Understanding the EU AI Act: The webinar FAQs

The EU AI Act is one of the most significant regulatory developments for organisations using, developing or deploying AI. But as our webinar showed, the real challenge is not only understanding the legislation but also figuring out what it means for your company.

Participants raised a wide range of thoughtful and practical questions. They wanted to know how the Act applies to UK organisations, what counts as high-risk AI, who is responsible when third-party systems are used, and what organisations should be doing now to prepare. Many questions also focused on training, governance, documentation and how to build confidence around AI without slowing down innovation.

This FAQ guide brings together all the questions you had, with clear answers to help organisations better understand their obligations and next steps. It is designed to support companies as they begin turning the requirements of the EU AI Act into practical policies, processes and safeguards.

  1. What are the impacts of AI on sanctions and export controls?
    AI can support screening, monitoring and anomaly detection, but it also creates risks such as false positives, false negatives, opaque matching logic and overreliance on automated tools. Compliance teams should validate AI tools, keep human escalation in place and ensure restricted technical data is not entered into unapproved AI platforms.
  2. What measures should we take to stay ahead of AI, and how does this interact with ISO 27001?
    You cannot fully “get ahead” of AI, but you can govern it. Keep an AI inventory, assess risk by use case, approve tools, train staff and build AI into ISO 27001 controls such as access management, supplier risk, data classification and incident response.
  3. Are there EU-based AI solutions from a data protection perspective?
    Yes, but location alone is not enough. Organisations still need to check where data is processed, whether prompts are used for training, sub-processors, security controls, contractual terms and GDPR compliance.
  4. Can we use AI for creating policies, processes and similar documents?
    Yes, AI can help with first drafts, structure and summaries. But it should not be treated as a legal or compliance authority. Human review is essential, especially for accuracy, legal requirements and organisational context.
  5. What are the most important aspects to include in an AI policy to ensure compliance?
    Include permitted and prohibited uses, approval processes, data handling rules, use of personal or confidential data, human review, supplier approval, high-risk use controls, record-keeping, training, incident reporting and consequences for misuse.
  6. What must regulated sectors do to be compliant?
    They must comply with the EU AI Act where in scope and with their existing sector rules. Financial services, healthcare, education, employment, critical infrastructure and public services should map AI use cases, identify high-risk systems, document oversight and test controls.
  7. What is the impact of AI on personalised delivery?
    AI can make content, training and services more personalised by adapting to user needs or risk profiles. The risk is that personalisation can become intrusive, biased or inaccurate, so it should be transparent, monitored and based on appropriate data.
  8. How will the Act impact the use of AI in the workplace?
    Workplace AI will need stronger governance, especially in recruitment, performance monitoring, task allocation, promotion, termination and employee profiling. Some uses may be high-risk and require more documentation, oversight and transparency.
  9. Is there a preferred option for the AI system used?
    No single AI system is preferred by the Act. The right option depends on the use case, risk, data sensitivity, security, supplier terms, and whether the tool can meet your governance needs.
  10. What impact will the EU AI Act have on outbound sales and marketing?
    It may affect AI used for profiling, targeting, lead scoring, automated content and customer interaction. Teams should review transparency, data protection, consent or legitimate interests, accuracy, bias and whether people know when they are interacting with AI.
  11. What would collaboration look like?
    Good AI collaboration means legal, compliance, HR, IT, security, and procurement teams working together. AI governance should not sit with one team only.
  12. We are AI deployers in a general Copilot sense. Which staff require AI training?
    Staff who use, manage, approve or supervise AI tools should receive AI literacy training. A basic level should apply broadly, with deeper training for HR, legal, compliance, IT, procurement, marketing, managers and anyone using AI in decisions affecting people.
  13. What is AI bias?
    AI bias is when an AI system produces unfair or skewed results because of its training data, design, prompts or deployment context. It can disadvantage certain groups even when no discrimination was intended.
  14. What safeguarding measures are needed to safely manage and embrace AI?
    Use approved tools, define permitted uses, restrict sensitive data, require human review, log important uses, monitor bias, check suppliers, train staff and create a clear route for escalating errors or concerns.
  15. What is a high-risk AI area in an organisation?
    High-risk areas include employment, education, essential services, critical infrastructure, law enforcement, migration, justice and certain biometric uses. In ordinary businesses, HR and recruitment are often the most relevant high-risk areas.
  16. What are the risks of using AI to draft disciplinary or grievance investigation reports?
    Risks include factual errors, invented details, bias, inappropriate tone, confidentiality breaches and loss of procedural fairness. AI may help structure notes, but it should not make findings or replace the investigator’s judgement.
  17. What are the essential elements of AI governance and change management policy frameworks?
    Include ownership, risk classification, approval workflows, impact assessments, data governance, supplier due diligence, testing, monitoring, human oversight, staff training, incident management, audit trails and review cycles.
  18. How do you see the use of AI in business changing over the next five years?
    AI will move from ad hoc prompting to embedded workflows, automated decision support and AI agents. The biggest shift will be from individual experimentation to governed, integrated and measurable business use.
  19. Where is the line drawn between users and developers, for example where an AI tool is modified by a user?
    A business is usually a deployer when it uses a third-party AI tool as intended. It may become a provider if it substantially modifies the system, changes its intended purpose, puts it on the market under its own name or integrates it into a new product.
  20. How will the Act be interpreted and enforced across industries and Member States?
    There will be EU-level coordination, but national regulators will also play a key role. Interpretation will develop through guidance, standards, enforcement decisions and sector practice.
  21. How can organisations prevent erroneous outputs?
    Errors cannot be eliminated completely. Use good prompts, reliable data sources, human review, output testing, confidence checks, version control and clear rules about when AI output must be independently verified.
  22. Should organisations have an AI policy?
    Yes. Even a short policy is useful because it tells staff what tools they may use, what data they may enter, where human review is required and when approval is needed.
  23. What impact will the EU AI Act have on UK legislation?
    The UK has not copied the EU AI Act, but UK businesses may still be in scope where their AI systems or outputs affect the EU market. The Act is also likely to influence supplier due diligence and customer expectations in the UK.
  24. How does the Act interact with existing regulations such as FCA PS21/3 and EU DORA? Will the UK adopt it?
    The AI Act sits alongside, not instead of, existing regulation. Financial services firms should also consider operational resilience, outsourcing, ICT risk, customer outcomes and model risk. The UK is currently taking a more sector-led approach rather than adopting a direct equivalent.
  25. What practical steps should organisations take to prepare, including policies, vendor checks and monitoring?
    Start with an AI inventory. Classify use cases by risk, identify high-risk systems, update policies, train staff, review vendors, check data flows, set human oversight rules, monitor outputs and keep evidence.
  26. What obligations do we have to provide AI training to staff?
    The EU AI Act requires providers and deployers to ensure sufficient AI literacy for staff and others using AI on their behalf. Training should reflect the person’s role, technical knowledge, the AI tools used and the risks involved.
  27. Who falls in scope?
    Providers, deployers, importers, distributors, product manufacturers and authorised representatives can all fall in scope. Non-EU organisations may also be covered where AI systems are placed on the EU market or outputs are used in the EU.
  28. What are some high-risk uses of AI when processing employee data?
    Examples include CV screening, candidate scoring, performance monitoring, promotion or dismissal recommendations, task allocation based on personal traits, productivity scoring and emotion recognition.
  29. How will the AI Act affect UK organisations?
    Some UK organisations will be directly in scope. Others will be indirectly affected because EU clients, partners and suppliers may ask for evidence of AI governance, training, risk assessments and contractual controls.
  30. What is meant by “steering the learning process” in Annex III, point 3(b)? Are formative assessments included?
    It means using AI to influence how someone is taught, assessed, progressed or directed in education or vocational training. Formative assessments could be included if AI evaluates learning outcomes and shapes the learner’s path, support, level or opportunities.
  31. What key points should those training others within their firm on AI governance address?
    Cover what AI is, where the firm uses it, key risks, approved tools, data rules, bias, hallucinations, human oversight, high-risk use cases, escalation routes and practical do’s and don’ts.
  32. What is the one takeaway from the new Act? Would you agree that it is to make sure you are up to date?
    Being up to date matters, but the stronger takeaway is to know where and how your organisation uses AI, then apply controls proportionate to the risk. An AI inventory is the foundation.
  33. How can companies ensure supplier due diligence asks the right AI risk questions?
    Ask what AI is used, for what purpose, where data is processed, whether customer data trains models, what sub-processors are involved, how outputs are tested, how bias is managed, what logs are kept and what happens if the system fails.
  34. What upcoming changes do you foresee, and how can organisations future-proof?
    Expect more guidance, standards, enforcement activity and contract pressure from customers. Future-proof by using flexible policies, regular reviews, AI inventories, supplier monitoring and role-based training rather than one-off compliance exercises.
  35. Where do recruitment activities fall?
    AI used for recruitment or selection, including targeted job adverts, CV filtering and candidate evaluation, is treated as high-risk under Annex III. This means stronger governance, transparency, oversight and documentation will be needed.
  36. What guidance should be included in employee handbooks?
    Include simple rules on approved tools, prohibited uses, confidential and personal data, checking outputs, declaring AI use, avoiding automated decisions about people, reporting concerns and seeking approval for higher-risk uses.
  37. What can and cannot be used in the fintech industry, and how should AI be embedded into operations?
    Fintech firms can use AI for areas such as fraud detection, customer support, compliance monitoring and operational efficiency, but must manage risks around consumer harm, bias, explainability, outsourcing, cybersecurity, resilience and data protection. AI should be embedded through governance, testing, monitoring and clear accountability.
  38. What are the privacy requirements and implications of the EU AI Act, and how does it interact with GDPR?
    The AI Act does not replace GDPR. If personal data is used, organisations still need a lawful basis, transparency, data minimisation, purpose limitation, security, retention controls and rights handling. High-risk AI may also require additional documentation and oversight.
  39. How can we identify a secure, built-in legal AI?
    Look for AI systems with embedded security and governance features: encrypted data handling, clear user access controls, audit logs and the ability to operate in a certified secure environment. Transparency also matters: the system should be able to trace how a decision or recommendation was generated.
  40. How do we conduct a risk assessment for AI systems?
    Begin by mapping each AI system to its potential impact on people, processes or rights. Ask what decisions it influences, who is affected and whether it could create bias or safety issues. Then look at data quality, model limitations and operational controls. Document your findings and assign ownership. Regulators want evidence that you thought through the risks before deployment, and monitoring must continue after launch.
  41. At what point does an AI feature become regulated as a high-risk AI system?
    High-risk classification is all about impact. If an AI system influences legal rights or access to services or employment, it is high-risk. That includes tools making recruitment recommendations, scoring loan applications or managing infrastructure.

On-demand webinar: Understanding the EU AI Act – High-risk AI and global compliance trends