EU AI Act becomes system design task
New guidance says the EU AI Act is forcing organisations to treat compliance as an architectural requirement rather than an afterthought. Audits must map model integrations, APIs, training‑data governance, monitoring artefacts and lifecycle records, and this pushes teams to bake inventories, lineage and machine‑readable evidence into the platform by default. That means platform SDKs and runtimes will need to emit compliance artefacts continuously rather than relying on retrospective documentation. (raconteur.net, securityboulevard.com)
A lot of companies thought EU AI Act compliance would look like privacy compliance in 2018: write policies, fill binders, survive the audit. The new guidance points in the opposite direction: if your systems cannot produce evidence as they run, you are already behind. (raconteur.net, securityboulevard.com)

The law itself was adopted as Regulation (EU) 2024/1689 in June 2024, and the European Commission describes it as the world's first comprehensive legal framework for artificial intelligence. Its obligations land in phases, with major requirements still rolling in through August 2026 and some transitions extending to August 2027. (eur-lex.europa.eu, digital-strategy.ec.europa.eu, raconteur.net)

The part changing software design is the high-risk section. High-risk AI systems are the ones that can affect things like jobs, credit, education, critical infrastructure, and other decisions where errors can harm people's rights or safety. (eur-lex.europa.eu, digital-strategy.ec.europa.eu) For those systems, the EU AI Act does not just ask what model you use. It asks where the training, validation, and test data came from, how quality was checked, what risks were logged, what human oversight exists, and what happened after deployment. (eur-lex.europa.eu, securityboulevard.com)

That turns an audit into a map of plumbing. Raconteur's April 10, 2026 guide says teams now need a complete inventory of external AI endpoints, records of what data each endpoint receives, the purpose of each transfer, and flags for sensitive data. (raconteur.net) An inventory is just a parts list for software. If one customer support tool calls three large language model services, one moderation service, and one internal classifier, an auditor may want evidence for all five links, not a screenshot of the user interface. (raconteur.net, securityboulevard.com)

Lineage is the next piece. Lineage means a chain-of-custody record showing which dataset, model version, prompt template, API call, and monitoring event produced a given output, the way a parcel tracker shows every warehouse scan between sender and doorstep. (securityboulevard.com, raconteur.net)

Monitoring is no longer optional cleanup after launch. Article 72 requires providers of high-risk systems to run a post-market monitoring system across the system's lifetime, with a plan included in the technical documentation. (artificialintelligenceact.eu, eur-lex.europa.eu)

That is why compliance is moving into SDKs and runtime layers. If the platform does not automatically emit logs, model identifiers, data-handling records, and lifecycle events in machine-readable form, someone will end up rebuilding the evidence by hand from tickets, spreadsheets, and cloud logs. (raconteur.net, securityboulevard.com)

The penalty structure explains the urgency. Raconteur notes that the biggest infringements under the EU AI Act can reach €35 million or 7% of worldwide annual turnover, which is the kind of number that turns "governance" into a platform budget line. (raconteur.net)

So the real shift is simple: the audit trail is becoming part of the product. In 2026, a company using AI in Europe increasingly needs systems that can explain themselves continuously, not lawyers who try to reconstruct the story a week before the regulator arrives. (raconteur.net, securityboulevard.com, digital-strategy.ec.europa.eu)
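What the inventory and lineage requirements above look like when the runtime emits the evidence itself, as an added example that is not code from the article or from the guidance it cites: a declared endpoint inventory (name, purpose, data categories, sensitive-data flag) and a recorder that turns every external model call into a machine-readable event linking the output to dataset, model version, prompt template and endpoint. `Endpoint`, `LineageRecorder`, `digest` and all field names are illustrative assumptions, not a real SDK's API.

```python
"""Added example (not the article's or the guidance's code): a minimal runtime
lineage recorder. Each external model call becomes a machine-readable event
tying the output to dataset, model version, prompt template and endpoint, with
purpose and sensitive-data flag taken from a declared inventory. All names here
are illustrative assumptions."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone


def digest(text: str) -> str:
    """Hash payloads so the record proves what was sent without storing raw text."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class Endpoint:
    name: str               # external AI endpoint (LLM, moderation, classifier)
    purpose: str            # why data is transferred there
    data_categories: tuple  # what kinds of data the endpoint receives
    sensitive: bool         # inventory flag for sensitive data


class LineageRecorder:
    def __init__(self, inventory):
        self.inventory = {ep.name: ep for ep in inventory}
        self.events = []

    def record(self, endpoint, dataset, model_version, prompt_template, inp, out):
        ep = self.inventory.get(endpoint)
        if ep is None:
            # an undeclared endpoint is an inventory gap, never logged silently
            raise KeyError(f"endpoint {endpoint!r} is not in the inventory")
        event = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "endpoint": ep.name, "purpose": ep.purpose, "sensitive": ep.sensitive,
            "data_categories": list(ep.data_categories), "dataset": dataset,
            "model_version": model_version, "prompt_template": prompt_template,
            "input_sha256": digest(inp), "output_sha256": digest(out),
        }
        self.events.append(event)
        return event

    def uncovered_endpoints(self):
        """Declared endpoints with no recorded call: evidence an auditor will ask for."""
        return sorted(set(self.inventory) - {e["endpoint"] for e in self.events})
```

Serialising each returned event as one JSON line gives the continuous, machine-readable artefact the guidance describes; `uncovered_endpoints()` shows which of the declared links (the five in the support-tool scenario) still have no evidence behind them.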