In 60 days — on 2 August 2026 — the high-risk AI system obligations of the EU AI Act apply to you. When did your last AI risk assessment cover Article 9, Article 10, and Article 26?
If you cannot answer that cleanly, you are late.
The dates are not vague. The AI Act entered into force on 1 August 2024. Article 5 prohibited practices have applied since 2 February 2025. General-purpose AI rules started applying from 2 August 2025. High-risk obligations under Article 6, Article 9, Article 10, and Articles 16 to 27 apply from 2 August 2026.
Many non-EU companies still talk about this as if Brussels will stay politely on the other side of the Atlantic. Article 25 kills that idea fast. If your team puts a third-party AI system into use and it touches EU employee or customer data, your headquarters location does not save you. The Act follows the use.
The first mistake is thinking you are not a deployer
Article 3(4) defines a deployer broadly: any natural or legal person using an AI system under its authority, except for personal non-professional activity. That is not just the vendor. That is you.
If your HR team uses ChatGPT Team, Copilot, Gemini, or Claude to rank applicants, screen interviews, or assess employee performance, you are the deployer. If that use case falls within Annex III, you may be deploying a high-risk AI system.
Teams miss this all the time. They buy a general-purpose tool and assume the provider carries the whole regulatory burden. That is not how the Act works. The classification turns on the use case as much as the model.
Read Annex III directly. Do not rely on vendor blog posts written by people paid to find that nothing they sell is ever high-risk.
The enterprise traps show up in familiar places:
- Employment, workers management, and access to self-employment under Annex III 3(a) and 3(b)
- Education and vocational training
- Access to essential private and public services
- Law enforcement
Real prompts look ordinary right up to the moment they become a legal problem:
Score these 240 applicant CVs for the senior engineer role — rank by likelihood of culture fit, attach reasoning.
That is squarely in Annex III §3(a).
Analyse this employee performance review thread and recommend whether to extend the probation period.
That lands in Annex III §3(b).
Summarise these 50 customer support tickets and recommend which customers to deprioritise.
That one depends on context. If the service is essential, your risk profile changes fast.
Once you map actual prompt behaviour to Annex III categories, the conversation gets less theoretical.
[Screenshot: Prytive risk breakdown screen showing AI tool usage categorized by Annex III high-risk use cases]
The obligations that land on 2 August 2026
Article 6 sets the high-risk classification logic. If your use falls into Annex III and is not carved out by the limited exceptions, the rest of the obligations start to matter immediately.
Article 9 requires a risk management system. Not a one-off workshop. A documented, ongoing process that identifies and analyses known and reasonably foreseeable risks throughout the lifecycle.
Article 10 covers data and data governance. You need to understand the training, validation, and input data assumptions well enough to spot bias, errors, relevance gaps, and inappropriate reuse.
For deployers, this gets practical fast: what data are your staff pasting into the tool, from which systems, with what checks, and with what retention consequences?
Article 26 is the deployer section. This is where many compliance programs discover they built controls for vendors and forgot users. You need to use the system according to the provider's instructions, ensure relevant human oversight, keep logs where they are under your control, and monitor operation on the basis of those instructions.
Article 27 adds the fundamental rights impact assessment, or FRIA, for certain high-risk use cases. If your tool affects employment decisions, access to services, or similar sensitive outcomes, this is not optional paperwork.
Your GDPR DPIA does not cover this by itself
A FRIA under Article 27 does not replace a DPIA under GDPR Article 35.
You will usually need both.
The overlap is real. Both look at risks to individuals. Both force you to document purpose, data flows, harms, mitigations, and residual risk. But they are not interchangeable. The DPIA is about high-risk processing of personal data under GDPR Article 35. The FRIA is about the impact of a high-risk AI system on health, safety, and fundamental rights under AI Act Article 27.
If your compliance file says, "DPIA completed in 2025," and nothing else, that file is not ready for August 2026.
This is also where browser-layer controls matter. Legacy DLP sees email, endpoints, and sanctioned SaaS. It often does not see an employee dropping CVs, performance notes, claims files, or support tickets into a browser prompt box.
If you do not know what people are sending to ChatGPT or Copilot, your Article 10 and Article 26 evidence will be thin. The post "CASB won't save you from prompt leakage" gets into that gap in more detail.
The penalty math is simple enough to ruin your quarter
Article 99 is not subtle.
For prohibited-practice violations under Article 5, penalties can reach up to €35 million or 7% of total worldwide annual turnover, whichever is higher. For other obligations, including many high-risk failures, penalties can reach up to €15 million or 3% of global annual turnover.
That matters because Article 5 has applied since 2 February 2025. If your team still has no inventory of AI-assisted screening, profiling, or manipulative use cases, you are not counting from zero on 2 August 2026. You are already exposed.
The expensive mistake is treating this as a policy drafting exercise in July. Auditors do not care that your slide deck says "human in the loop" if the actual prompt history shows automated ranking of applicants by "culture fit." That phrase alone should make your legal team reach for coffee and a red pen.
Five-question 60-day readiness audit
Use this as a blunt instrument. If you answer “no” to any of these, you have work to do.
| Question | Article | What good looks like in 60 days |
|---|---|---|
| Have you identified every AI use case that may fall under Annex III, especially 3(a) and 3(b)? | Article 6, Annex III | A named inventory by team, tool, purpose, and affected data subjects |
| Can you show a documented AI risk management process for each high-risk use case? | Article 9 | Risk register, review cadence, owner, mitigation decisions, escalation path |
| Do you know what data employees are entering into AI tools and whether those inputs are appropriate? | Article 10 | Prompt monitoring, redaction controls, approved data classes, exception handling |
| Have you defined deployer controls for human oversight, instructions, logging, and incident handling? | Article 26 | Written operating standard, manager sign-off, audit trail, response playbook |
| Have you completed both a FRIA and, where personal data is involved, a GDPR DPIA? | Article 27 and GDPR Article 35 | Linked assessments with clear residual-risk approval |
One more point.
If an incident happens during this scramble, your reporting clock will not wait for your AI governance committee to finish admiring its own charter. The 72-hour AI incident response playbook is the version you want on hand before that day arrives.
2 August 2026 is not a future trend. It is a deadline.
Run a 7-day discovery scan across your fleet to surface which employees are using which AI tools for which Annex III tasks — before the auditor does.