EU AI Act: What PMs Need to Know

The EU AI Act passed earlier this year, and most project managers I talk to either have not read it or assume it is someone else's problem. If your product touches AI in any way — and increasingly, every product does — it is your problem.

I am not a lawyer. But I manage programs where teams are integrating AI features, and I have spent time understanding what this regulation means for how we plan and deliver work.

The Risk-Based Framework

The Act classifies AI systems into risk tiers: unacceptable, high-risk, limited, and minimal. Most enterprise software falls into limited or minimal risk. But if you are building anything that touches hiring, credit scoring, healthcare, or critical infrastructure, you might be in high-risk territory.

High-risk means mandatory requirements around data governance, documentation, human oversight, and accuracy testing. These are not optional checkboxes. They are legal obligations with real penalties.

What Changes for Delivery Teams

Documentation requirements increase. High-risk AI systems need technical documentation that describes training data, model behavior, and known limitations. This is not a one-time effort. It needs to be maintained throughout the lifecycle.

Testing becomes more rigorous. You need to demonstrate that your AI system performs as documented, including testing for bias and edge cases. This means your test plans need new categories.

Human oversight is mandatory. For high-risk systems, there must be a mechanism for human review of AI decisions. This impacts your system architecture, not just your process.

My Recommendation

If you are managing a program that includes AI features, start a risk classification exercise now. Do not wait for legal to tell you. Map your AI features against the Act's risk categories and flag anything that might be high-risk.

The teams that start thinking about this in October 2024 will be far better positioned than the ones scrambling in 2025 when enforcement timelines start hitting.