A risk manager at a mid-sized fintech told us something that stuck: “We’ve had three internal presentations on the EU AI Act this year. Nobody has opened the codebase to count how many AI systems we even run.” Altamira product discovery team helped them figure out the hidden regulatory traps.
That gap between knowing a regulation exists and knowing what it means for your specific product is where most teams are sitting right now. As of April 2026, 78% of organizations had not taken meaningful steps toward compliance. August 2 is the date when that gap becomes a legal liability.
Why AI Act Readiness is now an execution issue
The Act didn’t arrive without warning. Prohibited AI practices became enforceable in February 2025. Obligations for general-purpose AI models followed in August 2025. What hits on August 2, 2026 is everything that requires actual engineering and documentation work: risk management systems, technical files, human oversight procedures, conformity assessments, CE marking, and EU database registration for high-risk AI systems.
The European Parliament voted to push Annex III obligations to December 2027 through the Digital Omnibus proposal but trilogue negotiations haven’t concluded, and the original deadline is still law.
Companies betting on the delay are gambling on an agreement that hasn’t been signed. And there’s a detail that makes that bet especially risky: the Act is not retroactive. AI systems already on the market before August 2 will be evaluated under different transitional rules than those deployed after. The timing of your compliance work affects what rules apply to you, not just whether you face a fine.
For product and risk teams, this is no longer a policy question. It’s a sequencing problem.
What product and risk teams should complete first
The instinct is to start with documentation. That’s wrong. Documentation without knowing what you’re documenting produces the wrong documents. The sequence matters, and it starts with your inventory.
AI system inventory
Most organizations don’t have an accurate count of the AI systems they run. Not because they’re careless, but because AI has entered through many doors: a vendor contract here, a developer prototype there, a third-party API embedded in a product nobody fully owns. The inventory step is finding all of it, intended purpose, deployment context, who built it, and what role your organization plays (provider, deployer, or both). Your role determines which obligations land on you.
What often surprises teams at this stage is how many systems turn out to be in scope. An HR tool that ranks candidates. A credit decision model from a partner bank. A customer-facing chatbot that routes complaints. None of these were described internally as “high-risk AI.” But under Annex III, the legal classification flows from what the system does, not what you call it.
Risk classification
High-risk is not a severity rating. It’s a legal status that Article 6 either confers or doesn’t, based on the system’s intended purpose and whether it falls under the categories in Annex III: employment, credit, education, access to public services, law enforcement, and others. A general-purpose model used to draft internal memos sits in a different category than the same model used to score loan applications.
The classification decision has to be documented and traceable. Regulators won’t accept “we assessed it and it seemed fine.” They’ll want to see the reasoning, who made it, and when.
Documentation gaps
Once you know what you have and what risk tier it sits in, the gap between your current documentation and what the Act requires becomes concrete. For high-risk systems, the Act specifies:
- Technical documentation covering purpose, design logic, training data, and known performance limitations
- A risk management process that runs continuous, not a one-time review
- Defined procedures for human oversight: how operators monitor the system, and how they can intervene or stop it
- Records of accuracy testing, robustness assessments, and post-market monitoring
The gap analysis at this stage is usually the most useful output of a readiness audit, because it converts a vague compliance obligation into a finite work list.
What a readiness audit should produce
A readiness audit is a gap analysis, not a certification. Done well, it answers three questions: what AI systems are you running, which ones trigger obligations under the Act, and what do you still need to produce or implement before August 2.
|
Audit Output |
What It Contains |
|
AI system inventory |
Every in-scope system, risk classification, role designation, third-party dependencies, current documentation status |
|
Gap register |
Specific missing documentation, governance controls, and technical requirements per system |
|
Remediation scope |
Ordered work items with ownership, estimated effort, and deadlines — not a generic framework |
The audit also clarifies something teams frequently get wrong: not every system requires the same level of work. High-risk systems under Annex III need conformity assessments, CE marking, and EU database registration. Lower-risk systems have lighter obligations. Knowing the difference determines how you allocate the next six weeks.
How Altamira supports early-stage discovery and controlled rollout planning
Most teams that come to us at this stage aren’t starting from zero. They already have AI in production, some internal documentation, and a compliance deadline they’re now taking seriously. The work isn’t to build governance from scratch. It’s to close specific gaps quickly, in the right order.
Discovery outputs
Altamira’s discovery phase produces the inventory and gap register described above: the two outputs that make every subsequent decision faster. This means reviewing existing documentation, working through classification decisions with your product and risk owners, and identifying which gaps need engineering work versus which can be closed with documentation.
The output is a clear picture of what’s in scope, what’s missing, and what order to address it in: structured so that your team can act on it immediately, not after another round of internal review.
Decision-ready implementation scope
After discovery, the work moves into implementation: authoring technical documentation, designing human oversight procedures, scoping QMS frameworks, and preparing for conformity assessment. For teams with multiple high-risk systems or vendors who can’t yet produce conformity documentation, Altamira also supports procurement review and supplier engagement.
The scope is built around your actual systems and timeline, not a compliance template that needs to be mapped back to reality.
A practical readiness checklist for 2026 planning
The following sequence reflects where the dependencies actually sit:
Before the end of June
- Complete AI system inventory across all products, vendors, and internal tools
- Confirm risk classification for each system and document the reasoning
- Identify documentation gaps per system and estimate remediation effort
July
- Author or update technical documentation for each high-risk system
- Define and document human oversight procedures
- Request conformity documentation from all AI vendors in scope
- Implement or formalize risk management processes with ongoing monitoring
First week of August
- Complete conformity assessments
- Prepare Declaration of Conformity and apply CE marking where required
- Register systems in the EU AI database
- Final audit readiness review
Conclusion
Compliance work for the EU AI Act is not a policy exercise anymore. It’s an engineering and documentation sprint with a hard deadline. What determines whether August 2 is a problem or a non-event is whether your team has done the inventory, classification, and gap work that everything else depends on.
The organizations that will have the hardest time are those that are still in the “we should address this” phase. The ones that will be fine started with an honest count of what they’re running.
If your team is ready to move from assessment to implementation, Altamira can run the discovery and scope the work.


