance deadlines are already here for certain provisions. If you have not started, start now.