Compliance readiness

EU AI Act readiness for AI agents and chatbots

Scan your codebase for transparency, disclosure, human approval, and audit trail gaps before August 2, 2026. Free read-only scan, evidence-ready JSON, free registry upload.

By August 2, 2026, Article 50 transparency obligations start to apply, and companies using AI in the EU need practical evidence: where AI runs, when users interact with AI, where AI-generated content appears, which actions require human review, and what audit trail exists. This is not a blanket full high-risk deadline for every company. It is a readiness moment for AI systems that are no longer invisible.

Run the free AI Act gap scanner

Create a free account to copy the scanner prompt into your code agent. It will produce an AI inventory, disclosure gaps, approval gaps, and an evidence-ready JSON report.

Start free scan

Key takeaways

August 2, 2026 is when Article 50 transparency obligations start to apply - not a blanket full high-risk deadline for every chatbot.
Most teams fail AI governance not because they lack a policy, but because nobody can prove what happened: which systems ran, when users were notified, which actions were reviewed, and where the evidence lives.
The first useful step is an inventory: know where AI runs, who owns it, what it can do, and what evidence currently exists.
Contro1 turns scan findings into operating controls: AI registry, disclosure logging, human approval routing, signed callbacks, audit trails, and evidence packets.

Why teams need to act now

Most companies do not fail AI governance because they lack a policy. They fail because nobody can prove what AI systems are running, what those systems can do, when users were notified, which actions were reviewed, and where the evidence lives.

This page is not a legal certification checklist. It is an operational readiness scan for the code, workflows, and agents that create EU AI Act exposure.

Who this page is for

This page is for teams that already have AI in production.

Customer support chatbots, sales assistants, internal copilots, and customer-facing agents
AI agents connected to tools, APIs, databases, CRMs, payments, or external services
AI-generated emails, reports, posts, documents, or public-interest content
Workflows where AI updates CRM records, triggers refunds, sends communications, or makes decisions affecting users

What August 2, 2026 means in practice

The EU AI Act applies in phases. By August 2, 2026, Article 50 transparency obligations start to apply for AI systems interacting with people or generating synthetic content. The European Commission and AI Act Service Desk both describe August 2, 2026 as the main application date for the regulation, with specific exceptions and later dates for some obligations.

This is not a blanket full high-risk compliance deadline for every chatbot. It is the point where invisible AI workflows become hard to defend.

Transparency

Show and log when a user is interacting with AI or exposed to AI-generated content.

Evidence

Record the agent, model, prompt, output, tool call, reviewer, decision, reason, timestamp, and final outcome.

Operational control

Route sensitive agent actions to the right human before execution - with escalation, rejection reasons, and signed callbacks.

Not full high-risk for everyone

High-risk obligations depend on use case: employment, credit, education, healthcare, biometrics, and essential services require deeper legal review.

Article 50: what to scan for

Article 50 is the EU AI Act section on transparency obligations for providers and deployers of certain AI systems. Because the official legal text is long, this page links to the full EUR-Lex source and summarizes the operative duties for implementation planning.

Short official excerpt: "informed that they are interacting with an AI system". Use the EUR-Lex link below for the full Article 50 wording and legal context.

AI systems that interact directly with people must be designed so people are informed that they are interacting with AI, unless this is obvious from context.
Providers of AI systems that generate synthetic audio, image, video, or text content must support machine-readable marking and detection where required.
Deployers must disclose deepfakes and certain AI-generated or manipulated content, including public-interest text unless human review/editorial responsibility applies.
Deployers of emotion recognition or biometric categorisation systems must inform exposed people, subject to exceptions and applicable law.

Full EU AI Act text on EUR-Lex · AI Act Service Desk timeline · European Commission AI Act overview

The five gaps every AI agent team should scan first

The first useful scan should be small enough to run this week and concrete enough for legal, security, product, and engineering to act on.

These five gaps capture the largest EU AI Act exposure for most teams running AI in production.

1. AI systems found

Detect model calls, agent frameworks, workflow automations, AI endpoints, tools, workers, and provider dependencies.

2. Missing user disclosures

Find chatbots, copilots, assistants, auto-replies, and customer-facing agents without disclosure text or disclosure logging.

3. AI-generated content without labeling or review

Find generated emails, posts, documents, media, reports, and public-interest content without review, labeling, or publishing evidence.

4. Sensitive agent actions without approval

Find sensitive actions like refunds, payments, CRM updates, database writes, external API calls, and HR/finance/legal decisions without approval gates. Not all agent actions need human review - only the ones your policy marks as sensitive.

5. Missing audit trail

Find AI actions where prompt, model, input, output, tool call, reviewer, reason, timestamp, affected user, or final outcome is missing.

Full scanner checklist

Scanner	Why it matters	Contro1 control to close the gap
AI System & Agent Inventory Scanner	You cannot manage transparency or oversight for systems you have not mapped.	AI Agent Registry with owner, department, tools, permissions, systems, environment, and risk flags.
AI User Interaction Disclosure Scanner	Article 50 may require users to know when they interact with AI. Unlogged disclosure cannot be evidenced.	AI Disclosure Logging with user/session, agent, disclosure text, timestamp, channel, and disclosure version.
Synthetic Content / AI-Generated Output Scanner	AI-generated public content may need labeling or human review. Without a review trail there is no evidence it was checked.	AI Content Governance with label required/not required, approval before publish, public-interest flags, synthetic media flags, and publishing audit trail.
Human Approval Routing Scanner	Sensitive agent actions need traceable human review before execution. A policy is not evidence - a signed approval record is.	Human-in-the-Loop Approval Routing with role, department, SLA, quorum, escalation, rejection reason, signed callback, and evidence packet.
AI Audit Trail Scanner	Policies are not useful if evidence does not exist. Every AI action that matters needs a traceable, immutable record.	Agent Decision Audit Trail: every AI action gets a timeline.
Policy Gap Scanner	Code paths where stated policies are not enforced at runtime, such as customer-facing messages without disclosure or public AI-generated content without review.	Policy-Based AI Controls that turn policies into runtime review, routing, and evidence.
Model & Vendor Usage Scanner	Provider, model, endpoint, region, API key usage, embeddings, image/audio/video models, fine-tuning, self-hosted models, and GPAI dependencies.	AI Vendor & Model Registry with provider, model, purpose, data sent, owner, production/dev, customer-facing/internal, and risk category.
Deepfake / Synthetic Media Risk Scanner	Image generation, image editing, video generation, voice cloning, avatar generation, face swap, synthetic spokesperson, and public synthetic media.	Synthetic Media Disclosure Workflow with required disclosure, approval, evidence, synthetic marking, and publishing trail.
Emotion Recognition / Biometric Categorisation Scanner	Face analysis, emotion detection, voice/face sentiment, age/gender estimation, biometric categorisation, identity matching, and employee/student monitoring.	Sensitive AI Use Escalation to legal, DPO/privacy, human approval, disclosure requirement, and audit trail.
Compliance Evidence Export	Detected systems, missing disclosures, missing approvals, missing logs, high-risk candidates, synthetic content flows, sensitive AI use, and recommended controls.	AI Act Readiness Report for legal, compliance, security, and product owners.

Run the free gap scan

The Contro1 AI Act Gap Scanner is a coding-agent skill. Paste it into your code agent after signing up, and it will inspect the codebase in read-only mode before proposing any changes.

The scanner creates two artifacts: a human-readable Markdown gap report and a structured JSON inventory (contro1-ai-act-inventory.json) that you upload straight into your free Contro1 AI Registry.

It does not change code unless you explicitly approve implementation later.
It marks uncertain legal classification as unclear and asks for customer/legal confirmation.
It maps each gap to the relevant Contro1 control and writes the exact recommended fix into the JSON item for that gap.

contro1-ai-act-inventory.json

{
  "ai_systems_found": [],
  "missing_user_disclosures": [],
  "ai_generated_content_without_labeling_or_review": [],
  "agent_actions_without_human_approval": [
    {
      "name": "Code Deployment Agent",
      "recommended_fix": "Create a Contro1 approval request before production deploys.",
      "contro1_control": "Human-in-the-Loop Approval Routing",
      "contro1_implementation": "Wrap the deploy tool call with risk_level, policy_trigger, action summary, target environment, reviewer requirement, and continuation.webhook_url."
    }
  ],
  "missing_audit_trails": [],
  "model_and_vendor_usage": [],
  "high_risk_candidates": [],
  "sensitive_ai_uses": [],
  "recommended_contro1_controls": []
}

Get a free report - and manage your team in one place

Get a free report of where your AI systems stand on the EU AI Act, and manage your organization’s compliance progress in one place. Free.

Create your free account

No credit card. Storing your inventory and tracking progress in Contro1 is free.

Run the scan skill

Copy the AI Act Gap Scanner skill and give it to your engineering team. Their code agent produces contro1-ai-act-inventory.json.

Upload the file here

Open your Contro1 AI Registry and upload the JSON. It becomes a prioritised checklist of every gap.

Track and assign

Instantly see every gap, follow your progress over time, and assign each task to a person on your team to handle.

Open your AI Registry

What this scan is not

This scan is not legal advice, a conformity assessment, or a certification that your organization is compliant with the EU AI Act.

It is an operational readiness scan. It helps engineering, product, security, and legal teams find the AI systems, transparency gaps, approval gaps, and missing evidence that are usually absent before a formal AI governance review.

Legal classification of high-risk AI systems depends on the intended use case, deployment context, sector, and applicable law. The scanner marks high-risk candidates and gives your legal or governance team the evidence they need to review them.

Fix these gaps with Contro1

EU AI Act readiness is not just a legal checklist. It is an operations problem.

Your teams need to prove which AI systems exist, who owns them, what they can do, when users were notified, when content was reviewed, when humans approved or rejected an action, and what evidence exists if something goes wrong.

Contro1 gives AI agents an operating standard: registry, disclosure logs, approval routing, escalation, signed callbacks, and audit evidence.

The goal is not to move legal classification into Contro1. Your governance and legal teams still own the policy. Contro1 makes the operational control path visible, routed, and auditable.

Run the free AI Act gap scan · Requests API reference · Webhooks reference

Frequently asked questions

Does every company need full high-risk AI compliance on August 2, 2026?

No. The EU AI Act has staged application dates and category-specific obligations. August 2, 2026 is when Article 50 transparency rules start to apply. High-risk system obligations and their full requirements depend on the system category, use case, and deployment context.

Does Contro1 make a company EU AI Act compliant?

No. Contro1 provides operational controls and evidence for AI agent workflows. Legal compliance depends on the system, role, use case, jurisdiction, and governance program. Contro1 is not a conformity assessment tool and does not provide legal advice.

Do I need this if I only use OpenAI or Claude through an API?

Yes. The model provider may have its own obligations, but your organization still needs to know where AI is used, what data is sent, how users are informed, and what evidence exists around AI actions and decisions.

Do all agent actions need human approval?

No. Contro1 is designed to route only the actions your policy marks as sensitive: payments, refunds, publishing, account changes, HR decisions, legal or finance actions, database writes, or high-risk workflows. Low-risk actions can be logged as audit-only records without routing.

Can Contro1 classify our AI system as high-risk?

Contro1 can flag high-risk candidates based on use case signals found in the code, but your legal or governance team owns the final classification. The scanner marks candidates as unclear if it cannot determine the classification from the code alone.

What does the scanner change in my code?

Nothing during the scan. The skill operates in read-only mode first and produces Markdown and JSON artifacts. Implementation of any fix happens only after explicit approval from your team.

What happens after the scan?

You upload the JSON inventory into your free Contro1 AI Registry, assign owners, mark gaps, activate disclosure logging, define approval policies, and start producing evidence packets. Each gap in the checklist maps to a Contro1 control you can activate.