EU AI Act's August Deadline Is Five Months Out. Most Companies Haven't Solved the Documentation Problem.

The European Parliament Think Tank published its AI Act enforcement explainer today. The August 2, 2026 deadline — when high-risk AI obligations become legally enforceable across EU member states — is now five months out.

Most coverage of the EU AI Act focuses on governance structures, model risk classifications, and whether enforcement will actually be consistent across 27 countries. Those are real questions. But they're not where the operational problem lives for most companies.

The compliance gap that's going to cause the most damage isn't a strategy question. It's a documentation question. Specifically: who is maintaining your AI system's documentation after you deploy it?

What the enforcement picture actually looks like right now

The AI Act uses a hybrid enforcement model. High-risk AI systems are regulated at the national level — each member state designates its own market surveillance authorities who handle compliance assessment and can impose penalties.

Here's the catch: as of March 2026, only 8 of 27 EU member states have designated their single points of contact. The infrastructure for enforcement is still being built.

Some companies are reading this as a signal to wait. They shouldn't.

Uneven member state readiness doesn't eliminate exposure — it just makes exposure unpredictable. The companies that will get caught first are the ones deploying into regulated sectors (healthcare, HR, critical infrastructure, education) in member states that are further ahead in setting up their enforcement apparatus. And the ones that get caught with incomplete or outdated documentation won't have much of a defense.

Fines for high-risk failures run up to €15 million or 3% of global annual turnover, whichever is larger. For a mid-size enterprise, that's not an abstract number.

What high-risk AI documentation actually requires

The AI Act is specific about what documentation high-risk systems need. According to the official regulation text, providers must maintain:

• Technical documentation describing the system's purpose, design, and intended deployment context
• Data governance information — where training data came from, how it was selected and processed, and known limitations
• Human oversight mechanisms — what controls exist, who can intervene, and under what conditions
• Accuracy, robustness, and cybersecurity information — including test results and performance evidence
• Post-market monitoring procedures — how the system is tracked after deployment

That last one gets under-discussed. The regulation doesn't just require documentation at launch. It requires ongoing monitoring and documentation updates as the system operates in the real world.

This is where most compliance programs break down.

The drift problem: when documentation becomes false

Think about how high-risk AI systems actually work in practice. A healthcare AI for clinical decision support gets deployed in January. The documentation package is assembled, reviewed, and submitted. It's accurate at the time.

Then, three months in, the underlying model gets updated. The training data shifts. A new integration is added. Performance on a particular patient subgroup drops. None of these changes automatically update the documentation.

By April, the technical documentation describes a system that no longer exists.

This isn't a hypothetical. It's the default trajectory for any AI system that isn't managed with documentation as a first-class concern. The readiness gap for enterprise AI is already significant — and most organizations haven't designed their AI programs around documentation maintenance at all.

The EU AI Act calls this "post-market monitoring," but the reality is simpler and harder: your compliance documentation can become legally false without anyone in your organization noticing.

Three ways documentation goes wrong

Classification happens too late. Many companies still haven't systematically inventoried whether their deployed AI systems qualify as high-risk under the Act. High-risk categories include AI used in hiring, credit scoring, education, healthcare, critical infrastructure, and others. An HR screening tool deployed two years ago and quietly updated since then may now qualify — and nobody has done the paperwork.

Documentation is treated as a one-time deliverable. Legal and compliance teams assemble the initial documentation package, check it off the list, and move on. Nobody owns the ongoing job of keeping it accurate. When auditors arrive, the documentation describes a system that has since been modified, retrained, or redeployed into new contexts.

Performance claims go stale. The Act requires accuracy and robustness documentation. If a system was tested on a specific dataset at deployment and that dataset no longer reflects current operating conditions, the performance claims in the documentation are potentially misleading. The FTC has already taken action against companies whose AI tools produced wrong answers in consumer-facing contexts — EU regulators are watching the same problem through a compliance lens.

The harder question: who owns this?

The documentation maintenance problem is partly technical and partly organizational. Most enterprises don't have a clear owner for the job of keeping AI system documentation current as systems evolve.

Legal owns the initial compliance assessment. Engineering owns the system. Product owns the roadmap. Nobody owns "update the technical documentation when the model gets retrained."

This organizational gap is what turns a solvable problem into a liability. The fix isn't complicated in principle: version-controlled documentation that updates when the system changes, contradiction detection when new configurations conflict with existing compliance claims, and an audit trail that shows what changed and when.

What makes it operationally hard is that it requires treating compliance documentation the same way good engineering teams treat code — as something that needs active maintenance, not a file you archive and forget. AI agent governance more broadly has a similar blind spot around knowledge accuracy, and the EU AI Act is going to expose it in regulated sectors first.

For companies building on RAG or document-grounded AI systems, this is where a knowledge management platform earns its place in a compliance stack. Not as a compliance tool specifically, but as infrastructure that makes it possible to maintain accurate, current, auditable documentation at all — rather than relying on someone to remember to update a PDF when the system changes.

What to watch before August

The next five months will see continued pressure on several fronts. Member states that have designated their enforcement authorities will start making noise about expectations. Regulated sectors — particularly healthcare and financial services — are likely to see early guidance from national regulators. The European AI Board will issue more implementation clarifications.

Companies that wait for all of this to settle before starting documentation work will run out of runway. The August 2 deadline doesn't care about the enforcement patchwork. If your high-risk AI documentation is incomplete or out of date on August 2, that's a fact that exists independently of how many member states have finished standing up their audit machinery.

The least glamorous part of EU AI Act compliance is also the most operational. Getting documentation right once is hard. Keeping it accurate as systems change is a process problem, and five months is not a lot of time to build one from scratch.