The Compliance Officer's EU AI Act Survival Guide

The Compliance Officer's New Reality

If you are a compliance officer, you have likely spent the last few years navigating GDPR, anti-money laundering regulations, sanctions compliance, and a growing list of sector-specific requirements. Now, the EU AI Act adds another major regulatory framework to your responsibilities — and it comes with its own vocabulary, risk framework, and documentation requirements.

The good news: your existing compliance skills are directly transferable. Risk assessment, documentation, audit preparation, stakeholder management — these are the core skills the AI Act demands. The challenge is applying them to a domain (artificial intelligence) that many compliance professionals are still learning.

This guide provides a practical, step-by-step approach to building your EU AI Act compliance program. No AI expertise required — just the systematic, methodical approach that good compliance officers already bring to every regulatory challenge.

Phase 1: Discovery — What AI Do We Actually Have?

Before you can comply, you need to know what you are dealing with. This is the AI inventory phase, and it is almost always more revealing than organizations expect.

Step 1: Define "AI System" for Your Organization

The AI Act defines an AI system as "a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments" (Article 3(1)). This is broad — it covers machine learning models, expert systems, optimization algorithms, and many tools that teams may not think of as "AI."

Step 2: Cast a Wide Net

Send questionnaires to every department. Interview team leads. Check procurement records for AI-related purchases. Review vendor contracts for AI capabilities. Common hiding spots for AI systems include:

• HR: Resume screening, candidate ranking, employee analytics
• Customer service: Chatbots, sentiment analysis, ticket routing
• Finance: Fraud detection, credit scoring, algorithmic trading
• Marketing: Personalization engines, predictive analytics, content generation
• IT/Security: Anomaly detection, threat analysis, automated patching
• Operations: Demand forecasting, logistics optimization, quality inspection
• Product: Recommendation engines, search algorithms, content moderation

Step 3: Create Your AI Register

For each AI system, record: the system name, vendor/developer, intended purpose, deployment status, data types processed, affected populations, business owner, and current governance measures. This register becomes the foundation of your entire compliance program.

Phase 2: Classification — What Are Our Obligations?

With your inventory complete, classify each AI system according to the AI Act's risk framework.

Step 1: Screen for Prohibited Practices

Run every system through the Article 5 prohibited practices checklist. This should be your first filter — if any system falls into prohibited territory, it needs immediate attention regardless of anything else.

Step 2: Assess High-Risk Classification

For remaining systems, evaluate against both pathways to high-risk classification: Pathway A (safety component of regulated product, Article 6(1)) and Pathway B (Annex III use cases, Article 6(2)). Pay close attention to the Article 6(3) exception — it is narrow, and relying on it requires documented justification and notification to authorities.

Step 3: Identify Limited-Risk Transparency Obligations

Check whether any systems trigger Article 50 transparency obligations — chatbots, emotion recognition, deepfake generators, and other systems that interact directly with people.

Step 4: Classify and Prioritize

Tag each system with its classification and create a prioritized compliance roadmap. High-risk systems get the most resources and the tightest timelines. Our free risk classification tool can help you work through this systematically.

Phase 3: Gap Analysis — Where Do We Stand?

For each high-risk system, assess your current state against the AI Act's requirements:

Requirement Checklist

• Risk management (Art. 9): Do you have a documented risk management system for this AI system? Is it continuous and iterative?
• Data governance (Art. 10): Are your training, validation, and testing data practices documented? Do you assess for bias?
• Technical documentation (Annex IV): Do you have comprehensive technical documentation covering all required sections?
• Logging (Art. 12): Does the system automatically log events? Can you produce records upon request?
• Transparency (Art. 13): Do deployers receive adequate instructions for use?
• Human oversight (Art. 14): Are human oversight measures designed into the system? Can operators effectively monitor, intervene, and override?
• Accuracy and robustness (Art. 15): Have you documented and validated the system's accuracy, robustness, and cybersecurity measures?
• Quality management (Art. 17): Do you have a quality management system covering the AI system's lifecycle?
• Conformity assessment (Art. 43): Have you completed (or planned) the required conformity assessment?
• EU database registration (Art. 49): Is the system registered in the EU database?
• FRIA (Art. 27): For deployers — have you conducted a Fundamental Rights Impact Assessment?
• Post-market monitoring (Art. 72): Do you have a post-market monitoring system in place?

For each gap, document the current state, the target state, the remediation actions required, the responsible owner, and the target completion date.

Phase 4: Implementation — Building Your Compliance Program

Governance Structure

Establish clear roles and responsibilities for AI governance:

• AI Governance Lead: Overall accountability for AI Act compliance (this might be you)
• System Owners: Business owners responsible for each AI system's compliance
• Technical Leads: Engineers responsible for implementing technical requirements
• Risk Committee: Cross-functional body that reviews risk assessments and classification decisions
• Legal/DPO: Legal review of classification decisions, FRIA, and regulatory submissions

Documentation Strategy

Do not try to create all documentation from scratch. Use templates and auto-generation tools to accelerate the process. Prioritize high-risk systems with the nearest compliance deadlines.

Training and AI Literacy

Article 4 requires AI literacy for all staff involved with AI systems. Implement role-specific training:

• Board/Executive: AI Act overview, governance obligations, penalty exposure
• Compliance team: Detailed requirements, classification methodology, audit preparation
• Technical teams: Technical documentation, risk management implementation, monitoring
• Business users: Safe use of AI systems, reporting obligations, human oversight responsibilities

Vendor Management

If you deploy third-party AI systems, your vendor management program needs updating. Include AI Act compliance requirements in vendor assessments, contracts, and ongoing monitoring. Request Annex IV documentation and conformity assessment evidence from AI system providers.

Phase 5: Monitoring and Continuous Compliance

Post-Market Monitoring

High-risk AI systems require ongoing monitoring throughout their lifecycle. Implement:

• Performance monitoring dashboards tracking accuracy, fairness, and reliability metrics
• Automated alerting when metrics breach predefined thresholds
• Regular review cycles (at minimum quarterly) for each high-risk system
• Incident reporting procedures for AI system failures or unexpected behaviors

Change Management

Any significant change to a high-risk AI system may require updated documentation, re-testing, and potentially a new conformity assessment. Build change management triggers into your governance process.

Audit Readiness

Maintain your compliance documentation in an always-ready state. National market surveillance authorities can request information at any time. You should be able to produce:

• Complete AI system register
• Risk classifications with supporting evidence
• Annex IV technical documentation for each high-risk system
• Conformity assessment records
• FRIA documentation
• Quality management system documentation
• Post-market monitoring records
• Incident reports and remediation records
• Training records demonstrating AI literacy compliance

Common Questions from Compliance Officers

"How do I get engineering teams to cooperate?"

Frame it as risk management, not bureaucracy. Engineering teams respond to concrete requirements with clear deliverables. Provide them with structured templates (not open-ended requests), integrate documentation into their existing workflows, and make the business case clear: non-compliance means fines up to 3% of global turnover and potential market access restrictions.

"What if we can't classify a system clearly?"

When in doubt, classify conservatively (higher risk) and document your reasoning. You can always reclassify downward with evidence. The alternative — classifying too low and being found non-compliant — is far more costly.

"How do we handle legacy AI systems?"

Legacy systems that are already on the market before August 2026 are still subject to the regulation if they are significantly modified after that date. However, legacy high-risk systems that are safety components of products (Pathway A) have until August 2027. Regardless, we recommend beginning compliance work on all systems now — legacy systems often have the largest documentation gaps.

"What resources should I request from management?"

At minimum: dedicated compliance staff time, budget for tooling (like Haffa.ai), access to engineering teams for documentation, legal support for classification decisions, and executive sponsorship for cross-functional governance.

Your 90-Day Quick-Start Plan

If you are starting from zero, here is a 90-day plan to establish foundational compliance:

• Days 1-30: Complete AI inventory and initial risk classification for all systems
• Days 31-60: Conduct gap analysis for high-risk systems; establish governance structure and assign owners
• Days 61-90: Begin Annex IV documentation for highest-priority systems; implement AI literacy training; set up compliance dashboard

Our platform is designed to support exactly this journey. Start with a free risk assessment to understand your obligations, then see our plans for the full compliance toolkit. For organizations that need hands-on help, our compliance officer solution provides the tools and expert support to get compliant on time.