EU AI Act and Shadow AI: Compliance Checklist for 2026

EU AI Act Overview: What Changes in 2026

The EU AI Act is the world's first comprehensive legal framework for artificial intelligence. Adopted in 2024, it establishes a risk-based regulatory approach that classifies AI systems into categories and imposes obligations proportional to the level of risk each system presents.

The enforcement timeline is staggered, with different provisions taking effect at different dates:

• February 2025: Prohibited AI practices become enforceable. This includes social scoring systems, manipulative AI, and certain biometric surveillance applications.
• August 2025: Obligations for general-purpose AI (GPAI) models take effect, including transparency requirements and technical documentation obligations for providers of foundation models.
• August 2026: The full regulatory framework for high-risk AI systems becomes enforceable. This is the deadline that will impact the largest number of organizations, as it includes requirements for AI systems used in employment, creditworthiness assessment, law enforcement, and critical infrastructure.

For organizations dealing with Shadow AI, the August 2026 deadline is critical. The EU AI Act requires organizations to maintain inventories of AI systems, conduct risk assessments, and ensure transparency in how AI is used. None of these obligations can be met if AI usage is invisible to the organization.

EU AI Act Penalty Tiers

The EU AI Act introduces a tiered penalty structure that reflects the severity of non-compliance. As defined in Article 99 of the regulation, the fines are among the most significant in European regulatory history:

Violation Type	Maximum Fine	Revenue Percentage
Prohibited AI practices	EUR 35 million	7% of global annual turnover
High-risk AI system violations	EUR 15 million	3% of global annual turnover
Incorrect information to authorities	EUR 7.5 million	1% of global annual turnover

The "whichever is higher" principle applies: organizations face either the fixed amount or the revenue percentage, depending on which produces the larger fine. For a company with EUR 1 billion in annual revenue, a prohibited practices violation could result in a fine of EUR 70 million (7% of turnover), far exceeding the EUR 35 million fixed cap.

These penalties are designed to be proportionate but dissuasive. For context, the GDPR's maximum fine is 4% of global annual turnover. The EU AI Act's 7% tier for prohibited practices represents a significant escalation in the EU's willingness to impose financial consequences for AI-related violations.

Why Shadow AI Makes EU AI Act Compliance Impossible

You Cannot Inventory What You Cannot See

Article 6 of the EU AI Act requires organizations to maintain a comprehensive inventory of all AI systems in use. This inventory must classify each system by risk level and document its intended purpose, data inputs, and operational context.

Shadow AI fundamentally undermines this requirement. When employees use ChatGPT, Claude, Copilot, Gemini, or other AI tools without organizational knowledge, those systems never appear in any inventory. The organization cannot classify what it does not know about, and it certainly cannot assess the risk of AI systems it has never evaluated.

Research from Gartner (2025) suggests that the average enterprise has 3-5x more AI tools in active use than IT is aware of. This means that most organizations' AI inventories are fundamentally incomplete, creating a compliance gap that no amount of manual auditing can close.

Risk Assessments Require Full AI Visibility

The EU AI Act mandates that organizations conduct risk assessments for AI systems, particularly those classified as high-risk. These assessments must evaluate the potential impact on fundamental rights, safety, and the environment.

Shadow AI makes meaningful risk assessment impossible. Consider a scenario where an HR department uses an unapproved AI tool to screen resumes. Under the EU AI Act, employment-related AI use is classified as high-risk and requires a conformity assessment, bias testing, and human oversight mechanisms. If the organization does not know the tool is being used, none of these protections are in place.

The risk is not hypothetical. According to a Salesforce survey (2024), 28% of employees using generative AI at work do so without their employer's knowledge. In regulated contexts, every one of these invisible uses represents a potential compliance violation.

Transparency Obligations Need Audit Trails

The EU AI Act imposes transparency obligations that require organizations to inform individuals when they are interacting with AI systems, particularly in contexts that could significantly affect them. Organizations must also maintain logs and audit trails that document how AI systems are used and the decisions they influence.

Shadow AI produces no audit trails. When an employee uses an unauthorized AI tool to draft a customer communication, generate a financial analysis, or make a hiring recommendation, there is no record of AI involvement. The organization cannot meet its transparency obligations because it has no documentation of where and how AI was used.

EU AI Act Compliance Checklist for Shadow AI

Organizations preparing for EU AI Act compliance must address Shadow AI as a foundational prerequisite. The following checklist provides a structured approach:

1. Conduct a complete AI inventory. Deploy discovery tools that identify all AI services being accessed from corporate networks and endpoints, including browser-based tools, IDE extensions, API integrations, and embedded AI features in approved SaaS platforms.
2. Classify each AI system by risk level. Map every discovered AI tool to the EU AI Act's risk categories: unacceptable risk (prohibited), high-risk, limited risk, or minimal risk. Pay special attention to AI used in HR, finance, legal, and customer-facing contexts.
3. Create transparency documentation. For each AI system in use, document its purpose, data inputs, decision-making scope, and the organizational processes it influences. This documentation is required for regulatory reporting.
4. Implement human oversight mechanisms. For high-risk AI systems, establish processes that ensure meaningful human review of AI-generated outputs before they are used in consequential decisions.
5. Establish data governance for AI. Define and enforce policies governing what data may be submitted to AI systems. This includes ensuring that personal data processed by AI tools complies with GDPR requirements.
6. Deploy continuous monitoring. Implement technical controls that provide ongoing visibility into AI tool usage across the organization. Point-in-time audits are insufficient; Shadow AI appears and evolves continuously.
7. Create an incident response plan for AI. Develop procedures for responding to AI-related incidents, including unauthorized data exposure through Shadow AI, biased AI outputs, and AI system failures.
8. Maintain comprehensive records. Establish systems for logging all AI interactions that could fall under regulatory scrutiny. These records must be available for inspection by national competent authorities.
9. Conduct conformity assessments. For high-risk AI systems, complete the required conformity assessment procedures, including testing for accuracy, robustness, cybersecurity, and non-discrimination.
10. Train employees on AI governance. Provide organization-wide training on approved AI tools, prohibited uses, data handling requirements, and the consequences of non-compliance under the EU AI Act.

How Organizations Are Preparing

Despite the approaching deadlines, many organizations are struggling to prepare for EU AI Act compliance, in large part because they lack visibility into how AI is actually being used within their operations.

According to Gartner (2025), 69% of enterprise leaders suspect that employees are using generative AI in ways that would violate corporate policy or regulatory requirements. This suspicion, combined with a lack of tools to confirm or deny it, leaves organizations in a precarious compliance position.

The most common preparation strategies include:

• Appointing AI governance officers who are responsible for overseeing AI compliance across the organization
• Establishing AI ethics committees that review and approve AI use cases before deployment
• Deploying Shadow AI detection tools that provide automated discovery and monitoring of AI usage
• Creating acceptable use policies that define which AI tools are approved and under what conditions
• Engaging external auditors to conduct independent assessments of AI compliance readiness

However, all of these strategies depend on a foundational capability: the ability to see and understand all AI usage across the organization. Without this visibility, governance frameworks operate on incomplete information, policies go unenforced, and compliance gaps remain hidden until a regulatory audit or data breach reveals them.

How Onefend Enables EU AI Act Compliance

Onefend's Anti-Shadow AI platform provides the foundational visibility layer that EU AI Act compliance requires. By operating at the network and endpoint level, Onefend discovers and monitors all AI tool usage across the organization, creating the complete AI inventory that serves as the starting point for every compliance obligation.

Specific capabilities that support EU AI Act compliance include:

• Automated AI discovery: Onefend identifies all AI services being accessed from corporate networks, including tools that employees use without IT knowledge. This creates the comprehensive AI inventory required by Article 6.
• Continuous audit trails: Every interaction with AI tools is logged and documented, providing the transparency records required for regulatory reporting and inspection.
• Data Loss Prevention (DLP): Onefend's DLP engine detects and prevents the transmission of personal data, regulated information, and sensitive content to AI services, supporting GDPR and EU AI Act data governance requirements.
• Risk classification support: By providing detailed information about how each AI tool is being used, Onefend helps organizations classify AI systems into the appropriate EU AI Act risk categories.
• Compliance reporting: Onefend generates reports that map directly to EU AI Act requirements, simplifying the documentation and reporting process for compliance teams.

The EU AI Act's compliance deadlines are approaching, and the window for preparation is closing. Organizations that lack visibility into their AI usage today will face significant challenges when enforcement begins.

Request a demo to see how Onefend can help your organization prepare for EU AI Act compliance.