Deploying AI is easy. Governing it is another story.
#AIAct #AIGovernance #AICompliance #RegTech #SME #StartupEU #ArtificialIntelligence
This post was originally written in French and translated with the assistance of an AI. Some nuances may differ from the source text.
Only 13% of companies are truly ready to govern AI.
That figure comes from the Cisco AI Readiness Index 2025. It has been stable for three years. Meanwhile, adoption has exploded: 20% of European companies use AI in 2025, up from 13.5% a year earlier.
Adoption is accelerating. Readiness is stalling. The gap is widening.
And that's exactly the problem.
Deploying AI has become trivial.
An API. A model. A bit of fine-tuning. Within a few weeks, you have an AI system in production.
What nobody told you is that this fine-tuning can be enough to flip your status.
Under Article 25 of the AI Act, if you rebrand, substantially modify, or repurpose a system toward a high-risk use, you legally become a "Provider" — with all the heavy obligations that entails. Automatically. Without notification. And your contract with your model supplier does not protect you: it's a factual qualification, not a contractual one.
The most common mistake I see: believing the foundation model provider bears the responsibility. For a service SME, this is the most underestimated regulatory trap.
"But we already do versioning and testing."
That's the objection I hear most from CTOs. And it's the most dangerous illusion.
Code versioning and regression testing are good engineering practices. But before an auditor, technique without a procedural framework — a Quality Management System (Art. 17), a risk register, an Annex IV technical file — is worth nothing.
AI compliance is not a technical artifact. It's a chain of enforceable evidence.
And the field data is unforgiving (Vision Compliance, April 2026):
- 8% of organisations have taken no meaningful steps toward AI Act compliance
- 83% have no formal inventory of their AI systems
- 74% have designated no owner for AI governance
- 61% have no process to produce the required technical documentation
This is not a problem of goodwill. It's a structural problem.
Compliance cannot be declared on the eve of an audit. It is built into the lifecycle of systems — in the code, in the pipelines, in the documentation, in day-to-day governance.
And unlike GDPR, the AI Act doesn't ask how you manage data. It asks how you govern the systems that use it.
Two distinct scopes. Two different logics. Two types of proof.
In this carousel: the reclassification trap (Art. 25), what the law actually requires, the documentation that must flow up your value chain (Art. 53), and 3 questions to find out where you really stand.
👇 In the comments:
Do you have a complete inventory of your AI systems? Yes / No / In progress
And do you know whether you're a Provider or a Deployer for each of them?
Sources
-
13% ready / AI agent adoption / ROI measurement → Cisco AI Readiness Index 2025 (Oct. 2025) : https://www.cisco.com/c/m/en_us/solutions/ai/readiness-index.html
-
20% EU adoption in 2025 vs 13.5% in 2024 → Eurostat (Dec. 2025) : https://ec.europa.eu/eurostat/web/products-eurostat-news/w/ddn-20251211-2
-
Vision Compliance, EU AI Act Readiness Analysis (April 2026) : https://www.einnews.com/pr_news/903074846/vision-compliance-releases-2026-eu-ai-act-readiness-report-finds-78-of-enterprises-unprepared-for-obligations
-
Provider/Deployer reclassification → AI Act, Article 25 : https://artificialintelligenceact.eu/article/25/
-
Quality Management System → AI Act, Article 17 : https://artificialintelligenceact.eu/article/17/
-
GPAI documentation / value chain → AI Act, Article 53 & Annex XII : https://artificialintelligenceact.eu/article/53/
-
Full official text → Regulation (EU) 2024/1689 : https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
The views expressed in this article are strictly personal and do not necessarily reflect those of my employer. The content is provided for informational purposes only and does not constitute individualised legal advice. References to Regulation (EU) 2024/1689 and Directive (EU) 2024/2853 refer to the texts published