The €40 Million Question
The AI Act is not a theoretical conversation anymore.
Eight months into enforcement, the first fines have landed. The DPAs that were expected to move slowly moved less slowly than the vendors predicted. A handful of companies are now in the public record for non-compliance, and procurement teams across Europe are reading the list carefully before they sign the next AI contract.
There are two kinds of companies reading that list. The ones who are compliant. And the ones who are pretending not to be worried.
What compliance actually looks like
A compliance team at a regulated European bank opens an audit request on a high-risk AI system. The auditor wants five things.
One. The technical documentation for the system. What it does. How it was trained. What data trained it. What evaluations it passed before it went into production. Who signed off on the release.
Two. The data governance record. Where the training data came from. How consent was handled. What the data retention policy is. Where lineage breaks, and why.
Three. The risk management system. What risks were identified. What mitigations were chosen. What the residual risk is. How often the assessment gets updated.
Four. The human oversight log. Which decisions the model made autonomously. Which decisions a human reviewed. Which decisions the human overrode. What happened after.
Five. The post-market monitoring record. What the system is doing in production. What incidents happened. What was done about them.
Five things. One system, if the team was set up right. Five different systems, five different formats, and a team of three working weekends, if the team was set up wrong.
The difference between those two is not a compliance officer. It is an architecture.
Why most teams are not ready
The pattern that keeps appearing in the AI Act postmortems is the same one that appeared in the GDPR postmortems eight years ago.
A team was moving fast. A team bought an AI product. A team wired the product into a decisioning workflow. A team shipped.
What the team did not do, because nobody was paid to do it, was keep a structured record of the five things above as the work happened. The decisions were made. The decisions did not get written down in a format a regulator could walk.
When the audit arrives, the team tries to reconstruct the record backwards. Pull training data lineage from an annotation vendor. Pull evaluation scores from a monitoring tool. Pull human oversight from Jira tickets that were never written for this purpose. Pull risk assessments from a folder on a shared drive.
The reconstruction takes a quarter. It costs seven figures in legal and consulting time. And the reconstruction is imperfect — pieces of the chain are missing, and the missing pieces are the ones the regulator asks about first.
This is the work that could have been avoided.
What "compliant by construction" means
A system that produces the compliance record as the output of doing the work, not as a separate artifact built afterward.
Concretely, this means the workflow the team already runs writes to a structured record. Every reviewed decision. Every override. Every sign-off. Every evaluation run. Every promotion of a new model. Every incident. Every remediation.
The record is immutable. The record is auditable. The record is exportable in the format the AI Act expects. When the auditor arrives, the export is a button. Not a project.
This is the shape of the bet every Domain Lab makes. The workflow the radiology team already runs on medical imaging, the workflow the risk team already runs on credit decisions, the workflow the pharmacovigilance team already runs on adverse-event reports — each one writes to the record by default. The compliance artifact is a byproduct of the work, not a deliverable the compliance team invents after the fact.
The five things — mapped to Domain Labs
The AI Act calls for five categories of evidence. A Domain Lab produces four of them as a side effect of the workflow, and the fifth as a first-class artifact.
Technical documentation. Every model promoted through the lab has a model card, a training distribution summary, a reviewed-work record, and the evaluation battery it passed. Exported together. Ready to hand to the auditor.
Data governance. Every piece of training data has lineage — the reviewer who produced it, the calibration session they passed, the source document it derived from, the retention policy it falls under. Queryable. Exportable.
Risk management. Every decision type has a risk tier written into the workflow. Every reviewer has a credential tier written into the roster. Every model has a performance profile per risk tier. When the risk surface changes, the system flags which workflows need a new assessment.
Human oversight. Every autonomous decision is logged against a threshold. Every decision above threshold routes to a human. Every override is captured with the reviewer identity, the reason, and the data that produced it. The oversight log writes itself.
Post-market monitoring. Live telemetry on every production model. Drift detection against a registered baseline. Incident capture with ticket-grade structured fields. Reporting ready in the format the authority expects.
None of this is a separate product. It is the shape of the work the team does every day. The compliance artifact is what falls out at the end of a well-run week.
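As an added illustration of the record described above (the workflow writing every decision, routing and override into an immutable, auditable, exportable log, and the human oversight entry in particular), here is a constructed example that is not the product's code: it assumes each decision carries a model risk score, that scores at or above the workflow threshold route to a human, and that tamper-evidence comes from chaining each entry to the previous entry's SHA-256 digest.

```python
import hashlib
import json
from dataclasses import dataclass, asdict

# Constructed example, not the product's code. Assumptions: each decision carries a
# model risk score, scores at or above the workflow threshold route to a human, and
# the record is made tamper-evident by chaining each entry to the previous digest.
GENESIS = "0" * 64
@dataclass
class Entry:
    seq: int
    kind: str      # "auto", "routed" (sent to a human) or "override"
    payload: dict  # case id, score, decision, reviewer, reason, evidence
    prev: str      # digest of the previous entry
    digest: str
def _digest(seq: int, kind: str, payload: dict, prev: str) -> str:
    body = {"seq": seq, "kind": kind, "payload": payload, "prev": prev}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class OversightLog:
    def __init__(self, threshold: float):
        self.threshold = threshold
        self.entries: list[Entry] = []

    def _append(self, kind: str, payload: dict) -> Entry:
        prev = self.entries[-1].digest if self.entries else GENESIS
        seq = len(self.entries)
        self.entries.append(Entry(seq, kind, payload, prev, _digest(seq, kind, payload, prev)))
        return self.entries[-1]

    def decide(self, case_id: str, score: float, model_decision: str) -> str:
        """Log every model decision; route it to a human when the score crosses threshold."""
        kind = "routed" if score >= self.threshold else "auto"
        return self._append(kind, {"case": case_id, "score": score, "model": model_decision}).kind

    def override(self, case_id: str, reviewer: str, reason: str, final: str, evidence: dict) -> Entry:
        # Capture who overrode the model, why, and the data they relied on.
        return self._append("override", {"case": case_id, "reviewer": reviewer,
                                         "reason": reason, "final": final, "evidence": evidence})

    def verify(self) -> bool:
        # Recompute the chain; any edited or removed entry breaks it.
        prev = GENESIS
        for e in self.entries:
            if e.prev != prev or _digest(e.seq, e.kind, e.payload, prev) != e.digest:
                return False
            prev = e.digest
        return True

    def export(self) -> str:  # the auditor's export: the verified chain as JSON, on demand
        if not self.verify():
            raise ValueError("oversight log failed integrity check")
        return json.dumps([asdict(e) for e in self.entries], indent=1)
```

A production record would also need an append-only store and a signed anchor for the latest digest; the chain alone detects edits but does not stop a privileged writer from rebuilding the whole log.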
Where Evaluation Studio and Compliance Monitoring fit
Two modules do most of the visible lift for the AI Act record.
Evaluation Studio is where the rules the model must pass before release are written and versioned. An evaluation is not a spreadsheet. It is a defined battery, reviewed by the people who will be accountable for the release, and run automatically at every promotion. The history of the battery — when it changed, who changed it, why — is the technical documentation the auditor asks for.
Compliance Monitoring is where the live record lives. Every decision the production system makes. Every human override. Every incident. Every drift signal. The monitoring runs forever. The export runs on demand.
Add Control Center for the sign-off chain, Regression Bank for the memory of past incidents, and the five things the auditor wants are one query away.
What the fines are teaching us
Read the first enforcement actions carefully. The companies that were fined are not the companies with the worst AI systems. They are the companies whose systems were the hardest to explain.
A system that causes real harm, with a defensible evidence chain behind it, is a system the enforcement action will treat differently from a system that may or may not have caused harm but cannot be explained at all.
The Act rewards explainability. The Act punishes opacity. A team that cannot walk a regulator through the decision chain is a team that is going to be treated like the team that deliberately obscured it, whether or not that was the intent.
This is where the Domain Labs bet pays off. The workflow is the explanation. The explanation runs alongside the work. Nothing has to be reconstructed.
What to do this quarter
Three moves.
One. Map the five AI Act categories to the systems that produce each of them today. If a category comes out of three different systems, or out of nothing, the remediation roadmap starts there.
Two. Pick one high-risk workflow. Run it on a compliant-by-construction architecture for one quarter. Compare the audit readiness at the end of that quarter to the baseline.
Three. Stop treating compliance as a gate. Start treating compliance as a byproduct. The teams that make that shift in 2026 are the ones that will still be shipping AI in Europe in 2028.
The €40 million question is not "are we compliant today." It is "do we produce the evidence the regulator will ask for, as a side effect of the work we already do."
The teams that can say yes are not going to be in the headlines.
The teams that cannot are going to find out, in the order the enforcement actions arrive.
