The Compliance Frame Is the Wrong Frame
The EU AI Act will enter into force progressively from 2024 through 2026, with obligations for high-risk AI systems requiring compliance well before the largest fines apply. Most organisations encountering the Act for the first time are treating it as a compliance programme: identify which of our AI systems are in scope, implement the required controls, document the evidence, obtain the assessment. This is accurate but insufficient.
The compliance frame treats the AI Act as a cost and a constraint. The strategic frame recognises it as a market signal, a competitive differentiator, and a product design input. Organisations that build compliance programmes alone will spend money and achieve compliance. Organisations that build compliance programmes within a strategic frame will spend similar money and emerge with AI governance capabilities that are a competitive advantage in markets where enterprise customers care about how their vendors manage AI risk.
The difference in outcome from these two approaches will not be visible in the first year of implementation. It will be visible in year three.
What the Act Actually Requires
The AI Act applies a risk-based framework to AI systems. Most AI use cases fall into minimal or limited risk categories with light-touch obligations. The substantive compliance burden applies to AI systems classified as high-risk: AI in critical infrastructure, employment and HR decisions, education, essential services, law enforcement, migration, and administration of justice. AI systems that manipulate behaviour or exploit vulnerabilities are prohibited entirely.
For high-risk AI systems, the obligations are extensive. They include conformity assessments, risk management systems, data governance documentation, technical documentation, logging requirements, human oversight mechanisms, accuracy and robustness requirements, and registration in a public EU database. These are not checkbox requirements. They require genuine architecture decisions, process design, and governance infrastructure.
The obligations for foundation model providers and GPAI systems add a second category of significant compliance requirements, addressing the specific risks of general-purpose AI that may be integrated into third-party products in ways the original developer cannot fully anticipate.
For most enterprises, the practical scope question is: which of our current or planned AI deployments involve high-risk AI systems as defined by the Act? The answer requires legal interpretation of the Act’s category definitions, and for many organisations it will be narrower than an initial reading suggests. But the narrowing of scope from the initial assessment is not a licence to stop the strategic analysis.
The Three Business Decisions Hidden Inside the Compliance Question
The AI Act compliance programme reveals three business decisions that require board-level attention, not IT governance attention.
The first is product strategy. For organisations that build AI-powered products or incorporate AI into their services, the Act’s high-risk classification determines which products face the heaviest compliance burden. In some cases, the compliance burden is a design input that should affect product architecture decisions made now, before compliance infrastructure is built around architectures that are harder to make compliant. The product team and the legal team need to be in the same room for these decisions, with a technology leader who can translate between the regulatory requirements and the product architecture options.
The second is procurement strategy. Most enterprises are AI consumers rather than AI developers: they purchase AI capabilities from vendors and integrate them into their processes. The AI Act creates obligations for these integrators, not just for the model developers. An enterprise that deploys a high-risk AI system bears compliance obligations regardless of whether it built the underlying model. Procurement processes need to evaluate vendor AI Act compliance postures, and contracts need to address liability allocation. This is a procurement governance decision with legal, commercial, and technology dimensions that the IT function cannot resolve alone.
The third is talent and geographic strategy. The Act applies to AI systems that affect persons in the EU, regardless of where the AI system is developed or operated. European subsidiaries of non-European companies are in scope. Conversely, AI systems deployed exclusively outside the EU are not. For multinational organisations with global AI programmes, the Act’s territorial scope is a variable in the AI deployment strategy, and optimising for it requires coordination between legal, HR, product, and technology strategy.
The Governance Gap That Is Almost Universal
The EU AI Act requires organisations to have an AI inventory, AI risk classification, and AI governance processes. Assessments of enterprise AI governance maturity consistently reveal the same gap: most organisations do not have a systematic inventory of their AI systems, and cannot confidently answer which of their AI deployments would be classified as high-risk under the Act.
The shadow AI problem compounds this. AI capabilities are now embedded in productivity tools, CRM platforms, HR systems, and dozens of other enterprise applications purchased by business units, often without central IT or governance involvement. The AI inventory required for Act compliance needs to include these embedded AI capabilities, which requires a discovery process that is broader than any existing IT asset inventory process.
Building the AI inventory is the prerequisite for everything else. Without it, the risk classification is incomplete, the conformity assessment process cannot be scoped, and the compliance programme is addressing a subset of the actual exposure. The inventory work is not glamorous and it is not technically complex, but it is the foundation that the strategic and compliance work rests on.
The Market Positioning Opportunity
The AI Act compliance that most organisations are treating as a cost is a market differentiator for the organisations that treat it as a product. In sectors where enterprise customers care about AI risk, an AI governance posture that meets EU AI Act requirements at the high-risk level is a procurement differentiator. Financial services, healthcare, public sector, and critical infrastructure customers are increasingly including AI risk management in vendor assessments. The organisation that can demonstrate a credible AI governance programme wins business from the one that cannot, in markets where AI governance is a purchasing criterion.
This is the strategic frame that the compliance programme should be embedded in. Not: how do we achieve compliance with the minimum investment? But: how do we build AI governance capability that meets the Act’s requirements and that is demonstrably superior to our competitors in the markets where it matters?
The organisations that answer the second question will be in a different competitive position in three years than the ones that only answered the first.
Where does your AI governance investment sit on that spectrum today?