EU AI Act pushes policy‑as‑code
- Reply on May 14 launched Model Factory, and Quest Software on May 13 expanded its data platform with AI policy management and governance features. (morningstar.com)
- Reply said each model and derived customer dataset is issued as a versioned enterprise asset with controlled interfaces, embedded quality gates and EU AI Act alignment. (morningstar.com)
- On August 2, 2026, the European Commission’s enforcement powers for general-purpose AI model obligations are due to take effect. (digital-strategy.ec.europa.eu)

Reply and Quest Software used product launches this week to show how AI governance is moving into software pipelines rather than staying in policy documents. Reply on May 14 introduced “Model Factory,” a system for building enterprise generative AI models with versioning, controlled interfaces, embedded quality gates and what it called built-in alignment with the European Union’s AI Act. (morningstar.com) Quest on May 13 said it had added AI-powered policy management, governance, lineage and compliance capabilities to its Trusted Data Management Platform.

The timing matters because the EU’s AI Act is already applying to some model providers. The European Commission says obligations for providers of general-purpose AI models entered into application on Aug. 2, 2025, and that its enforcement powers for those obligations will apply from Aug. 2, 2026. (digital-strategy.ec.europa.eu) The Commission says the law sets out risk-based rules for AI developers and deployers and is supported by guidance and voluntary tools such as the AI Pact and the General-Purpose AI Code of Practice.

### What exactly did Reply put into the engineering stack?

Reply said its Model Factory is an “industrial production line” for frontier generative AI models grounded in corporate knowledge. The company said customers can bring internal documentation, software repositories, business data, domain knowledge and process records into secure vaults, then move through data preparation, training, evaluation, deployment and continuous improvement in a controlled lifecycle. (morningstar.com)

Each model and each derived customer dataset is released as a versioned enterprise asset, Reply said. The company said those assets include controlled interfaces, embedded quality gates and built-in alignment with the EU AI Act, while the training layer includes pre-training, supervised fine-tuning, reinforcement learning, distillation and speculative decoding. (digital-strategy.ec.europa.eu)

### What did Quest add, and where does “policy-as-code” fit?

Quest Software on May 13 announced new releases for Quest Data Modeler and Quest Data Intelligence inside its Trusted Data Management Platform. The company said the additions include cloud-native data modeling, AI-powered policy management and AI assistants spanning governance, lineage, compliance, data products, data quality and natural-language access to governed data. (morningstar.com)

Quest said many organizations still use separate modeling tools, governance suites and AI assistants, which can create broken audit trails and leave assistants running on ungoverned data. The company said its platform is designed to provide “one platform, one audit trail, and one shared understanding of data from how it is structured to how it is consumed.” (morningstar.com)

### Why are vendors talking about audit trails and lifecycle controls now?

The European Commission’s guidance says providers of general-purpose AI models need to understand whether the obligations apply to them, assess model risks and prepare for compliance. The Commission says the guidelines complement the General-Purpose AI Code of Practice, which it describes as a practical tool for showing how providers can fulfill obligations under the AI Act. (quest.com)

NIST’s AI Risk Management Framework points in a similar operational direction, though it is voluntary rather than regulatory. NIST says the framework is intended to help organizations incorporate trustworthiness considerations into the design, development, use and evaluation of AI products, services and systems, and that its July 26, 2024 generative AI profile is meant to address risks specific to generative AI. (quest.com)

### What changes for companies building or buying AI systems?

The product language from both vendors points to compliance work being attached to model and data lifecycles. Reply described governance, quality gates, operational safety, model traceability and continuous monitoring as part of the factory architecture, while Quest described policy management, lineage, compliance and audit trails as part of a unified SaaS platform for trusted, AI-ready data. (digital-strategy.ec.europa.eu)

That does not replace legal review. The European Commission says the AI Act remains a risk-based legal framework with obligations that vary by actor and use case, including separate timelines for providers of general-purpose models and other parts of the law. But the vendor releases show suppliers packaging those obligations into developer and data-management workflows that can produce records, controls and version history alongside the models themselves. (nist.gov) That last point is an inference from the product descriptions and the Commission’s timeline, not a regulatory statement.

### What happens next as the EU timetable advances?

Aug. 2, 2026 is the next concrete deadline in this part of the rulebook. The European Commission says that is when its enforcement powers for obligations on providers of general-purpose AI models begin, while providers of models placed on the market before Aug. 2, 2025 must comply by Aug. 2, 2027. (reply.com) (digital-strategy.ec.europa.eu)