80% of Companies Are Already Out of Step With the AI Act and Don't Know It

Hero image for 80% of Companies Are Already Out of Step With the AI Act and Don't Know It

The tool worked. That was never the problem. A business manager had specced it with AI, straight from the business need, and the result did what he asked: it ran, it produced output, it looked finished. What it did not have was a single log line. No trace of why it produced a given answer. Nothing that could explain, later, a bad call made on real employee data. Nobody had asked for any of that, so the AI built none of it.

That absence is the gap nobody priced in. Scaled across a company and pointed at the wrong category of system, it puts you out of step with the EU AI Act without a single person acting in bad faith.

The AI Act assumes an engineering floor you may not have built

Here is the collision worth sitting with. The AI Act (Regulation (EU) 2024/1689) does not ask high-risk system operators to start testing their AI. It assumes they already do. Read the high-risk obligations and you will notice they are written on top of an engineering discipline that is taken for granted. Article 12 and Article 19 require automatic record-keeping and logging, with logs retained at least six months. Annex IV and Article 11 define what the technical documentation must contain; Article 18 requires keeping it at the disposal of authorities for ten years after the system is placed on the market. Article 14 requires human oversight designed in, with real intervention and stop capability, and it clearly calls out automation bias — the tendency to over-trust a machine's output — which tells you the drafters understood exactly how people behave around confident machines. Article 15 requires testing for accuracy, robustness, and resistance to adversarial manipulation.

Every one of those clauses assumes a working baseline: that you log what your systems do, that you test them against errors, that a human can see inside the decision and pull the lever when it goes wrong. The Act regulates on top of that floor. It does not build the floor for you.

Now hold that next to the data. The ServiceNow and ThoughtLab Enterprise AI Maturity Index for 2026 surveyed 4,500 executives and 2,000 employees across 19 countries and 12 industries. The number that matters: only 20% of organizations have implemented AI testing, auditing, and risk-assessment processes. Read that the way an engineer reads a red alert on a dashboard. Four out of five organizations have not built the discipline the high-risk regime stands on.

So the inference — and I want to be precise that it is an inference, not a directly measured compliance figure — is that roughly 80% of companies are structurally out of step with what the Act assumes, for any system that falls in the high-risk tier. The obligations exist on paper; the engineering they depend on does not.

Almost everything written about the AI Act treats it as a legal question: what does "high-risk" mean, what exactly does Article 14 require. Read it that way and the hard part is understanding the text, and the logging, testing, and oversight would somehow build themselves once the reading is done. They do not build themselves. The Act is an engineering problem wearing legal language, and the harder question is whether the infrastructure it takes for granted — the logging, the testing, the oversight — exists in your organization at all. For most companies the honest answer is no, and they have never checked.

Scope this before you panic

The alarm only applies to a specific subset of systems, and saying so is the difference between analysis and fear-mongering. The Act tiers systems by risk. Most internal tools — the meeting summarizer, the draft-email assistant, the thing that reformats your reports — sit in the minimal-risk tier and carry none of these obligations. You can run those with a clear conscience and a thin paper trail.

The obligations attach to the high-risk tier, defined largely by Annex III: systems used in employment and worker management, access to essential services, credit scoring, critical infrastructure, biometric categorization, and a handful of others. A tool that screens job candidates, ranks employees, or gates someone's access to a service is in a different legal universe than one that summarizes a PDF.

So the first move is not legal. It is classification. You cannot assess your exposure until you know which of your systems are in scope, and in my experience companies have done this for zero of them. They know the AI Act exists. But they have not mapped their own deployments against it. The business manager with the AI-specced tool could not have told you which tier it fell in, because the question never came up, and depending on what that tool actually decides, the answer changes everything about what he owed under the law.

The reason capability outran the floor

The same maturity report explains how we got here. 59% of organizations are past piloting agentic AI, but only 9% have working autonomous multistep workflows. Capability is being deployed far faster than the governance layer beneath it. Only 16% have replaced fragmented legacy systems with an integrated platform; 41% still cite siloed data as a blocker. You cannot log and audit a decision cleanly when the data feeding it lives in six disconnected systems and the workflow stitching them together is held up with visual no-code duct tape.

I have lived the small version of this, spending months building AI automation pipelines in visual tools. They produced output. But when a node failed silently, I had no clean trace of what happened or why, and debugging meant clicking through visual steps trying to find which one died. I eventually rewrote the core of it as proper code, and what changed was not speed. I could finally see inside it. Now imagine that same opacity at a corporate level sitting under a system that decides who gets a loan or who keeps a job. That is the engineering gap the Act assumes you closed before it ever showed up.

There is a cultural tell in the data too. 57% of employees think leadership is not keeping up with fast-changing trends. That is what the governance gap feels like from below: the people closest to the work can sense that the controls are not there, even when the official version says they are.

What this actually requires of you

Stop treating this as a question of whether you have read the regulation correctly. The exposure for anything you run in the high-risk tier comes down to one thing: whether the testing, logging, and oversight discipline — the one the entire regime takes for granted — actually exists under your systems. If it does not, you are not one clause away from compliance. You are one engineering layer away, and that layer takes months to build and tune, not an afternoon with a lawyer.

The work is two concrete steps, in order. First, classify your AI systems by tier so you know which ones carry high-risk obligations and which ones you can leave alone. Most of your tools will fall out of scope, and that is the point. You want to spend your effort where the law actually bites. Second, for the systems that remain, check whether the assumed baseline is there: automatic logging you retain, documentation you can produce, testing against accuracy and adversarial failure, and a human who can both see the decision and stop it.

When that human can pull the stop lever in time and understands what they are overriding, you have oversight. When the data feeding the decision lives across four disconnected systems with no trace of what changed, you have a documentation requirement you cannot satisfy and an audit you would fail. A structured workflow audit is one way to surface exactly where those traces break down.

Most companies have done neither step. They have not classified their systems, and they have not audited the foundation under the ones that matter. Start with the first. Pull a list of every AI-assisted system that touches employment, access, credit, or essential services, and ask one question of each: if a regulator asked us to show six months of logs and explain a single decision, could we. The systems where the answer is no are your real exposure — and that one hour of asking will tell you more than another month of reading the Act.