The EU AI Act takes shape. You can prepare before the text is final.
The EU AI Act is still a moving text. Parliament's committees have just voted their position, the Council has its own, and the trilogue ahead will change details that lawyers are rightly refusing to predict. It is tempting for enterprises to conclude that nothing useful can be done until the ink is dry.
We would argue the opposite. The Act's architecture, a risk-based classification of AI systems, with obligations of documentation, oversight, and transparency attached, has been stable through every draft. The details will move; the shape will not. And the shape is enough to act on.
What every draft agrees on
- You will need to know which AI systems your organization uses, for what purposes, with what data. An inventory, in short, and inventories built in a hurry are always wrong.
- Higher-risk uses will carry documentation and oversight duties. Distinguishing your risky uses from your trivial ones requires the same inventory, plus honesty.
- Accountability will follow the deployer as well as the provider. "The vendor handles compliance" will not survive contact with the final text.
Regulation rewards organizations that can see themselves clearly. That capability takes years to build and is useful every day you have it, whatever Brussels decides.
Separate the durable from the debatable
The useful discipline while a regulation is still in flux is to sort its requirements into two piles: the ones that depend on the exact wording, and the ones that do not. The precise risk thresholds, the contents of a conformity assessment, the specific annexes, these will move in the trilogue, and building against them now is a genuine waste of effort. But the requirement to know your own AI footprint does not depend on a single comma, and it will not soften in any version of the text.
Everything in the durable pile can be started today with no regulatory risk, because it is simply good practice that the Act happens to make mandatory. An accurate inventory of your AI systems, visibility into what data they touch, and the habit of classifying uses by risk are valuable whether the final threshold lands here or there. You are not betting on a particular outcome; you are building the capability every outcome will require.
Starting before the starting gun
The practical first step costs nothing legal: route your organization's AI usage through infrastructure that records it. Every system discovered, every data flow made visible now is one less archaeology project when the classification exercise becomes mandatory. Enterprises that did this for data flows before GDPR spent 2018 confirming what they knew; the others spent it excavating.
There will be time enough to argue about annexes. The inventory, the visibility, and the habit of asking "should this system be doing this?" can start today, and none of it will be wasted whichever compromise emerges from the trilogue.