EU AI Act ambiguity grows

Teams building personalization features are increasingly stuck deciding whether their work even counts as an ‘AI system’ under the EU AI Act, and that uncertainty is forcing compliance work into discovery. Practitioners say edge cases make scope tricky and that enforcement plans starting in August raise the stakes for high‑risk uses. Security reporting stresses that data quality, governance and documentation will be core compliance requirements, so product specs now need explicit sections on model behavior, data inputs and fallback paths. (dev.to) (artificialintelligence-news.com) (securityboulevard.com)

A lot of teams in Europe are now stuck on a question that sounds simple and turns out not to be: is a personalization feature actually an artificial intelligence system, or is it just software with rules and scores. The European Union’s Artificial Intelligence Act uses a broad definition built around systems that infer outputs like predictions, recommendations, or decisions, which leaves gray areas for ranking engines and recommendation tools. (eur-lex.europa.eu)

That matters now because the law is not arriving all at once. The Act entered into force on August 1, 2024, bans on certain uses started applying on February 2, 2025, and the bigger compliance wave for many systems lands on August 2, 2026. (artificialintelligenceact.eu)

The hard part is that the law regulates by use case more than by buzzword. A recommendation model picking movies is very different from a recommendation model helping decide who gets a job interview, a loan, or access to a public service. (eur-lex.europa.eu) The European Union lists employment, credit scoring, insurance risk assessment, education, migration, and parts of law enforcement as high-risk areas. Once a system lands in one of those buckets, the paperwork stops being optional and starts looking like product engineering with auditors attached. (eur-lex.europa.eu)

That is why product teams are dragging compliance into the design phase instead of waiting for launch review. Security and governance guidance now tells companies to inventory every artificial intelligence system, classify its risk level, document how it works, and monitor it across its full lifecycle. (securityboulevard.com) For high-risk systems, the law names the checklist in plain categories: risk management, data quality, technical documentation, record-keeping, transparency, human oversight, accuracy, robustness, and cybersecurity. If a team cannot explain what data went in, what the model is supposed to do, and what a human can override, it is already behind. (eur-lex.europa.eu)

Data is becoming the part that changes product specs the fastest. The Act requires training, validation, and testing data to be relevant and sufficiently representative, and it ties that requirement to governance practices instead of treating data as a black box that engineering can hand-wave away. (artificialintelligenceact.eu) (eur-lex.europa.eu)

The same shift is hitting documentation. The European Union’s code of practice for general-purpose artificial intelligence models says providers should keep up-to-date model documentation covering technical specifications, use cases, datasets, and other operational details, and store it for up to ten years. (artificialintelligenceact.eu)

So a product requirement document for a recommender system now needs sections that would have looked unusual two years ago: model behavior, input data sources, known failure modes, logging, and fallback paths when the system is uncertain or unavailable. That is not just legal hygiene; it is the evidence a company may need if a regulator asks how the system behaves in practice. (securityboulevard.com) (artificialintelligenceact.eu)

The awkward twist is that many teams still do not know whether their feature is fully inside scope until they map the whole workflow. A ranking model, a rules engine, a human reviewer, and a downstream business decision can each look harmless alone and still add up to a regulated system when combined. (eur-lex.europa.eu) (securityboulevard.com)

That is why the European Union Artificial Intelligence Act is turning compliance into discovery work. Before teams can prove they follow the rules, they first have to answer a more basic question with names, diagrams, and logs: what exactly did we build. (eur-lex.europa.eu) (artificialintelligenceact.eu)

Shared from Scout - Be the smartest in the room.