Preparing for the EU AI Act: A Checklist for US Companies
A common assumption inside US companies is that the EU AI Act is a European problem. It is not. Like the privacy regulation that preceded it, the Act reaches across borders by design, and plenty of US teams are already in scope without realizing it. If you wait for certainty before preparing, you will be preparing under deadline pressure with auditors already asking questions.
Why US companies are in scope
The Act does not care where your company is headquartered. It applies based on where your AI system lands and who it affects. If you place an AI system on the EU market — selling it, embedding it in a product European customers use, or offering it as a service there — you are covered. You are also covered if the system’s output is used within the EU or affects people located there. A US company with European users, European customers, or a European sales motion is very likely already inside the perimeter.
The risk tiers
The Act sorts AI systems into tiers, and your obligations follow the tier. Knowing where each of your systems sits is the first real step.
- Prohibited. A small set of uses — manipulative systems, certain biometric and social-scoring applications — are banned outright. If anything you run lives here, the only remediation is to stop.
- High-risk. Systems used in areas like employment, credit, education, and critical infrastructure carry the heaviest obligations: risk management, data governance, documentation, human oversight, and logging.
- Limited risk. Systems that interact with people or generate content carry transparency duties — chiefly, telling people they are dealing with an AI.
- Minimal risk. Most everyday applications fall here, with few formal obligations, though good practice still applies.
Transparency obligations
Transparency is where many otherwise-compliant teams trip. People interacting with an AI system generally must be told so. AI-generated or manipulated content often has to be disclosed and, in some cases, machine-marked. These are not buried clauses you can address after launch — they shape how the product presents itself to every user, and retrofitting honesty into an interface is harder than building it in.
The Act rewards the teams that can show their work. The question on audit day is never “do you believe you are compliant?” — it is “show me the records,” and the only acceptable answer is records you cannot have altered.
Documentation and logging expectations
For higher-risk systems, the Act expects technical documentation that describes what the system does, the data it was built and operates on, the risks you identified, and the controls you put in place. It also expects logging — durable records of how the system behaved over time, so that an incident can be reconstructed and accountability established. The standard is not a polished policy document. It is evidence, kept continuously, that survives scrutiny.
How GovCraft maps controls and keeps the record
This is the work GovCraft is built for. It maps your AI systems to the controls the Act expects — classifying each system by risk tier, attaching the documentation and oversight requirements that follow, and showing you where the gaps are before an auditor does. As your systems operate, GovCraft keeps an immutable audit trail: a tamper-evident record of decisions, disclosures, and behavior that you can hand to a regulator without scrambling to assemble it after the fact. Compliance stops being a quarterly fire drill and becomes a property of the system itself.
A checklist of first steps
You do not need to solve everything at once. You need to start, in order.
- 1. Inventory your AI systems. List every system that touches EU users, customers, or output. You cannot govern what you have not named.
- 2. Classify each by risk tier. Prohibited, high, limited, or minimal. The tier sets the workload.
- 3. Confirm your scope. Verify, in writing, whether and how each system reaches the EU market or affects EU persons.
- 4. Close any transparency gaps. Ensure people are told when they are interacting with AI and that generated content is disclosed where required.
- 5. Stand up documentation. For high-risk systems, assemble the technical file: purpose, data, risks, and controls.
- 6. Turn on durable logging. Capture system behavior in records you cannot quietly change later.
- 7. Assign ownership. Name a person accountable for each system’s compliance, not a committee.
Work that list top to bottom and you will move from “we think we are probably fine” to “we can prove it.” That shift — from belief to evidence — is the entire posture the Act demands, and the companies that build it now will not be the ones scrambling later.