The EU’s AI Act: do you have the knowledge to comply?

In nearly every enterprise marketing automation instance we’ve worked in, the same pattern shows up. Hundreds of active workflows across the marketing automation platform and CRM - scoring models, routing logic, nurture sequences, and data enrichment flows. Some have been running for years. When you ask who owns them, nobody knows for sure. 

 

These workflows touch prospect and customer data daily. They make decisions about how leads are scored and routed, which messages go to which people, and when. But there’s not often documentation, audit trails are murky, and no individual named owner.

 

This isn’t unusual. It’s the norm. And with the EU AI Act’s main provisions taking effect on 2 August 2026, it’s about to become a serious problem.

 

Enterprise AI governance programmes invest heavily at the strategic level - frameworks, policies, board-level oversight. What they’re not looking at is the operational layer: the automations and AI-assisted decisions that marketing teams have built incrementally over years, without documentation and without anyone who can explain what they do or why. When enforcement arrives, these teams will be asked to prove compliance for systems they barely know they have.

 

 

Strategic governance stops before it reaches the work

Most enterprise AI governance looks impressive from the top down. There’s a framework, a policy document, probably a committee. The NIST AI Risk Management Framework has been referenced. Responsible AI principles have been drafted and published. All necessary.

 

None of it reaches the place where AI is now actually being used.

 

The AI most enterprises should worry about isn’t the large language model someone in R&D is evaluating. It’s the lead scoring model configured by someone who has left. It’s the data enrichment flow pulling from a third-party source and writing values directly into CRM records without human review. It’s the AI-powered features bundled with the last platform upgrade, activated because someone saw them in a release note and thought they looked useful.

 

These systems make decisions. They act on personal data. They influence commercial outcomes. And in most organisations, they exist entirely outside the governance framework designed to manage exactly this kind of risk.

 

 

The EU AI Act timeline is not hypothetical

The EU AI Act entered into force on 1 August 2024 and has been rolling out in phases. Prohibited AI practices and AI literacy obligations applied from February 2025. Governance provisions and general-purpose AI model obligations kicked in last August. The main body of the Act - including transparency, documentation, and human oversight requirements - applies from 2 August 2026.

 

That’s four months away.

 

Most marketing automation won’t fall into the high-risk category. But this is where many enterprise leaders get the Act wrong. The transparency and documentation obligations apply more broadly, and the Act has extraterritorial reach - any company whose AI systems affect EU residents is within scope, regardless of where the company is headquartered. If your CRM contains European contacts and your workflows make automated decisions about them, the obligations apply to you.

 

The penalties aren’t symbolic. Prohibited practices carry fines of up to €35 million or 7% of global annual turnover, whichever is higher. Other infringements - including failures around transparency, documentation, and human oversight - reach €15 million or 3% of global turnover. Incorrect or misleading information to authorities: €7.5 million or 1%.

 

Member states have been designating competent authorities and market surveillance bodies. National enforcement capacity is being built out now. By the time the August 2026 deadline lands, the question "can you explain what your automated systems do, what data they use, and how decisions are made?" will have regulatory weight behind it.

 

For most Marketing Operations teams, the honest answer to that question today is no. Not because anyone is hiding something. Because nobody knows. The scoring model was configured two years ago and has never been reviewed. The territory routing changed last quarter, but the automation wasn’t updated. The enrichment flow’s data processing agreement may not cover its current use.

 

 

What closing the gap requires

Fixing this isn’t a six-month governance transformation. It’s unglamorous operational work that produces an inventory, a set of owners, and a documentation baseline.

 

Start with an operational audit. How many active workflows exist? What data do they consume? What decisions do they make? Which include AI-assisted components - predictive scoring, automated segmentation and AI-generated content? When were they last reviewed? For most workflows, that last answer is "never."

 

Assign ownership. Every active workflow needs a named person who can explain what it does and whether it’s still fit for purpose. Not one person owning everything - just someone accountable for each piece who’ll be the one answering questions when compliance or legal come calling.

 

Build a lightweight documentation standard. A one-page record per workflow: what it does, what data it uses, what decisions it makes, who owns it, when it was last reviewed. That’s enough to close the worst of the gap and provide a defensible foundation.

 

None of this is technically difficult. It’s organisationally difficult - it requires carving out time for work that doesn’t produce a campaign or a pipeline number. But the alternative is doing it reactively, under regulatory pressure, after an incident, without the luxury of choosing where to start.

 

 

The gap isn’t where leadership thinks it is

The AI governance conversation is happening at the wrong altitude. Board-level frameworks and strategic policy documents are necessary, but the automated decisions carrying the most operational risk are being made six layers below the governance committee, inside platforms nobody on that committee has ever logged into.

 

Marketing Ops is where this risk lives. Not because teams did anything wrong - they built what the business asked for, as fast as it was demanded. But the result is an operational layer that’s ungoverned, undocumented, and about to meet a regulatory environment that expects both.

 

Those hundreds of workflows aren’t going away. With the August 2026 deadline approaching, the question is whether someone maps them before they’re asked to explain them.

 

---

 

Margarita Savytska is a Marketing Executive at Sojourn Solutions, a Marketing Operations consultancy working with Enterprise clients across the UK, Europe and North America.

 

Main image courtesy of iStockPhoto.com and ismagilov