The EU AI Act Has Three Doors. Most US Companies Have Walked Through Two Already.

EU AI Act exposure for US companies usually arrives through vendor stacks, customer data flows, and product features that ship into the EU. Three doors, what they mean, and what to do about each one.

The EU AI Act applies to many US companies that assume it does not. Most of the time, exposure enters through three specific doors. Most US mid-market companies have already walked through two of them, often without noticing.

This post defines the three doors, explains what triggers each one, and lays out a practical first-week-of-work response. It is not legal advice; it is operating guidance for executives whose AI activity is already in motion.

The headline timing

The EU AI Act's main obligations on high-risk AI systems take effect on 2 August 2026. General-purpose AI model obligations are already in force. Penalties for breaches scale up to 35 million EUR or 7 percent of global annual turnover, whichever is higher. That penalty math is significant for any mid-market company with EU exposure.

The question is not whether the Act applies in principle. It is whether it applies to your specific operating reality. That depends on which doors you have walked through.

Door one: vendor tools in your stack that have added AI features

This is the most common door, and the easiest one to miss. Most companies built their tech stack in 2018-2023. Many of those vendors have added AI features in 2024-2026. Those features can put you into scope without any deliberate action on your part.

Examples that have shown up repeatedly in BRAGI vendor audits:

  • Your CRM or marketing platform has added an AI-assisted lead scoring or content generation feature
  • Your HR or ATS platform has added an AI candidate-ranking module
  • Your customer support platform has added an AI agent that talks to customers
  • Your observability or fraud detection vendor has rolled out an AI-driven decision feature
  • Your expense management or vendor risk platform has added AI-based anomaly detection

If your CRM is ranking inbound leads with AI and any of those leads are in the EU, you may be operating an AI system that falls under the Act's scope. Most companies do not have visibility into which of their vendor's features have AI components or how those features are classified.

First-week response. Inventory the AI features in every commercial software vendor you currently pay. For each, classify the feature against the Act's risk categories (unacceptable, high-risk, limited-risk, minimal-risk). Document the controls the vendor publishes. This is rarely documented anywhere in the business until someone makes it the priority.

Door two: customer or employee data that touches the European Economic Area

This door tends to be obvious in legal review and invisible in operating practice. The Act applies to any AI system that processes personal data of individuals in the EEA, regardless of where the company processing the data is located.

If your AI tools are processing data on EU customers, EU employees, EU prospects, or EU contractors, the Act applies to those processing activities.

This door is common in companies that:

  • Have any EU customer base (B2B or B2C, paid or free tier)
  • Employ remote workers in EU member states
  • Use AI tools that touch employee performance review, hiring, or evaluation, where any reviewed employee is in the EEA
  • Have EU resellers, channel partners, or affiliates whose data flows into your central systems
  • Run any EU-facing webinar, content, or pipeline where lead data enters your AI-enabled stack

First-week response. Map every AI-enabled tool against the data subjects it processes. Wherever EU data flows in, the Act applies. This usually requires a small joint working session between operations, IT, and legal. The output is a simple two-column table: AI system, data subjects it processes. The work takes a day if you have the right people in a room.

Door three: product features that ship into the EU market

This door applies primarily to companies whose own product includes AI capability. If your product is sold, made available, or used in the EU, and it includes an AI system, the Act applies to that AI system as a product placed on the EU market.

This door is the one most often documented in legal review, because product compliance is a familiar discipline. The risk classification (high-risk, general-purpose, limited-risk) determines obligations like CE marking, post-market monitoring, transparency disclosures, and documentation.

First-week response. If your product team has AI features, the legal team probably already has a workstream on this. The operating risk is that the workstream is owned by legal and not connected to product roadmap decisions. Make sure the workstream lives at the intersection of legal and product, with a single accountable owner who has authority to slow ship dates if needed.

How the three doors stack

Most US mid-market companies that BRAGI has assessed have walked through doors one and two without realising it. Door three is more visible because it sits inside product. The common pattern looks like this.

| Door | Visibility | Common state |
|---|---|---|
| Door one (vendor stack) | Low. Buried in vendor release notes. | Active exposure, undocumented |
| Door two (data flows) | Medium. Legal often knows; ops does not. | Active exposure, partially documented |
| Door three (product features) | High. Sits inside product compliance. | Documented, owned, sometimes coordinated |

The first job is to make door-one and door-two exposure visible. Without that, you are operating blind on the highest-likelihood failure modes.

The cost of getting this wrong

Penalties at 35 million EUR or 7 percent of global turnover are the headline. The operating cost of getting it wrong is broader.

  • Regulator-driven vendor switches in the middle of an active programme
  • Forced pauses on customer-facing features while you classify them
  • Loss of trust from European enterprise customers who request your AI Act position before renewal
  • Brand exposure when a competitor publishes a comparison and your governance position is weaker
  • Internal velocity drag as legal and operations end up in adversarial back-and-forth without a shared map

The companies that move first on this in the next three months will avoid almost all of that drag. The companies that wait until July 2026 will spend the second half of the year in catch-up.

The Bragi response

BRAGI maps EU AI Act exposure through an AI Vendor Exposure Heatmap that classifies every commercial AI tool in your stack against the Act's risk categories. The work produces a baseline an executive team can act on, plus a sequencing recommendation for the first 90 days of compliance work. The intent is practical operating clarity, not compliance theatre.

The four-week BRAGI Assessment is the standard entry point for this work. Bragi & Co. has been operating at the intersection of US enterprise AI strategy and EU regulatory practice from Copenhagen, which gives the work direct access to the Danish AI Act (the first member state to implement the EU AI Act, with criminal penalties for breaches) as well as the broader EEA picture.

Take the next step

If you have any AI activity in motion, the highest-leverage first step is a scored baseline of where exposure already sits. The four-week BRAGI Assessment produces a baseline, a vendor exposure heatmap, and a recommended sequencing plan for the next 90 days.

If you already know you want to talk, request a partner conversation directly.

TAKE ACTION

Turn this into a baseline you can act on.

The BRAGI Assessment scores where AI can improve your business across revenue, cost, speed, risk, and capability. The fractional Chief AI Officer engagement turns the scorecard into operating motion.