The most common AI Act mistakes and how to avoid them
The biggest AI Act pitfalls are not exotic edge cases: overlooking hidden AI, misjudging your role, classifying too heavily or too lightly, forgetting transparency, and treating compliance as a one-off project.
Short answer: The most common AI Act mistakes are rarely technically complex. They stem from wrong assumptions: that you don't use AI, that the obligations don't apply to you, or that compliance is a one-off tick-box. Below are the five you'll meet most often.
Mistake 1: Overlooking hidden AI
Many organisations think "we don't use AI", while models sit embedded in standard software, HR tools, chatbots and marketing platforms. What you don't inventory, you can't classify. Always start with a complete AI register, including bought-in functionality.
Mistake 2: Misjudging your role
The AI Act assigns obligations by role. Anyone who thinks "I'm just a user" but substantially modifies a system or puts their own name on it becomes a provider, with heavier duties. Determine your role deliberately, per system.
Mistake 3: Classifying too heavily or too lightly
Some organisations treat all AI as high-risk and drown in needless documentation. Others underestimate a use that actually is high-risk. Both cost money or create risk. Justify the risk class per system; consult the high-risk obligations overview.
Mistake 4: Forgetting transparency
Even at limited risk there is a duty: users must know they are dealing with AI, and certain AI-generated or manipulated content must be identifiable as such. This is often forgotten because it seems "light", but it is mandatory.
Mistake 5: Treating compliance as a one-off project
Finishing a gap analysis is not the same as staying compliant. Systems change, models get updated and the rules apply in phases. Without an AI governance framework and periodic reassessment, your compliance quietly expires.
What to do
- Inventory all AI, including hidden features in standard software.
- Deliberately determine your role (provider or deployer) per system.
- Classify proportionately and justify every assessment.
- Arrange transparency notices, even at limited risk.
- Embed ongoing oversight; follow the AI Act timeline for deadlines.
- Work structurally through the AI Act roadmap.
Most mistakes cost nothing to prevent; they only ask that you don't run on assumptions.
Sources
- https://eur-lex.europa.eu/eli/reg/2024/1689/oj
  Regulation (EU) 2024/1689 (AI Act): role delineation, risk classification and transparency obligations.
- https://artificialintelligenceact.eu/article/50/
  Article 50 AI Act: transparency obligations, including notice that users are interacting with AI.