How to make sure that your business is EU AI Act compliant
EU AI Act high-risk obligations apply from August 2. Here are 3 things you have to check beforehand (even if your business is outside the EU).
Over the past month, I’ve had two consultations that perfectly capture the extreme ends of the EU AI Act’s risk spectrum.
The first was a medical institution looking to integrate AI across both their clinical and admin workflows. We spent 90 minutes sorting out what was actually safe to deploy right now. Things like scheduling, billing, transcription, and HR? Good to go. But AI-assisted diagnosis, treatment planning, and patient risk scoring? Those are off the table until they have a rock-solid compliance framework in place, and definitely not before the August 2 deadline.
The second consultation was with a judge who simply wanted to know if he could use AI to process case documents. The answer was a very specific “yes, but.” Legal research and summarization are permitted, assuming strict quality assurance is in place to catch hallucinations. However, using AI for evidence analysis, sentencing support, or pretrial detention scoring is absolutely prohibited. Under the Act, judicial AI is inherently classified as high-risk.
Those are the extreme edge cases. For most FutureBrief readers, the compliance reality is much simpler.
The May 7 agreement did not move August 2
Let’s clear up a major point of confusion right away. Yes, the EU Council and Parliament reached a political agreement on May 7 to delay the Act’s Annex III high-risk obligations to December 2027. But that is strictly a provisional agreement, not finalized law.
Until the Digital Omnibus is formally adopted and published in the Official Journal, August 2, 2026, remains the legally operative deadline. Major authorities like IAPP, Travers Smith, and ISMS.online all issued the exact same warning recently: businesses treating the provisional agreement as a done deal are leaving themselves exposed to full liability starting in August.
The deadline is still August 2. Before it hits, you need to verify three things: your official role under the Act, whether you trip any prohibited practice wires, and, if you build AI for clients, your standard contract clauses.
Three roles, three very different obligations
The AI Act doesn’t care about your industry or company size; it assigns compliance based entirely on your role. Figuring out where you fit dictates exactly how much work you have ahead of you.
Users: You fall into this camp if you use off-the-shelf AI tools for internal operations. Think using ChatGPT for copywriting, Claude for document summaries, Cursor for coding, or Notion AI to run your knowledge base. If this is you, your obligations are minimal: just screen for the five prohibited practices to ensure you aren’t doing them, and you’re basically done. Standard GDPR handles your data privacy. There is no registration, no complex assessment, and no heavy documentation required.
Deployers: You’re a deployer if you configure or run an AI system for a specific purpose, especially if it interacts with customers. This includes customer-facing chatbots, AI phone agents, or medical transcription tools. If this describes your setup, you have one extra step beyond the User requirements: you must clearly disclose that the user is interacting with an AI right at the start of the interaction. One clear sentence per touchpoint is usually enough.
Providers: This is the heavy-duty category. You are a provider if you build and market AI systems, for example, an automated hiring tool that ranks candidates, or a credit-risk scoring engine baked into a SaaS product. Providers face the full weight of compliance: conformity assessments, registrations, system logging, and extensive human oversight documentation. If you fall into this bucket, the August 2 timeline is a massive deal, and you need specialist legal counsel immediately (a generalist who handles your standard GDPR won’t cut it).
The agency trap: where implementers get misclassified
There’s a tricky edge case that frequently catches agency operators and no-code implementation partners off guard.
If you are integrating AI into a system that makes decisions about your client’s customers in heavily regulated areas (like hiring, credit scoring, healthcare data, or legal proceedings), the law might view you as a Provider, rather than just a service contractor. If you build the same AI workflow for ten different clients, you might accidentally be carrying the heavy compliance obligations that your clients assumed you were handling.
The workaround is relatively simple: include a specific clause in your standard contracts explicitly stating that the client is the Deployer and holds the compliance responsibility once the system is delivered. Without that written statement, the liability gap just floats between you and your client with no agreed owner. (I cover exactly what this looks like in practice in Section 7A of the guide.)
🔧 Tools & Resources
EU AI Act Compliance Checklist: A full self-assessment tool. Three initial questions will pinpoint your role. For Users and most Deployers, it takes under an hour to complete. Note: If you discover you have high-risk Provider obligations, use this alongside a specialist lawyer, not as a replacement for one.
IAPP EU AI Act Resource Centre: The most reliable place to monitor when the Digital Omnibus actually gets published in the Official Journal. Great for timeline tracking, though not a substitute for real legal interpretation.
Travers Smith EU AI Act Hub: Excellent documentation on the transparency obligation changes (such as watermarking and labeling AI-generated content, which moved to December 2 under the May 7 agreement). Highly relevant for any agency making AI-generated content for EU audiences.
The EU AI Act compliance checklist
At the end of the day, everything hinges on one question: Are you a User, a Deployer, or a Provider?
Our free checklist tackles this right at the top. For most of you, the rest of the process will take less than five minutes. If you’re running customer-facing AI or building AI products for clients, block out a structured afternoon. You’ll know exactly which group you fall into before you even reach page two.
📥 You can grab it for free here.
There is a specific kind of relief in knowing which category you are in.
Not optimism. Just clarity.
Before August 2, you are not racing to comply with something enormous. You are answering one question about your role, then following the path that belongs to that role. That is all it was.
You just needed someone to tell you where the question starts.
Build with calm,
– Yuri
Yuri Vonchitzki

Legit a timely piece. These regulations are getting more and more serious, and while they were kicked down the road a bit in some instances, orgs need to get moving and compliant ASAP.