← All articles
Compliance · Apr 18, 2026 · 7 min read

Preparing for the EU AI Act: A Checklist for US Companies

A common assumption inside US companies is that the EU AI Act is a European problem. It is not. Like the privacy regulation that preceded it, the Act reaches across borders by design, and plenty of US teams are already in scope without realizing it. If you wait for certainty before preparing, you will be preparing under deadline pressure with auditors already asking questions.

Why US companies are in scope

The Act does not care where your company is headquartered. It applies based on where your AI system lands and who it affects. If you place an AI system on the EU market — selling it, embedding it in a product European customers use, or offering it as a service there — you are covered. You are also covered if the system’s output is used within the EU or affects people located there. A US company with European users, European customers, or a European sales motion is very likely already inside the perimeter.

The risk tiers

The Act sorts AI systems into tiers, and your obligations follow the tier. Knowing where each of your systems sits is the first real step.

Transparency obligations

Transparency is where many otherwise-compliant teams trip. People interacting with an AI system generally must be told so. AI-generated or manipulated content often has to be disclosed and, in some cases, machine-marked. These are not buried clauses you can address after launch — they shape how the product presents itself to every user, and retrofitting honesty into an interface is harder than building it in.

The Act rewards the teams that can show their work. The question on audit day is never “do you believe you are compliant?” — it is “show me the records,” and the only acceptable answer is records you cannot have altered.

Documentation and logging expectations

For higher-risk systems, the Act expects technical documentation that describes what the system does, the data it was built and operates on, the risks you identified, and the controls you put in place. It also expects logging — durable records of how the system behaved over time, so that an incident can be reconstructed and accountability established. The standard is not a polished policy document. It is evidence, kept continuously, that survives scrutiny.

How GovCraft maps controls and keeps the record

This is the work GovCraft is built for. It maps your AI systems to the controls the Act expects — classifying each system by risk tier, attaching the documentation and oversight requirements that follow, and showing you where the gaps are before an auditor does. As your systems operate, GovCraft keeps an immutable audit trail: a tamper-evident record of decisions, disclosures, and behavior that you can hand to a regulator without scrambling to assemble it after the fact. Compliance stops being a quarterly fire drill and becomes a property of the system itself.

A checklist of first steps

You do not need to solve everything at once. You need to start, in order.

Work that list top to bottom and you will move from “we think we are probably fine” to “we can prove it.” That shift — from belief to evidence — is the entire posture the Act demands, and the companies that build it now will not be the ones scrambling later.