routeur.ai · readiness checklist
EU AI Act readiness checklist for AI-using companies
Twelve yes/no questions to gauge where you stand. Tick each box honestly — every “no” is a place to start. Informational only; not legal advice.
Visibility
- [Y / N] Do you have an inventory of every AI tool and model in use across the business? Including shadow AI — tools adopted by teams without IT sign-off.
- [Y / N] Can you see which data flows into each AI system? Customer data, source code, PII, confidential documents.
Policy
- [Y / N] Do you have a written, communicated acceptable-use policy for AI? Covering what staff may and may not put into AI tools.
- [Y / N] Are PII and secrets blocked or masked before they reach a model provider? Technical enforcement, not just a policy document.
Logging & record-keeping
- [Y / N] Is every AI request logged with enough detail to reconstruct what happened? Model, inputs/outputs metadata, decision, timestamp, who triggered it.
- [Y / N] Are those logs tamper-evident and retained for a defined period? Append-only storage with a retention policy you can defend.
- [Y / N] Could you produce an audit trail for a specific user or system on request? Within a regulator's or customer's expected timeframe.
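The three logging items above describe one control: an append-only record per AI request, tamper-evident, retained for a defined period, and filterable per user. The block below is an added illustration of that control and is not routeur.ai's code; the field names, the hash-chaining scheme and the head-pruning retention design are this example's own assumptions. Records hold size and hash metadata rather than the raw prompt text, so the log itself does not become a second copy of the PII.

```python
"""Tamper-evident, append-only AI request log (added example, not routeur.ai code).

Each record carries the fields the checklist names (model, input/output
metadata, decision, timestamp, who triggered it). Records are chained by a
SHA-256 hash over the previous record's hash plus the record itself, so
editing, deleting or reordering any entry breaks verification. Expired
records are pruned from the head of the chain and the last pruned hash is
kept as an anchor, so enforcing retention does not break the chain.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

GENESIS = "0" * 64  # anchor hash for an empty chain


def _hash_text(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def _chain_hash(prev_hash: str, record: dict) -> str:
    # canonical JSON so the same record always hashes the same way
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return _hash_text(prev_hash + payload)


class AuditLog:
    def __init__(self, retention_days: int = 365):
        self.retention = timedelta(days=retention_days)
        self.anchor = GENESIS          # hash the chain currently starts from
        self.entries: list[dict] = []  # append-only: existing entries are never edited

    def append(self, *, actor: str, model: str, decision: str,
               prompt: str, completion: str, ts: Optional[datetime] = None) -> dict:
        ts = ts or datetime.now(timezone.utc)
        record = {
            "ts": ts.isoformat(),
            "actor": actor,        # who triggered the request (user or service id)
            "model": model,
            "decision": decision,  # gateway outcome, e.g. allowed / masked / blocked
            # store metadata (size + hash), not the raw text, to keep PII out of the log
            "input": {"chars": len(prompt), "sha256": _hash_text(prompt)},
            "output": {"chars": len(completion), "sha256": _hash_text(completion)},
        }
        prev = self.entries[-1]["hash"] if self.entries else self.anchor
        entry = {"prev": prev, "record": record, "hash": _chain_hash(prev, record)}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True if no entry has been altered, removed or reordered since it was written."""
        prev = self.anchor
        for entry in self.entries:
            if entry["prev"] != prev or _chain_hash(prev, entry["record"]) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def trail_for(self, actor: str) -> list[dict]:
        """Audit trail for one user or system, as a regulator or customer might request."""
        return [e["record"] for e in self.entries if e["record"]["actor"] == actor]

    def prune_expired(self, now: datetime) -> int:
        """Drop records older than the retention window, oldest first, keeping the chain valid."""
        cutoff = now - self.retention
        removed = 0
        while self.entries and datetime.fromisoformat(self.entries[0]["record"]["ts"]) < cutoff:
            self.anchor = self.entries.pop(0)["hash"]  # remaining chain now starts here
            removed += 1
        return removed


if __name__ == "__main__":
    log = AuditLog(retention_days=30)
    log.append(actor="alice", model="model-x", decision="allowed",
               prompt="summarise this ticket", completion="summary...")
    print("chain valid:", log.verify(), "| entries for alice:", len(log.trail_for("alice")))
```

In practice the anchor hash and the entries would live in write-once storage (an append-only object store or a WORM bucket), and `verify()` would be run on a schedule so that a broken chain is itself an incident, not something discovered during an audit.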
Vendor DPAs
- [Y / N] Do you hold a Data Processing Agreement with every model provider you use? And have you reviewed their retention and training-use terms?
- [Y / N] Have you confirmed no provider trains on your prompts without consent? Zero-retention / no-training modes enabled where available.
Data residency
- [Y / N] Do you know which regions your prompts are processed in? Both your own infrastructure and each upstream provider's.
- [Y / N] Can you keep traffic on EU endpoints where required? And fail closed when no compliant route is available.
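The policy item on masking PII and secrets before they reach a provider, the vendor item on no-training modes and the residency item on EU-only routing that fails closed are all enforced at the same point: the outbound gateway. The block below is an added example of such a gateway check and is not routeur.ai's code; the regex patterns, region names, endpoint catalogue and `.invalid` URLs are constructed for illustration, and a production gateway would use a vetted PII detector and its real provider list.

```python
"""Outbound AI gateway check: mask PII/secrets, then route only to a compliant
endpoint and fail closed (added example, not routeur.ai code).

Patterns, region names and endpoints below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Sequence

# Constructed detectors: good enough to show the control, not a complete PII scanner.
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
CARD = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SECRET = re.compile(r"(?i)\b(api[_-]?key|secret|password|token)\s*[:=]\s*\S+")


def mask(text: str) -> str:
    """Replace PII and credentials with placeholders before text leaves the company."""
    text = EMAIL.sub("[EMAIL]", text)
    text = CARD.sub("[CARD]", text)
    text = SECRET.sub(lambda m: f"{m.group(1)}=[SECRET]", text)
    return text


@dataclass(frozen=True)
class Endpoint:
    provider: str
    region: str        # where prompts are processed, as confirmed with the provider
    url: str
    no_training: bool  # zero-retention / no-training mode confirmed in the DPA


class NoCompliantRouteError(RuntimeError):
    """Raised instead of sending the prompt anywhere: the gateway fails closed."""


EU_REGIONS = frozenset({"eu-west-1", "eu-central-1", "eu-north-1"})  # constructed region names


def choose_endpoint(endpoints: Iterable[Endpoint], allowed_regions=EU_REGIONS,
                    require_no_training: bool = True) -> Endpoint:
    """First endpoint that satisfies both residency and DPA policy, else fail closed."""
    for ep in endpoints:
        if ep.region in allowed_regions and (ep.no_training or not require_no_training):
            return ep
    raise NoCompliantRouteError("no endpoint satisfies residency/DPA policy; request not sent")


def prepare_request(prompt: str, endpoints: Sequence[Endpoint]) -> dict:
    """Build the outbound call: masked prompt plus the compliant endpoint it will go to."""
    endpoint = choose_endpoint(endpoints)  # raises before any data leaves if nothing is compliant
    masked = mask(prompt)
    return {
        "url": endpoint.url,
        "provider": endpoint.provider,
        "region": endpoint.region,
        "prompt": masked,
        "was_masked": masked != prompt,  # worth recording as the "decision" in the audit log
    }


# Constructed catalogue; the .invalid TLD guarantees these are placeholders.
CATALOGUE = [
    Endpoint("provider-a", "us-east-1", "https://us.provider-a.invalid/v1", True),
    Endpoint("provider-a", "eu-central-1", "https://eu.provider-a.invalid/v1", False),
    Endpoint("provider-b", "eu-west-1", "https://eu.provider-b.invalid/v1", True),
]

if __name__ == "__main__":
    print(prepare_request("Contact jane.doe@example.com, api_key=sk-test-123", CATALOGUE))
```

The ordering matters: the route is chosen before the prompt is touched, so a prompt with no compliant destination is never processed or sent, and masking happens inside the company boundary rather than being delegated to the provider.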
Incident response
- [Y / N] Do you have a plan for an AI-related incident? Data leak via a prompt, harmful output, runaway cost — who acts, and how fast.
Disclaimer. This checklist is informational and is not legal advice. The EU AI Act interacts with GDPR and sector-specific rules in ways that depend on your circumstances. Use it to frame a conversation with your own legal and compliance advisers.
© routeur.ai — operated by Oliver Tappin Ltd.