Regulatory

51 Days: What EU AI Act Annex III Actually Requires from Your AI Agents


There are 51 days until the EU AI Act's August 2, 2026 enforcement date for high-risk AI systems under Annex III. Most enterprise teams are still treating that deadline as a documentation exercise — a spreadsheet of models, a policy PDF, a vendor questionnaire.

That is not what regulators will ask for.

The rule most teams are getting wrong

Risk is determined by use case, not by model.

Copilot for drafting emails is, at most, limited risk: Article 50 transparency obligations only, no conformity assessment, no FRIA.

Copilot for screening CVs is Annex III high-risk (employment): full Article 26 deployer obligations, human oversight assigned, automatically generated logs kept for at least six months, workers and their representatives informed before use, and, where the deployer is a public body or a private entity providing public services, a Fundamental Rights Impact Assessment under Article 27 before first deployment.

The model is the same. The compliance exposure is completely different.

This is where most enterprise inventories fail. Teams list their AI tools. Regulators ask about their AI use cases.

The eight Annex III high-risk domains

An AI system used in one of these areas is presumed high-risk and carries full Article 26 deployer obligations from August 2. The Article 6(3) carve-out for narrow procedural or preparatory tasks exists, but it never applies where the system profiles natural persons, and the provider must document the assessment, so treat it as an exception to be evidenced rather than a default:

  • Employment and worker management — CV screening, performance evaluation, promotion and termination decisions, task allocation
  • Access to essential services — credit scoring, loan decisions, life and health insurance risk assessment, public benefits eligibility, emergency call triage
  • Education and vocational training — exam grading, admissions, student assessment
  • Biometrics — remote biometric identification, biometric categorisation, emotion recognition (1:1 verification whose sole purpose is to confirm someone is who they claim to be is excluded)
  • Critical infrastructure — safety components of utilities, transport and digital infrastructure
  • Law enforcement — predictive policing, evidence assessment, recidivism risk
  • Migration, asylum and border control — eligibility, risk scoring
  • Administration of justice and democratic processes — sentencing support, case outcome prediction, influencing election outcomes

The two that hit most enterprises immediately: employment and essential services. If your organisation uses AI to help evaluate candidates, manage performance, or assist credit decisions — you are in scope.

What Article 26 actually requires from deployers

By August 2, deployers of high-risk AI systems must have:

  1. AI use case inventory — every high-risk use case classified, with the evidence for the classification (this is not an Article 26 duty in itself, but every other item depends on it)
  2. FRIA completed — Fundamental Rights Impact Assessment under Article 27 before first deployment, required for public bodies, private entities providing public services, and any deployer of credit scoring or life and health insurance risk assessment
  3. Human oversight assigned — named natural persons with the competence, training and authority to intervene (Article 26(2))
  4. Log retention — automatically generated logs under your control kept for a period appropriate to the intended purpose and at least six months (Article 26(6))
  5. Worker notification — workers' representatives and affected workers informed before the system is put into use at the workplace (Article 26(7))
  6. Transparency disclosure — natural persons informed that they are subject to a decision made or assisted by a high-risk AI system (Article 26(11))
  7. Monitoring and incident reporting — operation monitored against the provider's instructions for use, use suspended and the provider and market surveillance authority informed where a risk emerges, and serious incidents reported (Article 26(5))

Zero of these are documentation-only. All require operational evidence.

The GPAI vendor compliance gap nobody is talking about

Before you can close your Article 26 checklist, you need to understand what your vendors have — and haven't — committed to.

The EU GPAI Code of Practice was published July 2025. Here is where every major vendor stands:

| Vendor | GPAI CoP | Systemic risk | What it means for you |
|---|---|---|---|
| Anthropic Claude | ✅ Full | Yes | Compliance documentation available |
| Microsoft (Copilot, M365) | ✅ Full | Yes | Compliance documentation available |
| Google (Gemini) | ✅ Full | Yes | Compliance documentation available |
| AWS (Bedrock) | ✅ Full | Yes | EU region data residency available |
| IBM (Watsonx) | ✅ Full | No | First-class governance documentation |
| Mistral | ✅ Full | No | Open-weight, Article 53(2) qualified |
| xAI (Grok) | ⚠️ Safety only | Yes | Transparency + copyright via "alternative means"; verify docs |
| Meta (Llama) | ❌ Refused | Yes | Zero upstream documentation |

The Llama situation is the most operationally significant gap in most enterprise stacks. Meta refused to sign any chapter of the GPAI Code of Practice. If you are running Llama in EU-facing workflows — self-hosted, via AWS Bedrock, or via Azure — you have no provider-supplied GPAI documentation for your evidence pack.

One important distinction: Llama deployed via AWS Bedrock sits under Amazon's CoP umbrella. Self-hosted Llama does not. Record that distinction, and the hosting model behind it, in your use case registry, and get AWS to confirm the scope of its coverage in writing rather than inferring it from the table above.

xAI signed only the Safety and Security chapter. The Transparency and Copyright chapters, which cover the Article 53 obligations that apply to every GPAI provider, are being demonstrated via alternative means. Enterprises using Grok in Annex III use cases should request xAI's alternative compliance documentation directly before August 2 and file the response in the evidence pack.

What to do in the next 51 days

Week 1 — Build the inventory List every AI use case, not every AI tool. For each use case: which vendor, which model, who it affects, what decisions it influences. Map each one against the eight Annex III domains above.

Week 2 — Classify and triage For every use case that touches an Annex III domain: confirm risk classification, identify the FRIA requirement, check your vendor's GPAI compliance status.

Week 3-4 — Close the Article 26 gaps For each high-risk use case: complete the FRIA, assign human oversight, confirm log retention is configured, notify affected workers, verify transparency disclosures are live.

Ongoing — Evidence and monitoring Export your AI Register. Connect your governance process to your incident reporting. Ensure policy violations route to human review, not email alerts.

The deadline is August 2. The Digital Omnibus political agreement may extend Annex III obligations to December 2027 — but it has not been formally adopted into law. The original date remains operative. Planning for the extension is a compliance risk.

See how PromptKing classifies your AI use cases →

See your organization's AI spend data

PromptKing connects to your AI vendors and surfaces exactly this analysis — for your seats, your vendors, your budget.
