This is the AI-pillar issue of The Current, which means we are looking at the regulatory calendar. And the date on the regulatory calendar right now is August 2, 2026 — the point at which the EU AI Act's obligations for high-risk AI systems stop being a consultation draft and start being enforceable against providers and deployers, including a number of US-based organizations that have been hoping this lands somewhere other than them.
It lands on them. The territorial scope is deliberately broad. If your AI system is placed on the market in the EU, used in the EU, or produces outputs used in the EU, you are in scope — regardless of where your company is headquartered. If you ship a US-built hiring tool that evaluates a candidate in Berlin, or a credit-adjacent scoring model that touches a customer in Paris, you are a provider or a deployer under the Act.
“The EU AI Act does not care where your engineering team sits. It cares where the output is used.”
What the August 2, 2026 date actually triggers
The Act entered into force on August 1, 2024. The obligations phase in over three-plus years. The dates that matter for most readers:
- Feb 2, 2025 — prohibited-practices provisions live (social scoring, exploitative subliminal manipulation, certain real-time biometric ID). Compliance was mostly 'stop doing the thing.'
- Aug 2, 2025 — General-Purpose AI (GPAI) model obligations live. Mostly a provider-side concern — OpenAI, Anthropic, Google, Meta, etc. — but deployers inherit downstream documentation requirements.
- Aug 2, 2026 — most obligations for high-risk AI systems kick in, including risk management, data governance, technical documentation, human oversight, logging, accuracy/robustness testing, post-market monitoring, and the CE-marking regime for listed high-risk categories.
- Aug 2, 2027 — remaining obligations for high-risk systems embedded in already-regulated products (medical devices, machinery, toys) under existing EU product-safety laws.
The 2026 date is the one most teams should be building toward right now. 'High-risk' is the Act's term of art, and it maps to specific use cases listed in Annex III — employment decisions, worker management, access to essential services (credit, insurance, public benefits), law enforcement support, migration and border control, administration of justice and democratic processes, and biometric identification. If you operate a system in any of those categories and touch an EU person, you are building a provider or deployer compliance pack, whether you call it that or not.
The provider vs. deployer split
Most confusion at the Monday morning meeting is about which hat your organization wears. The short version:
- You are a provider if you develop an AI system and place it on the market under your name or trademark — or if you put a general-purpose model into a high-risk use and distribute the result. Providers carry most of the obligations, including the CE-marking process.
- You are a deployer if you use an AI system under your authority — in a recruiting workflow, a credit decision, a benefits determination — regardless of who built the model. Deployer obligations are lighter, but real: risk assessment, human oversight, transparency to affected individuals, post-deployment monitoring, and logging.
A single AI use case can produce both roles in the same organization — you are a deployer of a third-party resume-screening tool, but a provider of the internal scoring overlay your team built on top. The Act does not let you collapse those into one role when the documentation gets inconvenient.
The 10-item starter pack — what US teams should have on file by August
Assume a mid-market organization with one or two high-risk use cases (a hiring tool and a customer-facing scoring model is a common combination). The minimum viable compliance pack for August includes:
- AI use-case inventory with EU-exposure flag — every active use case, classified by risk tier, with an explicit 'EU-data' or 'EU-user' indicator.
- Provider/deployer determination per use case — documented, with reasoning, so your counsel can defend the classification in 30 seconds.
- Risk management file per high-risk system — identified risks, mitigations, residual risk, and the review cadence that refreshes them.
- Data governance documentation — training/validation/test data, representativeness, bias mitigations, and data-quality measures.
- Technical documentation summary — aligned to Annex IV. Not the full engineering spec, but a traceable summary that a market-surveillance authority could work with.
- Human oversight design — who reviews which outputs, under what conditions, with what authority to override or stop the system.
- Transparency notices to affected persons — where people are interacting with, or being evaluated by, an AI system, they need a plain-language notice and a route to human review.
- Post-market monitoring plan — the detection and escalation path when a model degrades, drifts, or produces a material incident.
- Logging retention — the Act expects meaningful logs of high-risk system operation. Figure out retention, privacy, and access control before the first audit request.
- Incident reporting route — serious incidents and malfunctions must be reported to national competent authorities within specified windows. Build the escalation path now, not during the incident.
What does not need to be perfect by August
Two categories of work are genuinely allowed to lag the August 2026 date without creating immediate exposure:
- CE-marking artifacts for high-risk systems under harmonized standards that themselves are still being drafted. Track the JRC and CEN-CENELEC calendars, but don't burn Q2 2026 trying to finalize against a moving target.
- Conformity assessments involving notified bodies for categories where the notified-body network is still being stood up. The Act recognizes this — the pragmatic response is a robust internal conformity record that can be converted when the external route opens.
Everything else on the 10-item list above should be in place before August or have a named owner and a dated plan.
What US teams tend to get wrong
Three recurring patterns from the engagements the field team has run this year:
- Treating the Act as a privacy law. It is not — it is a product-safety law for AI. The obligations read like CE-marking for medical devices, not GDPR. If your response plan is authored entirely by your privacy team, the provider-side obligations are going to surprise you.
- Assuming general-purpose API usage insulates downstream deployers. It does not. If you are deploying an OpenAI- or Anthropic- or Gemini-powered system into a high-risk use case, you inherit deployer obligations on top of whatever the provider handles upstream.
- Waiting for the guidelines to be final. The European Commission's AI Office is producing implementation guidelines in tranches — the first tranches are already out, more are coming. The final-form guidance will land after the August date, not before.
Ship-day plan for Q2 2026
A realistic eight-week plan to be credible on August 2:
Weeks 1–2 — Inventory and classification
- Complete the AI use-case inventory, tagged by EU exposure.
- Classify each use case by Annex III high-risk category — yes/no/maybe, with reasoning.
- Flag the gray-area use cases for legal review by end of week 2.
Weeks 3–4 — Provider/deployer determination
- For each high-risk use case, document the provider vs. deployer call and who signs the determination.
- Identify third-party vendor evidence gaps and open them as formal requests.
Weeks 5–6 — Documentation and oversight
- Draft the risk management file and technical documentation summary for each high-risk system.
- Design the human-oversight and transparency-notice pattern; pilot on one system.
Weeks 7–8 — Monitoring and incident path
- Stand up the post-market monitoring dashboard and incident escalation runbook.
- Run a tabletop on a simulated model failure — fix whatever the tabletop surfaces.
- Executive review and sign-off.
What we are shipping in response
The AI pillar products on our roadmap are all moving up a sprint because of the August date. The AI Audit Prompt Pack Professional edition (90 prompts) is adding an EU-AI-Act module in v1.3 — provider/deployer determination prompts, risk management file drafts, transparency-notice templates, and Annex IV technical-documentation outlines. Existing Pro customers get the update free.
For the broader governance story, the long-form companion to this issue is AI Governance for Enterprise Leaders. If you have not built the four-pillar governance framework yet (Inventory / Risk Assessment / Controls / Monitoring), start there — the EU AI Act compliance pack snaps onto that skeleton cleanly.
One last thing
If you want us to work through a specific AI use case on-record in a future issue — provider/deployer call, risk classification, documentation outline — reply to this email. We do not publish company names, but we will anonymize and walk through the reasoning so other readers can steal from it. That is how this newsletter gets sharper, and how everyone moves faster toward August.
See you in two weeks.