
The First Step to EU AI Act Compliance: Are You Flying Blind?

  • Richard Foley
  • Jun 10

Updated: Jun 12

[Image: Understanding the EU AI Act for business compliance]

You use Salesforce to manage your sales pipeline, Microsoft 365 for your documents, and maybe a tool like Intercom for customer chat. You’re using modern software to run your business efficiently. But what you might not realise is that you are also running an AI company.

Embedded within these everyday tools are powerful AI features—predicting sales, suggesting email text, powering chatbots. They are working invisibly in the background. And with the arrival of the EU AI Act, Europe's landmark regulation, "invisible" is no longer an option.

The Act introduces new rules and obligations for any business that deploys or develops AI systems in the European Union. The starting point for compliance, and for building a responsible AI strategy, is a simple but powerful question: Do you actually know what AI you are using?



You Cannot Govern What You Cannot See


Imagine a Chief Financial Officer trying to run a company without a complete list of all its bank accounts. It would be impossible. They couldn't manage risk, ensure compliance, or build a financial strategy.

In the age of AI, many businesses are operating with this exact blind spot.

An AI inventory—a comprehensive register of every AI system touching your business—is the foundational first step for any risk assessment under the EU AI Act. Without it, you are flying blind, unable to identify potential high-risk systems or meet your new legal obligations.


Building Your AI Inventory: A Leadership Team Sport


Creating a complete inventory is a strategic task that empowers your entire leadership team. To be successful, your CTO or Head of IT needs active collaboration from sales, marketing, and operations to get a full picture of how AI is being used across the business. Here are the three critical categories you need to explore together.

1. Third-Party AI: The "Invisible" Systems

[Image: Third-party AI systems in business tools, including lead scoring, CV screening, and ad personalization]

This is the largest and most overlooked category for most SMEs. These are the AI features embedded in the SaaS products you pay for every month.


  • What to look for: Does your CRM have AI-powered lead scoring? Does your HR software use AI to screen CVs? Does your marketing platform use AI for ad personalization?


  • The Checklist:


    • Create a register of all third-party software you use.

    • For each tool, investigate if it uses AI features. A quick look at the vendor's website or a question to their support team is a great start.

    • Note the purpose of the AI (e.g., "CV screening," "customer segmentation").


2. Internally-Developed AI: The "Visible" Systems

[Image: Examples of internally-developed AI systems, showing churn prediction, process automation, and data insights]

This is what most people think of when they hear "AI." These are the custom machine learning models or AI applications your own team has built.

  • What to look for: Any custom software developed to solve a unique business problem, like predicting customer churn, automating a factory process, or analysing internal data.

  • The Checklist:

    • Document every custom AI model currently in production or development.

    • Assign a clear "owner" within the business for each system.

    • Note the type of data used to train and run the model (e.g., historical sales data, user behaviour data).


3. The Data Dimension: The Fuel for the Engine

[Image: The Data Dimension: Understanding the types of data AI systems process (customer, financial, and employee data) is crucial for compliance]

An AI system is defined by the data it processes. Noting the type of data is a critical layer of your inventory.


  • What to look for: Does the system process personal data? Financial data? Sensitive health information? Employee data?

  • The Checklist:

    • For every system on your inventory (both third-party and internal), add a column noting the primary categories of data it touches.

  • Why it Matters: Under the EU AI Act, a system's risk level is often determined by its purpose and the data it uses. An AI that analyses anonymous website traffic is very different from one that analyses employee performance data, and your inventory must reflect this.


Your First Actionable Step


Creating a complete AI inventory can feel daunting. But you can start today with a simple spreadsheet.

Create a new file named "AI Register" with the following columns:


System Name | Owner/Dept | Purpose | Internal/Third-Party | Data Type | Vendor | High-Risk Candidate? (Y/N)


Begin by listing the top 5-10 software tools your business relies on and start filling in the columns. This simple act will move you from being reactive to proactive. It is the first, most crucial step towards building a trusted, responsible, and compliant AI strategy.


Ready to turn your inventory into an intelligent action plan?


Identifying your AI systems is the first step. The real value comes from understanding the specific risks and opportunities each one presents.

At Artellis, I help business leaders move beyond the checklist.


I offer a practical "AI Opportunity & Risk Masterclass" for leadership teams to analyse these findings and build a clear, prioritized roadmap for the future.


Schedule a complimentary 30-minute discovery call to discuss your AI inventory and map out your next steps toward responsible innovation.


 
 
 
