EU AI Act August 2026 — A Practical Compliance Checklist for UK Regulated Organisations

The regulatory direction is not changing. Here is what your organisation actually needs to have in place.

The EU AI Act applies to UK firms. Five areas. Five things to have in place. The clock is running.

This is a plain-English checklist of what the Act requires in practice — written for the people who will have to deliver it, not the lawyers who will advise on it.

Who this applies to

The Act applies to any organisation that deploys or uses AI systems in the UK or EU — regardless of where the organisation is based.

For most UK regulated organisations, the relevant question is not whether the Act applies. It is which of your AI systems fall into the high-risk category — and whether you can evidence compliance for those systems before August.

High-risk AI systems under Annex III of the Act include systems used in:

• Employment and workforce management — screening CVs, scoring candidates, managing performance
• Access to essential private and public services
• Education and vocational training — assessing students, determining access
• Critical infrastructure management
• Law enforcement and administration of justice

Two sectors deserve particular attention because they are both explicitly named in Annex III and significantly underserved on governance guidance:

Recruitment and HR firms — if you use AI in any part of the hiring process, from CV screening to candidate ranking to interview scheduling, you are operating a high-risk AI system under the Act. This is one of the most clearly named categories in Annex III. It is also the sector with the least practical compliance guidance available in plain English right now.

Education providers — AI used in student assessment, admissions decisions, or learning personalisation falls within scope. Many EdTech platforms and further education providers are not yet aware of their exposure.

For financial services firms, solicitors, accountants and IFAs — the high-risk classification may or may not apply depending on what your AI is doing. The key question is whether your AI is making or materially influencing a decision that affects a person's access to services, employment, or legal rights. If the answer is yes or possibly yes, treat it as high-risk until you can evidence otherwise.

If you are not sure where your organisation stands, the TrustProof free AI accountability check identifies your specific governance gaps in five questions — no email required.

The checklist — what you need to have in place

The Act's requirements for high-risk AI systems are grouped below into five practical areas. This is not legal advice — it is a practitioner's summary of what compliance looks like in an organisation that has to deliver it.

1. Know Your AI (KYAI) — understand what you are running

In financial services we talk about KYC — Know Your Customer. The equivalent for AI governance is more urgent right now: Know Your AI. Before anything else, you need a documented inventory of every AI system in use across the organisation.

This sounds straightforward. It is not. Most organisations have AI embedded in tools they did not deploy as AI — Microsoft Copilot, automated decisioning in CRM systems, AI-assisted underwriting tools, chatbots with escalation logic. Staff are also using AI tools individually that the organisation has no visibility of.

What you need:

• A complete register of every AI tool in use — whether deployed centrally or used by individuals
• For each tool: what it does, who uses it, what decisions it informs or makes
• An initial risk classification for each tool against the Annex III categories

The Act refers to this obligation under Article 49 — the requirement to register high-risk AI systems. But the practical starting point is the inventory, not the registration. You cannot register what you have not found.

Under GDPR Article 30, you are also required to maintain a record of processing activities. If AI tools are processing personal data — and most are — this obligation already exists and the AI inventory should sit alongside it.

2. Assign accountability

For every AI system classified as high-risk, the Act requires a named individual who is accountable for its deployment, operation, and outcomes.

In financial services, this maps directly onto SM&CR. The FCA has confirmed that existing frameworks apply to AI — "the model decided" is not a governance position. A Senior Manager decided. The model was the mechanism.

For solicitors, the named accountable individual maps to the Compliance Officer for Legal Practice (COLP) — the SRA-designated role responsible for ensuring the firm complies with regulatory arrangements, now explicitly extended to AI use. For all UK firms, the Data Use and Access Act 2025 and the ICO's statutory Automated Decision-Making Code (in force May 2026) require that a named individual can account for any AI-assisted decision that materially affects a person — regardless of whether EU AI Act obligations have yet taken effect.

For other regulated sectors, the accountability requirement is the same even if the framework has a different name. Someone in the organisation needs to be able to answer, under regulatory scrutiny, for every material decision the AI system influenced.

What you need:

• For every high-risk AI system: a named accountable individual at senior level
• Documentation of that accountability — not informal understanding, written record
• A clear scope for what that individual is accountable for, including what constitutes an AI-assisted decision in their area

The accountability gap is the most common gap we see in practice. Organisations have deployed the AI. They have no clear answer to the question: if this produces an outcome that harms someone, who is responsible?

3. Document your human oversight arrangements

One of the Act's central requirements for high-risk systems is meaningful human oversight — not just a human in the loop, but a human who is genuinely able to understand, monitor, and where necessary override the AI's outputs.

What you need:

• A documented process for how AI outputs are reviewed before taking a decision
• Evidence that the person reviewing has the capability to challenge the output — not a tick-box sign-off exercise
• Clear escalation paths when the AI produces an unexpected or disputed output
• Records showing oversight is actually happening, not just that a process exists

The Act uses the phrase "appropriate human oversight measures" — the standard is not just that someone clicked approve. In practice, this means your oversight process needs to be documented, followed, and evidenced. A quarterly review meeting is not meaningful human oversight of a system making daily decisions.

The ICO has been explicit on this point: a review that amounts to rubber-stamping AI output does not satisfy the meaningful human involvement test under UK data protection law. The standard is not whether a human was present — it is whether that human was genuinely able to understand, challenge, and override the AI's output. Documenting that standard is being met is the compliance requirement.

4. Build your technical documentation

For high-risk AI systems, the Act requires technical documentation that describes what the system does, how it was developed, what it was tested on, and how its performance is monitored.

If you bought the AI from a third-party vendor, some of this documentation should come from the vendor. Many UK organisations are discovering that their vendors cannot provide it — either because the vendor is outside the EU and did not anticipate the requirement, or because the documentation does not exist in the required form.

What you need:

• Technical documentation covering: system purpose, development methodology, training data characteristics, performance metrics, known limitations
• If using a third-party system: vendor documentation plus your own record of how you have deployed and configured it
• Evidence of testing against your specific use case — not just the vendor's general testing

Organisations using large language models face particular uncertainty here. LLMs do not come with clean documentation of training data or performance characteristics in the way a traditional model does. If you are using an LLM in a high-risk context, the documentation challenge is significant and worth addressing now.

5. Complete your conformity assessment

Before a high-risk AI system can be put into service under the Act, it requires a conformity assessment — a formal evaluation that the system meets the Act's requirements.

For most systems, this is a self-assessment. It does not require a third party. But it does require documentation, and it needs to happen before August for systems already in operation.

What you need:

• A completed conformity assessment for every high-risk AI system in use
• A Declaration of Conformity — the formal statement that the system complies with the Act
• Registration in the EU database of high-risk AI systems where applicable

The penalty for non-compliance with the high-risk system requirements is up to €35 million or 7% of global annual turnover — whichever is higher. For a small professional services firm, the absolute figure is lower, but the proportional impact is the same.

The governance gap most organisations have right now

Research from Cambridge University's Centre for Alternative Finance, published April 2026 across 628 firms, found that 52% of organisations are already piloting or deploying autonomous AI agents — but accountability frameworks are absent or fragmented. 65% do not monitor their AI systems for bias or discrimination despite it being a regulatory priority.

These are organisations that deployed AI faster than governance could follow. The Act is, in effect, a forcing function — a hard deadline that requires the accountability architecture to catch up with the deployment reality.

The organisations that will navigate the August deadline well are not the ones with the most sophisticated AI. They are the ones that treated this as a delivery programme — assigned an owner, scoped the work, documented the outputs, and got sign-off before the deadline.

Where to start if you have not started

If your organisation has not yet begun this work, the practical starting point is the inventory. Not the legal framework, not the conformity assessment — the inventory.

List every AI tool in use. Classify each one against Annex III. Identify which require the full compliance treatment. Then work backwards from August with a realistic delivery plan.

That exercise alone — done honestly — will surface the gaps that matter. It is, in effect, your Know Your AI audit. It will also tell you whether you can close them internally before August, or whether you need external support to get there.

Eleven weeks is enough time if you start now. It is not enough time if you wait until the guidance feels complete.