EU AI Act: What UK Boards Must Do Before Enforcement Bites

The Act classifies AI systems by risk level: unacceptable, high, limited, and minimal. High-risk systems — those used in hiring, credit scoring, benefits assessment, education, or critical infrastructure — carry the heaviest obligations. These include conformity assessments, data governance documentation, human oversight mechanisms, and registration with EU authorities.

Most UK SMEs assume they fall into the minimal-risk category. That assumption is frequently wrong. If you use AI to shortlist job applicants, score customer creditworthiness, or assist in any public-sector service decision, you are likely operating a high-risk system under the Act's definitions.

Prohibited AI practices were banned from February 2025. Obligations for general-purpose AI models apply from August 2025. High-risk system requirements apply from August 2026. Fines reach €35 million or 7% of global annual turnover for the most serious violations.

These are not hypothetical figures. EU data protection authorities have already demonstrated willingness to pursue non-EU organisations. The same enforcement posture is expected under the AI Act.

First, map every AI system your organisation uses. This includes third-party tools embedded in your HR, finance, or customer service platforms. You cannot manage risk you have not identified. Most UK organisations have no complete inventory.

Second, classify each system by risk category against the Act's definitions. This is not an IT task. It requires legal, operational, and board-level input. Misclassification carries the same penalties as non-compliance.

Third, assign accountability at board level. The Act requires documented human oversight of high-risk AI systems. That oversight must be real, recorded, and auditable — not a line in a policy document that nobody reviews.

Brexit did not insulate UK businesses from EU regulation. Any organisation that sells to EU customers, employs EU nationals, or operates within EU supply chains is within scope. The UK government's own AI governance framework does not replace or exempt you from EU obligations where they apply.

UK councils face a particular challenge. Many are piloting AI in benefits processing, planning decisions, and public communications. Several of these use cases sit in the high-risk category. Without a governance framework in place before August 2026, these programmes carry material legal and reputational exposure.

AI governance is no longer a technology department concern. It is a board-level fiduciary responsibility. The organisations that treat it that way now will be in a materially stronger position in 12 months than those that do not.

If your board cannot currently answer the question "which AI systems do we operate and how are they governed," that is the gap that needs addressing first.

Simon Steggles is a Fractional AI Director working with UK SMEs and councils on AI governance and board-level strategy. Royal Navy 1984–90 (Cat 3 PV at the time, now superseded by DV); current NPPV3 Police vetting; ISACA AI Governance certified. Has delivered over £300,000 in documented AI-driven savings for UK organisations.