The EU AI Act and What It Means for Delivery Teams
The EU AI Act is the most significant piece of AI regulation in the world, and it is already affecting how I plan enterprise AI programs. If you are a program manager and you have not read at least the risk classification framework, you are operating with incomplete information.
The Risk-Based Framework
The Act classifies AI systems into four risk categories: unacceptable, high, limited, and minimal. Most enterprise applications I manage fall into the high-risk or limited-risk categories. High-risk systems face the heaviest requirements: conformity assessments, technical documentation, risk management systems, data governance obligations, human oversight mechanisms, and ongoing monitoring.
What This Means for Sprint Planning
Risk classification happens early. I now include an AI risk classification exercise in the discovery phase of every AI program. The classification determines the compliance overhead, which directly impacts capacity planning and timeline estimates.
Documentation requirements are substantial. High-risk systems require technical documentation covering design specifications, development methodology, testing procedures, and performance metrics. I allocate dedicated sprint capacity for this documentation from day one.
Human oversight is not optional. High-risk systems must be designed to allow effective human oversight. This is an architecture decision that affects the product from the first sprint, not a feature you bolt on later.
Practical Impact
I worked on a program last quarter where the EU AI Act classification changed a feature from a four-sprint deliverable to a seven-sprint deliverable. The additional three sprints covered conformity assessment preparation, documentation, and human oversight implementation. That is a 75% increase in delivery effort from regulation alone.
The PM's Role
Program managers must become fluent in this regulation. You do not need to be a lawyer, but you need to understand the risk classification system, the documentation requirements, and the timeline implications. When a stakeholder asks "why is this AI feature taking so long?", you need to explain the regulatory landscape clearly and confidently.
Ignorance of the EU AI Act is not a defense. It is a delivery risk.