
Code-Level AI Governance · Part 3

The EU AI Act applies to you through your buyers, not Brussels

By Mike Carroll

If you are a US-based SaaS founder, you have probably heard about the EU AI Act and decided it does not apply to you.

It does. Not because you have offices in Europe. Because your enterprise buyers are already building their procurement requirements around it, and when they ask for your AI governance and you cannot show it, the deal dies quietly.

I have been through this exact cycle three times in thirty years. GDPR did not just change European data handling. It changed procurement everywhere. The EU AI Act is running the same playbook, faster.

The ripple, in plain terms

A regulation passes in one jurisdiction. Enterprise legal reads it and decides it is cheaper to hold every vendor to the higher standard than to run two tiers of due diligence. Within roughly eighteen months, those requirements land in procurement questionnaires worldwide.

GDPR did this with data privacy. US companies said “does not apply to us” right up until their largest customer said “it applies to us, so now it applies to you.”

It is happening again. Large-company security teams are adding AI-specific sections to vendor risk assessments and referencing EU AI Act concepts directly: risk classification, transparency, documentation. Even when everyone in the room is US-based. The questions are concrete:

  • How have you classified your AI systems by risk level?
  • What documentation do you keep about your AI models?
  • Do you maintain an AI inventory, and can we see it?

These are in questionnaires now. The buyer does not care that you are in Texas. They have their own risk posture to manage, which means holding their supply chain to the highest standard they answer to.

The timeline that drives the questions

Enforcement is staggered, and each milestone sends a procurement ripple.

Date        What takes effect                  What buyers start asking
Feb 2025    Prohibited practices banned        “Confirm you use none of them”
Aug 2025    Transparency rules active          “Show your AI transparency docs”
Aug 2026    High-risk requirements enforced    “Full conformity evidence for high-risk uses”
Aug 2027    All provisions apply               “Complete governance framework expected”

Penalties run up to 35 million euro or 7% of global turnover. Those numbers get a procurement team’s attention. But buyers are not waiting for the deadline. Preparing takes months, so they ask now to confirm their vendors are on the same trajectory.

What this looks like for a startup

You do not need a compliance team or a Big Four engagement. For a Series A through C company, the practical order is short.

Do now. Build your AI inventory: every model and provider in your product, written down. Better, scan the codebase so you get what is actually there instead of what you think is there. Classify each AI feature on the risk spectrum, because if you do not, the buyer’s risk team classifies it for you and defaults to the most conservative reading. Document your data flows: where customer data goes when it hits an AI API, whether the provider retains it, whether you have a DPA.
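The “scan the codebase” step above, as an added example (this is not the author’s tooling or anything from the post itself): a small Python scanner that reads source text for SDK imports, provider API hostnames, API-key environment variables and hard-coded model identifiers, then groups the evidence into one inventory record per provider. The provider signatures in SIGNATURES and the sample files in SAMPLE_FILES are constructed assumptions for the demonstration; extend the signatures for your own stack. Each record carries a risk_class of UNCLASSIFIED so the gap is visible until someone makes the classification call.

```python
"""Code-level AI inventory scanner (added example, not from the original post)."""
import json
import re
from pathlib import Path

# Provider signatures: assumed module names, API hosts, env vars and literals.
SIGNATURES = {
    "openai": {"imports": ("openai",), "hosts": ("api.openai.com",),
               "env": ("OPENAI_API_KEY",), "literals": ()},
    "anthropic": {"imports": ("anthropic", "@anthropic-ai/sdk"),
                  "hosts": ("api.anthropic.com",),
                  "env": ("ANTHROPIC_API_KEY",), "literals": ()},
    "google_gemini": {"imports": ("google.generativeai",),
                      "hosts": ("generativelanguage.googleapis.com",),
                      "env": ("GEMINI_API_KEY",), "literals": ()},
    # Bedrock is reached through boto3, so the service name is the tell.
    "aws_bedrock": {"imports": (), "hosts": (), "env": (), "literals": ("bedrock-runtime",)},
}

PY_IMPORT = re.compile(r"^\s*(?:from|import)\s+([\w.]+)")
JS_IMPORT = re.compile(r"(?:require\(|from\s+)['\"]([^'\"]+)['\"]")
MODEL_ARG = re.compile(r"\bmodel\s*[=:]\s*['\"]([\w.:/-]+)['\"]")
SOURCE_SUFFIXES = {".py", ".js", ".ts", ".tsx", ".go", ".rb", ".java"}

# Constructed sample files standing in for a small SaaS codebase.
SAMPLE_FILES = {
    "app/summarize.py": (
        "import os\n"
        "from openai import OpenAI\n"
        "client = OpenAI(api_key=os.environ['OPENAI_API_KEY'])\n"
        "resp = client.chat.completions.create(model='gpt-4o-mini', messages=msgs)\n"
    ),
    "services/triage.js": (
        "const Anthropic = require('anthropic');\n"
        "const client = new Anthropic({ apiKey: process.env.ANTHROPIC_API_KEY });\n"
        "const out = await client.messages.create({ model: 'claude-3-5-sonnet-latest', max_tokens: 512 });\n"
    ),
    "infra/embeddings.py": (
        "import boto3\n"
        "rt = boto3.client('bedrock-runtime', region_name='us-east-1')\n"
    ),
    # Raw HTTP call with no SDK: exactly the usage an engineer's memory misses.
    "lib/http_client.ts": 'const url = "https://api.openai.com/v1/embeddings";\n',
    "README.md": "Nothing to see here.\n",
}


def _module_matches(module, prefixes):
    """True if an imported module name belongs to one of the signature prefixes."""
    return any(module == p or module.startswith(p + ".") or module.startswith(p + "/")
               for p in prefixes)


def scan_source(path, text):
    """Return evidence findings for one file. Model hits carry provider=None
    and are attributed later by co-occurrence with provider evidence in the file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        modules = PY_IMPORT.findall(line) + JS_IMPORT.findall(line)
        for provider, sig in SIGNATURES.items():
            kinds = []
            if any(_module_matches(m, sig["imports"]) for m in modules):
                kinds.append("import")
            if any(h in line for h in sig["hosts"]):
                kinds.append("host")
            if any(e in line for e in sig["env"]):
                kinds.append("env")
            if any(lit in line for lit in sig["literals"]):
                kinds.append("literal")
            for kind in kinds:
                findings.append({"provider": provider, "kind": kind,
                                 "file": path, "line": lineno, "evidence": line.strip()})
        for model in MODEL_ARG.findall(line):
            findings.append({"provider": None, "kind": "model",
                             "file": path, "line": lineno, "evidence": model})
    return findings


def build_inventory(files):
    """Group findings from {path: text} into one record per provider."""
    inventory = {}
    for path, text in files.items():
        findings = scan_source(path, text)
        providers_here = sorted({f["provider"] for f in findings if f["provider"]})
        for f in findings:
            targets = [f["provider"]] if f["provider"] else (providers_here or ["unknown"])
            for provider in targets:
                entry = inventory.setdefault(provider, {"files": set(), "models": set(),
                                                        "evidence": [],
                                                        "risk_class": "UNCLASSIFIED"})
                entry["files"].add(path)
                if f["kind"] == "model":
                    entry["models"].add(f["evidence"])
                else:
                    entry["evidence"].append(f)
    for entry in inventory.values():  # make the record JSON-serialisable
        entry["files"] = sorted(entry["files"])
        entry["models"] = sorted(entry["models"])
    return inventory


def scan_tree(root):
    """Real-world entry point: scan every source file under a directory."""
    root = Path(root)
    files = {str(p.relative_to(root)): p.read_text(errors="replace")
             for p in root.rglob("*") if p.is_file() and p.suffix in SOURCE_SUFFIXES}
    return build_inventory(files)


if __name__ == "__main__":
    print(json.dumps(build_inventory(SAMPLE_FILES), indent=2))
```

Run it against a checkout with scan_tree("path/to/repo") and the output is the first draft of the inventory: provider, files, model identifiers and the line-level evidence a buyer’s risk team can check. The point of the lib/http_client.ts sample is that the raw HTTPS call to a provider shows up even though no SDK is imported, which is the difference between what is actually there and what the team remembers.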

Do soon. Map your inventory to NIST AI RMF, ISO 42001, and EU AI Act controls. That mapping is what turns a list into the governance brief buyers expect, evidence that you have thought about AI risk systematically rather than scrambling when the questionnaire lands. Then decide who approves new model deployments and write it down. It does not need to be heavy. It needs to exist.

Can wait. Formal ISO 42001 certification is still early, so track it without rushing. Bias testing matters for high-risk use cases and is not the first move for a limited-risk B2B product.

The cost is not deferred, it is multiplied

Every quarter you wait, two things happen. More prospects adopt AI-inclusive procurement, and the regulatory deadline gets closer. Start now and your governance story is ready when the questions hit. Wait, and you assemble it under deal pressure against a clock, which means doing it badly and paying more for the privilege.

The inventory is the thing blocking everything else, and it is also the fastest part. It takes hours, not weeks, if you read the code instead of polling your engineers’ memory.

I have watched the GDPR version of this movie, the SOC 2 version, and now the AI version. The plot does not change. So the real question is not whether the EU AI Act reaches you. It is whether your evidence is ready the day a buyer decides it does.

Part 3 of a three-part series. Start with Part 1, “You cannot secure the AI you never inventoried,” and Part 2, “Your SOC 2 dashboard cannot answer the AI question.”
