The EU AI Act Hits High-Risk Systems on August 2. If Your AI Agent Touches Hiring or Finance, Here Is What Changes.
If you use an AI tool anywhere near hiring, promotions, or how you manage staff, the EU has a date for you: August 2, 2026. That is when the bulk of the high-risk rules in the EU AI Act start to apply, and "high-risk" is not some exotic edge case. Annex III, point 4 puts a plain label on it: AI used in employment and worker management. Recruitment, screening and ranking applicants, promotion and termination decisions, task allocation, and monitoring workers all sit squarely in the category.
That sweeps in a lot of small businesses that do not think of themselves as running high-risk AI. You bought a tool that screens CVs. You turned on a feature that scores candidates. You let an assistant draft interview shortlists. Under the Act, the moment that system influences an employment decision in the EU, it is high-risk, and you have obligations. Here is the part most coverage skips: you have those obligations even if you did not build the thing.
Employment is the example I will use throughout because it is the one that catches the most people by surprise, but it is not the only category. Annex III also tags AI used to assess creditworthiness and credit scoring, and to price and risk-assess life and health insurance, as high-risk. If your AI touches who gets a loan or what they pay for cover, the same playbook below applies to you, almost line for line.
Provider versus deployer, and why you are probably a deployer
The Act splits responsibility in two. The provider is whoever builds or sells the high-risk system. The deployer is whoever uses it under their own authority. If you are an SMB running someone else's AI on your own hiring, you are a deployer, and Article 26 is the part with your name on it.
Deployer duties are lighter than a provider's, but they are real, and several of them require you to actually change how you operate, not just file a document.
What August 2 actually asks of you
Strip away the legalese and the deployer checklist comes down to seven things.
Use it as intended. Run the system according to the provider's instructions for use. Going off-label, using a recruitment tool for something it was not assessed for, pushes responsibility back onto you.
Put a human genuinely in charge. You must assign human oversight to named people who have the competence, training, and authority to intervene. Meaningful is the operative word. The person has to be able to override or stop the system, not just rubber-stamp its output. A human who cannot say no is not oversight.
Watch it and keep the receipts. Monitor how the system performs in real use, and retain the logs it generates for at least six months. If a candidate later challenges a decision, the log is your evidence.
Tell your people. Before you put a high-risk AI system to work in the workplace, you must inform affected workers and their representatives that they will be subject to it. This is not buried fine print. It is an explicit notification duty, and in many member states it plugs into existing works-council and consultation rules.
Mind the data going in. To the extent you control the input data, you are responsible for it being relevant and representative for the system's purpose. Garbage in is not just a quality problem now, it is a compliance one.
Run a rights assessment where required. Certain deployers must complete a Fundamental Rights Impact Assessment before going live, a structured look at who could be harmed and how you will mitigate it.
Make sure your people are AI-literate. Everyone involved in operating or overseeing the system needs sufficient AI literacy. This particular duty has actually been live since February 2025, so if you have ignored it, you are already behind.
One honest caveat on the date
There is genuine movement on the timeline, and pretending otherwise would be doing you a disservice. The Commission's Digital Omnibus package, under discussion right now, proposes tying the high-risk obligations to the availability of harmonized technical standards. If those standards are not formally confirmed in time, parts of the high-risk regime could slip to as late as December 2027 or August 2028, depending on the system.
So the date may move. But betting your compliance posture on a proposal that has not passed is a gamble, and the duties themselves are not going away, only possibly arriving later. The smart move is to be ready for August 2 and pleasantly surprised if you get more runway, not the reverse.
Why architecture is doing half the compliance work
Read that deployer list again and notice what it actually rewards. Human override. Logs you can produce on demand. Knowing exactly what data the system saw. Telling people what is running and being able to show it. Keeping the whole thing inside your control.
That is not a legal posture you bolt on at the end. It is an architecture decision you make at the start. An AI system that impersonates a user, leaves no readable trail, runs on someone else's servers, and cannot be cleanly paused is a compliance liability before a regulator ever shows up. An AI system with its own identity, scoped permissions, an auditable record of every action, human oversight built into the workflow, and self-hosted deployment so the data and the logs stay on your infrastructure is most of the Article 26 checklist already satisfied by design.
This is the case we have been making on this blog for months, long before a deadline forced the issue. Trust, audit trails, scoped access, and owning your own stack were good ideas when they were just good engineering. August 2 turns them into the difference between a tool you can defend and one you cannot. Build on the side of the line where the regulator's questions already have answers.
Want to test the most advanced AI employees? Try it here: https://Geta.Team