AI Act 2026 Checklist for Chatbots, HR Tools, and Internal AI Workflows
The AI Act is not only a topic for model providers and large technology companies. It also affects regular companies using AI in customer communication, HR, internal workflows, marketing, and decision processes.
The practical first step is not an 80-page legal memo. It is an AI register: a list of tools, purposes, data, owners, vendors, risks, logging, and human review. Without that list, a company often does not even know what needs to be assessed.
This article is not legal advice. It is a technical and organizational checklist for management, IT, and product owners.
Timeline to know
The European Commission states that the AI Act entered into force on 1 August 2024. Full application is planned from 2 August 2026, with exceptions and transition periods. Prohibited practices and AI literacy obligations started applying from 2 February 2025. GPAI model rules started applying from 2 August 2025. Some high-risk systems embedded into regulated products have a longer transition period.
It also matters that the European Commission proposed simplification measures in 2025. Companies should follow current guidance rather than relying on a single outdated PDF.
Which AI uses to check first
Start where AI talks to people, processes personal data, or may influence a decision.
Typical areas:
- website or app chatbot,
- AI in customer support,
- HR screening, CV ranking, or worker management,
- internal agent with access to CRM, ERP, email, or documents,
- generated marketing content, images, voice, or video,
- scoring of customers, priorities, risks, or access to a service.
HR deserves special attention. If you use AI in hiring or employment, read our article on the AI Act and high-risk HR AI.
AI register as the minimum
| Item | What to record |
| ------------ | --------------------------------------------------- |
| Tool name | for example web chatbot, CRM agent, HR screening |
| Owner | business owner and technical owner |
| Purpose | what the tool does and why |
| Data | inputs, personal data, sensitive data, sources |
| Vendor | custom solution, SaaS, API provider, model provider |
| Users | employees, customers, candidates, partners |
| Risk | low, medium, high, and why |
| Human review | where a person checks or approves output |
| Transparency | how the user is informed |
| Logging | what is logged and for how long |
| Status | idea, pilot, production, disabled |
An AI register is useful even outside compliance. Management can see where AI is duplicated, where data may leak, and where technical controls are missing.
Technical controls for an AI workflow
Ask these questions for every internal AI workflow:
- Does the tool have a clear owner?
- Is the purpose and scope documented?
- Do we know what data it processes?
- Is the user told when they interact with AI or when AI materially contributes to the output?
- Are permissions limited to the minimum?
- Are inputs, outputs, tools, and decisions logged?
- Can a person stop or change a risky output?
- Is there an incident process?
- Can the vendor provide documentation?
- Does the company have rules for generated content?
With custom software, these controls can be designed from the start. With SaaS tools, you need to ask what the vendor can actually provide.
What to do in the first 30 days
- Map all AI tools in the company.
- Assign an owner to every tool.
- Split use cases by risk.
- Mark AI used in customer interaction, HR, and decisions.
- Review vendors and data.
- Put risky agent actions behind approval.
- Add basic logging.
- Prepare rules for generated content.
- Train users on safe AI use.
- Choose one workflow to harden first.
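As an added example (not code from this article or from RISE), the Python sketch below implements two of the controls from the checklist and the 30-day list, "Put risky agent actions behind approval" and "Add basic logging", for an internal agent with CRM and email tools. The tool names, the risk policy and the audit record fields are assumptions; the owner and workflow name are meant to come from the AI register.

```python
# Added example (not RISE's code): an approval gate with an audit log for an
# internal AI agent's tool actions. Tool names, policy and log layout are assumed.
import json
from datetime import datetime, timezone

# Assumed policy: which tools the agent may call and whether a person must approve.
# A tool that is not listed here is denied by default (least privilege).
POLICY = {
    "crm.read_contact": {"risk": "low", "approval": False},
    "crm.update_deal": {"risk": "medium", "approval": True},
    "email.send": {"risk": "high", "approval": True},
}


class ActionGate:
    # Every tool call goes through request(); risky ones wait for decide().
    def __init__(self, workflow: str, owner: str, executor):
        self.workflow, self.owner, self.executor = workflow, owner, executor
        self.log: list[dict] = []                       # audit records, oldest first
        self.pending: dict[str, tuple[str, dict]] = {}  # request id -> (tool, args)

    def _record(self, tool: str, args: dict, decision: str, risk: str, approver=None) -> None:
        # One record per decision: which workflow and owner, what was asked, what happened.
        self.log.append({
            "ts": datetime.now(timezone.utc).isoformat(), "workflow": self.workflow,
            "owner": self.owner, "tool": tool, "args": args,
            "decision": decision, "risk": risk, "approver": approver,
        })

    def request(self, tool: str, args: dict) -> dict:
        rule = POLICY.get(tool)
        if rule is None:                                # unknown tool: log it and refuse
            self._record(tool, args, "denied", "unknown")
            return {"status": "denied"}
        if rule["approval"]:                            # park it until a person decides
            req_id = f"req-{len(self.log) + 1}"
            self.pending[req_id] = (tool, args)
            self._record(tool, args, "awaiting_approval", rule["risk"])
            return {"status": "awaiting_approval", "request_id": req_id}
        self._record(tool, args, "executed", rule["risk"])
        return {"status": "executed", "result": self.executor(tool, args)}

    def decide(self, req_id: str, approver: str, approved: bool) -> dict:
        tool, args = self.pending.pop(req_id)           # KeyError if unknown or already decided
        decision = "executed" if approved else "rejected"
        self._record(tool, args, decision, POLICY[tool]["risk"], approver)
        return {"status": decision, "result": self.executor(tool, args) if approved else None}

    def export_log(self) -> str:
        return "\n".join(json.dumps(r) for r in self.log)  # JSON Lines for a file or SIEM
```

The `executor` is whatever actually calls the CRM or mail API; the gate only decides whether and when it is called, and writes one audit line per decision.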
Where RISE can help
RISE does not act as legal counsel. Our value is in technical implementation: AI registers, logging, approval workflows, role management, secure integrations, audits of existing tools, and lower-risk pilot design.
Compliance without implementation stays a document. Implementation without governance is a risk. A company needs both. If you want to map your AI tools and add technical controls, start with AI automation or contact us.
Sources
- European Commission: AI Act
- AI Act Service Desk: Frequently Asked Questions
- European Commission: GPAI Code of Practice
FAQ
Does the AI Act apply to companies that only use AI?
Yes. Depending on the use case, deployers or users of AI systems may have obligations. The scope depends on purpose and risk category.
Are AI agents a separate category?
According to the AI Act Service Desk, AI agents are not a separate category. The rules depend on what the agent does and which risk category the use case falls into.
Does a chatbot need to be labelled as AI?
Systems that interact with natural persons need transparency. The exact wording and format depend on the implementation.
Is this legal advice?
No. This is a technical and organizational checklist. For legal assessment, involve a lawyer or compliance specialist.