EU AI ActOperating model

EU AI Act (Regulation (EU) 2024/1689) Compliance program

A workable AI Act program connects legal duties to product delivery and operations.

This page sets out how to structure governance, owners, evidence, and steady state reviews so compliance survives beyond one launch cycle.

Back to main artifact Review sources

Author

Sorena AI

Published

Mar 4, 2026

Updated

Mar 4, 2026

Sections

Structured answer sets in this page tree.

Primary sources

Cited legal and guidance references.

Publication metadata

Sorena AI

Published Mar 4, 2026

Updated Mar 4, 2026

Overview

A publication grade AI Act program is not a single policy and it is not only for legal teams. It is a cross functional operating model that decides scope, classifies obligations, turns those obligations into build work, and then keeps the resulting evidence current as systems, models, and markets change.

Section 1

Program architecture

Build the program around a shared AI inventory, a role matrix, and a classification workflow. Every system and model should move through the same logic: scope, Article 5 screening, high risk analysis, transparency analysis, GPAI analysis, and release controls.

Make one team accountable for the operating model, but keep execution distributed. Product owns intended purpose and release. Engineering owns implementation and evidence. Security owns threat and resilience controls. Legal and compliance own classification review and authority response.

Single AI register across products, internal tools, and supplier dependencies.
Formal review forum for ambiguous scope and classification decisions.
Named owner for each evidence artifact and each release gate.
Escalation path for prohibited practice, systemic risk, serious incident, and authority notice events.

Section 2

Phasing by legal date

The dates matter because the obligation mix changes over time. Entry into force was 1 August 2024. From 2 February 2025, the general provisions, prohibited practices, and AI literacy requirements apply. From 2 August 2025, Chapter V for GPAI, governance provisions, and penalties provisions begin to matter. The main application date is 2 August 2026, with later special dates for some product safety and transition scenarios.

A mature program turns each date into deliverables. That means owners, acceptance criteria, artifact templates, and review calendars tied to the applicable phase.

Before 2 February 2025: inventory, Article 5 gate, AI literacy, and role mapping live.
Before 2 August 2025: GPAI provider workflow, AI Office readiness, and supplier evidence demands live.
Before 2 August 2026: high risk system controls, FRIA process, and transparency product components live.
Before 2 August 2027 and 31 December 2030: transition cases tracked and revalidated.

Section 3

Core control stack

The control stack should be simple to describe and strong enough to survive challenge. The minimum set is inventory, classification, approvals, evidence retention, incident response, corrective action, and recurring review. Everything else should attach to those foundations.

Where possible, connect the AI Act program to existing release, security, procurement, and audit processes. Standalone AI governance tools often fail because they drift away from the systems that actually govern shipping.

Release gate for Article 5, Article 50, and high risk checks.
Supplier onboarding gate for model level documentation and incident terms.
Evidence repository with version control and retention logic.
Complaint, redress, and serious incident handling flow with named responders.
Quarterly review of system changes, model upgrades, and open findings.

Section 4

High risk and GPAI specialist workstreams

Some systems need deeper specialist tracks. High risk systems need Annex IV planning, conformity work, human oversight design, logging design, post market monitoring, and, in certain contexts, FRIA and EU database registration. GPAI providers need model level documentation, copyright policy, training content summary publication, and systemic risk response readiness.

Do not bury these specialist tracks inside generic AI governance. They need named SMEs, templates, and evidence standards of their own.

High risk workstream with provider and deployer playbooks.
GPAI workstream with Article 53 to 55 artifact templates.
Transparency workstream with design system components and QA evidence standards.
Authority response workstream for requests, market surveillance, and corrective action.

Section 5

What good program evidence looks like

A strong program can prove both design intent and actual operation. That means training records, meeting outcomes, release gates, technical documentation, and monitoring results all point to the same current system state.

If your evidence is only narrative and not version linked, your program will look stronger on paper than it is in practice.

Current inventory and role assignments.
Decision records and signed approvals for major classification outcomes.
Version linked product and model evidence, including release notes and test outputs.
Incident and corrective action records that show the program is operating, not dormant.

Recommended next step

Turn EU AI Act (Regulation (EU) 2024/1689) Compliance program into an operational assessment

Assessment Autopilot can take EU AI Act (Regulation (EU) 2024/1689) Compliance program from operationalizing the guidance into a tracked program to a reusable workflow inside Sorena. Teams working on EU AI Act (Regulation (EU) 2024/1689) can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

Assessment workflow

Open Assessment Autopilot for EU AI Act (Regulation (EU) 2024/1689) Compliance program

Start from EU AI Act (Regulation (EU) 2024/1689) Compliance program and turn the guidance into owned tasks, evidence requests, and review checkpoints.

Explore next step

Talk to Sorena

Talk through EU AI Act (Regulation (EU) 2024/1689)

Review your current process, evidence gaps, and next steps for EU AI Act (Regulation (EU) 2024/1689) Compliance program.

Explore next step

Primary sources