AI interaction disclosure
Find chatbots, assistants, copilots, and agent surfaces where users are not told they are interacting with AI.
Compliance readiness
Scan your codebase for Article 50 transparency, disclosure, inventory, and evidence gaps under the updated 2026 EU AI Act timeline. Free read-only scan, evidence-ready JSON, free registry upload.
Updated Jun 22, 2026
By August 2, 2026, Article 50 transparency obligations start to apply. Under the May 2026 Digital Omnibus political agreement, high-risk obligations move to later dates: December 2, 2027 for Annex III systems and August 2, 2028 for Annex I product-embedded systems. The agreement is provisional until formal adoption and publication in the Official Journal.
Create a free account to copy the scanner prompt into your code agent. It will produce an AI inventory, Article 50 transparency gaps, upcoming high-risk review items, and an evidence-ready JSON report.
Most companies do not fail AI governance because they lack a policy. They fail because nobody can prove what AI systems are running, what those systems can do, when users were notified, which actions were reviewed, and where the evidence lives.
This page was updated on June 22, 2026 to reflect the May 2026 Digital Omnibus political agreement. The changed high-risk dates are provisional until formal adoption and publication in the Official Journal, so treat this as implementation planning, not legal advice.
This page is not a legal certification checklist. It is an operational readiness scan for the code, workflows, and agents that create EU AI Act exposure.
The European Parliament and Council reached a provisional political agreement on May 7, 2026 to simplify parts of the AI Act implementation timeline. The agreement does not repeal the AI Act. It moves the main high-risk obligation dates while leaving near-term transparency work in place.
As provisionally agreed, the high-risk regime moves to fixed later dates: December 2, 2027 for standalone Annex III high-risk AI systems, and August 2, 2028 for high-risk AI systems embedded in regulated products under Annex I. These amendments take legal effect only after formal adoption and publication in the Official Journal.
| Date | What applies | Planning tier |
|---|---|---|
| February 2, 2025 | Prohibited practices and AI literacy. | In force |
| August 2, 2025 | GPAI model obligations and AI governance infrastructure. | In force |
| August 2, 2026 | Article 50 transparency: disclose AI interactions and relevant AI-generated content. | Active / due now |
| December 2, 2026 | Machine-readable marking grace for some existing AI-generated content systems and new nudifier/CSAM prohibition. | Near-term |
| December 2, 2027 | High-risk Annex III obligations, such as recruitment, credit, education, employment, biometrics, and essential services. | Upcoming |
| August 2, 2028 | High-risk Annex I obligations for AI embedded in regulated products. | Upcoming |
The August 2, 2026 workstream is mainly transparency and evidence. Teams should know where AI interacts with people, where AI-generated content appears, whether users are told they are interacting with AI, and whether those disclosures are logged.
The scanner therefore treats Article 50 disclosure and transparency gaps as active. It also keeps prohibited-practice and GPAI checks active because those obligations already apply.
Find chatbots, assistants, copilots, and agent surfaces where users are not told they are interacting with AI.
Find generated text, image, audio, video, or public-interest content without labeling, review, or publishing evidence.
Record user/session, agent, disclosure text, timestamp, channel, and disclosure version.
Keep prohibited-practice and GPAI usage checks visible because those obligations are already in force.
High-risk obligations did not disappear. Under the provisional Omnibus agreement, they moved. Annex III high-risk obligations are planned for December 2, 2027, and Annex I product-embedded high-risk obligations are planned for August 2, 2028.
That means high-risk candidates should not be scored as overdue for August 2, 2026 simply because they may require legal classification. They should be tracked as upcoming, assigned to legal or governance owners, and connected to the inventory and evidence program now.
Organizations needed inventory, ownership, approvals, and audit trails before the AI Act existed. The deferral changes the deadline, not the operational gap.
The practical question is still the same: which AI agents exist, who owns them, what can they access, which actions need review, and what evidence exists after something happens?
Teams with AI already in production should start with inventory, transparency checks, and evidence capture.
The EU AI Act applies in phases. By August 2, 2026, Article 50 transparency obligations start to apply for AI systems interacting with people or generating relevant synthetic content. High-risk obligations are now planned for later dates under the provisional Omnibus agreement.
This is not a blanket full high-risk compliance deadline for every chatbot. It is the point where invisible AI interactions and unlabeled AI-generated content become hard to defend.
Show and log when a user is interacting with AI or exposed to AI-generated content.
Record the agent, model, prompt, output, tool call, reviewer, decision, reason, timestamp, and final outcome.
Keep ownership, approval routing, escalation, rejection reasons, and signed callbacks ready before the later high-risk dates.
High-risk obligations depend on use case and are now planned for December 2027 or August 2028 under the provisional Omnibus timeline.
Article 50 is the EU AI Act section on transparency obligations for providers and deployers of certain AI systems. The operative duties for implementation planning are easiest to scan as concrete system behaviors.
Short official excerpt: "informed that they are interacting with an AI system". Use the EUR-Lex link below for the full Article 50 wording and legal context.
Full EU AI Act text on EUR-Lex · AI Act Service Desk timeline · European Commission AI Act overview · Council update on the May 2026 Omnibus agreement
The first useful scan should be small enough to run this week and concrete enough for legal, security, product, and engineering to act on.
These five gaps capture the largest EU AI Act exposure for most teams running AI in production.
Detect model calls, agent frameworks, workflow automations, AI endpoints, tools, workers, and provider dependencies.
Find chatbots, copilots, assistants, auto-replies, and customer-facing agents without disclosure text or disclosure logging.
Find generated emails, posts, documents, media, reports, and public-interest content without review, labeling, or publishing evidence.
Find sensitive actions like refunds, payments, CRM updates, database writes, external API calls, and HR/finance/legal decisions without approval gates. Not all agent actions need human review - only the ones your policy marks as sensitive.
Find AI actions where prompt, model, input, output, tool call, reviewer, reason, timestamp, affected user, or final outcome is missing.
| Scanner | Tier | Why it matters | Contro1 control to close the gap |
|---|---|---|---|
| AI System & Agent Inventory Scanner | Active | You cannot manage transparency or oversight for systems you have not mapped. | AI Agent Registry with owner, department, tools, permissions, systems, environment, and risk flags. |
| AI User Interaction Disclosure Scanner | Active - August 2, 2026 | Article 50 may require users to know when they interact with AI. Unlogged disclosure cannot be evidenced. | AI Disclosure Logging with user/session, agent, disclosure text, timestamp, channel, and disclosure version. |
| Synthetic Content / AI-Generated Output Scanner | Active / near-term | AI-generated public content may need disclosure, labeling, or human review. Some machine-readable marking requirements for existing systems have a December 2, 2026 grace period under the provisional Omnibus. | AI Content Governance with label required/not required, approval before publish, public-interest flags, synthetic media flags, and publishing audit trail. |
| Prohibited Practices Scanner | Active - February 2, 2025 | Certain AI practices are already prohibited and should be escalated immediately if detected. | Sensitive AI Use Escalation to legal, DPO/privacy, and governance owners with audit evidence. |
| GPAI Usage Scanner | Active - August 2, 2025 | Provider, model, endpoint, region, API key usage, embeddings, image/audio/video models, fine-tuning, self-hosted models, and GPAI dependencies. | AI Vendor & Model Registry with provider, model, purpose, data sent, owner, production/dev, customer-facing/internal, and risk category. |
| Human Approval Routing Scanner | Upcoming when tied only to high-risk classification | Sensitive agent actions still need traceable human review as an operating control, but high-risk AI Act obligations are not scored as overdue for August 2, 2026. | Human-in-the-Loop Approval Routing with role, department, SLA, quorum, escalation, rejection reason, signed callback, and evidence packet. |
| AI Audit Trail Scanner | Active evidence layer | Policies are not useful if evidence does not exist. Every AI action that matters needs a traceable, immutable record. | Agent Decision Audit Trail: every AI action gets a timeline. |
| Annex III High-Risk Candidate Scanner | Upcoming - December 2, 2027 | Recruitment, credit, education, employment, biometrics, essential services, and similar uses should be identified for legal classification. | AI Act Transparency Readiness Report and owner-assigned high-risk candidate review. |
| Annex I Product-Embedded High-Risk Scanner | Upcoming - August 2, 2028 | AI embedded in regulated products follows the later Annex I timeline under the provisional Omnibus. | AI Act Transparency Readiness Report and product/legal owner review. |
| Compliance Evidence Export | Active / upcoming | Detected systems, missing disclosures, missing approvals, missing logs, high-risk candidates, synthetic content flows, sensitive AI use, and recommended controls. | AI Act Transparency Readiness Report for legal, compliance, security, and product owners. |
The Contro1 AI Act Gap Scanner is a coding-agent skill. Paste it into your code agent after signing up, and it will inspect the codebase in read-only mode before proposing any changes.
The scanner creates two artifacts: a human-readable Markdown gap report and a structured JSON inventory (contro1-ai-act-inventory.json) that you upload straight into your free Contro1 AI Registry.
Get a free report of where your AI systems stand on active EU AI Act transparency work, and manage upcoming high-risk review tasks in one place. Free.
No credit card. Storing your inventory and tracking progress in Contro1 is free.
Copy the AI Act Gap Scanner skill and give it to your engineering team. Their code agent produces contro1-ai-act-inventory.json.
Open your Contro1 AI Registry and upload the JSON. It becomes a prioritised checklist of every gap.
Instantly see every gap, follow your progress over time, and assign each task to a person on your team to handle.
This scan is not legal advice, a conformity assessment, or a certification that your organization is compliant with the EU AI Act.
It is an operational readiness scan. It helps engineering, product, security, and legal teams find the AI systems, transparency gaps, approval gaps, and missing evidence that are usually absent before a formal AI governance review.
Legal classification of high-risk AI systems depends on the intended use case, deployment context, sector, and applicable law. The scanner marks high-risk candidates and gives your legal or governance team the evidence they need to review them.
EU AI Act readiness is not just a legal checklist. It is an operations problem.
Your teams need to prove which AI systems exist, who owns them, what they can do, when users were notified, when content was reviewed, when humans approved or rejected an action, and what evidence exists if something goes wrong.
Contro1 gives AI agents an operating standard: registry, disclosure logs, approval routing, escalation, signed callbacks, and audit evidence.
The goal is not to move legal classification into Contro1. Your governance and legal teams still own the policy. Contro1 makes the operational control path visible, routed, and auditable.
Run the free AI Act gap scan · Requests API reference · Webhooks reference
No. The EU AI Act has staged application dates and category-specific obligations. August 2, 2026 is when Article 50 transparency rules start to apply. Under the May 2026 Omnibus political agreement, high-risk Annex III obligations move to December 2, 2027 and Annex I product-embedded obligations move to August 2, 2028, pending Official Journal publication.
No. Contro1 provides operational controls and evidence for AI agent workflows. Legal compliance depends on the system, role, use case, jurisdiction, and governance program. Contro1 is not a conformity assessment tool and does not provide legal advice.
Yes. The model provider may have its own obligations, but your organization still needs to know where AI is used, what data is sent, how users are informed, and what evidence exists around AI actions and decisions.
No. Contro1 is designed to route only the actions your policy marks as sensitive: payments, refunds, publishing, account changes, HR decisions, legal or finance actions, database writes, or high-risk workflows. Low-risk actions can be logged as audit-only records without routing.
Contro1 can flag high-risk candidates based on use case signals found in the code, but your legal or governance team owns the final classification. The scanner marks candidates as upcoming review items unless it also finds an active Article 50, prohibited-practice, or GPAI gap.
Nothing during the scan. The skill operates in read-only mode first and produces Markdown and JSON artifacts. Implementation of any fix happens only after explicit approval from your team.
You upload the JSON inventory into your free Contro1 AI Registry, assign owners, mark gaps, activate disclosure logging, define approval policies, and start producing evidence packets. Each gap in the checklist maps to a Contro1 control you can activate.