Shipping AI under the EU AI Act: governance without the theater

For anyone building or selling AI into Europe, governance has quietly moved from a legal afterthought to a delivery requirement. The EU AI Act entered into force on 1 August 2024, with obligations phasing in over the following years. If you’re shipping AI into regulated or data-heavy contexts, it now shapes how you design and document systems — not just how you sign contracts.

The timeline that matters

The rollout is staged: prohibitions and AI-literacy obligations began applying in February 2025, general-purpose AI obligations from August 2025, and the bulk of the requirements — including for high-risk systems — from August 2026. The practical takeaway is that documentation, risk management, and traceability stop being optional well before the headline deadline.

Governance is mostly good engineering

Here’s the part teams miss: most of what governance frameworks ask for is what you should be doing anyway.

• Traceability — knowing who or what produced an output, and why — is an audit requirement and the only way to debug an AI system.
• Model-risk management — identifying risks, adding controls, and monitoring — is the NIST AI Risk Management Framework and basic reliability work.
• Data-handling clarity — controller / processor boundaries and sub-processor controls — is compliance and good security hygiene.

Build these in from the start and compliance becomes a byproduct of doing the work well, rather than a retrofit under deadline pressure.

Avoid the theater

Governance theater — binders of policy no one follows — helps no one. What buyers and regulators actually want is evidence: traceable systems, documented risks, monitored quality, and clean data boundaries. We design for that from day one, so the honest answer to “can you show us how this works and why we should trust it?” is always yes.

Governance done right isn’t a tax on shipping. It’s part of what makes the system worth shipping.