Your 90-Day EU AI Act Compliance Sprint: A Week-by-Week Action Plan
Only 8 of 27 EU member states have designated their national AI enforcement authorities — seven months past the deadline to do so. A 2026 compliance assessment across eight industries found that 83% of enterprises have no formal AI system inventory, and 78% haven't taken meaningful compliance steps. And the EU AI Act deadline for high-risk AI systems is August 2, 2026.
If you're a compliance officer or IT manager who just got handed this problem, this article is your playbook. Not a legal explainer — a project plan. Twelve weeks, three phases, one goal: a defensible compliance posture before the deadline hits.
What's Actually Due by August 2, 2026
First, let's scope the problem. August 2 is the deadline for Annex III high-risk AI systems — AI used in employment decisions, credit scoring, education, critical infrastructure, law enforcement, and a few other categories. If your organization deploys AI in any of these eight areas, you have obligations.
The specific requirements:
- Article 9: A documented risk management system for each high-risk AI system
- Article 11: Technical documentation covering nine mandatory sections (Annex IV)
- Article 17: A quality management system covering your AI operations
- Article 49: Registration of each high-risk system in the EU database (Annex VIII — 13 required fields)
- Article 72: A post-market monitoring plan for ongoing oversight
None of these are possible without knowing what AI systems you have, who owns them, and how risky they are. That's why an AI inventory is the prerequisite for everything else.
What about the Omnibus delay? The European Commission proposed delaying these obligations to December 2027 via the Digital Omnibus package in November 2025. Parliament voted overwhelmingly in favor (569-45) in March 2026, and trilogue negotiations are underway with a political agreement targeted for late April. But as of today, the delay hasn't been formally adopted and published in the Official Journal. August 2, 2026 remains the legally binding date. Planning around a delay that may not come is not a compliance strategy.
Penalties for getting it wrong: Up to €15 million or 3% of global annual turnover — whichever is higher. For prohibited practices, it's €35 million or 7%.
The Sprint: 12 Weeks, 3 Phases
Phase 1: See What You Have (Weeks 1–4)
You can't govern what you can't see. The first month is about building a complete picture.
Week 1: AI Discovery
Most organizations have 2-5x more AI systems than management realizes. Your job this week:
- Pull IT asset management records — look for SaaS subscriptions with AI capabilities (Copilot, ChatGPT Enterprise, Salesforce Einstein, ServiceNow AI)
- Review finance invoices from the past 24 months for AI vendor payments
- Send a five-question survey to department heads: "What AI tools does your team use? For what purpose? What data goes in?"
- Check DevOps: CI/CD pipelines, model serving infrastructure, API gateway logs calling AI endpoints
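The last discovery step, sketched as an added example (not from the original article): scan egress or API gateway logs for calls to public AI API hosts and group them by calling service, so each hit becomes a candidate inventory row. The log format, service names and sample lines are constructed, and the host list is illustrative rather than complete.

```python
import re
from urllib.parse import urlsplit

# Hostnames of public AI APIs. Illustrative, not exhaustive: extend it with
# the vendors that turn up in your SaaS and invoice review.
AI_HOSTS = {
    "api.openai.com": "OpenAI API",
    "openai.azure.com": "Azure OpenAI",
    "api.anthropic.com": "Anthropic API",
    "generativelanguage.googleapis.com": "Google Gemini API",
}

# Constructed sample lines in an assumed gateway format:
# <timestamp> service=<caller> method=<verb> url=<upstream URL> status=<code>
SAMPLE_LOG = """\
2026-05-04T09:12:01Z service=hr-screening method=POST url=https://api.openai.com/v1/chat/completions status=200
2026-05-04T09:13:40Z service=billing method=GET url=https://payments.example.com/v2/invoices status=200
2026-05-04T09:15:22Z service=support-bot method=POST url=https://acme-support.openai.azure.com/openai/deployments/gpt/chat/completions status=200
2026-05-04T09:16:05Z service=hr-screening method=POST url=https://api.openai.com/v1/chat/completions status=429
2026-05-04T09:17:30Z service=marketing method=POST url=https://api.openai.com.example.net/v1/chat status=200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) service=(?P<service>\S+) method=\S+ url=(?P<url>\S+) status=\d{3}$")

def match_vendor(host):
    """Match on a dot boundary so lookalike hosts (api.openai.com.example.net) are not counted."""
    host = host.lower().rstrip(".")
    for known, vendor in AI_HOSTS.items():
        if host == known or host.endswith("." + known):
            return vendor
    return None

def discover_ai_usage(log_text):
    """Return {(service, vendor): {"calls", "first_seen", "last_seen"}} for AI API traffic."""
    found = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable lines are skipped, not guessed at
        vendor = match_vendor(urlsplit(m["url"]).hostname or "")
        if vendor is None:
            continue
        rec = found.setdefault((m["service"], vendor),
                               {"calls": 0, "first_seen": m["ts"], "last_seen": m["ts"]})
        rec["calls"] += 1
        rec["first_seen"] = min(rec["first_seen"], m["ts"])  # ISO-8601 UTC sorts as text
        rec["last_seen"] = max(rec["last_seen"], m["ts"])
    return found
```

Traffic that bypasses the gateway (browser use of SaaS AI features, personal accounts) will not appear here, which is why the survey and invoice review above still matter.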
Week 2: Build Your Raw Inventory
For every AI system you found, capture the basics:
- System name and vendor
- Business purpose and who uses it
- What data it processes (personal, confidential, public?)
- Your role: are you the provider (you built it) or deployer (you use someone else's)?
Don't overthink the format yet. A spreadsheet works for week 2. You'll move it to proper tooling in Phase 2.
Week 3: Risk Classification
This is the critical step. For each system, walk through the decision tree:
- Is it prohibited? (Social scoring, real-time biometric identification in public spaces, emotion recognition at work) → Decommission immediately.
- Is it Annex III high-risk? Check all eight categories — employment, credit scoring, education, critical infrastructure, law enforcement, migration, justice, biometrics.
- Does the Article 6(3) exception apply? A system listed in Annex III is NOT high-risk if it performs a narrow procedural task, improves a previous human activity, is preparatory to a decision made by a human, or detects decision-making patterns without replacing human assessment.
- Is it a general-purpose AI? (ChatGPT, Copilot) → Obligations mainly fall on the provider (OpenAI, Microsoft), not you as deployer.
- Everything else → Limited risk (chatbots need disclosure) or minimal risk (no obligations).
Reality check: Most mid-market companies find 0-3 genuinely high-risk systems. The rest are minimal risk. Your compliance effort concentrates on those few high-risk systems.
Week 4: Assign Ownership
Every AI system needs three names attached:
- Business owner — accountable for the use case and business value
- Technical owner — responsible for the system's operation and maintenance
- Compliance contact — your point of contact for regulatory questions
No anonymous AI. No "IT department owns it." Named individuals who can answer questions when the regulator calls.
Phase 2: Build Your Governance Infrastructure (Weeks 5–8)
You now know what you have and how risky it is. Phase 2 is about building the systems to manage it.
Week 5: Move to Proper Tooling
Your week-2 spreadsheet won't survive audit. You need a tool that provides:
- Structured fields for each AI system (not free-text cells)
- Immutable audit trail (who changed what, when — no editable history)
- Role-based access control (business owners edit, auditors read)
- Workflow states (Draft → Active → Monitoring → Retired)
If your organization uses Jira, you already have audit trails, RBAC, and workflow engines built in. A model inventory app on top of Jira can give you a compliance-ready registry without procuring a new vendor.
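One way to make the "no editable history" and workflow-state requirements checkable, as an added example that is not from the original article and not a description of how Jira stores its audit log: each change record is hash-chained to the previous one, and state changes must follow Draft → Active → Monitoring → Retired. Field names, actors and the sample changes are constructed.

```python
import hashlib
import json

# Linear workflow from the list above: Draft -> Active -> Monitoring -> Retired.
NEXT_STATE = {"Draft": "Active", "Active": "Monitoring", "Monitoring": "Retired"}
GENESIS = "0" * 64  # "previous hash" of the first entry
FIELDS = ("seq", "ts", "actor", "system", "field", "old", "new", "prev")

def _digest(entry):
    """SHA-256 over the canonical JSON of everything except the hash itself."""
    body = {k: entry[k] for k in FIELDS}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditTrail:
    def __init__(self):
        self.entries = []

    def record(self, ts, actor, system, field, old, new):
        """Append who changed what, when; reject workflow jumps."""
        if field == "state" and NEXT_STATE.get(old) != new:
            raise ValueError(f"illegal transition {old} -> {new}")
        entry = {"seq": len(self.entries), "ts": ts, "actor": actor,
                 "system": system, "field": field, "old": old, "new": new,
                 "prev": self.entries[-1]["hash"] if self.entries else GENESIS}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return the index of the first entry that breaks the chain, or None."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or _digest(e) != e["hash"]:
                return i
            prev = e["hash"]
        return None

def demo():
    trail = AuditTrail()
    trail.record("2026-05-11T10:00:00Z", "a.owner", "cv-screening", "state", "Draft", "Active")
    trail.record("2026-05-12T08:30:00Z", "a.owner", "cv-screening", "risk_class", "minimal", "high")
    trail.record("2026-05-20T14:00:00Z", "t.owner", "cv-screening", "state", "Active", "Monitoring")
    clean = trail.verify()
    trail.entries[1]["new"] = "minimal"  # simulated after-the-fact edit of history
    return clean, trail.verify()
```

A hash chain makes edits detectable, not impossible: someone who can rewrite the whole store can recompute every hash, so the latest hash should also be written somewhere the inventory's editors cannot change.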
Week 6: AI Governance Policy
Write a 3-5 page policy covering:
- Registration gate: No new AI system enters production without an inventory record
- Classification process: How new systems get risk-classified
- Review cadence: Quarterly for high-risk, annually for the rest
- Incident reporting: What to do when something goes wrong
- Training requirements: Who needs AI literacy training (hint: everyone — Article 4 has been in force since February 2025)
Week 7: High-Risk Deep Dive — Documentation
For each high-risk system (you likely have 0-3), start the heavy paperwork:
- Risk Management System (Art. 9): Document known risks, mitigation measures, and residual risk acceptance
- Technical Documentation (Annex IV): Nine sections covering design, data, performance, monitoring, and risk management. For third-party systems, demand this from your vendor.
- Fundamental Rights Impact Assessment: Required for deployers of high-risk AI
Week 8: EU Database Preparation
Annex VIII requires 13 specific data points per high-risk system for EU database registration. If your inventory tool captures the right fields, this becomes an export — not a separate project. Key fields: system name, intended purpose, provider details, operating logic summary, deployment status, member states, and EU Declaration of Conformity.
Phase 3: Operationalize and Verify (Weeks 9–12)
Week 9: Vendor Management
For third-party AI systems classified as high-risk:
- Request technical documentation from the vendor
- Verify they have an EU Declaration of Conformity
- Check their EU database registration
- Add AI Act clauses to your contracts (incident reporting obligations, documentation updates)
Week 10: Training
AI literacy training (Article 4) has been mandatory since February 2025. If you haven't done it, you're already behind. Two tracks:
- All staff: Basic awareness — what AI your company uses, how to report issues
- AI system overseers: Specific training on their oversight responsibilities for high-risk systems
Week 11: Post-Market Monitoring Setup
For high-risk systems, set up:
- Performance monitoring dashboards
- Scheduled review reminders (quarterly at minimum)
- Incident reporting process (serious incidents → national authority within 15 days)
- Data retention policies (logs: 6 months minimum; technical documentation: 10 years)
Week 12: Readiness Audit
Run a gap assessment against your inventory:
- Does every AI system have an owner? ✓
- Are all high-risk systems classified correctly? ✓
- Is technical documentation complete for high-risk systems? ✓
- Are EU database registrations prepared? ✓
- Is your governance policy published and communicated? ✓
- Are monitoring systems operational? ✓
Any gaps become your remediation backlog for the final weeks before August 2.
What If the Deadline Shifts?
The Digital Omnibus may push the Annex III deadline to December 2027. If it does, you've built your governance infrastructure 18 months early — which is exactly when Deloitte says you should start (69% of organizations expect 1+ year for AI governance implementation). You haven't wasted time. You've bought yourself a head start while competitors scramble later.
If it doesn't shift, you're ready.
The Real Risk Isn't Fines
The €15 million headline gets attention, but the real risk for mid-market companies is operational. Organizations without an AI inventory can't answer basic questions:
- "How many AI systems do we have?" — Board and investors are asking this now.
- "Which ones process personal data?" — Your DPO needs to know.
- "What happens if this vendor's AI fails?" — Business continuity depends on it.
- "Are we exposed to the EU AI Act?" — The question that started this whole thing.
An AI inventory answers all four. The EU AI Act just gives you a deadline to build one.
What to Do This Week
- Monday: Send the five-question AI survey to department heads
- Tuesday: Pull SaaS subscription and vendor payment records
- Wednesday: Start a simple inventory — even a spreadsheet
- Thursday: Identify your likely high-risk systems (employment AI, credit scoring)
- Friday: Assign an owner for the compliance project and block 2 hours per week for 12 weeks
Ninety days is enough. But only if you start this week.
Model Inventory for Jira helps teams build a compliance-ready AI registry in their existing Jira — with EU AI Act risk classification, guided onboarding, and structured fields mapped to Annex VIII.