
The €40 Million Question

The EU AI Act's training-data provenance provisions come into force in August 2026. The teams that will be ready didn't build a compliance project. They ran workflows that produced the record as a side effect.

ATTRIBUTION
AuraOne Compliance team
PUBLISHED
January 19, 2026
READING
11 min

The AI Act is not a theoretical conversation anymore.

In August 2026 the high-risk provisions come into force, including the training-data provenance obligations that most teams have spent the last year not preparing for. The authorities that were expected to move slowly are unlikely to move as slowly as the vendors predicted. The first companies in the public record for non-compliance are coming, and procurement teams across Europe will read that list carefully before they sign the next AI contract.

There are two kinds of companies looking at that deadline. The ones who will be compliant by construction. And the ones who are pretending not to be worried.

What compliance actually looks like

A compliance team at a regulated European bank opens an audit request on a high-risk AI system. The auditor wants five things.

One. The technical documentation for the system. What it does. How it was trained. What data trained it. What evaluations it passed before it went into production. Who signed off on the release.

Two. The data governance record. Where the training data came from. How consent was handled. What the data retention policy is. Where lineage breaks, and why.

Three. The risk management system. What risks were identified. What mitigations were chosen. What the residual risk is. How often the assessment gets updated.

Four. The human oversight log. Which decisions the model made autonomously. Which decisions a human reviewed. Which decisions the human overrode. What happened after.

Five. The post-market monitoring record. What the system is doing in production. What incidents happened. What was done about them.

Five things. One system, if the team was set up right. Five different systems, five different formats, and a team of three working weekends, if the team was set up wrong.

The difference between those two is not a compliance officer. It is an architecture.

Why most teams are not ready

Start with the numbers. 78% of organizations cannot validate their data before training. 77% cannot trace where their training data came from. Those are the exact two questions the high-risk provisions turn into legal obligations in August 2026, and most teams already know they cannot answer either one.

The pattern that keeps appearing in the AI Act postmortems is the same one that appeared in the GDPR postmortems eight years ago.

A team was moving fast. A team bought an AI product. A team wired the product into a decisioning workflow. A team shipped.

What the team did not do, because nobody was paid to do it, was keep a structured record of the five things above as the work happened. The decisions were made. The decisions did not get written down in a format a regulator could walk.

When the audit arrives, the team tries to reconstruct the record backwards. Pull training data lineage from an annotation vendor. Pull evaluation scores from a monitoring tool. Pull human oversight from Jira tickets that were never written for this purpose. Pull risk assessments from a folder on a shared drive.

The reconstruction takes a quarter. It costs seven figures in legal and consulting time. And the reconstruction is imperfect — pieces of the chain are missing, and the missing pieces are the ones the regulator asks about first.

This is the work that could have been avoided.

What "compliant by construction" means

A system that produces the compliance record as the output of doing the work, not as a separate artifact built afterward.

Concretely, this means the workflow the team already runs writes to a structured record. Every reviewed decision. Every override. Every sign-off. Every evaluation run. Every promotion of a new model. Every incident. Every remediation.

The record is immutable. The record is auditable. The record is exportable in the format the AI Act expects. When the auditor arrives, the export is a button. Not a project.

This is the shape of the bet every App Data app makes. The workflow the radiology team already runs on medical imaging, the workflow the risk team already runs on credit decisions, the workflow the pharmacovigilance team already runs on adverse-event reports — each one writes to the record by default. The compliance record is a byproduct of the work, not a deliverable the compliance team invents after the fact.

The five things — mapped to App Data

The AI Act calls for five categories of evidence. An App Data app is designed to produce those records while the work happens.

Technical documentation. Every model promoted through the lab has a model card, a training distribution summary, a reviewed-work record, and the evaluation battery it passed. Exported together. Ready to hand to the auditor.

Data governance. Every piece of training data has lineage — the reviewer who produced it, the calibration session they passed, the source document it derived from, the retention policy it falls under. Queryable. Exportable.

Risk management. Every decision type has a risk tier written into the workflow. Every reviewer has a credential tier written into the roster. Every model has a performance profile per risk tier. When the risk surface changes, the system flags which workflows need a new assessment.

Human oversight. Every autonomous decision is logged against a threshold. Every decision above threshold routes to a human. Every override is captured with the reviewer identity, the reason, and the data that produced it. The oversight log writes itself.

Post-market monitoring. Monitoring records, drift checks, incident notes, and reporting exports can be attached where the customer environment is configured for them.

None of this is a separate product. It is the shape of the work the team does every day. The compliance artifact is what falls out at the end of a well-run week.
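To make the "compliant by construction" record and the human-oversight log described above concrete, here is an added example in Python. It is not code from the original post and not AuraOne's App Data implementation. It assumes a hash-chained append-only record (DecisionRecord), a review workflow (ReviewWorkflow) that writes every decision, routing and override into that record as a side effect of operating, a constructed routing threshold of 0.7, and constructed sample cases; every name, model version and value in it is hypothetical.

```python
"""Added example (not part of the original post, not any vendor's code):
a hash-chained, append-only decision record that a review workflow writes
to as a side effect of operating. The record is tamper-evident, verifiable
and exportable with one call. All names, thresholds and sample cases
below are constructed for the example."""
import hashlib
import json
from dataclasses import dataclass, field

GENESIS_HASH = "0" * 64  # chain anchor for the first entry


def _digest(body: dict) -> str:
    # Canonical JSON (sorted keys) so the hash is reproducible regardless
    # of how the entry dict was assembled.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class DecisionRecord:
    """Append-only log. Each entry commits to the previous entry's hash, so
    editing, deleting or reordering earlier entries breaks verification."""
    entries: list = field(default_factory=list)

    def append(self, kind: str, **payload) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        body = {"seq": len(self.entries), "kind": kind, "prev": prev, **payload}
        entry = {**body, "hash": _digest(body)}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every hash and link; False on any tampering."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e.get("seq") != i or e.get("prev") != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def export(self) -> str:
        """The audit export: one JSON object per line, in chain order."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)

    def count(self, kind: str) -> int:
        return sum(1 for e in self.entries if e["kind"] == kind)


class ReviewWorkflow:
    """A decisioning workflow. Its normal operation is what fills the record;
    nobody writes a compliance log separately."""

    def __init__(self, record: DecisionRecord, model_version: str, threshold: float):
        self.record = record
        self.model_version = model_version
        self.threshold = threshold  # risk score at or above which a human decides

    def decide(self, case_id: str, score: float, inputs: dict) -> str:
        """Autonomous below threshold; routed to a human at or above it.
        Either way the decision, the threshold and the inputs are logged."""
        outcome = "routed_to_human" if score >= self.threshold else "auto_approved"
        self.record.append(
            "decision", case_id=case_id, model=self.model_version,
            score=score, threshold=self.threshold, inputs=inputs, outcome=outcome,
        )
        return outcome

    def human_override(self, case_id: str, reviewer: str, outcome: str, reason: str) -> dict:
        """A reviewer's override: identity, reason and the data that produced
        the original decision are captured; the original entry is never edited."""
        original = next(e for e in reversed(self.record.entries)
                        if e["kind"] == "decision" and e["case_id"] == case_id)
        return self.record.append(
            "override", case_id=case_id, reviewer=reviewer, outcome=outcome,
            reason=reason, overrides_seq=original["seq"], inputs=original["inputs"],
        )


def run_sample() -> DecisionRecord:
    """Constructed sample: two auto decisions, one routed case, one override."""
    record = DecisionRecord()
    wf = ReviewWorkflow(record, model_version="credit-v3.2", threshold=0.7)
    wf.decide("case-001", 0.21, {"income_band": "B", "history_months": 48})
    wf.decide("case-002", 0.85, {"income_band": "D", "history_months": 6})
    wf.human_override("case-002", reviewer="analyst-17", outcome="approved",
                      reason="verified employer letter offsets short history")
    wf.decide("case-003", 0.40, {"income_band": "C", "history_months": 30})
    return record


if __name__ == "__main__":
    rec = run_sample()
    print(rec.export())
    print("chain valid:", rec.verify())
```

Run it directly to print the JSON-lines export and the chain check. The hash chain makes edits, deletions and reordering inside the record detectable, but it cannot by itself detect removal of the newest entries; in a real deployment the latest hash would be anchored in a separate store or signed, and the export would carry that anchor so the auditor can check it independently.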

Where Evaluation Studio and Compliance Monitoring fit

Two modules do most of the visible lift for the AI Act record.

Evaluation Studio is where the rules the model must pass before release are written and versioned. An evaluation is not a spreadsheet. It is a defined battery, reviewed by the people who will be accountable for the release, and run automatically at every promotion. The history of the battery — when it changed, who changed it, why — is the technical documentation the auditor asks for.

Compliance Monitoring is where the live record lives. Every decision the production system makes. Every human override. Every incident. Every drift signal. The monitoring runs forever. The export runs on demand.

Add Control Center for the sign-off chain, Regression Bank for the memory of past incidents, and the five things the auditor wants are one query away.

What the Act is already teaching us

Read the high-risk provisions carefully. The companies most exposed are not the companies with the worst AI systems. They are the companies whose systems are the hardest to explain.

A system that causes real harm, with a defensible evidence chain behind it, is a system an enforcement action will treat differently from a system that may or may not have caused harm but cannot be explained at all.

The Act rewards explainability. The Act punishes opacity. A team that cannot walk a regulator through the decision chain is a team that is going to be treated like the team that deliberately obscured it, whether or not that was the intent.

This is where App Data pays off. The workflow is the explanation. The explanation runs alongside the work. Nothing has to be reconstructed.

What to do this quarter

Three moves.

One. Map the five AI Act categories to the systems that produce each of them today. If a category comes out of three different systems, or out of nothing, the remediation roadmap starts there.

Two. Pick one high-risk workflow. Run it on a compliant-by-construction architecture for one quarter. Compare the audit readiness at the end of that quarter to the baseline.

Three. Stop treating compliance as a gate. Start treating compliance as a byproduct. The teams that make that shift in 2026 are the ones that will still be shipping AI in Europe in 2028.

The €40 million question is not "are we compliant today." It is "do we produce the evidence the regulator will ask for, as a side effect of the work we already do."

The teams that can say yes are not going to be in the headlines.

The teams that cannot are going to find out, in the order the enforcement actions arrive.
