Implications from the EU AI Act

Written By Toby DeRoche

Artificial intelligence is moving from experimentation to embedded business infrastructure. Regulators have taken notice. The European Union Artificial Intelligence Act, commonly referred to as the EU AI Act, is the world’s first comprehensive regulatory framework governing the use of AI. While it is an EU regulation, its reach extends well beyond Europe and directly impacts many of the organizations that internal auditors serve.

For internal audit, the EU AI Act is not simply a legal compliance issue. It represents a shift toward product safety, risk governance, and accountability for algorithmic decision making. Understanding its structure and intent is now a foundational skill for auditors working in technology, risk, compliance, and governance.

What Is the EU AI Act

The EU AI Act is a risk based regulation designed to protect individuals and fundamental rights from harmful uses of artificial intelligence. Rather than regulating AI as a single technology, the Act focuses on how AI is used and the level of risk it creates. The regulation applies to organizations that develop, sell, deploy, or use AI systems that affect individuals in the European Union. This includes many non EU companies that offer products or services into the EU or use AI systems that impact EU residents. The Act is being implemented in phases, with some requirements already in effect and others coming into force through 2026 and 2027. This staged rollout makes early awareness and readiness particularly important for internal audit planning.

The Risk Based Framework

At the heart of the EU AI Act is a four tier risk model.

  • Prohibited risk AI systems are uses that are considered fundamentally unacceptable. These include certain forms of biometric surveillance, manipulation, or social scoring. These uses are banned outright.

  • High risk AI systems are permitted but subject to strict requirements. Examples include AI used in hiring, credit decisions, access to education, or other areas that can materially affect individuals’ rights or opportunities. Most of the Act’s detailed control requirements apply here.

  • Limited risk AI systems must meet transparency obligations. Users must be informed when they are interacting with AI or consuming AI generated content.

  • Minimal or no risk AI systems are largely unregulated under the Act, though organizations are encouraged to follow voluntary codes of conduct.

For auditors, the most important takeaway is that compliance obligations are driven by use case and impact, not by whether a system uses sophisticated technology.

Providers Versus Deployers

The EU AI Act introduces a critical distinction between providers and deployers. Providers are organizations that develop AI systems or place them on the market under their own name. Deployers are organizations that use AI systems developed by others. This distinction matters because obligations differ significantly. However, the line is not always clear. An organization that materially modifies, retrains, or rebrands a third party AI system may be treated as a provider even if it did not originally build the model. Internal auditors should expect role ambiguity to be a common risk area, particularly where business units customize or fine tune vendor tools.

Key Obligations Internal Auditors Should Understand

For high risk AI systems, the EU AI Act introduces requirements that will feel familiar but broader in scope.

Organizations must perform documented risk assessments that consider impacts on individuals and fundamental rights. Human oversight must be designed into the system, not added after deployment. AI outputs must be traceable through logging and record keeping. Accuracy, robustness, and cybersecurity controls must be demonstrable. Data governance expectations apply regardless of whether the data is personal or non personal.

The Act also introduces AI literacy requirements. Organizations must ensure that employees who design, deploy, or use AI systems understand their risks and limitations. This is already in effect and is one of the earliest areas regulators may scrutinize.

Why This Matters to Internal Audit

The EU AI Act signals a broader shift in how regulators view technology risk. AI is being treated as a product safety and governance issue, not just an IT or privacy concern. This places internal audit in a central role. Auditors are well positioned to assess whether management actually understands its AI landscape, whether governance is operating in practice, and whether documentation exists to defend decisions in areas where regulatory guidance is still evolving. This is not a checklist exercise. Regulators recognize that AI is changing rapidly. What they expect is evidence of thoughtful, risk based decision making, supported by governance, controls, and documentation.

How Internal Auditors Should Prepare

Internal audit teams should begin by building foundational knowledge of the Act and its risk framework. Audit plans should consider AI governance and compliance readiness as emerging risk areas, even where enforcement deadlines are still approaching. Auditors should also expect AI compliance to intersect with existing programs such as GDPR, cybersecurity, third party risk management, and enterprise risk management. The EU AI Act does not replace these frameworks. It builds on them.

Final Thought

The EU AI Act is not just a European issue, and it is not just a legal issue. It represents the next stage in how organizations are expected to govern advanced technology. For internal auditors, understanding the basics now is essential. The questions audit committees will ask in the next few years will not be whether AI is used, but whether it is governed responsibly, transparently, and defensibly.

 

Download EU Act Audit Program
Toby DeRoche https://www.insightcpe.com
Next

Bridging the Gap Between InfoSec and IT Audit: From Misalignment to Measurable Assurance