AI governance has crossed from strategic concern into binding obligation. The EU AI Act — the world's first comprehensive legal framework for artificial intelligence — entered into force on 1 August 2024 and reached its most consequential milestone three weeks ago, on 2 August 2025, when the EU AI Office became operational and General-Purpose AI (GPAI) obligations took binding effect. For any organisation that develops, deploys, or procures AI serving EU customers, the question from the board has shifted from "are we exposed?" to "can we evidence Defensibility?".
What is binding today
Three categories of obligation now apply directly to any organisation in scope:
Prohibited practices. Social scoring, manipulative AI, mass facial scraping, and certain biometric inference systems are outright banned. Liability extends to both providers and deployers — including organisations using unvetted third-party tools, the canonical Shadow AI exposure under Risk Taxonomy 2026 Class 8.
Transparency obligations. AI systems that interact with humans, use biometrics, or generate synthetic content must disclose their AI nature clearly. Deepfakes and public-facing AI-generated content require explicit labelling.
GPAI obligations under Article 53. Every GPAI model placed on the EU market must publish technical documentation, transparency reports, training-data summaries, and — for models exceeding 10²⁵ FLOPs — systemic-risk assessments. The procurement implication is direct: every GPAI vendor in the stack must produce these artefacts on request. The general counsel's compliance posture is the sum of the vendor postures behind it.
The phased rollout — twelve months to the next deadline
Four milestones structure the operational calendar from here:
- February 2025 — bans on unacceptable-risk AI took effect; AI literacy programmes became mandatory for staff who interact with AI systems
- August 2025 — GPAI obligations binding; EU AI Office operational (today)
- August 2026 — full rules for high-risk AI systems (employment, biometrics, healthcare, education, public services)
- August 2027 — final compliance deadline for legacy GPAI and high-risk systems already on the market
Twelve months to prepare governance for high-risk categories. Twenty-four months to remediate the legacy posture. This is a roadmap, not breathing room — GDPR precedent shows the cost of retrospective remediation runs roughly 3× pre-deadline operationalisation.
GPAI Article 53: now a procurement deliverable
If the function develops, integrates, or procures large AI models, the GPAI obligations apply upstream and downstream. Four artefacts are now contractually demandable from any GPAI vendor:
- Technical documentation — design, training methodology, evaluation results
- Transparency reports — summaries of capabilities, limitations, intended use, foreseeable misuse
- Training-data summaries — provenance, copyright compliance, bias controls
- Systemic risk assessments — for models exceeding 10²⁵ FLOPs (the systemic-risk threshold)
Action: refresh the procurement playbook to make these contractual obligations — not vendor self-attestations. See Module VEN-02 (Legal AI RFP Template), DAT-03 (Vendor DPA Checklist), and VEN-04 (Security & Compliance Checklist for Legal AI Vendors).
Enforcement architecture and the penalty matrix
Enforcement mirrors GDPR's federated model: the EU AI Office oversees GPAI and coordinates across member states; national regulators handle day-to-day enforcement and audits. Penalty tiers per AI Act Articles 99–101:
- Banned practices: up to €35 million or 7% of global turnover
- GPAI violations: up to €15 million or 3%
- False information to regulators: up to €7.5 million or 1%
Early cases will focus on guidance and cooperation — not leniency. As GDPR demonstrated, the first enforcement decisions define the regime.
Where the AI Act meets GDPR
The AI Act extends GDPR; it does not replace it. The result is dual exposure when an AI system mishandles personal data — with overlapping documentation, DPIA, consent, and data-subject-rights obligations under both regimes. The opportunity: build one unified governance framework that satisfies both. Legal operations is the natural function to lead the integration.
Five actions to operationalise this week
- Stand up the AI BoM. Inventory every AI system the function depends on — internal, embedded, and Shadow AI. Without a current AI Bill of Materials, compliance cannot be evidenced because exposure cannot be enumerated.
- Audit GPAI vendor contracts against Article 53. Demand documentation-on-request clauses, audit rights, and post-acquisition price protection. Self-attestation no longer survives audit.
- Adopt the Defensible AI Governance Framework. Define committee remit, escalation path, and decision rights. See Module GOV-01.
- Operationalise the AI Incident Response Playbook. Named on-call rotation, escalation tree, 72-hour regulator notification readiness, tabletop within ninety days. See Module GOV-05.
- Roll out role-based AI literacy. Mandatory under the Act for any staff who interact with AI systems. Curriculum aligned to role: general counsel, data protection, procurement, business stakeholders. See Module TAL-01.
The shift: Defensibility begins now
Enforcement has begun. Penalties have teeth. But the deeper shift is that AI governance is now an evidenced posture, not an aspirational policy. The Defensibility Posture Statement — the canonical board-level artefact for AI exposure — is the format that survives audit. By embedding Defensible AI into operations now, the function builds the evidence the regulator will ask for next year — and the posture the board can defend on day one.