AI governance
EU AI Act August 2026: what every B2B SaaS company must do now
Kshitij Bhatt, Founder · May 25, 2026 · 11 min read
The EU AI Act's GPAI and high-risk system obligations are live. General-purpose AI requirements took effect August 2025; first enforcement assessments began Q1 2026. Fines run to €30 million or 6% of global revenue. This is the practical compliance guide for B2B SaaS teams.
Enforcement clock: The EU AI Act's General-Purpose AI (GPAI) and high-risk system obligations took effect 2 August 2025. The first compliance assessments began in Q1 2026. Companies deploying AI in hiring, credit, insurance, legal, education, or critical infrastructure in the EU face fines up to €30 million or 6% of global annual turnover.
Key figures: €30M maximum fine per violation · 6% global revenue cap · Aug 2025 GPAI obligations live · 2026 first assessments.
What the EU AI Act actually requires
Most of the headlines focus on what AI systems are banned. But the enforcement risk for B2B SaaS companies isn't the prohibited-AI list — it's the high-risk AI system requirements in Annex III. If your AI makes or substantially influences decisions in these domains, you're in scope:
- Employment and HR (CV screening, performance scoring, hiring recommendations)
- Credit scoring and insurance underwriting
- Education and vocational training access decisions
- Law enforcement, border management, judicial decisions
- Access to essential services (housing, healthcare, utilities)
- Critical infrastructure management
For most B2B SaaS teams the triggering question is: does your AI agent take actions that affect whether a person gets a job, a loan, a service, or a legal outcome? If yes — you're a high-risk AI system operator.
The six requirements that catch companies unprepared
1. Risk management system (Article 9)
You must establish, implement, document, and maintain a risk management system throughout the AI system's entire lifecycle. "We reviewed it once before launch" is not compliant. You need ongoing risk identification, evaluation, and mitigation — documented and auditable.
2. Data governance (Article 10)
Training, validation, and testing datasets must be subject to governance practices including data quality criteria and relevance checks. If you fine-tune models on customer data, you need a documented data governance policy that covers how that data was collected and preprocessed, and how it was examined for bias.
3. Technical documentation (Article 11)
Before market placement, you must prepare technical documentation demonstrating the system meets Act requirements. This includes: intended purpose, performance metrics, data used, human oversight measures, post-market monitoring plan, and cybersecurity measures.
4. Automatic logging (Article 12)
High-risk AI systems must generate logs automatically during operation, capturing events relevant to post-incident investigation. The logs must be retained for at least six months (or longer per sector-specific rules). This is the requirement most SaaS teams completely miss.
Article 12 logging is not the same as your application logs. The EU AI Act requires logs that enable reconstruction of what decision was made, by which model, on which inputs, at what timestamp — in a form that investigators can read without access to your production infrastructure.
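As an added illustration (not DataVibe's code) of what an Article 12 record can look like, the following writes each decision with the fields listed above and in the checklist below (timestamp, model, inputs, output, outcome), links records in a SHA-256 hash chain so later edits are detectable, and exports plain JSON lines that a reviewer can read without production access. The chain design and field names are assumptions, not the Act's wording.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first record


def _digest(record: dict) -> str:
    """Hash a canonical JSON form so identical records always hash identically."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class DecisionLog:
    """Append-only, hash-chained log of AI decisions (assumed design)."""

    def __init__(self):
        self.entries = []

    def record(self, model, inputs, output, outcome, timestamp=None) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "model": model,        # which model made the decision
            "inputs": inputs,      # what it saw
            "output": output,      # what it produced
            "outcome": outcome,    # what happened as a result
            "prev_hash": prev,     # link to the previous record
        }
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Recompute every hash and link; return (ok, seq_of_first_bad_record)."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev_hash"] != prev or _digest(body) != e["hash"]:
                return False, e["seq"]
            prev = e["hash"]
        return True, None

    def export(self) -> str:
        """One JSON object per line: readable by an investigator with no system access."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)
```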
5. Human oversight (Article 14)
High-risk AI systems must be designed and developed with human oversight measures built in. This means: at least one natural person can understand and interpret the system's outputs, detect failures or unexpected behavior, and intervene or halt the system. You cannot satisfy this with a post-hoc "audit when something goes wrong" approach.
6. Accuracy, robustness, cybersecurity (Article 15)
Systems must achieve appropriate levels of accuracy and be resilient to errors, faults, inconsistencies, and adversarial attacks. You need documented testing against adversarial prompts and a process for handling hallucinations that would affect the AI's decisions.
What "human oversight" means in practice for AI outbound
Article 14 is the hardest requirement to satisfy architecturally. Most teams interpret "human oversight" as "a human can review logs after the fact." That does not meet the standard. The Act requires that a human can intervene — which means you need a mechanism to catch AI-generated outputs before they take effect.
For AI agents that send emails, create records, make API calls, or generate decisions: the human oversight mechanism is an intercept layer that holds the AI's output pending review. This is exactly what DataVibe's approval queue provides — every AI-generated action that crosses a risk threshold enters the queue; no action is taken until a reviewer explicitly approves it.
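The intercept layer described above, as an added example that is not DataVibe's approval queue: actions scored below an assumed risk threshold dispatch directly, anything at or above it is held until a named reviewer approves or rejects it, and a halt control freezes auto-dispatch and approvals. The threshold, the `Action` fields and the risk score source are assumptions.

```python
import itertools
from dataclasses import dataclass
from typing import Callable, Dict, Optional

HOLD_THRESHOLD = 0.5  # assumed: actions scored at or above this are held for review


@dataclass
class Action:
    kind: str                 # e.g. "send_email", "create_record", "api_call"
    payload: dict
    risk: float               # assumed: 0..1 score from an upstream policy engine
    status: str = "pending"
    reviewer: Optional[str] = None


class ApprovalGate:
    """Sits between the agent and the outside world: nothing above the
    threshold reaches `dispatch` until a reviewer explicitly approves it."""

    def __init__(self, dispatch: Callable[[Action], None]):
        self._dispatch = dispatch          # performs the real side effect
        self.queue: Dict[int, Action] = {}
        self.halted = False
        self._ids = itertools.count(1)

    def submit(self, action: Action) -> int:
        action_id = next(self._ids)
        if not self.halted and action.risk < HOLD_THRESHOLD:
            action.status = "dispatched"
            self._dispatch(action)
        else:
            action.status = "held"         # pending human review
            self.queue[action_id] = action
        return action_id

    def approve(self, action_id: int, reviewer: str) -> None:
        if self.halted:
            raise RuntimeError("gate is halted; approvals suspended")
        action = self.queue.pop(action_id)
        action.status, action.reviewer = "approved", reviewer
        self._dispatch(action)

    def reject(self, action_id: int, reviewer: str) -> None:
        action = self.queue.pop(action_id)
        action.status, action.reviewer = "rejected", reviewer

    def halt(self) -> None:
        """The 'intervene or halt' control: held actions stay held, nothing new auto-dispatches."""
        self.halted = True
```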
The GDPR interaction: data minimisation on AI outputs
The EU AI Act operates alongside GDPR. AI systems that process personal data in their outputs (names, contact details, inferred characteristics) must comply with both. This creates a specific problem: AI models frequently echo back personal data from their context window in outputs — a form of incidental disclosure that triggers GDPR Article 5(1)(c) data minimisation requirements.
DataVibe's PII scanner (regex patterns for name+email, SSN, passport number, EU national ID formats) runs on every outbound payload before dispatch, blocking or flagging any output that surfaces personal data outside the intended scope.
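An added example (not DataVibe's scanner) of the pre-dispatch check just described: regex classes for SSN, e-mail, name+e-mail pairs and a passport-style identifier are run over the outbound payload, addresses that belong to the intended recipients are treated as in scope, and hard identifiers block while anything else out of scope is flagged. The patterns and the block/flag policy are constructed assumptions; real EU national ID formats differ by country and are not modelled here.

```python
import re

EMAIL = r"[\w.+-]+@[\w-]+\.[\w.-]+"

# Constructed patterns (assumed, illustrative only).
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b" + EMAIL + r"\b"),
    "name_email": re.compile(r"\b[A-Z][a-z]+ [A-Z][a-z]+ <(?P<addr>" + EMAIL + r")>"),
    "passport": re.compile(r"\b[A-Z]{1,2}\d{7}\b"),
}
BLOCK_CLASSES = {"ssn", "passport"}   # assumed policy: hard identifiers always block


def scan_outbound(payload: str, intended_recipients: set) -> dict:
    """Return {"action": "allow"|"flag"|"block", "findings": [(class, value), ...]}.

    An address in `intended_recipients` is the intended scope of the message,
    so it is not counted as incidental disclosure.
    """
    intended = {r.lower() for r in intended_recipients}
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(payload):
            value = m.group(0)
            addr = m.groupdict().get("addr") or value
            if kind in ("email", "name_email") and addr.lower() in intended:
                continue                      # in-scope recipient
            findings.append((kind, value))
    if any(kind in BLOCK_CLASSES for kind, _ in findings):
        action = "block"
    elif findings:
        action = "flag"
    else:
        action = "allow"
    return {"action": action, "findings": findings}
```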
Practical compliance checklist for B2B SaaS
- Classify your AI systems against Annex III — document which are high-risk and why (or why not)
- Establish a risk register with identified risks, mitigations, and assigned owners
- Implement automatic logging: every AI decision with timestamp, model, inputs, output, and outcome
- Build a human oversight mechanism — not review-after-the-fact, but pre-dispatch review capability
- Document training data sources and governance decisions
- Prepare technical documentation before any high-risk system goes to production
- Test against adversarial inputs quarterly; document results
- Register with the EU AI database if required by your sector
The DataVibe angle: DataVibe satisfies Articles 12 (automatic logging — tamper-evident chain), 14 (human oversight — approval queue with mandatory review), and partially 15 (adversarial robustness — policy engine blocks jailbreak-induced policy violations). The audit log export is formatted for legal review.
What happens if you're non-compliant
National market surveillance authorities (the DPA equivalent for AI) have investigatory powers and can require access to technical documentation, logs, and source code. Fines for prohibited AI practices go up to €35M or 7% of turnover. Fines for non-compliance with obligations (which covers most of Articles 9–15) go up to €15M or 3% of global turnover.
Beyond fines: non-compliant AI systems can be ordered off the market. For a SaaS company, that means disabling the AI feature in the EU — potentially affecting all EU customers simultaneously.
See DataVibe in action
30-minute live walkthrough: policy engine, approval queue, audit chain.