AI Act roadmap: from inventory to compliance
Adopted 2026-06-22 · ≈ 2 min read · 
edited by Dirk Baaijen
A practical roadmap to becoming AI Act compliant — from inventorying your AI systems and determining your role and risk class to governance, documentation and ongoing oversight.
Short answer: AI Act compliance is not a single action but a staged journey: know which AI you have, determine your role and risk class, meet the corresponding obligations and keep all of that demonstrable. Start with an inventory; everything else hangs off it.
Step 1 — Inventory your AI systems
You cannot classify what you cannot see. Build a register of every AI system you develop, buy or deploy, including functionality, vendor, data used and business process. Don't forget "hidden" AI: features in standard software, embedded models and chatbots.
Step 2 — Determine your role
The AI Act assigns obligations by role. You are a provider if you develop a system or place it on the market under your own name, and a deployer if you use it within your organisation. Substantially modifying an existing system, or putting your name on it, can turn you into a provider. Role determines duty.
Step 3 — Classify the risk
Place each system in the risk pyramid: prohibited, high-risk, limited-risk (transparency) or minimal-risk. The heaviest obligations apply to high-risk uses — see the high-risk obligations overview. Most systems land lower, but you must be able to justify the assessment.
Step 4 — Meet the obligations
Each risk class carries a package of measures: risk management, data quality, technical documentation, logging, human oversight and user transparency. For limited risk, a transparency notice ("you are talking to AI") is often enough. Match the effort to the actual risk class — no heavier than necessary.
Step 5 — Embed governance and ongoing oversight
Compliance is not a one-off project. Capture roles, decision-making and monitoring in an AI governance framework. Mind the timeline of obligations: rules apply in phases, so prioritise by deadline and risk.
What to do
- Build an AI register and assign an owner.
- Determine your role (provider/deployer) and risk class per system.
- Work out the obligations per class; document the reasoning.
- Plan by deadline: see AI Act readiness in 90 days for a concrete starting sprint.
- Avoid the pitfalls in common AI Act mistakes.
A roadmap makes a large framework manageable: first visibility, then role and risk, then measures — and continuous oversight.
Sources
- https://eur-lex.europa.eu/eli/reg/2024/1689/oj
Regulation (EU) 2024/1689 (AI Act): risk classification, role-based obligations and phased entry into force. - https://artificialintelligenceact.eu/article/3/
Article 3 AI Act: definitions of provider, deployer and AI system.
Read next
Making HR AI compliant: a six-phase roadmap
A practical roadmap to make HR AI compliant: inventory every system, classify by risk, run a DPIA and FRIA, inform workers and involve the works council, set up human oversight, logging and bias monitoring, and lock down supplier arrangements.
AI Act readiness in 90 days: a practical plan
A concrete 90-day plan to build AI Act readiness, split into three one-month phases: inventory and classify, close the gaps, and embed governance with ongoing oversight.
AI Act board briefing: a template for the board and management team
A concise template to get the AI Act and AI use onto the board table: what is happening, which risks and deadlines, which decisions are needed, and which oversight questions the board should ask. Adopt it for your next board/management meeting.