Artificial intelligence is no longer just a trend to become a central piece in the digital transformation of companies. Whether in process automation, data analysis or service personalization, AI has been reshaping markets and creating new growth opportunities.

However, the advancement of this technology imposes concrete regulatory challenges that directly impact its implementation in the corporate environment.

After all, to what extent can an AI system make decisions without human supervision? How to ensure that algorithms are fair and transparent? What are the legal and financial risks involved in the use of technology?

With these issues in mind, the European Union stepped forward: the EU AI Act, the world's first comprehensive AI regulation, came into force in August 2024. And in August 2026, the main obligations for high-risk systems begin to stand for real.

Is your company ready?

What changed from 2024 to here (and what will still change)

The EU AI Act was not implemented all at once. It is a phased project, planned to give companies time to adapt. But time is running out.

Official Timeline:

• August 2024: Entry into force.

• February 2025: Bans begin to apply (unacceptable risk practices).

• August 2025: Obligations for GPAI (General-Purpose AI) models+AI Office operational + general penalties in force.

• August 2026: General application for high-risk systems (most companies enter here).

• August 2027: High risk systems in already regulated products (medical devices, automotive, etc.).

• December 2030: Large-scale legacy systems (deadline).

And the penalties? They have been valid since August 2025. With the exception of GPAI models, whose fines start only in August 2026.

The problem is that only 3 Member States have appointed supervisory authorities so far. 14 have not yet started. But this does not mean that companies can relax.

Finland was the first country to have powers of strengtheningt complete (December 2025). And Italy was not far behind: in October 2025, it passed Law 132/2025, which criminalizes deepfakeswith a sentence of 1 to 5 years in prison and increases penalties for market manipulation via AI.

We are selling enforcementreal happening now.

The requirements that your company needs to meet (or pay dearly)

The EU AI Act classifies AI systems by level of risk. And the higher the risk, the greater the obligations.

1. Classification of Risks

“High risk” systems include those used in:

• Credit and insurance decisions.

• Selective employment processes.

• Law enforcement and justice.

• Critical infrastructure.

• Education and access to essential services.

If your company uses AI for any of these purposes, you're within the scope. And the demands are heavy.

2. Mandatory Transparency

Companies should clearly report when a user is interacting with an automated system. In addition, it is mandatory:

• Complete technical documentation of the system.

• Public summary of training data (for GPAI).

• Regular transparency reports.

• Clear explanations about how the algorithms work.

It is no longer optional. It's a law.

3. Data Protection and Governance

Compliance with LGPD in Brazil and GDPR in Europe becomes even more critical. The AI Act requires:

• Robust information security practices.

• Adequate storage and handling of sensitive data.

• Privacy by Design (Article 25 GDPR) applied to AI systems.

• Detailed record of who trained the model, with what data, and why.

4. Human Supervision and Auditing

The monitoring of AI systems will be mandatory in critical sectors, with:

• Frequent audits to mitigate undue visits.

• Continuous human supervision (cannot be “set and forget”).

• Validation that models continue to operate ethically over time.

And here is the crucial point: substantial modification, as retraining or fine-tuning that changes functionality or risks, requires mandatory legal review.

What happens to those who don't adapt?

The penalties of the EU AI Act are calculated similarly to the GDPR. And they are brutal:

• Tier 1 (prohibited practices): Up to €35 million OR 7% of annual global turnover (whichever is greater)

• Tier 2 (other violations): Up to €15 million OR 3% of annual global turnover

• Tier 3 (incorrect information): Up to €7,5 million OR 1% of annual global turnover

To put it in perspective: if your company invoices €1 billion per year and violates prohibited practices, the fine can reach €70 million.

In addition, companies that use AI inappropriately face:

• Litigation

• Irreparable damage to reputation

• Difficulty in strategic partnerships

• Removal of investors, who prioritize organizations aligned with governance and compliance

In Italy, the consequences go beyond: disqualifying measures of up to 1 year for serious cases and aggravating criminal for AI-supported crimes.

Ignoring is not an option.

How your company can adapt (before it's too late)

With regulation in full force, adapting is no longer a choice, it is a strategic need. And the data shows: companies with AI governance platforms are 3.4x more effective (Gartner, 2025).

Some essential actions include:

1. Complete Inventory of AI Systems

Identify which areas of the company use artificial intelligence and assess whether these systems can be framed as high-risk under the AI Act.

Don't know where to start? It starts with the systems that make decisions about people: hiring, credit, access to services, monitoring.

2. Implement Governance Controls

Creates mechanisms to ensure algorithms are trained with quality data, minimizing glitches and ensuring decisions are fair and explainable.

This includes:

• Technical documentation of each model • Traceability of training data • Continuous validation of performance and viés

3. Train Teams

Teams involved in the development, operation and supervision of AI need to be up to date on legal requirements and technology governance best practices.

The AI Act requires “AI literacy” since February 2025. Training your teams is not only compliance, it is a basic operation.

4. Adopt Continuous Monitoring Tools

Automated monitoring and auditing software facilitates compliance with the rules and avoids future penalties.

The AI governance platform market is expected to grow from $340 million (2025) to $1,21 billion by 2030. And there's a reason: effective governance can reduce regulatory costs by 20% (Gartner, 2026).

That is not a cost. It's an investment.

GPAI (General-Purpose AI): if you use LLMs, it affects you

If your company uses large-scale language models (LLMs) such as GPT, Claude, Gemini or similar, even via API, you are within the scope of GPAI.

As of August 2025, GPAI providers must:

• Publish summary of training data.

• Create transparency reports.

• Implement Code of Practice (published by AI Office in May 2025).

• Document substantial modifications (fine-tuning that changes functionality).

And attention: fine-tuning in business applications requires mandatory legal review.

Companies that rely on generative AI for critical operations need to ensure their suppliers are compliant. Because if the supplier fails, the responsibility falls on you too.

What's coming: 2026 and beyond

We are in March 2026. There are 5 months left for the general application of the AI Act (August 2026). And the market is moving fast:

• 50% of large companies will use AI for continuous regulatory compliance checks by the end of 2025 (Gartner) - against less than 10% in 2021.

• 90% of companies use AI on a daily basis, but only 18% have complete governance frameworks (Secure Privacy, 2025).

• By 2030, fragmented AI regulations will quadruple, covering 75% of global economies.

The AI Act is not an isolated case. It is the first of many. And the European standard tends to become a global standard, just as it happened with the GDPR.

More than compliance: a strategic opportunity

Adapting to the regulation of artificial intelligence is not just about avoiding fines. It is an opportunity to differentiate your company in the market.

By demonstrating a commitment to transparency, safety and ethics, your organization will:

• Strengthens the trust of customers and partners.

• Reduces legal and reputational risks.

• It attracts investors who prioritize sound governance.

• It guarantees sustainable growth in a market where compliance is a strategic differential.

Companies that anticipate requirements not only reduce risks, they create a competitive advantage.

Is your company ready?

The regulation of artificial intelligence marks a new stage in the maturation of technology and its responsible application. August 2026 is 5 months away. O enforcement has already started. The fines are already in effect.

The time to act is now.

Stay ahead of the changes and major updates of the GRC and technology market.

Talk to one of the Vennx experts and start adapting your business environment!

‍