ai governance

5 posts with the tag “ai governance”

AI Literacy Training: Meeting EU AI Act Article 4

Most of the EU AI Act applies to a narrow set of high-risk systems. Article 4 is the exception, because it reaches every organization that builds or uses AI, no matter how harmless the tool looks.

It has also been in force since 2 February 2025, ahead of the high-risk obligations that land in August 2026. So while teams plan for the heavier duties, the literacy clause is already live and already enforceable.

EU AI Act and GDPR: Where the Two Laws Overlap

Teams often treat the EU AI Act as a brand new rulebook that lands on a clean desk. It does not. If your AI system touches personal data, GDPR was already on that desk, and the AI Act stacks on top of it.

That stacking is where most of the confusion lives. The same project can owe a Data Protection Impact Assessment under one law and a Fundamental Rights Impact Assessment under the other, and nobody wants to run two parallel compliance tracks if one mapped program will do.

EU AI Act Risk Categories: The 4 Levels Explained

The EU AI Act does not treat every AI system the same way. It uses a risk-based design, so the obligations on a spam filter look nothing like the obligations on a CV-screening tool or a credit-scoring model.

That single decision, which risk category your system falls into, drives almost everything else: the controls you owe, the documentation you keep, and the size of the fine if you get it wrong.

EU AI Act Timeline: Compliance Deadlines to 2027

The EU AI Act does not arrive on a single date. It applies in stages between 2024 and 2027, and each stage switches on a different set of obligations for the organizations that build or use AI systems in Europe.

Two of those stages are already live. The next one, the high-risk regime, lands on 2 August 2026, which makes the remaining months the window most compliance teams are working against right now.

Shadow AI: Unauthorized AI Usage Problem

Shadow AI is what happens when an employee signs up for ChatGPT with a work email, pastes a customer list into a free Gemini tab, or asks Copilot to draft a security policy nobody has reviewed. The tool solves a real problem in minutes. The data leaves the building on the way. The security team has no idea it happened. That gap is the core of the shadow AI problem, and it is growing faster than any governance framework in place.