EU AI Act Compliance for SMBs: What You Need to Do Before August 2026

The EU AI Act is not a proposal, a draft, or a discussion paper. It entered into force on August 1, 2024. The first set of prohibitions took effect on February 2, 2025. The next major enforcement milestone - covering general-purpose AI models and the transparency obligations - lands on August 2, 2025. And the full set of high-risk AI system requirements becomes enforceable on August 2, 2026.

That is less than five months away.

For large enterprises with dedicated legal and compliance teams, the EU AI Act is already a known quantity. They have been preparing for years. For small and mid-sized businesses, the situation is different. Most SMBs deploying AI systems have not yet started a formal compliance process. Many are not sure the regulation applies to them. Some have not heard of it at all.

This guide is for those companies. It covers what the EU AI Act actually requires, how its risk classification system works, what SMBs specifically need to worry about, and how to get from zero to compliant before the August 2026 deadline.

Key Takeaways

• The EU AI Act applies to any company whose AI systems affect people in the EU, regardless of company size or location
• Most SMBs deploy AI that falls into the high-risk or limited-risk categories, both of which carry specific compliance obligations
• Penalties are severe: up to 35 million euros or 7% of global annual revenue for the most serious violations
• SMBs benefit from proportionality provisions but are not exempt from core requirements
• The practical path to compliance starts with an AI inventory and risk classification, not with buying tools or hiring consultants
• Existing compliance work on GDPR, SOC 2, or ISO 27001 provides a foundation, but AI-specific gaps remain

The EU AI Act Timeline: What Is Enforceable and When

The EU AI Act uses a phased enforcement schedule. Not everything hits at once. Understanding which obligations apply at each stage is the first step to prioritizing your compliance work.

February 2, 2025 - Prohibited AI practices. The ban on AI systems deemed to pose an unacceptable risk is already in effect. This includes social scoring systems, real-time biometric identification in public spaces (with narrow exceptions for law enforcement), AI that exploits vulnerabilities of specific groups, and subliminal manipulation techniques. Most SMBs do not deploy these types of systems, but you should verify that none of your AI features cross these lines.

August 2, 2025 - General-purpose AI (GPAI) model obligations and governance structure. Providers of general-purpose AI models must comply with transparency requirements, including technical documentation, copyright law compliance, and publishing training data summaries. GPAI models with systemic risk face additional requirements around adversarial testing and incident reporting. If you are building on top of a GPAI model (like GPT-4, Claude, or Gemini) rather than providing one, this stage primarily affects your upstream vendors. But you should be asking those vendors for their compliance documentation now.

August 2, 2026 - High-risk AI system requirements. This is the big one. The full set of obligations for high-risk AI systems becomes enforceable: risk management systems, data governance, technical documentation, record-keeping, transparency to users, human oversight, accuracy, and cybersecurity requirements. If your AI system falls into a high-risk category, you need to meet all of these by August 2.

August 2, 2027 - Certain high-risk AI embedded in regulated products. High-risk AI systems that are components of products already covered by existing EU product safety legislation (medical devices, aviation systems, vehicles) get an extra year. This is unlikely to apply to most SMBs.

The critical deadline for the majority of SMBs is August 2, 2026. That is the date by which your high-risk AI systems must have a complete risk management system, proper documentation, human oversight mechanisms, and all the other requirements detailed later in this guide.

The Risk Classification System: Where Your AI System Fits

The EU AI Act organizes AI systems into four risk tiers. Your compliance obligations depend entirely on which tier your AI system falls into. Getting this classification right is the single most important step in your compliance process.

Unacceptable Risk (Prohibited)

These AI applications are banned outright, effective February 2025:

• Social scoring by governments or private actors that leads to detrimental treatment of individuals
• Real-time remote biometric identification in publicly accessible spaces for law enforcement (with very limited exceptions)
• Exploitation of vulnerabilities - AI that targets people based on age, disability, or socioeconomic circumstances to distort their behavior
• Subliminal manipulation - AI techniques that deploy subliminal components people cannot perceive to materially distort behavior
• Emotion recognition in workplace and educational settings
• Biometric categorization that infers sensitive attributes like race, political opinions, sexual orientation, or religious beliefs
• Untargeted scraping of facial images from the internet or CCTV to build facial recognition databases

If any of your AI features fall into these categories, the only compliant action is to shut them down. There is no exception process for SMBs.

High-Risk

This category carries the heaviest compliance burden and is where most SMBs need to pay the closest attention. An AI system is classified as high-risk if it falls into one of two buckets:

Bucket 1: AI systems that are safety components of products covered by existing EU legislation. This includes medical devices, vehicles, machinery, toys, lifts, pressure equipment, radio equipment, aviation systems, and more. If your AI is embedded in a regulated product, it inherits high-risk classification.

Bucket 2: AI systems in specific use-case domains listed in Annex III. These include:

• Biometrics - Remote biometric identification (non-real-time), biometric categorization, emotion recognition (outside the banned categories)
• Critical infrastructure - AI used in the management or operation of road traffic, water, gas, heating, or electricity supply
• Education and vocational training - AI that determines access to education, evaluates learning outcomes, or monitors students during exams
• Employment and workforce management - AI used for recruitment, candidate screening, performance evaluation, promotion decisions, task allocation, or termination
• Access to essential services - AI for credit scoring, insurance pricing, evaluating eligibility for public benefits, or emergency service dispatching
• Law enforcement - AI for risk assessment, polygraphs, evidence analysis, or crime prediction
• Migration, asylum, and border control - AI for risk assessment, document authentication, or application processing
• Administration of justice - AI that assists judicial authorities in fact-finding or applying the law

Here is where it gets real for SMBs. If you have built an AI-driven hiring tool, a credit assessment feature, an insurance underwriting model, a student evaluation system, or an employee performance analysis tool, you are deploying a high-risk AI system. The obligations that follow are substantial.

Limited Risk

Limited-risk AI systems have transparency obligations. The primary requirement is disclosure: users must be informed that they are interacting with an AI system. This category covers:

• Chatbots and conversational AI - Users must know they are talking to AI, not a human
• AI-generated content - Content generated or manipulated by AI (text, images, audio, video) must be labeled as such
• Deepfakes - Any AI-generated or manipulated image, audio, or video that resembles real people, places, or events must be clearly marked
• Emotion recognition and biometric categorization (where not banned or high-risk) - Users must be informed these systems are in operation

Most SMBs using AI chatbots for customer support, AI content generation for marketing, or AI-based communication tools fall into this category. The compliance burden is lighter than high-risk but still requires documented processes and user-facing disclosures.

Minimal Risk

AI systems that do not fit into the above categories are minimal risk. Spam filters, AI-enabled video games, inventory management systems, and most internal analytics tools fall here. The EU AI Act imposes no specific obligations on minimal-risk AI, though the Commission encourages voluntary codes of conduct.

What SMBs Specifically Need to Worry About

Large enterprises tend to have AI use cases spread across all risk categories. SMBs typically concentrate in two areas: high-risk (often without realizing it) and limited-risk.

The "We Didn't Know It Was High-Risk" Problem

The most common mistake we see at BeyondScale is SMBs that have built or deployed AI features without realizing they fall under Annex III. A few real patterns:

• A recruiting SaaS platform that uses AI to rank and filter job applicants. That is Annex III, category 4(a): AI for recruitment and candidate screening. High-risk.
• A fintech startup that uses an ML model to assess creditworthiness for loan applications. That is Annex III, category 5(a): AI for credit scoring. High-risk.
• An edtech company that uses AI to grade student essays or evaluate exam performance. That is Annex III, category 3(a): AI to determine access to or evaluate learning outcomes. High-risk.
• An HR platform that uses AI to flag employees for performance reviews or recommend promotions. That is Annex III, category 4: employment and workforce management. High-risk.

In each of these cases, the SMB built the feature because it added value for their customers. None of them set out to build a "high-risk AI system." But under the EU AI Act, that is what they have, and they must comply accordingly.

The Deployer vs. Provider Distinction

The EU AI Act distinguishes between providers (who develop or place AI systems on the market) and deployers (who use AI systems under the provider's authority). Most SMBs occupy one of three positions:

Pure deployer. You use a third-party AI system (like integrating an LLM API for customer support). Your obligations focus on proper use, monitoring, transparency, human oversight, and cooperating with the provider.

Provider. You developed an AI system and offer it to others. You bear the full weight of high-risk obligations: risk management, data governance, documentation, conformity assessment, and post-market monitoring.

Deployer who becomes a provider. This is the trap. If you take a third-party AI system and substantially modify it, put your own name on it, change its intended purpose, or make a substantial modification, you become a provider under the Act. This is common among SMBs that fine-tune foundation models or build significant application layers on top of APIs.

Understanding which role you occupy determines the scope of your obligations. Get this wrong and you will either over-invest in compliance you do not need or, worse, under-invest in compliance you do.

Practical Compliance Checklist for SMBs

This checklist applies to SMBs that deploy or provide AI systems classified as high-risk or limited-risk under the EU AI Act. Work through it sequentially.

Phase 1: Discovery and Classification (Weeks 1-3)

• [ ] Build a complete AI inventory. List every AI system your company develops, deploys, or uses. Include third-party AI tools used by employees (ChatGPT, Copilot, etc.). For each, document the use case, the data it processes, and who it affects.
• [ ] Classify each system by risk level. Map each AI system against the prohibited practices list and the Annex III high-risk categories. When in doubt, classify higher rather than lower.
• [ ] Determine your role. For each AI system, determine whether you are a provider, deployer, or distributor. Document any modifications you have made to third-party systems.
• [ ] Identify EU touchpoints. Even if you are headquartered outside the EU, determine whether your AI systems produce outputs affecting people in the EU.

Phase 2: Gap Analysis (Weeks 3-6)

• [ ] Assess current documentation. For each high-risk system, evaluate whether you have: a risk management system, data governance procedures, technical documentation, record-keeping systems, user transparency measures, human oversight mechanisms, accuracy metrics, and cybersecurity controls.
• [ ] Map existing compliance work. Identify what you already have from GDPR, SOC 2, ISO 27001, or other frameworks that can be reused or extended for AI Act compliance.
• [ ] Document gaps. Create a prioritized list of compliance gaps, sorted by risk level and effort to close.

Phase 3: Implementation (Weeks 6-14)

• [ ] Establish a risk management system. For high-risk AI, implement a continuous risk management process: identify risks, estimate and evaluate them, adopt mitigation measures, and test effectiveness. This is not a one-time assessment. It must be maintained throughout the AI system's lifecycle.
• [ ] Implement data governance. Document data sources, quality measures, bias detection procedures, and data preparation methods for training, validation, and testing datasets.
• [ ] Create technical documentation. Document system architecture, design choices, algorithms used, training methodology, performance metrics, known limitations, and intended purpose.
• [ ] Set up record-keeping. Implement automatic logging of system operations with enough detail to verify compliance. Logs must be retained for a period appropriate to the system's intended purpose, and at least six months.
• [ ] Build transparency mechanisms. Ensure users are informed about the nature and limitations of the AI system. For high-risk systems, provide clear instructions for use.
• [ ] Implement human oversight. Design systems so that humans can effectively oversee operation, interpret outputs, decide not to use the system, or intervene and stop it. Document how oversight works in practice.
• [ ] Establish accuracy and robustness metrics. Define, measure, and document the accuracy, robustness, and cybersecurity properties of each high-risk AI system. Implement monitoring for drift and degradation.
• [ ] Set up post-market monitoring. Create a system to actively collect and analyze data on AI system performance after deployment. Define triggers for corrective action.

Phase 4: Verification and Maintenance (Weeks 14-18)

• [ ] Conduct internal audit. Review all documentation, controls, and processes against the full set of EU AI Act requirements for your risk category.
• [ ] Prepare for conformity assessment. Depending on the type of high-risk system, you may need a third-party conformity assessment or self-assessment. Determine which applies and prepare the necessary evidence.
• [ ] Register in the EU database. High-risk AI systems must be registered in the EU database before being placed on the market.
• [ ] Establish ongoing review cadence. Compliance is not a one-time event. Schedule regular reviews of your AI systems, risk assessments, and documentation.

Common Compliance Gaps BeyondScale Finds in Audits

After working with organizations across multiple industries on AI governance and compliance, we consistently find the same gaps. These are ordered by how frequently we encounter them.

1. No AI Inventory

You cannot classify what you have not cataloged. The most common gap is simply not knowing what AI systems are in use. Shadow AI - employees using AI tools without IT knowledge or approval - makes this worse. We routinely find organizations with 3-5x more AI touchpoints than they initially reported.

Start by surveying every team. Check procurement records for AI vendor contracts. Review API keys and cloud service subscriptions. Check browser extensions, desktop applications, and internal tools. The inventory is the foundation that everything else builds on.

2. Incorrect Risk Classification

The second most common gap is classifying a high-risk system as limited or minimal risk because the team building it did not check the Annex III categories. This is especially prevalent with HR, recruitment, and fintech applications where the AI feature was added incrementally to an existing product.

Incorrect classification means you are not meeting the obligations that apply to your system. When a regulator examines your compliance posture, this is one of the first things they will look at.

3. Missing or Inadequate Documentation

Even when systems are correctly classified, the documentation is often incomplete. Common gaps include:

• No description of the AI system's intended purpose and foreseeable misuse
• No documentation of training data characteristics and preparation methods
• No record of design choices and architectural decisions
• Performance metrics that cover accuracy but ignore fairness, robustness, and cybersecurity
• No documentation of known limitations and conditions where the system may underperform

The EU AI Act requires technical documentation that is "drawn up before that system is placed on the market or put into service and shall be kept up to date." Retroactively documenting a system you built two years ago is harder than documenting as you go.

4. Insufficient Human Oversight

Many SMBs have automated AI-driven processes end-to-end without meaningful human oversight. The EU AI Act requires that high-risk AI systems be "designed and developed in such a way, including with appropriate human-machine interface tools, that they can be effectively overseen by natural persons."

This does not mean a human has to approve every AI output. It means the system must be designed so that a human can understand what it is doing, interpret its outputs, decide to override it, and stop it if necessary. If your AI system auto-rejects loan applications, auto-screens resumes, or auto-flags students for review with no human in the loop, you have a gap.

5. No Post-Market Monitoring

Compliance does not end at deployment. High-risk AI systems require a post-market monitoring system that actively and systematically collects, documents, and analyzes relevant data on system performance throughout its lifetime. Most SMBs have basic uptime monitoring but nothing specifically designed to track AI-specific metrics like accuracy drift, fairness degradation, or changes in output distribution.

6. Provider-Deployer Confusion

SMBs that fine-tune foundation models or build substantial application logic on top of third-party AI systems often do not realize they have assumed provider obligations. If you have modified a third-party model beyond what the original provider intended, changed its intended purpose, or put your name on it as the AI system, you are a provider. This confusion leads to compliance gaps because the SMB believes their upstream vendor's compliance covers them, when in fact it does not.

How the EU AI Act Intersects with GDPR, NIST AI RMF, and ISO 42001

The EU AI Act does not exist in isolation. It overlaps and interacts with several other regulatory and standards frameworks. Understanding these intersections helps you avoid duplicate work and build a compliance posture that satisfies multiple requirements simultaneously.

EU AI Act and GDPR

The intersection between these two regulations is significant. Almost every AI system processes personal data, which means GDPR applies alongside the AI Act. Key overlaps:

• Data Protection Impact Assessments (DPIAs). GDPR requires DPIAs for processing that is "likely to result in a high risk" to individuals. The AI Act requires risk assessments for high-risk AI systems. These assessments overlap substantially. A well-structured DPIA that covers AI-specific risks can satisfy elements of both.
• Transparency. GDPR Article 22 gives individuals the right not to be subject to decisions based solely on automated processing. The AI Act's transparency requirements build on this, requiring disclosure of AI system use and meaningful information about the logic involved.
• Data minimization and purpose limitation. GDPR principles constrain what data you can use for AI training and inference. The AI Act's data governance requirements for high-risk systems add layer of specificity around training data quality and bias.
• Data subject rights. The right to access, rectification, and erasure under GDPR applies to AI systems. If your model was trained on personal data, you need a documented approach to handling data subject requests, even if full erasure from a trained model is technically challenging.

If you are already GDPR-compliant, you have a head start. Your data processing records, DPIAs, consent mechanisms, and data subject rights processes form a foundation. But you will need to extend them to cover AI-specific requirements that GDPR does not address: risk management systems, technical documentation of AI systems, conformity assessments, and post-market monitoring.

EU AI Act and NIST AI RMF

The NIST AI Risk Management Framework is a voluntary framework widely adopted in the United States. While it does not carry legal force, many organizations use it as their primary AI governance structure, and U.S. federal agencies are expected to align with it.

The NIST AI RMF and the EU AI Act share conceptual foundations but differ in approach:

• Risk-based thinking. Both frameworks center on identifying and managing AI risks. The AI Act prescribes specific risk categories and obligations. NIST provides a more flexible framework for organizations to define their own risk tolerance and controls.
• Governance. The NIST AI RMF's GOVERN function maps to the AI Act's requirements around organizational accountability, roles, and compliance management.
• Mapping and measuring. NIST's MAP and MEASURE functions align with the AI Act's requirements for risk assessment, testing, and performance monitoring.
• Managing. NIST's MANAGE function corresponds to the AI Act's post-market monitoring and incident response requirements.

For SMBs already using NIST AI RMF, the mapping to EU AI Act requirements is relatively straightforward. The key additions are the prescriptive nature of the Act (NIST is flexible; the AI Act has hard requirements), the conformity assessment process, the EU database registration, and the specific documentation format.

EU AI Act and ISO 42001

ISO 42001 is the international standard for AI management systems, published in December 2023. It provides a framework for establishing, implementing, maintaining, and continually improving an AI management system within an organization.

The relationship between ISO 42001 and the EU AI Act is especially relevant for SMBs because ISO 42001 certification can serve as evidence of compliance posture. The European Commission has indicated that harmonized standards, including ISO standards, may be recognized as a means of demonstrating conformity with the AI Act.

Key alignments:

• AI management system structure. ISO 42001 requires a systematic approach to managing AI risks, which maps directly to the AI Act's risk management system requirements.
• Documentation. ISO 42001's documentation requirements overlap significantly with the AI Act's technical documentation requirements for high-risk systems.
• Risk assessment. ISO 42001's risk assessment processes are compatible with the AI Act's risk classification and assessment requirements.
• Continuous improvement. ISO 42001's continuous improvement cycle aligns with the AI Act's post-market monitoring and ongoing compliance requirements.

If you are considering ISO 42001 certification, the work you do to prepare will directly support EU AI Act compliance. The reverse is also true - building toward AI Act compliance puts you in a strong position to pursue ISO 42001 certification.

For a deeper look at how these frameworks connect with SOC 2 audit requirements, see our SOC 2 for AI systems guide. For a broader view of enterprise AI governance frameworks, see our AI governance framework guide.

Step by Step: Getting from Zero to Compliant

If you have not started any EU AI Act compliance work yet, here is the sequence that gets results with the least wasted effort.

Step 1: Appoint an AI Compliance Owner

Compliance work without a clear owner does not get done. Assign one person with the authority and accountability to drive the process. In an SMB, this is often the CTO, VP of Engineering, or Head of Product. It does not have to be a lawyer, but it does have to be someone who understands both the technical architecture and the business context of your AI systems.

If your AI systems affect EU residents and you do not have an EU presence, you must also appoint an authorized representative in the EU. This is a legal requirement under Article 22.

Step 2: Catalog Every AI System

Do a thorough audit. Walk through every product feature, every internal tool, every vendor integration. Ask every team lead: "What AI tools does your team use or build?" Document each system with:

• Name and version
• Provider (in-house, third-party, or modified third-party)
• Intended purpose
• Data inputs and outputs
• Who is affected by the system's outputs
• Whether it processes personal data
• Whether it makes or supports decisions about individuals

This inventory becomes your source of truth for all subsequent compliance work.

Step 3: Classify and Prioritize

Map each AI system against the Act's risk categories. Be conservative in your classification. If a system is borderline between limited and high-risk, treat it as high-risk until you can confirm otherwise.

Prioritize your compliance work based on risk level and business exposure. High-risk systems that affect EU residents and are core to your revenue should be addressed first.

Step 4: Conduct a Gap Assessment

For each high-risk system, evaluate your current state against the full set of Article 9-15 requirements:

• Article 9: Risk management system
• Article 10: Data and data governance
• Article 11: Technical documentation
• Article 12: Record-keeping
• Article 13: Transparency and provision of information to deployers
• Article 14: Human oversight
• Article 15: Accuracy, robustness, and cybersecurity

For limited-risk systems, evaluate against the Article 50 transparency requirements.

Document every gap with a clear description, a severity rating, and an estimated effort to close.

Step 5: Build Your Risk Management System

This is the backbone of high-risk AI compliance. The risk management system must be a continuous, iterative process that runs throughout the AI system's lifecycle. It must:

• Identify and analyze known and reasonably foreseeable risks
• Estimate and evaluate risks that may emerge when the system is used in accordance with its intended purpose and under conditions of reasonably foreseeable misuse
• Evaluate risks based on post-market monitoring data
• Adopt suitable risk management measures

The risk management system must be documented and maintained. It is not a spreadsheet you fill out once. It is a living process.

Step 6: Document Everything

For high-risk AI systems, create and maintain technical documentation covering:

• General description of the AI system
• Detailed description of the elements and development process
• Information about monitoring, functioning, and control
• Description of the risk management system
• Description of changes made over the system's lifecycle
• A list of harmonized standards or common specifications applied
• A copy of the EU declaration of conformity

Start this documentation now, even if incomplete. It is far easier to fill in gaps incrementally than to create everything from scratch at the deadline.

Step 7: Implement Required Controls

Based on your gap assessment, implement the technical and organizational controls needed for compliance:

• Data governance procedures for training and testing data
• Automatic logging and record-keeping systems
• User-facing transparency measures (disclosures, instructions for use)
• Human oversight interfaces and processes
• Accuracy monitoring and drift detection
• Cybersecurity measures appropriate to the risk level
• Post-market monitoring procedures

Step 8: Prepare for Conformity Assessment

Depending on your AI system type and the applicable Annex III category, you may need to undergo a third-party conformity assessment by a notified body, or you may be able to perform a self-assessment using internal procedures. Review Annex VI (internal control) and Annex VII (conformity assessment by notified body) to determine which applies.

For self-assessment, prepare a quality management system and technical documentation package that demonstrates conformity. For third-party assessment, begin engaging with notified bodies early - their capacity is limited and demand will increase as the deadline approaches.

Step 9: Register and Declare Conformity

Before placing a high-risk AI system on the market or putting it into service in the EU:

• Register the system in the EU database (Article 71)
• Draw up an EU declaration of conformity (Article 47)
• Affix the CE marking (Article 48)

Step 10: Operationalize Ongoing Compliance

Compliance is not a project with an end date. After achieving initial conformity:

• Run post-market monitoring continuously
• Report serious incidents to market surveillance authorities within 15 days
• Update risk assessments when you detect new risks or when the system is substantially modified
• Keep documentation current
• Re-assess conformity when you make substantial modifications to the system

Why SMBs Should Start Now, Not Wait

We hear the same objections from SMBs considering whether to begin compliance work:

"We'll wait for final guidance and implementing acts." The regulation is final. The text is published. While some implementing acts and standards are still being developed, the core obligations are clear enough to begin work today. Waiting for perfect clarity means starting too late.

"We're too small to be a target for enforcement." This is the same logic that led many small companies to ignore GDPR until they received their first complaint or data subject access request. EU member state regulators have repeatedly shown willingness to enforce regulations against companies of all sizes. The penalties are proportional to revenue, which means an SMB faces fines calibrated to hurt at their scale, not just at enterprise scale.

"Our AI vendor handles compliance." If you are a pure deployer using a compliant AI system exactly as the provider intended, your vendor's compliance posture helps. But deployer obligations still apply to you: monitoring, transparency, human oversight, and record-keeping. And if you have modified the system in any way, you may have assumed provider obligations without realizing it.

"We can do it quickly when we need to." No, you cannot. Building a risk management system, documenting your AI systems thoroughly, implementing human oversight mechanisms, and establishing post-market monitoring takes months, not weeks. The organizations that get caught scrambling at the deadline are the ones that assumed compliance was a quick project.

The practical argument for starting now is simple. Compliance work done early is less expensive, less disruptive, and higher quality than compliance work done under deadline pressure. You have the time to make thoughtful decisions about risk management, to build documentation into your development process, and to implement controls that actually improve your AI systems rather than just checking a regulatory box.

Five months is enough time to achieve compliance if you start now. It is not enough time if you start in July.

Where BeyondScale Fits

BeyondScale works with SMBs and enterprises to close AI compliance gaps. Our work covers AI system inventories, risk classification, gap assessments, documentation, and the technical implementation of controls required by the EU AI Act, GDPR, SOC 2, and ISO 42001.

If you are starting from zero or if you have partial compliance and need to identify what is missing, reach out to our team. We have seen enough AI compliance projects to know where the gaps hide and how to close them efficiently.