EU AI Act compliance: the audit trails regulators will ask for on August 2, 2026

Probably yes if your AI takes or shapes decisions in any of the domains listed in Annex III of the AI Act: recruitment and employment management (CV screening, performance evaluation), credit or insurance scoring, education and training (grading, access), access to essential services (healthcare, energy, social benefits), law enforcement, migration management, critical infrastructure, biometric identification. Customer chatbots and product recommendation systems are generally out of high-risk scope, but the devil is in the detail. The first deliverable of any compliance engagement is precisely the documented classification, because misclassifying exposes you as much as not complying. This classification also dialogues with your production AI discipline: an AI system that does not hold up in production will not hold up in audit either.

Yes, and this is the most misunderstood point in the AI Act. The text distinguishes the foundation model provider (OpenAI, Anthropic, Google) from the deployer (you) who integrates it into a high-risk system. The deployer carries the bulk of Articles 12 to 14 obligations: audit trail, transparency to downstream users, human oversight. OpenAI does not give you a defensible log of every request from your application with its business context; you have to log it yourself. Anthropic does not document your human gates; you have to wire them. Multi-agent AI governance is precisely the layer that turns an API call into a compliant, auditable system.

Three passes. Pass 1, per-request instrumentation: intercept every model call to capture prompt, response, model, version, cost and latency (Langfuse, OpenTelemetry, or a custom wrapper). Pass 2, source attribution: for outputs that depend on external data, wire traceability all the way to URL, date and source version. Pass 3, documented human gates: identify high-impact outputs and insert a review point whose every decision is logged. Traceable data research is almost always the heaviest workstream, and the one that pays back the most in reliability beyond compliance alone.

The two regulations overlap and reinforce each other. GDPR governs the processing of personal data; the AI Act governs high-risk AI systems. When your AI processes personal data, both apply. Concretely, Article 10 of the AI Act on data quality and governance picks up and extends the GDPR principles of minimisation, accuracy and purpose limitation. Impact assessments (DPIA under GDPR, FRIA under the AI Act) can and should be coordinated. If your DPO is in place, they become the natural pivot: the AI Act adds technical obligations GDPR does not cover (human oversight, technical documentation, AI system register). The custom business tools I build integrate both layers from the start.

At best, a formal notice from the competent authority with a remediation window. At worst, financial penalties up to EUR 35 million or 7% of global annual turnover (whichever is higher), plus a market or operational ban on non-compliant systems. National authorities (CNIL in France, BfDI in Germany) will enforce, and citizen or NGO complaints accelerate inspections. Reputational risk piles on top: being publicly named for AI non-compliance in 2026 will hurt more than any fine. The right reading is not to wait until August: the patterns the AI Act demands are the same patterns that make AI reliable in production. You pay their cost in reliability before you ever pay it in compliance; see AI that works in production for the engineering detail and internal tools for ops teams for how the same discipline applies to your back-office stack.