A lot of U.S. companies are going to misunderstand the EU AI Act until it is too late.
They will assume it only applies to European companies.
They will assume it only applies to OpenAI, Google, Meta, Anthropic, Microsoft, and other model providers.
They will assume it only matters if they are building their own large language model.
They will assume their vendor is responsible.
They will assume a privacy policy update is enough.
They will assume that because they are based in the United States, Europe’s AI law is someone else’s problem.
That is the mistake.
The EU AI Act is not just a European Big Tech law. It is a risk-based AI law that can reach U.S. companies when their AI systems are placed on the EU market, used in the EU, or produce outputs used in the EU. It can matter for SaaS companies, HR platforms, healthcare companies, fintech companies, insurance companies, education technology companies, ecommerce businesses, marketing platforms, data brokers, customer support tools, productivity platforms, and professional service providers.
The real problem is that most U.S. companies do not yet know which of their AI systems could even be in scope.
They have not built a complete AI inventory.
They have not classified their AI systems by risk.
They have not mapped whether they are a provider, deployer, importer, distributor, or product manufacturer.
They have not reviewed whether they use AI in employment, education, credit, insurance, healthcare, biometric identification, critical infrastructure, access to essential services, or other high-risk areas.
They have not checked whether their customer-facing chatbot needs transparency language.
They have not reviewed whether their vendors use customer data for model training.
They have not assigned human oversight.
They have not built an evidence trail.
That is where the EU AI Act becomes very uncomfortable.
The law is not asking companies to say nice things about responsible AI. It is pushing companies toward operational AI governance: inventory, classification, documentation, human oversight, monitoring, transparency, data governance, vendor control, and proof.
For American companies, that means EU AI Act compliance is not a one-time legal memo. It is a system.
The first thing U.S. companies get wrong
The first mistake is thinking the EU AI Act only applies to companies physically located in the European Union.
That is not how modern digital regulation works.
U.S. companies already learned this lesson with GDPR. A company does not need an office in Paris, Berlin, Madrid, Dublin, or Amsterdam to create European compliance exposure. If the business serves European users, sells into the European market, monitors people in Europe, processes EU personal data, or supports EU customers, European law may matter.
The EU AI Act follows the same basic commercial reality.
If a U.S. company builds, offers, deploys, distributes, imports, integrates, or uses AI systems connected to the EU market, it should not casually assume it is out of scope.
A U.S. SaaS company with EU customers may need to assess the AI features inside its product.
A U.S. HR technology company that screens EU job applicants may need to assess whether its tool is high-risk.
A U.S. healthcare platform serving EU patients or providers may need to review whether AI supports clinical or access-related decisions.
A U.S. fintech company using AI to score, classify, or recommend financial products to EU users may need to examine high-risk and transparency obligations.
A U.S. marketing platform that uses AI for profiling, targeting, personalization, or behavioral scoring may need to review transparency and privacy overlap.
A U.S. company using a customer-facing chatbot for EU users may need to disclose that users are interacting with AI.
A U.S. employer using AI to evaluate EU applicants or workers may need to look closely at high-risk employment categories.
The point is not that every AI use by every U.S. company is automatically high-risk.
That is not true.
The point is that U.S. companies need to do the work to know.
The EU AI Act is a classification problem before it is a compliance problem
Most companies want to jump straight to the question: “What do we have to do?”
That is the wrong first question.
The first question is: “What AI systems do we have, and how are they classified?”
The EU AI Act is built around risk classification. Different categories of AI systems create different obligations. A prohibited AI practice is not treated the same way as a high-risk AI system. A customer-facing chatbot is not treated the same way as a low-risk internal drafting tool. A general-purpose AI model is not treated the same way as a company using a vendor’s AI feature inside its HR workflow.
For U.S. companies, the practical categories to understand are:
- Prohibited AI practices
- High-risk AI systems
- Transparency-risk AI systems
- General-purpose AI models
- Lower-risk AI systems
That sounds simple until a company looks at its actual AI footprint.
One department may use generative AI for internal drafting.
Another may use AI to rank sales leads.
HR may use an applicant tracking system with AI screening features.
Product may use an AI API inside the customer platform.
Support may use a chatbot.
Marketing may use AI for audience segmentation.
Security may use AI for threat detection.
Finance may use AI for fraud review.
Legal may use AI for contract analysis.
Each one needs to be classified by use case, not by hype level.
A company cannot classify what it has not inventoried. That is why the practical starting point is an AI inventory.
The AI inventory is where EU AI Act readiness actually starts
U.S. companies that want to prepare for the EU AI Act should not start by writing a broad “responsible AI” policy and calling it done.
They should start with the inventory.
The inventory should identify every AI system used by the company, including:
- Internally built AI systems
- Third-party AI tools
- AI features embedded in existing SaaS platforms
- AI APIs used in products
- Customer-facing chatbots
- Employee-facing copilots
- HR and recruiting tools
- Marketing and personalization tools
- Fraud detection tools
- Healthcare or patient support tools
- Financial scoring tools
- Education or assessment tools
- Biometric tools
- AI agents and autonomous workflows
- Generative AI tools used by employees
For each system, the company should document:
- System name
- Vendor or provider
- Internal owner
- Department using it
- Business purpose
- AI function
- Data categories processed
- Whether personal data is used
- Whether sensitive data is used
- Whether EU users, employees, applicants, patients, students, or consumers are affected
- Whether the system is customer-facing
- Whether the system influences decisions
- Whether the system is used in a high-risk area
- EU AI Act risk category
- Company role under the AI Act
- Required controls
- Review date
This inventory does more than help with the EU AI Act. It also helps with state AI laws, privacy laws, vendor reviews, enterprise questionnaires, security reviews, and board reporting.
But for EU AI Act compliance, the inventory is the gate. Without it, the company is guessing.
Provider, deployer, distributor, importer: the role question matters
One of the most important parts of the EU AI Act is role classification.
U.S. companies need to understand what role they play in relation to each AI system.
The main roles include:
- Provider
- Deployer
- Importer
- Distributor
- Product manufacturer
- Authorized representative
The role matters because obligations differ.
A provider is generally the party that develops an AI system (or a general-purpose AI model), or has one developed, and places it on the EU market or puts it into service under its own name or trademark.
A deployer is generally the party using an AI system under its authority, except for purely personal, non-professional use.
An importer is a party located or established in the EU that places on the EU market an AI system bearing the name or trademark of a person established outside the EU.
A distributor is any other party in the supply chain, other than the provider or the importer, that makes an AI system available on the EU market.
A product manufacturer may have obligations when an AI system is integrated into a regulated product that is placed on the market under the manufacturer's name.
This is where many U.S. companies get uncomfortable.
A company may think it is “just using a vendor tool,” but if it changes the system, rebrands it, integrates it into its own product, controls the deployment, or makes it available to EU users in a certain way, its role may be more complicated.
A U.S. SaaS company using a third-party model inside its own product should not assume it is only a passive user.
A U.S. HR platform that sells an AI candidate-ranking tool into Europe may not be in the same position as an employer merely deploying that tool.
A U.S. company using an AI chatbot internally is not in the same position as a company selling that chatbot to EU customers.
Role classification should happen system by system.
There is no shortcut.
The vendor does not make the problem disappear
One of the worst assumptions a U.S. company can make is that the AI vendor owns the entire compliance problem.
The vendor may have significant obligations. That does not mean the deploying company has none.
If a company deploys a high-risk AI system, it may need to use the system according to the provider's instructions, assign human oversight to people who have the competence, training, and authority to exercise it, monitor the system's operation, keep the logs the system generates (for at least six months, where those logs are under its control), make sure input data is relevant and sufficiently representative where it controls that data, and inform the provider or distributor and the relevant market surveillance authority when it identifies a risk or a serious incident, suspending use where needed.
That is not vendor-only compliance.
That is shared governance.
Here is the practical version:
If your company uses AI to screen EU job candidates, you cannot simply say, “Our HR vendor handles the AI Act.”
If your company uses AI to classify EU consumers for credit, insurance, fraud, or access decisions, you cannot simply say, “The model provider is compliant.”
If your company deploys a chatbot to EU customers, you cannot ignore transparency because the chatbot vendor supplied the widget.
If your company uses AI outputs in a regulated workflow, you need records showing how the system was reviewed, configured, monitored, and controlled.
Vendor due diligence is part of EU AI Act readiness. It is not the whole thing.
When a U.S. company may be dealing with high-risk AI
The EU AI Act’s high-risk category is where the heavier compliance work begins.
U.S. companies should pay close attention to AI systems used in areas such as:
- Biometric identification or categorization
- Critical infrastructure
- Education and vocational training
- Employment, recruitment, and worker management
- Access to essential private or public services
- Creditworthiness evaluation and credit scoring (except where the system is used to detect financial fraud)
- Risk assessment and pricing for life and health insurance
- Law enforcement
- Migration, asylum, and border control
- Administration of justice and democratic processes
- AI embedded in certain regulated products
For most U.S. commercial companies, the most relevant high-risk areas are employment, education, credit, life and health insurance, biometric systems, access to essential services (which is where emergency healthcare patient triage sits), and AI built into regulated products such as medical devices.
That does not mean every AI tool in those industries is automatically high-risk. The specific use case matters.
An AI tool used by HR to format interview notes is different from an AI tool used to rank candidates.
An AI tool used by a fintech marketing team to draft social content is different from an AI tool used to recommend credit eligibility.
An AI tool used by a healthcare company to summarize internal meeting notes is different from a system used to prioritize patient outreach or support clinical decisions.
The classification depends on the system, its intended purpose, its actual use, the affected individuals, the data involved, and the decision impact.
This is why U.S. companies need an AI governance workflow, not a generic checklist.
Employment AI is the obvious danger zone
If a U.S. company has EU workers or EU applicants, employment AI should be one of the first areas reviewed.
AI used in employment can include:
- Resume screening
- Candidate ranking
- Job matching
- Interview analysis
- Video interview scoring
- Promotion recommendations
- Performance monitoring
- Task allocation
- Productivity scoring
- Termination risk analysis
- Worker behavior evaluation
This is high-stakes because employment decisions affect opportunity, income, promotion, reputation, and livelihood.
A company using AI to rank candidates or evaluate employees should be able to answer:
- Is the system high-risk under the EU AI Act?
- Who is the provider?
- Who is the deployer?
- What instructions for use has the provider supplied?
- What human oversight is assigned?
- What input data does the company control?
- What logs are retained?
- What notice is provided to candidates or workers?
- What vendor documentation is available?
- What bias or impact testing has been performed?
- What happens if a candidate challenges the decision?
Employment AI is also risky under U.S. state and local laws. That means companies operating globally should not build one employment AI process for Europe and another disconnected process for the United States. A single governance process should map EU AI Act, state AI laws, state privacy laws, and employment discrimination obligations together.
Customer-facing AI has its own problem: transparency
Not every AI system is high-risk.
But even lower-risk systems can create transparency obligations.
Customer-facing chatbots are the most obvious example.
If users are interacting with AI, the company may need to tell them. If content is AI-generated or manipulated, disclosures may be needed depending on the context. If AI is used in a way that could mislead users, the risk becomes even greater.
For U.S. companies, customer-facing AI is often the fastest-moving category because it feels easy to deploy.
A website chatbot can be installed quickly.
A support assistant can generate responses quickly.
An AI sales agent can qualify leads quickly.
An AI onboarding assistant can answer questions quickly.
But fast deployment can create messy compliance.
Companies should review:
- Whether users know they are interacting with AI
- Whether the chatbot collects personal data
- Whether users may enter sensitive data
- Whether transcripts are retained
- Whether transcripts are used for training
- Whether the chatbot can provide regulated advice
- Whether the chatbot can make commitments on behalf of the company
- Whether the chatbot escalates sensitive issues to humans
- Whether outputs are monitored
- Whether the vendor changes the model or prompts
Transparency is not a footer link nobody reads.
For AI interactions, disclosure should appear where the interaction happens.
General-purpose AI is not the same as using AI
Another common point of confusion for U.S. companies is general-purpose AI.
The EU AI Act contains specific obligations for providers of general-purpose AI models. That does not automatically mean every company using a general-purpose model becomes a general-purpose AI model provider.
A company using a third-party model through an API is not always in the same position as the company that trained and released the model.
But that does not mean the user has no obligations.
The company still needs to understand:
- What model provider is involved
- Whether the company is building a product on top of the model
- Whether the company is substantially modifying the system
- Whether the company is placing an AI system on the EU market
- Whether the company is deploying the AI system in a high-risk context
- Whether transparency obligations apply
- Whether data is used for training or fine-tuning
- Whether vendor documentation is sufficient
The role analysis matters.
“We use an API” is not a complete compliance answer.
AI literacy is already part of the compliance picture
The EU AI Act includes AI literacy obligations for providers and deployers, and those obligations have applied since 2 February 2025, ahead of most of the high-risk requirements.
For U.S. companies with EU AI Act exposure, this should be taken seriously.
AI literacy does not mean every employee needs to become a machine learning engineer.
It means the company should make sure people who operate or use AI systems on its behalf have appropriate knowledge, training, and awareness for the context in which the systems are used.
That training should be role-specific.
HR teams need to understand employment AI risk.
Marketing teams need to understand profiling, disclosure, and AI-generated content risk.
Customer support teams need to understand chatbot escalation and sensitive data handling.
Engineering teams need to understand secure AI development, logging, model changes, and prompt injection risk.
Legal and compliance teams need to understand classification, vendor review, risk assessments, and documentation.
Executives need to understand accountability, risk acceptance, and board reporting.
Generic “use AI responsibly” training is not enough.
The training should match the AI systems people actually use.
The documentation problem nobody wants to deal with
EU AI Act readiness is going to expose weak documentation.
Many U.S. companies have AI tools in use but no durable record explaining how those tools were approved.
The evidence may be scattered across Slack messages, procurement tickets, vendor emails, security questionnaires, legal comments, HR notes, spreadsheets, product specs, and engineering logs.
That is not an AI governance file.
For AI systems with EU exposure, companies should maintain records showing:
- AI system name
- Business purpose
- Internal owner
- Vendor or provider
- Company role under the AI Act
- Risk classification
- Data categories
- EU users or affected individuals
- Legal analysis
- Vendor documentation
- Instructions for use
- Human oversight measures
- Input data controls
- Transparency notices
- Logs and monitoring
- Incident escalation process
- Approval decision
- Review date
This is exactly why AI compliance software matters.
Companies will not manage this well through disconnected documents forever.
Human oversight has to be real
The EU AI Act places heavy emphasis on human oversight for high-risk AI systems.
That creates a practical problem for companies that use “human in the loop” as a slogan.
Human oversight is not a person glancing at an AI output.
Human oversight is not a manager clicking approve because the AI score looks credible.
Human oversight is not a recruiter trusting the ranked list because the vendor says the system is objective.
Human oversight is not a customer support agent accepting an AI-generated answer without checking it.
Real human oversight means:
- The reviewer has the competence and training needed to understand the system’s role
- The reviewer has authority to override the AI output
- The reviewer has enough information to evaluate the output
- The reviewer understands system limitations
- The reviewer knows when to escalate
- The review is documented where appropriate
- The company monitors whether humans are rubber-stamping the system
This matters most in high-risk use cases.
If AI affects hiring, promotion, credit, insurance, healthcare, education, fraud, access, safety, or legal services, the company should not be casual about human review.
A weak human review process is not a safeguard.
It is evidence that the company knew oversight was needed and did not make it meaningful.
Input data can become a deployer problem
U.S. companies using high-risk AI systems should pay attention to input data.
If the company controls the data entered into the AI system, it may need to ensure that the input data is relevant and sufficiently representative for the intended purpose.
That sounds technical, but the business issue is straightforward.
If an employer uses poor-quality applicant data, the AI output may be unfair or inaccurate.
If a lender uses incomplete financial data, the AI recommendation may be unreliable.
If a healthcare company uses inconsistent patient data, the AI output may create safety or access issues.
If an education platform uses biased historical performance data, the AI recommendations may disadvantage certain students.
Bad input data creates bad AI.
Bad AI creates compliance problems.
Companies should document:
- What input data is used
- Who controls the input data
- Where the data comes from
- Whether the data is relevant
- Whether the data is complete enough for the use case
- Whether the data is representative
- Whether sensitive or protected-class proxy data is involved
- Whether data quality is monitored
- Whether data can be corrected
This is one of the areas where privacy, data governance, and AI governance overlap heavily.
Monitoring is not optional once AI is live
AI systems change.
Models update. Vendors change features. Employees change prompts. Business teams expand use cases. Data changes. Outputs drift. Users interact with the system in unexpected ways. Complaints surface. Laws evolve.
A system that was safe in the pilot can become risky in production.
That is why monitoring matters.
For EU AI Act readiness, monitoring should include:
- System performance
- Output quality
- Human override patterns
- Complaints
- Incidents
- Vendor updates
- Model changes
- Data changes
- Use-case changes
- Disclosure accuracy
- Log retention
- Legal updates
- High-risk classification changes
Monitoring should not be informal.
If a high-risk AI system is deployed, the company should know who monitors it, how often, using what criteria, with what escalation path, and where the records are stored.
The point is not to pretend risk can be eliminated.
The point is to show that risk is being managed.
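One concrete monitoring check that serves both the human-oversight section above and the monitoring list: the script below is an added example, not code from the original article or from any product it mentions. It runs over a constructed human-review log and flags reviewers whose override rate and decision time, taken together, look like rubber-stamping. The log format, column names, thresholds, reviewer names and rows are all assumptions.

```python
"""Rubber-stamp check over a human-review log.

Added example, not part of the original article. The log format, the column
names, the thresholds and the sample rows are assumptions; the rows below are
constructed, not real review data.
"""
import csv
import io
import statistics

# Constructed log: one row per AI-assisted decision on a high-risk system.
# Reviewer names and the "ats-ranking" system label are placeholders.
REVIEW_LOG = """\
ts,reviewer,system,ai_recommendation,final_decision,seconds_to_decision
2025-05-01T09:00:00Z,r.alvarez,ats-ranking,advance,advance,3
2025-05-01T09:00:20Z,r.alvarez,ats-ranking,reject,reject,4
2025-05-01T09:00:41Z,r.alvarez,ats-ranking,advance,advance,5
2025-05-01T09:01:02Z,r.alvarez,ats-ranking,reject,reject,3
2025-05-01T09:01:25Z,r.alvarez,ats-ranking,reject,reject,6
2025-05-01T09:01:48Z,r.alvarez,ats-ranking,advance,advance,4
2025-05-01T09:02:10Z,r.alvarez,ats-ranking,reject,reject,5
2025-05-01T09:02:33Z,r.alvarez,ats-ranking,advance,advance,4
2025-05-01T10:00:00Z,m.okafor,ats-ranking,advance,advance,45
2025-05-01T10:05:00Z,m.okafor,ats-ranking,reject,advance,120
2025-05-01T10:09:00Z,m.okafor,ats-ranking,reject,reject,90
2025-05-01T10:12:00Z,m.okafor,ats-ranking,advance,reject,60
2025-05-01T10:20:00Z,m.okafor,ats-ranking,advance,advance,200
2025-05-01T10:24:00Z,m.okafor,ats-ranking,reject,reject,75
2025-05-01T10:30:00Z,m.okafor,ats-ranking,reject,advance,150
2025-05-01T10:33:00Z,m.okafor,ats-ranking,advance,advance,40
2025-05-01T11:00:00Z,j.lee,ats-ranking,advance,advance,30
2025-05-01T11:02:00Z,j.lee,ats-ranking,reject,reject,25
"""


def rubber_stamp_report(log_text: str, min_sample: int = 5,
                        max_override_rate: float = 0.05,
                        max_median_seconds: float = 15.0) -> dict:
    """Per reviewer: decision count, override rate, median time, and a status.

    A reviewer who almost never overrides the AI and decides in seconds is
    flagged as a suspected rubber stamp. A low override rate alone is not
    proof (the model may simply be right), so it is combined with decision
    time, and small samples are reported rather than judged.
    """
    per_reviewer: dict = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        stats = per_reviewer.setdefault(row["reviewer"], {"overrides": 0, "seconds": []})
        stats["overrides"] += int(row["ai_recommendation"] != row["final_decision"])
        stats["seconds"].append(float(row["seconds_to_decision"]))

    report = {}
    for reviewer, stats in per_reviewer.items():
        n = len(stats["seconds"])
        rate = stats["overrides"] / n
        median = statistics.median(stats["seconds"])
        if n < min_sample:
            status = "insufficient_sample"
        elif rate <= max_override_rate and median <= max_median_seconds:
            status = "rubber_stamp_suspected"
        else:
            status = "ok"
        report[reviewer] = {"decisions": n, "override_rate": rate,
                            "median_seconds": median, "status": status}
    return report


if __name__ == "__main__":
    for reviewer, r in rubber_stamp_report(REVIEW_LOG).items():
        print(f"{reviewer:<10} n={r['decisions']:<3} override={r['override_rate']:.0%} "
              f"median={r['median_seconds']:.0f}s {r['status']}")
```

The thresholds are starting points, not standards: what counts as "too fast" depends on how much information the reviewer is shown, and the check only works if the log records the AI recommendation and the final decision separately so that overrides are visible at all.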
The uncomfortable overlap with GDPR
For U.S. companies already dealing with GDPR, the EU AI Act should not be treated as a separate universe.
AI systems often process personal data. They may generate inferences. They may support profiling. They may influence decisions. They may involve sensitive data. They may require privacy notices, data protection assessments, vendor contracts, data minimization, retention limits, access controls, and rights workflows.
That means EU AI Act readiness should connect to the company’s privacy program.
Important overlap areas include:
- Data mapping
- Lawful basis and purpose limitation
- Transparency notices
- Profiling
- Automated decision-making
- Data protection impact assessments
- Processor and controller roles
- Vendor contracts
- International transfers
- Data minimization
- Retention
- Access and correction rights
- Deletion rights
- Security safeguards
For a U.S. company, this can actually be useful.
If the company already has a mature privacy program, it has some of the building blocks needed for AI governance. It likely already tracks data categories, vendors, subprocessors, retention, notices, rights requests, and risk assessments.
The work is to extend that structure into the AI layer.
Where U.S. SaaS companies should focus first
U.S. SaaS companies should pay close attention to EU AI Act compliance because they may both use AI internally and offer AI features to customers.
The first questions should be direct:
- Do we offer AI features to EU customers?
- Do our AI features affect EU users?
- Do we use AI outputs inside our customer-facing product?
- Do we use third-party AI APIs?
- Do we train or fine-tune models on customer data?
- Can customers disable AI features?
- Do we disclose AI interactions?
- Do our AI features influence decisions about people?
- Are any customers using our system in high-risk contexts?
- Do our contracts address AI use?
- Can we answer enterprise AI security and privacy questionnaires?
SaaS companies should also review whether they are changing their role by packaging, configuring, fine-tuning, or integrating AI in a way that makes them more than a passive deployer.
The biggest commercial risk for SaaS companies may be procurement friction.
Enterprise EU customers will ask AI governance questions. If the company cannot answer them, sales cycles will slow down.
Where U.S. employers should focus first
U.S. companies with EU employees or candidates should review employment AI immediately.
Start with:
- Applicant tracking systems
- Recruiting tools
- Candidate sourcing tools
- Resume screening
- Interview analysis
- Video interview tools
- Job matching
- Promotion tools
- Performance management tools
- Worker monitoring tools
- Task allocation systems
- Retention prediction
Employment AI should receive a high level of scrutiny because it is one of the most obvious high-risk areas.
Companies should be able to show:
- Which employment AI systems are used
- Whether EU candidates or workers are affected
- Who provides the system
- How the system is classified
- What data is used
- What human oversight exists
- Whether notice is provided
- Whether vendor documentation was reviewed
- Whether bias or fundamental rights risks were assessed
- What records are retained
Employment AI should not be governed casually through HR alone. Legal, privacy, compliance, procurement, security, and HR should be part of the review.
Where healthcare and life sciences companies should focus first
Healthcare and life sciences companies should treat EU AI Act readiness as a serious cross-functional project.
AI may appear in:
- Clinical decision support
- Patient triage
- Medical devices
- Health risk scoring
- Patient communications
- Appointment prioritization
- Claims and coding
- Clinical documentation
- Research and development
- Drug discovery workflows
- Diagnostics
- Remote monitoring
These systems can touch health, safety, fundamental rights, sensitive data, regulated products, and patient outcomes.
Healthcare AI should be reviewed for:
- Regulated product status
- High-risk classification
- Provider and deployer roles
- Clinical oversight
- Human review
- Accuracy and robustness
- Data quality
- Patient privacy
- Vendor documentation
- Post-deployment monitoring
- Incident escalation
The compliance file should be strong before the system is put into a patient-impacting workflow.
Where fintech and insurance companies should focus first
Fintech, lending, credit, and insurance companies should focus on AI systems that affect access, eligibility, pricing, underwriting, claims, fraud, or account restrictions.
AI may be used for:
- Credit scoring
- Loan recommendations
- Insurance underwriting
- Insurance pricing
- Claims review
- Fraud detection
- Account monitoring
- Collections prioritization
- Risk segmentation
- Customer eligibility
These use cases can become high-risk quickly because they affect access to essential services, financial opportunity, and consumer outcomes.
Companies should document:
- Decision impact
- Input data
- Protected-class proxy risk
- Human review
- Explainability
- Appeal or challenge process
- Vendor testing
- Monitoring
- Logs
- Regulatory cooperation
For these companies, EU AI Act compliance should also be coordinated with financial services regulation, anti-discrimination law, consumer protection law, state privacy law, and model risk management.
Where marketing, ecommerce, and adtech companies should focus first
Marketing and ecommerce teams often underestimate AI compliance risk.
They think AI governance is for HR, healthcare, and finance.
That is too narrow.
AI used in marketing can involve profiling, behavioral tracking, targeting, personalization, data broker data, audience segmentation, lead scoring, and dynamic content.
Companies should review AI used for:
- Audience segmentation
- Lead scoring
- Personalized recommendations
- Targeted advertising
- Lookalike modeling
- Dynamic pricing
- Product recommendations
- Customer journey prediction
- Churn prediction
- Chatbots
- AI-generated content
Some of these systems may not be high-risk under the EU AI Act, but they can still trigger transparency, privacy, consumer protection, and profiling concerns.
If AI interacts with EU users or uses EU personal data, the company should connect the AI review to privacy notices, consent management, cookie governance, DSAR workflows, and vendor contracts.
What U.S. companies should have in place before enforcement pressure arrives
A U.S. company preparing for the EU AI Act should build a practical readiness file.
That file should include:
- AI governance policy
- AI inventory
- EU AI Act applicability analysis
- Role classification
- Risk classification
- High-risk system list
- Transparency-risk system list
- Vendor documentation
- AI impact assessments
- Human oversight procedures
- Input data controls
- Disclosure language
- Monitoring plan
- Incident escalation process
- AI literacy training records
- Approval records
- Review calendar
That is the difference between saying “we are working on AI governance” and being able to prove it.
The AI Act readiness workflow
U.S. companies can approach readiness in a sequence that is actually manageable.
Find the AI first
Start with a company-wide inventory. Include internal tools, vendor tools, embedded AI features, customer-facing AI, employee-facing AI, and AI used by contractors or agencies.
Separate EU exposure from purely domestic use
Identify which AI systems are used in the EU, affect EU users, affect EU employees or applicants, are sold to EU customers, or produce outputs used in the EU.
Classify the company’s role
For each system, determine whether the company is likely acting as a provider, deployer, importer, distributor, product manufacturer, or another relevant actor.
Classify risk
Determine whether the system is prohibited, high-risk, subject to transparency obligations, related to general-purpose AI, or lower-risk.
Review vendors
Collect documentation from AI vendors and model providers. Review training practices, prompt retention, output retention, subprocessors, model changes, testing, logs, and contract terms.
Run impact assessments where needed
High-risk and high-impact systems should receive a deeper AI impact assessment. This should include legal, privacy, security, bias, human oversight, disclosure, and monitoring review.
Put human oversight in writing
Assign actual reviewers. Define their authority. Document when review happens. Make sure humans can override the AI output.
Update disclosures
Review chatbots, customer-facing AI, AI-generated content, employment AI, and other systems where users may need to be informed.
Build monitoring
Define who monitors system performance, complaints, incidents, model updates, vendor changes, and legal changes.
Keep evidence in one place
Do not scatter AI governance records across departments. Use a system of record.
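The workflow above, together with the inventory fields listed earlier, can be made machine-checkable. The following is an added example, not code from the original article or from any product it mentions: a Python triage pass over inventory records that sends incomplete records back, separates EU exposure, flags provider-versus-deployer review, high-risk-area candidates, transparency review, vendor training on company data, unassigned oversight and overdue reviews. Field names, area labels, the sample records and the flag rules are assumptions; the rules are a screening heuristic that mirrors the article's questions, not a legal determination under the Act.

```python
"""AI inventory triage: a machine-checkable first pass over the readiness workflow.

Added example, not part of the original article. Field names, area labels,
sample records and flag rules are assumptions that encode the article's own
screening questions as a heuristic, not a legal determination under the Act.
"""
from datetime import date

# Areas the article lists as high-risk candidates (label set is an assumption).
HIGH_RISK_AREAS = {
    "biometric", "critical_infrastructure", "education", "employment",
    "essential_services", "credit", "insurance_life_health",
    "law_enforcement", "migration", "justice",
}

# Fields a record must carry before it can be classified (subset; names assumed).
REQUIRED = (
    "name", "vendor", "owner", "department", "purpose", "area", "personal_data",
    "customer_facing", "influences_decisions", "eu_users", "eu_workers_or_applicants",
    "sold_to_eu", "outputs_used_in_eu", "developed_or_modified",
    "vendor_trains_on_our_data", "human_oversight_owner", "review_date",
)
PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def triage(record: dict, today: date) -> dict:
    """Screen one inventory record and return flags plus a review priority."""
    missing = [f for f in REQUIRED if f not in record]
    if missing:
        # Not fully inventoried means not classifiable; send it back first.
        return {"name": record.get("name", "?"), "priority": "high",
                "flags": ["incomplete_inventory"], "missing": missing}

    flags = []
    eu_exposed = any(record[k] for k in
                     ("eu_users", "eu_workers_or_applicants", "sold_to_eu", "outputs_used_in_eu"))
    if not eu_exposed:
        flags.append("no_eu_exposure_identified")

    # Building, rebranding, modifying or integrating pushes the company toward provider.
    flags.append("role_provider_candidate" if record["developed_or_modified"]
                 else "role_deployer_candidate")

    high_risk = eu_exposed and record["area"] in HIGH_RISK_AREAS and record["influences_decisions"]
    if high_risk:
        flags.append("high_risk_candidate")
        if record["area"] == "credit" and "fraud" in record["purpose"].lower():
            # Credit systems used only to detect financial fraud are carved out of the
            # credit-scoring high-risk category; the actual use must be confirmed by hand.
            flags.append("check_fraud_detection_carve_out")
        if not record["human_oversight_owner"]:
            flags.append("human_oversight_unassigned")

    if eu_exposed and record["customer_facing"]:
        flags.append("transparency_review")
    if record["vendor_trains_on_our_data"] and record["personal_data"]:
        flags.append("vendor_training_review")
    if record["review_date"] < today:
        flags.append("review_overdue")

    if high_risk:
        priority = "high"
    elif eu_exposed and ({"transparency_review", "role_provider_candidate"} & set(flags)):
        priority = "medium"
    else:
        priority = "low"
    return {"name": record["name"], "priority": priority, "flags": flags, "missing": []}


def triage_inventory(records: list, today: date) -> list:
    """Triage every record and return the results ordered by review priority."""
    return sorted((triage(r, today) for r in records),
                  key=lambda r: PRIORITY_ORDER[r["priority"]])


AS_OF = date(2025, 6, 1)  # review date used for the sample run (assumption)

# Constructed sample inventory; vendor and system names are placeholders, not real products.
SAMPLE_INVENTORY = [
    {"name": "ATS candidate ranking", "vendor": "hr-vendor-a (placeholder)", "owner": "HR ops",
     "department": "HR", "purpose": "rank applicants for recruiter review",
     "area": "employment", "personal_data": True, "customer_facing": False,
     "influences_decisions": True, "eu_users": False, "eu_workers_or_applicants": True,
     "sold_to_eu": False, "outputs_used_in_eu": True, "developed_or_modified": False,
     "vendor_trains_on_our_data": True, "human_oversight_owner": None,
     "review_date": date(2025, 1, 15)},
    {"name": "Support chatbot", "vendor": "llm-api-b (placeholder)", "owner": "Support lead",
     "department": "Support", "purpose": "answer customer questions in product",
     "area": "customer_support", "personal_data": True, "customer_facing": True,
     "influences_decisions": False, "eu_users": True, "eu_workers_or_applicants": False,
     "sold_to_eu": True, "outputs_used_in_eu": True, "developed_or_modified": True,
     "vendor_trains_on_our_data": False, "human_oversight_owner": "Support lead",
     "review_date": date(2026, 1, 1)},
    {"name": "Internal drafting assistant", "vendor": "llm-api-b (placeholder)", "owner": "IT",
     "department": "All", "purpose": "draft internal documents", "area": "productivity",
     "personal_data": False, "customer_facing": False, "influences_decisions": False,
     "eu_users": False, "eu_workers_or_applicants": False, "sold_to_eu": False,
     "outputs_used_in_eu": False, "developed_or_modified": False,
     "vendor_trains_on_our_data": False, "human_oversight_owner": "IT",
     "review_date": date(2026, 1, 1)},
    {"name": "Fraud review model", "area": "credit"},  # half-filled ticket, not a record yet
]

if __name__ == "__main__":
    for row in triage_inventory(SAMPLE_INVENTORY, AS_OF):
        print(f"{row['priority']:<6} {row['name']:<30} {', '.join(row['flags'] or row['missing'])}")
```

The value of the pass is the gate it enforces: a record with missing fields comes back as a high-priority item on its own, so nobody classifies from a half-filled procurement ticket, and every flag names the next review step (role analysis, transparency notice, vendor file, oversight assignment) rather than a conclusion about legal status.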
Why spreadsheets will break
A spreadsheet may help start the first AI inventory.
It will not be enough for serious EU AI Act governance.
Spreadsheets do not manage role classification well. They do not route reviews. They do not trigger impact assessments. They do not maintain vendor documentation in a structured way. They do not assign human oversight. They do not track changes. They do not connect disclosures to systems. They do not preserve clean audit evidence. They do not keep pace with model updates and vendor changes.
AI governance software should help manage:
- AI inventory
- EU exposure mapping
- Risk classification
- Provider and deployer role analysis
- High-risk system review
- Transparency obligations
- Vendor documentation
- Impact assessments
- Human oversight
- Disclosure management
- Monitoring records
- Incident records
- Training records
- Audit exports
The point is not to make compliance look more complicated.
The point is to make it manageable.
The EU AI Act is built around system-level obligations. Companies need system-level records.
The questions U.S. companies should ask right now
Before assuming the EU AI Act does not apply, a U.S. company should answer these questions:
- Do we sell AI-enabled products or services to EU customers?
- Do EU users interact with our AI systems?
- Do we use AI to evaluate EU employees or applicants?
- Do we use AI in employment, education, credit, insurance, healthcare, biometric, or essential-service contexts?
- Do our AI systems produce outputs used in the EU?
- Do we use third-party AI models inside our own product?
- Do we rebrand, modify, or integrate AI systems into products sold in Europe?
- Do we know whether we are a provider, deployer, distributor, importer, or product manufacturer for each system?
- Have we classified each AI system by risk?
- Have we identified prohibited or restricted uses?
- Have we identified transparency obligations?
- Have we reviewed vendor training practices?
- Have we assigned human oversight where needed?
- Have we documented input data controls?
- Have we built monitoring?
- Have we trained employees who operate or use AI systems?
- Can we produce evidence if a regulator or customer asks?
If the honest answer is “we are not sure,” the company is not ready.
The mistakes that will hurt U.S. companies
Some EU AI Act mistakes are predictable.
Assuming the law only applies to EU companies
Territorial location is not the whole story. EU market connection, EU users, EU deployment, and EU outputs can matter.
Assuming all AI is either low-risk or high-risk
The Act is more nuanced. Some systems are prohibited. Some are high-risk. Some trigger transparency obligations. Some involve general-purpose AI. Some are lower-risk but still need governance.
Relying entirely on vendors
Vendors are important, but deployers still need their own controls, records, and oversight.
Ignoring embedded AI
AI may be inside tools the company already uses. Existing vendors need review when AI features are added.
Forgetting about human oversight
Human oversight has to be competent, authorized, supported, and documented. A rubber stamp does not count as governance.
Missing transparency obligations
Customer-facing AI and chatbot interactions are easy to launch and easy to forget. They still need review.
Failing to connect AI and privacy
AI systems often process personal data. Privacy notices, data mapping, DSARs, vendor contracts, consent, and retention may all be affected.
Keeping no evidence
If the company cannot produce the inventory, classification, assessment, vendor file, oversight record, notice, log, and monitoring plan, it will struggle to prove compliance.
The plain English version
For U.S. companies, the EU AI Act is not a problem to solve with a paragraph in the privacy policy.
It is a governance problem.
The companies that are prepared will know what AI systems they use, where those systems operate, who is affected, what data is involved, what role the company plays, what risk category applies, what vendor documentation exists, what controls are required, what human oversight is assigned, what disclosures are provided, and where the evidence lives.
The companies that are not prepared will have a familiar answer:
“We need to check with the team.”
That answer is not going to age well.
The EU AI Act is forcing companies to move from AI enthusiasm to AI accountability. For American businesses with European exposure, the smartest move is to build the system now: inventory, classify, assess, document, monitor, and train.
Not because every AI system is dangerous.
Because the risky ones need to be found before they become the reason a customer, regulator, employee, applicant, or plaintiff starts asking questions.