
Why the EU AI Act reaches GCC providers — and what to do now.

Extraterritorial scope, high-risk classifications and the 12-month preparation arc for GCC and Indian vendors.

Author: Regulatory Affairs · Published: Mar 2026 · Read time: 6 min · Format: Regulatory note
MAST Consulting Group · AI Governance (ISO 42001) practice

This regulatory note reads the rule as written, the supervisory expectations behind it, and the operational changes AI Governance (ISO 42001) programmes typically need to absorb. The framing is GCC- and India-first: where local supervisors interpret a global standard more strictly, that interpretation is called out.

Definition

The EU AI Act (Regulation 2024/1689, effective August 2024; high-risk obligations applying from August 2026) applies to any provider or deployer that places an AI system on the EU market or whose system's output is used in the EU — regardless of where the provider is established. GCC and Indian vendors supplying AI outputs (API calls, scored decisions, generated content) consumed by EU-based entities are therefore in scope. High-risk systems (Annex III categories) face conformity assessments, technical documentation (Article 11), and notified-body audits.

Why it matters

The pressure on AI Governance (ISO 42001) programmes is shifting in specific, observable ways:

  • Article 2(1)(c) explicitly covers providers outside the EU whose AI outputs affect EU persons — CBUAE-licensed fintechs with EU payment corridors or EU-based parent companies are directly exposed.
  • Annex III lists credit scoring, biometric identification and employment screening as high-risk; GCC banks and HR-tech vendors using these systems face conformity assessments and Article 9 risk-management obligations from August 2026.
  • Non-compliance penalties reach €30 million or 6% of global annual turnover (Article 99), which at typical GCC mid-market revenue (AED 200–500M) equates to AED 12–30M exposure.
  • EU financial institution clients are already inserting AI Act compliance warranties into vendor contracts; GCC SaaS providers without a documented readiness roadmap risk contract termination or exclusion from RFPs.

Evidence sources to capture

What an auditor or reviewer will sample for — wire each source into your evidence repository before the next review cycle:

  • Product inventory — AI system name, deployment geography, EU-nexus flag (output consumed by EU entity Y/N), Annex III category mapping.
  • Technical documentation package (Article 11) — system description, training methodology, accuracy metrics, intended purpose, foreseeable misuse.
  • Conformity assessment records — internal assessment checklist or notified-body audit report, CE declaration of conformity draft.
  • Contractual chain — data-processing agreements with EU deployers citing Article 25 obligations; sub-processor registers.
  • Post-market monitoring logs (Article 72) — performance drift reports, incident logs, corrective-action tickets.
  • Legal counsel opinion — extraterritoriality analysis, Annex III classification rationale, timeline to Article 26 obligations.

Recommended next actions

A 90-day plan, sequenced so each step produces evidence the next step depends on:

  • Day 0–30: Legal and Product Manager map all AI systems against Annex III categories; flag any system with EU-nexus; obtain legal opinion on extraterritorial exposure per Article 2(1)(c).
  • Day 31–60: For each high-risk system, AIMS Manager drafts Article 11 technical documentation outline and identifies whether a notified body or internal conformity assessment applies (Article 43).
  • Day 61–90: Engineering Lead implements Article 9 risk-management system requirements (logging, human oversight, accuracy thresholds) and drafts Article 13 transparency disclosures for end users.
  • Day 90+: Compliance Officer registers the organisation as an EU AI Act-compliant provider via the EU database (Article 71) and prepares for notified-body engagement where mandatory.
  • Ongoing: Monitor Commission delegated acts and GPAI model guidance; reassess classification annually or on material product change.

Example metrics

Instrument these and report them monthly to the executive sponsor; sustained adverse trends become board-level conversations:

  • Annex III classification completion: 100% of AI products classified (high-risk / limited-risk / minimal-risk) within 30 days.
  • Technical documentation readiness: Article 11 documentation drafted for 100% of high-risk systems 6 months before the August 2026 obligations date.
  • Conformity assessment lead time: notified-body engagement initiated ≥9 months before target market date for mandatory-assessment systems.
  • Contractual coverage: ≥95% of EU-facing contracts include AI Act compliance clauses within 60 days of legal review.
  • Post-market monitoring: performance drift reports generated monthly; incidents reported to market surveillance authority within 15 days per Article 73.

What the rule actually says

Read against the EU AI Act timeline (general-purpose AI model obligations are already live), ISO/IEC 42001 (AI management system) and NIST AI RMF 1.0, the operative text lands in three places: the human-oversight design, the model card or system card, and the AI policy.

Where the regulator has chosen prescriptive language, the room for interpretation is narrow — the safer position is to mirror the language in policy. Where the language is outcome-based, the practice has to evidence the outcome, not the activity.

  • Scope. Confirm which entities, systems and data are in the regulated population. Most disputes begin here.
  • Required artefacts. Identify the documents the regulator expects to exist and the cadence on which they must be refreshed.
  • Evidence of operation. Map each requirement to a control owner, an evidence source and a review frequency before the next supervisory cycle.

Pitfalls we keep seeing

Across MAST Consulting Group's AI Governance (ISO 42001) portfolio, the same recurring failure modes show up cycle after cycle. None are exotic; all are expensive when they reach the audit report.

  • Pattern: data lineage that breaks at the embedding store.
  • Pattern: shadow AI use cases that never reached the intake.
  • Pattern: model cards that document the model but not the deployed system.
  • Pattern: no human-oversight design for high-risk use cases.

What good looks like in each case: the same control evidenced inside the workflow it governs, not separately for the audit.

Tooling we actually reach for

MAST Consulting Group is deliberately tool-agnostic, but in practice the same shortlist keeps appearing on AI Governance (ISO 42001) engagements because the integrations are cheap and the evidence is defensible:

  • Model registries (MLflow, SageMaker Model Registry, Vertex).
  • Evaluation harnesses (Ragas, DeepEval).
  • Policy-as-code for model guardrails.

None of these is chosen because it is fashionable; each is used because the audit trail it generates is one the reviewer accepts on the first ask.

How MAST Consulting Group can help

MAST Consulting Group runs AI Governance (ISO 42001) programmes for banks, insurers, healthcare networks, payments providers, telcos and government entities across the UAE, KSA, India and the wider GCC. We bring Lead Practitioners, sector specialists, and a working library of policies, risk methodologies and evidence templates that have passed audit at firms recognisable to your board.

If anything in this regulatory note is relevant to a programme you are scoping or rescuing, the fastest next step is a 30-minute working session with the practice lead. We will look at your specific situation, share what we have seen work for AI Governance (ISO 42001) programmes at similar scale, and tell you honestly if the work is something you should bring to us or run in-house.

AI Governance · ISO 42001

Govern AI without slowing it down.

Stand up an AI management system aligned to ISO 42001, ISO 23894 and the NIST AI RMF — with evidence packs your auditors and procurement teams accept.

  • AI risk register and use-case intake
  • Model evaluation and incident response playbooks
  • ISO 42001 readiness diagnostic

Prefer email? info@mastcgroup.com
