What is actually required right now
Obligations are in force for prohibited AI practices, high-risk AI systems (Annex III), and GPAI models with systemic risk. If you deploy AI in HR decisions, credit scoring, biometric categorization, or critical infrastructure, you are in scope for the full high-risk requirements.
The five documents you must have
Technical documentation describing the system's purpose and limitations. A risk management system record. Data governance documentation covering training data lineage. A conformity assessment for Annex III systems. And human oversight procedures showing how your team can intervene when the system behaves unexpectedly.
The CISO's specific obligations
CISOs are increasingly named as the accountable party for cybersecurity requirements under Article 15: adversarial robustness testing, incident logging with EU AI Office notification timelines, and access controls preventing unauthorized modification of high-risk AI systems. Own these proactively.
Building the audit trail in 30 days
Week 1: inventory every AI system and classify against Annex III. Week 2: map existing controls to Article 15 gaps. Week 3: deploy logging that captures inputs, outputs, and decisions for every high-risk system. Week 4: draft technical documentation templates and schedule your first internal conformity review.
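One way to implement the Week 3 logging step, as an added example that is not from the original page or from any regulator's specification: a hash-chained decision log in Python that records inputs, outputs, the decision and any human-oversight override for each high-risk system, plus a verifier that reports the first entry that was modified after the fact. The field names, the system identifier and the credit-scoring sample records are constructed assumptions, not a mandated schema.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS_HASH = "0" * 64  # anchor for the first entry in a fresh log


def _entry_hash(entry: dict) -> str:
    """Hash the canonical JSON of an entry, excluding its own entry_hash field.
    prev_hash is part of the hashed payload; that is what links the entries."""
    payload = {k: v for k, v in entry.items() if k != "entry_hash"}
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"), default=str)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append_decision(log: list, system_id: str, inputs: dict, output: dict,
                    decision: str, human_override: Optional[str] = None) -> dict:
    """Append one decision record (hypothetical field names).
    human_override records who intervened and what they changed, if anyone did."""
    entry = {
        "seq": len(log),
        "ts": datetime.now(timezone.utc).isoformat(),
        "system_id": system_id,
        "inputs": inputs,
        "output": output,
        "decision": decision,
        "human_override": human_override,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS_HASH,
    }
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return entry


def verify_log(log: list):
    """Return (True, None) if every entry hashes correctly and links to its
    predecessor, otherwise (False, seq) for the first entry that fails."""
    prev = GENESIS_HASH
    for i, entry in enumerate(log):
        if (entry.get("seq") != i or entry.get("prev_hash") != prev
                or _entry_hash(entry) != entry.get("entry_hash")):
            return False, i
        prev = entry["entry_hash"]
    return True, None


def demo() -> list:
    """Constructed sample: a credit-scoring system with one reviewer override."""
    log = []
    append_decision(log, "credit-scoring-v3", {"applicant": "A-1001", "income": 42000},
                    {"score": 0.31}, "decline")
    append_decision(log, "credit-scoring-v3", {"applicant": "A-1002", "income": 61000},
                    {"score": 0.48}, "approve", human_override="reviewer-7: manual approve")
    return log
```

Editing any field of an earlier record, including silently removing an override, breaks that entry's hash and the verifier points at it; ship the entries to write-once storage so the chain itself cannot simply be rebuilt.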
The enforcement picture
The EU AI Office began supervisory inquiries in Q1 2026. Fines for non-compliant high-risk systems reach €30M or 6% of global turnover. The firms most at risk are deploying AI in HR and credit scoring without audit trails. The cost of compliance is a rounding error compared to the exposure.