The postponement of part of the obligations relating to high-risk systems should not mislead businesses: the AI Act is already being rolled out progressively. From 2 August 2026, a major new deadline will apply, notably for transparency obligations. Chatbots, AI-generated content, deepfakes, HR tools, AI-enhanced SaaS, conversational agents: IntelligenceArtificielle.com recalls, in a reference note, that organizations must now move from regulatory monitoring to an operational inventory of their AI uses.
In many companies, the AI Act is still filed under “legal,” “compliance,” or “to deal with later.” That is a bad bet.
The European regulation on artificial intelligence is no longer a distant text. It entered into force on 1 August 2024 and applies progressively. The bans on certain AI practices and the AI literacy requirement have applied since 2 February 2025. The governance rules and obligations relating to general-purpose AI models have applied since 2 August 2025. The next major milestone arrives on 2 August 2026, with the general application of many provisions, especially the transparency obligations set out in Article 50.
In other words, the question is no longer: “What does the AI Act provide?” But rather: “Do we know where, how, and why we are already using AI in the company?”
The delay for high risk does not delay the AI Act
The Digital Omnibus may have created a sense of breathing room. The rules applicable to high-risk AI systems must now be adjusted, with application expected on 2 December 2027 for standalone systems falling under Annex III, and on 2 August 2028 for systems integrated into products subject to sector-specific regulation. The European Parliament approved these simplification measures on 16 June 2026, but the text still has to be formally adopted by the Council before it enters into force.
But this delay does not suspend the rest of the regulation.
It does not postpone the already applicable prohibited practices. It does not postpone the AI literacy obligation. It does not postpone the obligations relating to general-purpose AI models. And it should not lead businesses to ignore the 2 August 2026 deadline.
That is precisely the trap: believing that the AI Act starts only with high-risk systems. In reality, the first operational wave concerns many much more common uses: conversational assistants, customer chatbots, AI-generated content, text published with the help of AI, synthetic images, artificial voices, deepfakes, and content generation tools embedded in business software.
What changes on 2 August 2026
From 2 August 2026, transparency obligations become central. They are intended in particular to prevent people from interacting with an AI without knowing it, to ensure synthetic content is not circulated without proper labeling, and to prevent deepfakes and certain public-interest content generated by AI from being presented as if they were entirely human-made.
The European Commission published a Code of Practice on the transparency of AI-generated content on 10 June 2026. It is intended to help providers and deployers comply with the marking, labeling, and detection obligations laid down in Article 50. Adherence to the code is voluntary, but the transparency obligations in Article 50 are legal obligations.
For a company, this can translate into very concrete questions:
- does a customer know they are talking to a chatbot?
- has content published on a matter of public interest been generated or heavily modified by AI?
- is an image, video, or synthetic voice labeled as such?
- does an internal tool produce text, recommendations, or analyses that influence human decisions?
- do marketing, HR, customer service, or product teams know what they must disclose, archive, or verify?
The Digital Omnibus also provides until 2 December 2026 for certain labeling obligations for AI-generated content concerning systems already placed on the market before 2 August 2026. But this transitional period should not be understood as a general postponement of transparency: it covers a specific scope.
The real risk: invisible AI
The biggest risk for businesses is not always the major AI project presented at executive committee level. It is often the AI that is already there.
AI features enabled in a CRM. A scoring module added to a marketing tool. An HR assistant tested by a recruitment team. A content generator used by communications. A conversational agent connected to a document repository. An office copilot deployed without a precise mapping of uses. A vendor using AI in its deliverables without explicitly flagging it.
Le Hub France IA rightly emphasizes the need to identify the AI systems present in the organization, including those embedded in market solutions, those under development, those in production, and those that emerge as early as the ideation stage. Its guide “Premiers pas vers l’IA de Confiance” recommends maintaining an AI systems register with data sources, technical architectures, business use cases, affected populations, deployment context, and prior risk analysis.
The same document warns about systems supplied by third parties — publishers, service providers, integrators — that increasingly embed AI components that are sometimes invisible to the end user. It also highlights the phenomenon of “Shadow AI”: informal uses of general-purpose tools, AI options added by vendors, small SaaS contracts taken out outside procurement processes, and internal experiments that fly under the IT radar.
That is where AI Act compliance becomes a governance issue, not just a legal one.
Compliance starts with a register
For many organizations, the first useful action is not to launch a major legal project. It is to build a simple register of AI uses.
This register does not need to be perfect on day one. It should make it possible to answer a few essential questions:
- which AI tool or system is being used?
- by which department?
- for which business purpose?
- with what data?
- on which people or categories of people might the use have an effect?
- is the company acting as a mere user, deployer, integrator, or provider?
- does the use fall under a transparency obligation?
- could the use qualify as high-risk?
- what evidence is retained?
- which vendor is responsible for what?
The goal is not to block innovation. It is to regain control.
A company that does not know where it is using AI cannot demonstrate that it controls it. And a company that does not know who is using what, with which data and for what purpose, will have a very hard time responding to a request from a customer, auditor, insurer, partner, public buyer, or supervisory authority.
The checklist to start now
With only a few weeks left before the 2 August 2026 deadline, businesses can already move forward with a pragmatic approach.
1. Appoint an AI Act lead.
That does not necessarily mean creating a new role. But there needs to be an identified owner capable of coordinating IT, legal, procurement, business teams, HR, compliance, security, and communications.
2. Launch the inventory of AI uses.
Start with visible tools: chatbots, content generators, copilots, internal agents, model APIs, HR solutions, marketing tools, scoring tools, and document analysis tools.
3. Look for invisible AI.
Question business teams, procurement, and vendors. Critical uses are not always in official projects. They may be in SaaS options, individual accounts, or local experiments.
4. Create a minimal register.
For each use: tool, vendor, purpose, user department, data processed, people concerned, estimated risk level, possible transparency obligation, human oversight, evidence available.
5. Identify sensitive uses.
HR, recruitment, employee evaluation, education, credit, insurance, health, biometrics, security, access to essential services: these areas should be analyzed first.
6. Prepare transparency.
For chatbots, conversational agents, generated content, synthetic images, artificial voices, deepfakes, or public-interest text, the company must decide what to disclose, where, with what wording, in which interface, and with what evidence.
7. Review vendor contracts.
Purchasers should ask publishers and service providers for the necessary information: role in the value chain, available documentation, model used, data used, training conditions, logs, security, version changes, service withdrawal, subcontractors.
8. Train teams.
AI literacy is not limited to generic training. A recruiter, marketer, lawyer, developer, procurement manager, or line manager do not face the same risks or have the same needs.
9. Put supervision in place.
For the most important uses, define who checks, when, with which alert thresholds, and what corrective actions apply. Le Hub France IA recommends in particular continuous supervision, human oversight, logs, alerts, bias monitoring, an incident reporting protocol, and documentation updates.
10. Build an evidence file.
Compliance is not just about doing. It is also about being able to show what was done: register, decisions, risk analyses, training, vendor clauses, screenshots of user information, internal procedures, logs, and review minutes.
Shareable checklist in condensed format:
Penalties are only part of the story
The AI Act provides for significant penalties: up to EUR 35 million or 7% of annual worldwide turnover for prohibited practices, up to EUR 15 million or 3% for many other breaches, including transparency obligations, and up to EUR 7.5 million or 1% for providing incorrect, incomplete, or misleading information to authorities.
But the most immediate risk for many companies may be less dramatic: losing a tender, being unable to respond to a supplier questionnaire, discovering that an HR tool was not properly assessed, finding that a customer chatbot is not labeled, or being unable to prove that an AI-assisted decision is actually supervised by a human.
AI compliance is therefore also becoming a matter of commercial trust.
In the coming months, large companies, public buyers, insurers, investors, and technology partners will increasingly ask: which AI systems do you use? With what data? For which uses? With what supervision? With what vendor guarantees? With what evidence?
Do not wait for perfect compliance
The trap would be to wait for the final version of all guides, all standards, and all market practices before starting. At this stage, the challenge is not to have a perfect setup. It is to have an initial mapping, a first register, an initial analysis of sensitive uses, and a first response capability.
AI Act compliance does not start with a legal binder. It starts with an operational question: do we know what we are running, where, for what purpose, with what data, under whose responsibility, and with what evidence?
Companies that can answer will have an advantage. The others will discover that AI, once deployed without mapping, quickly becomes impossible to govern.
This article is based on the reference note dedicated to the operational countdown of the AI Act in business, with a consolidated timeline, already applicable obligations, key points on general-purpose AI models, transparency, high-risk systems, vendors, and the AI register.
This article provides general information and does not replace legal advice tailored to each organization’s specific situation.