EU AI Act

Most Mid-Market Companies Cannot Name Every AI Tool in Their Stack. That Becomes a Problem on 2 August 2026.

The EU AI Act's main obligations land 2 August 2026. Most mid-market companies have added 6 to 12 AI-enabled tools to their stack in the last 18 months without cataloguing data exposure, risk classification, or review cadence. What an AI Vendor Exposure Map covers and why it has to exist before the enforcement window.

Ask the average mid-market CFO, COO, or CTO to list every AI-enabled tool currently in their organisation's stack. They will name three to five. The actual number is usually between six and twelve. The gap is not a knowledge problem. It is a structural problem: AI features get added to existing tools (HubSpot, Microsoft 365, Salesforce, Slack, Notion, Atlassian, Adobe) by the vendor, not by a procurement decision. They appear in the stack without an entry on the stack.

That gap becomes operationally material on 2 August 2026, when the main obligations of the EU AI Act start applying. For US companies with EU customer exposure, Nordic companies with EU operations, and any company that processes EU resident data, the enforcement window is real, and the regulator has not signalled lenience.

The artifact that resolves the gap is an AI Vendor Exposure Map. This post covers what the map contains, why it has to be in place before the August deadline, and how to build one in a week.

Why the stack drifts

Three patterns explain why most mid-market companies cannot inventory their AI exposure today.

Vendors are activating AI features inside already-approved tools. Microsoft Copilot inside Microsoft 365. HubSpot Breeze. Salesforce Einstein. Notion AI. Slack AI. These did not go through a fresh procurement review because the vendor was already in the stack. The AI feature inherited the existing review status, which usually does not address AI-specific risk.

Shadow AI is now a meaningful category. Individual employees signing up for ChatGPT, Claude, Perplexity, Otter, Gamma, Loom AI, or specialised vertical tools. Most companies do not have central visibility into these subscriptions. Total spend is small, but data exposure can be large.

Acquisitions and integrations multiply the stack. Any company that has acquired or integrated with another in the past 18 months has inherited that company's AI-enabled tools. Few post-acquisition integrations include an AI exposure audit.

The result is consistent across BRAGI engagements: when we run the inventory exercise, the ratio of actual to named tools is usually 3x. A CEO names 3 tools; the actual count is 9.

What goes in an AI Vendor Exposure Map

A useful vendor exposure map covers six columns per tool. The map is a working document, not a slide.

| Column | What it captures |
|---|---|
| Vendor and tool name | The specific AI-enabled tool, not the parent platform: "Microsoft 365 Copilot", not "Microsoft 365" |
| Function and owner | Which business function uses it (Sales, Marketing, Service, Finance, HR, Operations) and the named owner |
| Data classification | What categories of data the tool can access (employee personal data, customer personal data, financial data, trade secrets, third-party confidential) |
| EU AI Act risk classification | Prohibited, high-risk, limited-risk, minimal-risk, or general-purpose AI (GPAI). Most mid-market tools fall in limited or minimal, but the high-risk classification has expensive consequences when it applies |
| Vendor AI documentation status | Whether the vendor has published a model card, AI risk assessment, or conformance documentation that you can rely on |
| Internal review cadence | When the tool was last reviewed against AI governance criteria, who reviewed it, and when the next review is scheduled |

A map covering 10 to 15 tools fits on one page. The point is not comprehensive documentation. The point is operational visibility.

Why this matters before 2 August 2026

The EU AI Act has a tiered enforcement timeline. Three dates matter for mid-market planning.

2 February 2025 (already passed). Prohibited AI practices became enforceable. Social scoring, manipulative AI, untargeted facial scraping. Most mid-market companies are not exposed here, but the date establishes that enforcement is active.

2 August 2025 (already passed). GPAI provider obligations, governance structures, and penalty provisions began applying. Member states had to designate their competent authorities. Denmark moved first with Law No. 467, three competent authorities, and criminal penalties for breaches.

2 August 2026 (the operational deadline). The main body of obligations for high-risk AI systems, transparency requirements for limited-risk systems, and conformance documentation requirements all apply. This is the date most mid-market companies will need to be operationally ready for.

The penalty structure has weight. The top tier is up to 35M EUR or 7% of global annual turnover, whichever is higher, for prohibited practices. High-risk system violations top out at 15M EUR or 3%. Other violations at 7.5M EUR or 1%. Even at the lowest tier, a small breach on a multi-tool stack can move into seven-figure exposure quickly.

The current Danish regulator readiness signal is also worth noting. 8 of 27 EU member states are operationally ready for enforcement, per recent McKinsey survey work. The other 19 are behind, but ready or not, the enforcement date does not move.

What a high-quality map enables

The map itself is the artifact, but it enables three operational moves that a stack without a map cannot make.

Targeted remediation. When the map flags a tool as high-risk under the EU AI Act and the vendor documentation is insufficient, remediation can be scoped (find a replacement, request additional documentation from the vendor, implement compensating controls, or retire the tool). Without the map, remediation is unscoped and tends to expand into "we need to audit everything", which stalls.

Vendor consolidation pressure. Most mid-market companies have stack overlap. Two tools that do similar things. The map surfaces this and creates the case for consolidation, which typically saves 15-30 percent of annual AI tool spend without losing capability.

Governance cadence. A map with review-cadence columns becomes the operational artifact for an AI governance function (whether owned by a CAIO, the CIO, or a cross-functional committee). Without the map, governance has nothing to govern against.

How to build one in a week

The exercise is faster than most CFOs expect. The blockers are organisational, not technical.

  1. Pull the procurement and finance data. Every SaaS subscription line item, every credit card recurring charge, every annual contract renewal. This produces the universe of tools, not just the AI-enabled ones.
  2. Filter for AI exposure. For each tool, mark whether it has AI features active. Most vendor sites publish this on their AI or trust pages. For tools that have AI in some plans only, mark the plan level your company is on.
  3. Add shadow AI. Survey the heads of each function on which AI tools their team uses that are not on the procurement list. Make it non-punitive. Most shadow tools are productivity-positive; the goal is visibility, not enforcement.
  4. Score each tool on the six columns. This takes a working day with the right people in a room (Finance, IT, Procurement, plus function heads).
  5. Assign owners and next review dates. Every tool gets a named owner and a calendar entry for the next review. If a tool has no owner, that is itself a finding.

The output is a one-page operating artifact. The process is structured but not difficult. The hardest part is usually getting the right people in the same room.

What this means in practice

For a mid-market company with EU customer exposure (the most common Bragi ICP), there are three near-term moves.

  1. Build the AI Vendor Exposure Map before end of Q3 2026. That gives one quarter of slack before the 2 August 2026 deadline lands, which is enough to remediate the typical 1 to 3 high-risk flags that surface in the average mid-market stack.
  2. Assign a named owner per AI-enabled tool. No owner means no accountability when the regulator asks. This step alone closes the most common governance finding.
  3. Establish review cadence. Every tool gets reviewed at least annually, high-risk tools every 6 months, GPAI dependencies after every major model version change. The cadence is the governance.
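As an added illustration (not part of this post or of any BRAGI deliverable), the following Python checker represents each row of the six-column exposure map and applies the ownership and review-cadence rules above to a constructed inventory. Tool names, owners, dates and model versions are made up, the 6-month interval is approximated as 182 days, and "major model version change" is read as a change in the leading version number.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Cadence rule from the post: annual by default, every 6 months for high-risk,
# and GPAI dependencies re-reviewed after every major model version change.
INTERVAL_DAYS = {"high-risk": 182}  # everything else defaults to 365 days

@dataclass
class AITool:                      # one row of the six-column exposure map
    name: str                      # the specific AI-enabled tool, not the parent platform
    function: str                  # business function using it
    owner: str | None              # named owner; None is itself a finding
    data_classes: tuple[str, ...]  # data categories the tool can reach
    risk_class: str                # prohibited / high-risk / limited-risk / minimal-risk / gpai
    vendor_docs: bool              # usable vendor AI documentation exists
    last_review: date | None       # last internal governance review
    reviewed_model_version: str | None = None  # GPAI only
    current_model_version: str | None = None   # GPAI only

def major(v: str | None) -> str | None:  # leading component of a version string
    return None if v is None else v.split(".")[0]

def findings_for(tool: AITool, today: date) -> list[str]:
    out = []
    if tool.risk_class == "prohibited":
        out.append("prohibited practice: retire the tool")
    if tool.owner is None:
        out.append("no named owner")
    if tool.risk_class == "high-risk" and not tool.vendor_docs:
        out.append("high-risk tool without usable vendor AI documentation")
    if tool.last_review is None:
        out.append("never reviewed")
    elif (due := tool.last_review + timedelta(days=INTERVAL_DAYS.get(tool.risk_class, 365))) < today:
        out.append(f"review overdue since {due.isoformat()}")
    if tool.risk_class == "gpai" and major(tool.reviewed_model_version) != major(tool.current_model_version):
        out.append("GPAI major model version changed since last review")
    return out

def audit(inventory: list[AITool], today: date) -> dict[str, list[str]]:
    # Tool name -> findings, listing only tools that need action.
    return {t.name: f for t in inventory if (f := findings_for(t, today))}

# Constructed sample inventory: illustrative tools, owners and dates, not client data.
SAMPLE = [
    AITool("Microsoft 365 Copilot", "Operations", "COO", ("employee personal data",), "limited-risk", True, date(2025, 9, 1)),
    AITool("CV screening add-on", "HR", None, ("employee personal data",), "high-risk", False, date(2025, 11, 15)),
    AITool("Hosted LLM API", "Engineering", "CTO", ("customer personal data",), "gpai", True, date(2026, 1, 10), "4.0", "5.1"),
]
AS_OF = date(2026, 8, 1)  # the day before the main obligations apply

def run_sample() -> dict[str, list[str]]:
    return audit(SAMPLE, AS_OF)
```

Running `run_sample()` reports nothing for the Copilot row, three findings for the unowned high-risk tool (no owner, no vendor documentation, review overdue), and one for the GPAI dependency whose major model version moved from 4 to 5.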

The companies that have this map in place before Q4 2026 will look operationally prepared to anyone who asks (regulators, customers in procurement reviews, board members on the risk committee). The companies that do not will spend Q4 in fire-drill mode.

How Bragi helps

The AI Vendor Exposure Map is one of the standard outputs of the four-week BRAGI Assessment. The assessment scores where AI activity currently sits across the five operating dimensions and produces three structural artifacts: a scored baseline, a prioritised opportunity recommendation, and the AI Vendor Exposure Map with EU AI Act risk classifications.

For companies that have already done a vendor inventory but need the EU AI Act risk overlay specifically, the heatmap can be scoped as a standalone two-week engagement.

Take the next step

If your company has not catalogued AI vendor exposure against EU AI Act risk classifications, the highest-leverage first step is the map. Build it now while Q3 2026 still gives remediation slack before the 2 August deadline lands.


Sources

  • EU AI Act, Regulation (EU) 2024/1689, official enforcement timeline (2 August 2026 main obligations)
  • Danish AI Act, Law No. 467 (first EU member state implementation)
  • EU AI Act penalty structure (up to 35M EUR or 7 percent global turnover for prohibited practices)
  • McKinsey 2025 survey on EU member state regulator readiness (8 of 27 ready)
  • BRAGI engagement observations on mid-market AI vendor stack inventory gaps (typical 3x named-vs-actual ratio)