The EU AI Act Has a Question Your Board Will Ask in August. 83% of Enterprises Can't Answer It.

The headline your board saw

A Vision Compliance report published April 1 in the National Law Review contains a number I had to read twice. 83% of enterprises have no formal inventory of the AI systems they use or deploy. The EU AI Act’s August 2, 2026 compliance deadline is four months away. Risk tier classification, the first requirement under the Act, is structurally impossible without knowing what AI is running. You can’t classify what you haven’t counted.

The overall finding: 78% of enterprises assessed are not prepared for their EU AI Act obligations. That’s not a niche segment of unaware companies. Most of the leaders in that sample have known about the Act since 2023.

What it actually means

The usual assumption is that someone on the leadership team knows what AI the company is running. In practice, this assumption almost never survives contact with the actual list.

Legal doesn’t track what engineering deployed last quarter. IT knows the enterprise licenses but not the AI tools individual teams are paying for on company credit cards. Marketing is running three platforms nobody approved. A model someone fine-tuned on customer data last spring lives in a GitHub repo that two people know about, and one of them left.

This is what makes the 83% figure land differently than a typical compliance statistic. It’s not a knowledge gap about the regulation. It’s a structural fragmentation problem. AI system knowledge is distributed across functions that don’t speak the same vocabulary and have no shared incentive to build a unified view.

74% of organizations have no designated internal owner for AI compliance. This compounds the inventory problem in a predictable way. Regulations don’t fail because of malice. They fail because nobody owns them.

61% of organizations have no process for generating the technical documentation the Act requires for high-risk systems: data governance records, model performance metrics, and human oversight procedures. The Act doesn’t require these to be perfect. It requires them to exist and to be producible on request. For a lot of companies, that’s a wider gap than it sounds.

The contrast here is worth sitting with. Microsoft’s enterprise AI research, published this week, found that the organizations scaling AI most successfully are treating governance as foundational rather than as overhead. Trust acts as an accelerator, not a brake. The companies that established governance structures early are moving faster, not slower, than those who deferred it.

Three questions your board will ask

I’ve been in enough governance discussions this year to know which questions come up reliably.

“What AI systems are we actually running?”

This is the question 83% of companies can’t answer today. The board isn’t asking about the official AI strategy. They’re asking about the complete picture: approved tools, shadow AI, SaaS products with embedded AI features that no one evaluated, models engineering built and stopped maintaining. Someone needs to own building this inventory before August. It doesn’t have to be comprehensive on day one. It has to exist.

“Are we in a high-risk category under the Act?”

High-risk designation applies to AI systems operating in employment, creditworthiness, education, essential services, and law enforcement. If the organization uses AI in any of these areas, the documentation requirements are substantial. If it doesn’t, the obligations are lighter but still real. The board will want clarity here because the fines for misclassifying exposure reach €35 million or 7% of annual global turnover, whichever is higher. Boards pay close attention to numbers structured that way.

“Who is accountable for AI compliance inside this company?”

74% of organizations haven’t answered this question with a name. The board will want one. It should belong to someone with authority, board-level access, and a mandate that predates the deadline by at least a quarter. This is not a job for the general counsel’s office to absorb as an afterthought. The third question is the root cause of the first two: without a named owner, the inventory doesn’t get built and the risk classification doesn’t get done.

The 60-second brief

Here is what to say if the board asks and the team has one minute. The EU AI Act’s requirements are graduated by risk tier, and most organizations’ actual exposure is lower than the headlines suggest. The first priority is not a strategy document: it’s an inventory list. The second is a named compliance owner with a real mandate. Microsoft released open-source agent governance tooling this week that maps directly to the Act’s requirements, which means practical help already exists. The organizations that move on inventory and ownership now will approach August with control. The ones that don’t will be making consequential decisions under pressure they created for themselves.

What to watch

The November 2, 2026 watermarking deadline follows the August window. Watch for AI compliance ownership appearing in executive org charts as a named role rather than a distributed responsibility. That shift, when it arrives broadly, will mark the moment the regulation stopped being a background item. It’s already happening at the companies paying attention.