
AI Audit for EU AI Act Readiness: What Companies Need to Check Now

Most companies didn’t sit down one day and decide to deploy AI. It showed up in the tools they already used — the HR platform that now ranks candidates automatically, the CRM that scores leads, the customer service system that routes tickets without human input. AI adoption happened incrementally, across multiple teams, through vendor updates that nobody tracked centrally.

That’s fine. What’s less fine is not knowing what you have.

Enterprise clients will soon be sending security questionnaires with AI-specific sections, and investors will be asking about AI governance. Before that happens, you need to know what AI runs inside your products and operations — what it does, what data it touches, what decisions it influences. That mapping is work most companies haven’t done, and it is what an AI audit is for.

The EU AI Act adds regulatory urgency to a problem most companies already had.

The regulatory context, briefly

Regulation (EU) 2024/1689 has been rolling out in phases since August 2024. The EU banned prohibited AI practices — social scoring, real-time biometric surveillance in public spaces — in February 2025. Obligations related to general-purpose AI models became enforceable in August 2025, as outlined in the official EU AI Act implementation timeline.

As of August 2, 2026, the EU AI Office holds full enforcement powers over GPAI requirements. Article 99 of the regulation sets the penalty structure: up to €35 million or 7% of global annual turnover for deploying prohibited AI; up to €15 million or 3% for high-risk system failures; up to €7.5 million or 1% for providing incorrect information to regulators.

For high-risk AI systems, the picture shifted in May 2026. The European Parliament and Council reached a provisional agreement under the Digital Omnibus initiative to extend the Annex III deadline: December 2027 for standalone high-risk systems, August 2028 for AI embedded in regulated products. Formal adoption is pending. The extension covers high-risk obligations only — transparency disclosures and generative content labeling remain on the original schedule.

AI classification and compliance obligations depend on each system’s intended purpose, technical design, and deployment context. Where classification is uncertain, legal counsel should be involved. Allmatics works on the technical and operational side: what your systems actually do, what risks they carry, and what documentation and infrastructure would support compliance.

Which industries are most exposed

Annex III of the EU AI Act defines eight categories of AI likely to be high-risk: biometric identification, critical infrastructure management, education and vocational training, employment and worker management, access to essential services (credit, insurance, benefits), law enforcement, migration and border control, and administration of justice.

Whether a specific system falls into these categories depends on how it’s deployed and what role it plays in the decision — not just what the vendor calls it. The European Commission’s draft guidelines on high-risk classification are intended to help, though they remain subject to revision. This is where technical assessment matters as much as legal interpretation.

Financial services

AI systems that influence creditworthiness assessments, loan origination, credit limit decisions, or insurance pricing for natural persons are likely high-risk under Annex III. That includes automated affordability checks, credit scoring models embedded in lending platforms, and underwriting tools in life and health insurance. The challenge is that AI sits inside core workflows as a component of platforms the organization bought years ago, often without anyone mapping it specifically. Many teams don’t know which models run, what data trained them, or whether the outputs are retained anywhere.

HR and recruitment

AI systems that influence who gets shortlisted, ranked, or scored in a video interview are likely high-risk. So are tools that influence performance evaluations, promotion recommendations, or task allocation. Companies using third-party HR platforms with AI-assisted features are deployers under the Act — compliance isn’t something you can push to the vendor. Article 26 of the regulation requires deployers to inform affected individuals when AI influences decisions about them and to maintain genuine human oversight: not a click-through confirmation, but a person with the authority and information to review and override.

Healthcare and e-commerce

Healthcare is where the regulatory picture gets most layered. AI that assists with diagnosis, clinical decision support, patient triage, or treatment recommendations is likely high-risk. The complication is a dual compliance framework: AI systems that also qualify as medical devices under the EU MDR or IVDR must satisfy both sets of requirements. AI-enabled medical devices that went through MDR Notified Body assessment have an extended transition period until August 2027. Purpose-built AI clinical tools that don’t qualify as medical devices don’t get that buffer. For most healthcare organizations, the first question isn’t “do we comply” — it’s “what classification applies to which tool,” and that mapping usually doesn’t exist yet.

In e-commerce and retail, the picture is more varied. Most AI — recommendation engines, personalization models, the majority of support chatbots — falls under limited risk or no-risk categories, with minimal obligations. But there are categories that catch retailers off guard: AI used to assess creditworthiness for buy-now-pay-later products is likely high-risk, as is AI that prices insurance add-ons on a per-customer basis. AI-powered profiling that feeds into access decisions for financial products can push an otherwise ordinary system into Annex III territory. Companies that assume their AI is low-risk because it’s consumer-facing may be right — or may be carrying undisclosed high-risk exposure they haven’t looked at.

For B2B SaaS companies with AI features, the exposure is often unexpected. If your product touches any of the Annex III domains — and many do, particularly in HR, finance, and operations — your compliance posture is already part of your sales story whether you’ve addressed it or not. Enterprise procurement in the EU is asking about AI governance. Companies that can answer with documented specifics are moving faster through deal cycles.

What an AI audit actually checks

A legal team can tell you what the regulation requires. They can’t tell you whether your RAG pipeline has data isolation gaps, whether your third-party LLM is receiving customer PII in prompts, or whether your AI-driven decisions are reproducible after the fact. That’s the technical side of readiness — and that’s where Allmatics works.

Inventory and model mapping

The starting point is always inventory: which AI features are actually active in your product or operations? This requires going through products, vendor agreements, and infrastructure — not asking teams to self-report. AI appears in platforms through feature updates that product managers approved without fully understanding the AI component. Companies consistently find more AI than they expected.

From there, we map models and APIs: what’s running, in-house or third-party, which APIs feed into which decisions. If you build on a foundation model — GPT-4, Claude, Gemini, or similar — the chain from API call to user-facing output matters for both data governance and accountability.

Data, logging, and risk checks

Third-party LLM exposure is where companies regularly underestimate their risk. What data do you send to external models? Does customer PII appear in prompts? Does your DPA cover how the vendor processes that data? This is where the first meaningful surprises tend to surface.
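One concrete form the "does customer PII appear in prompts?" check can take is a pre-flight gate on every outbound prompt. The following is an added example written for this post, not Allmatics tooling or any vendor SDK: the PII patterns, the sample prompt and the `vendor_call` callback are all constructed for illustration, and a production deployment would use a maintained detector rather than three regexes. What it shows is the contract: nothing leaves the organisation until it has been scanned, and the scan result (which PII classes, how many hits) is available to log as evidence.

```python
"""Pre-flight PII gate for prompts sent to a third-party LLM (added example).

Assumption: the application funnels every outbound prompt through
send_to_vendor(); vendor_call is whatever HTTP client talks to the model.
"""
import re
from dataclasses import dataclass, field

# Constructed detector patterns for three PII classes. Real deployments would
# use a maintained PII library; these only demonstrate the gate.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){3,7}\b"),
    "phone": re.compile(r"\+?\b\d[\d\s().-]{7,}\d\b"),
}

# Constructed sample prompt resembling what a support tool might send.
SAMPLE_PROMPT = (
    "Customer jane.doe@example.com (account XX12 ABCD 1234 5678 9012) "
    "called from +31 20 123 4567 about her loan. Summarise the case."
)


@dataclass
class GateResult:
    allowed: bool
    findings: dict = field(default_factory=dict)  # PII class -> number of hits
    redacted_prompt: str = ""


def scan_prompt(prompt: str, mode: str = "redact") -> GateResult:
    """Scan a prompt for PII.

    mode="redact": mask every match and allow the call to proceed.
    mode="block":  refuse the call if any PII class is found.
    Patterns are applied in order on the progressively redacted text so that
    a later, broader pattern (phone) cannot re-match digits of an earlier one.
    """
    findings = {}
    redacted = prompt
    for name, pattern in PII_PATTERNS.items():
        hits = pattern.findall(redacted)
        if hits:
            findings[name] = len(hits)
            redacted = pattern.sub(f"[{name.upper()}_REDACTED]", redacted)
    if findings and mode == "block":
        return GateResult(allowed=False, findings=findings, redacted_prompt="")
    return GateResult(allowed=True, findings=findings, redacted_prompt=redacted)


def send_to_vendor(prompt: str, vendor_call, mode: str = "redact") -> str:
    """Single choke point for third-party model calls.

    Raises instead of sending when the gate blocks, so a misconfigured caller
    fails loudly rather than leaking. The GateResult is what you would log.
    """
    result = scan_prompt(prompt, mode)
    if not result.allowed:
        raise ValueError(f"prompt blocked: PII classes {sorted(result.findings)}")
    return vendor_call(result.redacted_prompt)


if __name__ == "__main__":
    # Stand-in for the real model client (constructed).
    echo = lambda p: f"[model saw] {p}"
    print(send_to_vendor(SAMPLE_PROMPT, echo))
    print(scan_prompt(SAMPLE_PROMPT).findings)
```

The same scan run in audit mode over a day of captured prompts answers the question the paragraph asks: which PII classes are reaching the vendor, and how often.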

For products using Retrieval-Augmented Generation, we look at what sits in the knowledge base, who controls it, how teams scope retrieval, and whether isolation controls prevent one customer’s data from appearing in another’s responses. RAG architectures that look clean at the design level frequently have isolation gaps in production.
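The isolation gap described above usually comes down to where the tenant filter lives: in the retrieval call itself, or in caller discipline that one code path forgets. The following added example, not Allmatics code and not any vector-database client, uses a toy in-memory store with keyword-overlap scoring standing in for a real index (the documents, tenants and probe queries are constructed). It contrasts an unscoped retriever with one that requires a tenant at query time, and includes an isolation probe that can be pointed at either to show which one leaks.

```python
"""Tenant isolation check for a RAG knowledge base (added example).

Assumption: every document carries a tenant_id and the application resolves
the caller's tenant before retrieval. The store is a toy stand-in for a vector
database; the scoring function is irrelevant to the isolation property.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Doc:
    doc_id: str
    tenant_id: str
    text: str


def _score(query: str, text: str) -> int:
    """Keyword overlap, a stand-in for vector similarity."""
    return len(set(query.lower().split()) & set(text.lower().split()))


class KnowledgeBase:
    def __init__(self):
        self._docs = []

    def add(self, doc: Doc) -> None:
        self._docs.append(doc)

    def retrieve_unscoped(self, query: str, k: int = 3):
        """Looks clean on a design diagram: rank everything, let the caller filter.
        In production any caller that forgets the filter serves other tenants' data."""
        return sorted(self._docs, key=lambda d: -_score(query, d.text))[:k]

    def retrieve(self, query: str, tenant_id: str, k: int = 3):
        """Tenant filter applied before ranking and mandatory: there is no
        code path that retrieves without naming a tenant."""
        if not tenant_id:
            raise ValueError("tenant_id is required for retrieval")
        candidates = [d for d in self._docs if d.tenant_id == tenant_id]
        return sorted(candidates, key=lambda d: -_score(query, d.text))[:k]


def isolation_probe(retriever, probes):
    """Run (tenant_id, query) probes through retriever(query, tenant_id) and
    return every (probing_tenant, foreign_doc_id) pair that came back."""
    leaks = []
    for tenant_id, query in probes:
        for d in retriever(query, tenant_id):
            if d.tenant_id != tenant_id:
                leaks.append((tenant_id, d.doc_id))
    return leaks


# Constructed sample corpus: two tenants with near-identical policy documents,
# exactly the situation where unscoped ranking returns both.
def build_sample_kb() -> KnowledgeBase:
    kb = KnowledgeBase()
    kb.add(Doc("acme-1", "acme", "acme refund policy refunds within 30 days"))
    kb.add(Doc("globex-1", "globex", "globex refund policy refunds within 14 days with receipt"))
    kb.add(Doc("acme-2", "acme", "acme holiday calendar"))
    return kb


PROBES = [("acme", "refund policy days"), ("globex", "refund policy days")]


if __name__ == "__main__":
    kb = build_sample_kb()
    print("unscoped leaks:", isolation_probe(lambda q, t: kb.retrieve_unscoped(q), PROBES))
    print("scoped leaks:  ", isolation_probe(kb.retrieve, PROBES))
```

Run against the real store with one probe query per tenant, the probe turns "we believe retrieval is scoped" into a repeatable test that fails the moment a new retrieval path skips the filter.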

Logging and auditability are a consistent gap across sectors. Can you reconstruct a specific AI-driven decision after the fact — what input the system received, what it returned, what confidence indicators showed, what a human did with that output? Without this, internal review and regulatory audit are both difficult. The GPAI guidelines from the European Commission are explicit about documentation requirements. The technical infrastructure to support them is a separate matter.

Prompt injection is a live risk most organizations haven’t formally tested: can adversarial inputs manipulate system behavior in ways that affect other users or internal data? Data leakage raises a parallel question: can the model return information it shouldn’t — from training data, other sessions, or connected databases?

We also look at human review and fallback mechanisms. Does a meaningful oversight step exist before high-stakes outputs reach production? Does the system have a functional fallback when it returns low-confidence outputs or goes down? After a model goes live, does anything watch for drift, degraded accuracy, or unexpected behavior — or does the system run until someone notices something wrong?
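The logging question (can you reconstruct what the system received, returned and reported as confidence, and what a human did with it?) and the oversight question (is there a real review step before low-confidence outputs take effect?) are served by the same piece of infrastructure. The example below is added for this post, not Allmatics code: it writes each decision and each human action as a hash-chained, append-only event, routes outputs to human review below a confidence threshold, and reconstructs a decision from the log. The threshold, model names, timestamps and sample decisions are all constructed; storing only a digest of the raw input is one design choice among several.

```python
"""Decision audit trail with confidence-based fallback (added example).

Assumptions: the application calls record_decision() for every AI-influenced
output and record_human_action() when a reviewer acts on it; REVIEW_THRESHOLD
is a constructed value that a real system would set per use case.
"""
import hashlib
import json

REVIEW_THRESHOLD = 0.80  # constructed: outputs below this go to a human


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def route_output(confidence: float) -> str:
    """Fallback rule: the oversight step is mandatory, not a click-through."""
    return "auto" if confidence >= REVIEW_THRESHOLD else "human_review"


class DecisionLog:
    """Append-only event log; each event commits to the hash of the previous one,
    so a later reviewer can detect edited or missing records."""

    def __init__(self):
        self.events = []

    def _append(self, event: dict) -> dict:
        event["prev_hash"] = self.events[-1]["hash"] if self.events else "0" * 64
        body = {k: v for k, v in event.items() if k != "hash"}
        event["hash"] = _sha256(json.dumps(body, sort_keys=True))
        self.events.append(event)
        return event

    def record_decision(self, decision_id, model, model_version, raw_input,
                        output, confidence, ts):
        # Only a digest of the input is stored here; the raw input lives in a
        # separately access-controlled store keyed by this digest (design choice).
        return self._append({
            "kind": "decision", "decision_id": decision_id,
            "model": model, "model_version": model_version,
            "input_digest": _sha256(raw_input), "output": output,
            "confidence": confidence, "route": route_output(confidence), "ts": ts,
        })

    def record_human_action(self, decision_id, reviewer, action, note, ts):
        return self._append({
            "kind": "human_action", "decision_id": decision_id,
            "reviewer": reviewer, "action": action, "note": note, "ts": ts,
        })

    def verify_chain(self) -> bool:
        prev = "0" * 64
        for e in self.events:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev_hash"] != prev or _sha256(json.dumps(body, sort_keys=True)) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def reconstruct(self, decision_id):
        """Everything known about one decision: the record, the human actions,
        and the outcome that actually took effect."""
        decision = next((e for e in self.events
                         if e["kind"] == "decision" and e["decision_id"] == decision_id), None)
        if decision is None:
            return None
        actions = [e for e in self.events
                   if e["kind"] == "human_action" and e["decision_id"] == decision_id]
        if actions:
            outcome = actions[-1]["action"]
        else:
            outcome = "auto_applied" if decision["route"] == "auto" else "pending"
        return {"decision": decision, "human_actions": actions, "final_outcome": outcome}


def build_sample_log() -> DecisionLog:
    """Constructed sample: one confident decision, one that needed a reviewer."""
    log = DecisionLog()
    log.record_decision("d-1", "triage-model", "2.3.1", "ticket 1001 body",
                        "route:billing", 0.93, ts=1700000000)
    log.record_decision("d-2", "triage-model", "2.3.1", "ticket 1002 body",
                        "route:legal", 0.55, ts=1700000060)
    log.record_human_action("d-2", "reviewer-7", "overridden",
                            "misread a refund request as a legal claim", ts=1700000500)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain ok:", log.verify_chain())
    print(json.dumps(log.reconstruct("d-2"), indent=2))
```

The `reconstruct` output is the artefact an internal reviewer or a regulator would ask for; `verify_chain` is what lets you trust it months later.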

This is the assessment a legal team can’t conduct and that most organizations haven’t done for themselves. Legal interpretation of the regulation matters, but it depends on first understanding what’s actually running.

An AI audit is not a conformity assessment

Worth stating clearly. An AI audit from Allmatics is not a formal conformity assessment, and it doesn’t produce an EU Declaration of Conformity or any official certification.

What it is: a structured readiness process. We help companies map their AI landscape, identify which systems may fall into regulated categories, surface documentation and technical gaps, and build a remediation roadmap — clarity about what you have, where the risks are, and what needs to be built or documented before formal compliance obligations apply.

Formal conformity assessment, as defined in Article 43 of the regulation, is a separate step. For most Annex III systems, companies can conduct it internally once the required documentation and processes are in place. For certain biometric AI systems without harmonized standards applied, the Act requires a third-party notified body. Allmatics helps you get to the starting line for that process.

Definitive legal classification decisions — whether a specific system is high-risk under the Act — should involve qualified legal counsel. We work alongside that process, not in place of it.

Why starting now matters more than December 2027 suggests

The extended Annex III deadline gives more time than originally planned. It doesn’t make the work smaller.

A thorough AI inventory and gap analysis takes weeks. Remediation — building out documentation, risk management systems, logging infrastructure, human oversight mechanisms — takes months. If a notified body assessment is required, that needs to be scoped and scheduled well ahead of the deadline. The conformity assessment process itself has preparation requirements that most companies are underestimating.

Research from the Cloud Security Alliance found that companies with existing AI governance practices adapted to the Act’s requirements significantly faster than those starting from zero. The compliance structure the regulation demands — documented risk management, controlled data practices, meaningful human oversight, continuous monitoring — is also just sound AI operations. Organizations that treat this as a compliance checkbox will do the minimum and stop. Organizations that treat it as a chance to understand what their AI actually does will come out ahead regardless of whether a regulator ever comes knocking.

There’s also a commercial dimension that’s harder to defer. EU enterprise procurement teams are already evaluating AI governance posture — in questionnaires, security reviews, and board-level conversations. The companies closing those deals faster are the ones that can answer those questions precisely, not with “we’re working on it.”

Allmatics helps companies understand the technical, data, product, and operational readiness of their AI systems — from initial AI inventory and risk mapping through gap analysis and remediation planning. Legal interpretation of AI Act obligations should be validated with qualified counsel where needed. To understand your current AI posture before clients or regulators start asking, reach out.
