“We only use AI, we don't build our own models.”

This sentence comes up more and more often in conversations with companies that are starting to take an interest in the AI Act. Many organizations assume that since they are not a manufacturer of artificial intelligence systems, do not build their own models and do not sell AI tools, the new EU rules do not apply to them.

That may be a mistaken assumption.

The AI Act does indeed impose significant obligations on providers of AI systems, model developers and technology companies. But it does not apply exclusively to Big Tech. In certain situations, obligations may also fall on organizations that simply use off-the-shelf AI tools in their day-to-day operations.

The AI Act is not only for Big Tech

The AI Act, the EU regulation on artificial intelligence, entered into force on 1 August 2024. Its aim is to create a framework for the responsible development and use of AI in the European Union.

The key principle of the AI Act is simple: the greater the risk associated with a given use of AI, the greater the obligations.

That is why the rules do not look solely at who created the technology. What also matters is:

  • who uses it,
  • for what purpose,
  • towards whom,
  • on what data,
  • in what process,
  • whether the AI affects people, decisions or access to services.

This is precisely why the AI Act may also be relevant for companies in sectors such as HR, sales, marketing, customer service, education, finance, public administration, healthcare, retail, e-commerce or B2B services.

Who can have obligations under the AI Act?

The AI Act distinguishes several roles for organizations in the artificial intelligence ecosystem. Four basic categories are most commonly mentioned: providers, deployers, importers and distributors.

AI provider

A provider is an entity that develops an AI system, or has it developed, and places it on the market or puts it into service under its own name or trademark.

Example: A company builds an AI tool for CV screening and sells it to HR departments. A company offers clients an AI-based scoring system. A software house builds and makes an AI solution available to clients as a product.

Providers, especially of high-risk systems, may have extensive obligations relating to, among other things, documentation, risk management, data quality, human oversight, testing and system conformity.

Deployer, i.e. the organization using AI

A deployer is a company, institution or other organization that uses an AI system in its professional activity.

And here comes the most important point: a deployer does not have to be a technology company.

It can be:

  • an employer using AI in recruitment,
  • an online store using AI for recommendations,
  • a service company using a chatbot,
  • a marketing department generating content with the help of AI,
  • a bank or fintech using AI for risk assessment,
  • a school or university using AI in education,
  • a public authority using AI to handle citizens' cases,
  • a company analyzing customer data with an off-the-shelf tool.

Simply using AI does not automatically mean that a company has the heaviest obligations. But it does mean it should understand which AI systems it uses and in what context.

Importers and distributors

Obligations may also apply to companies that place AI systems from outside the EU on the EU market, or that resell, distribute or make AI solutions available to other entities.

This is important for IT integrators, resellers, implementation companies, software distributors and entities that help clients use AI tools.

In practice, it is not enough to say: “this is our provider's solution.” Depending on its role in the value chain, an organization may have its own verification, information or organizational obligations.

AI in HR: an example where the risk grows

One of the areas companies should pay particular attention to is HR.

AI can be used in recruitment and personnel management for:

  • CV screening,
  • candidate assessment,
  • application ranking,
  • competency analysis,
  • automatic matching of candidates to job offers,
  • employee evaluation,
  • predicting turnover,
  • supporting decisions on promotions or hiring.

Why is this area sensitive?

Because AI can affect a person's access to work, professional development, evaluation, promotion or the rejection of an application. A system error, data bias or lack of human oversight can lead to real consequences for specific individuals.

That is why AI systems used in the area of employment, workforce management and access to self-employment may fall into the high-risk category.

For companies this means one thing: if you use AI in HR, do not treat it like an ordinary office tool. Check how it works, what decisions it supports, whether it affects people and who is responsible for its use.

AI in customer service: transparency obligations

The second common example is customer service.

More and more companies use chatbots, voicebots, automated responses, systems that classify tickets or tools that generate messages to customers.

In many cases such solutions are useful and low-risk. They help answer questions faster, shorten handling time and relieve teams.

But the AI Act also introduces transparency obligations for certain systems. In practice, this means that in some situations the user should know that they are talking to an AI, or that a given piece of content has been generated or manipulated by an AI system.

Examples:

  • a customer talks to a chatbot but thinks they are talking to a human,
  • a company publishes material generated by AI,
  • a system creates a deepfake or a synthetic image, voice or video,
  • AI generates informational content aimed at the public.

In such situations, a company should ensure transparency, clear communication and appropriate labelling of the use of AI.

Does AI support decisions about people? Responsibility grows

The most important question every organization should ask itself is:

Does the AI affect decisions concerning people?

If AI only helps draft a marketing text, the risk is usually different from when a system:

  • assesses a job candidate,
  • suggests refusing a service,
  • classifies a customer as risky,
  • analyzes employee data,
  • supports a decision about access to benefits,
  • affects a student, patient, citizen or customer.

The more AI affects a person's rights, opportunities, evaluation or situation, the more important the following become:

  • human oversight,
  • data quality,
  • the ability to explain how it works,
  • documentation,
  • risk control,
  • transparency towards the user,
  • the organization's accountability.

That is why the AI Act should not be analyzed solely through the lens of the question: “do we build AI?” A better question is: “do we use AI in processes that may affect people?”

“We only use an off-the-shelf tool” - why is that not always enough?

Using an off-the-shelf AI tool may reduce the scope of technical obligations on the company's side, but it does not remove all organizational responsibilities.

Example: The tool's provider is responsible for the product's compliance with the requirements that apply to its role. But the company using the tool is still responsible for how it uses it.

It is the organization that decides:

  • in what process it uses AI,
  • what data it enters into the system,
  • who it shares the result with,
  • whether the AI output is verified by a human,
  • whether the employee knows how to use the tool,
  • whether the customer or candidate is properly informed,
  • whether the use of AI complies with company policy and regulations.

That is why responsible use of AI requires more than buying a license. It requires management.

The first step: check where you use AI in your company

Before an organization starts analyzing the detailed obligations arising from the AI Act, it should take a simple, practical step: an inventory of AI use.

It is worth answering a few questions:

  • What AI tools are used in the company?
  • Which departments use them?
  • What tasks are they used for?
  • Does the AI process personal, confidential or business-sensitive data?
  • Does the AI affect customers, employees, candidates or citizens?
  • Does the user know they are interacting with AI?
  • Does the company have rules for using AI?
  • Have employees been trained?
  • Is anyone in the organization responsible for assessing AI risks?

Only after such a review can you sensibly assess whether a given use is low-risk, subject to transparency obligations, high-risk, or perhaps requires additional safeguards.

What should a company that uses AI do?

To start with, you do not need to build a complicated compliance system. In many organizations it is enough to begin with a few basic actions.

1. Map your AI tools

Check which AI tools are used in the company officially and unofficially. Include not only systems purchased by IT, but also tools used by marketing, sales, HR, administration, customer service and management.

2. Define the purpose of AI use

The same tool can have a different level of risk depending on its use. Using AI to improve the style of a text is different from using it to evaluate an employee or a customer.

3. Check the data

Establish what data goes into the AI tools. Pay particular attention to personal data, customer data, trade secrets, financial data, contractual documents and confidential information.

4. Set rules for using AI

Employees should know:

  • which tools they may use,
  • what they must not enter into AI,
  • when the result must be verified,
  • when human oversight is needed,
  • how to label content generated by AI,
  • where to report errors or incidents.

5. Train your employees

AI literacy - the competencies and awareness related to AI - is one of the foundations of responsible use of artificial intelligence. Training should be practical and tailored to employees' roles.

HR needs different examples than marketing, sales needs different ones again, and customer service yet others.

6. Document and update

The rules for using AI should be updated regularly. Tools change quickly, and AI use in organizations often develops faster than procedures.

Summary

The AI Act does not apply only to technology companies.

It may also be relevant for organizations that use off-the-shelf AI tools in their everyday work: in HR, marketing, sales, customer service, data analysis, process automation or decision-making.

The biggest mistake is to assume that because a company does not build AI, it has no responsibility at all.

A better approach is to ask three questions:

  • Where in our organization do we use AI?
  • What exactly do we use it for?
  • Does the AI affect people, data, decisions or business processes?

The first step is not panic. The first step is awareness and inventory.

Because responsible AI starts with knowing where and how it is used.

Want to check whether the AI Act may apply to your organization?

Start by diagnosing where artificial intelligence is used in your company and what risks may arise from it.

AI TrustCERT helps organizations bring order to their use of AI in a single process - combining an inventory of AI use, AI Governance rules, risk assessment and AI Literacy for employees.

If your company uses AI, don't wait until a problem appears. Start by checking where AI is already at work in your organization.

Sources

  1. European Commission - AI Act: regulatory framework for AI. Describes the aim of the AI Act, its timeline of application and its risk-based approach. The AI Act entered into force on 1 August 2024, and most provisions will apply from 2 August 2026, with exceptions for, among others, prohibited practices and general-purpose models: digital-strategy.ec.europa.eu
  2. European Commission - AI Act enters into force. Statement of 1 August 2024 noting that the AI Act has entered into force and is intended to support the responsible development and deployment of AI in the EU: commission.europa.eu
  3. AI Act Service Desk - Article 4: AI literacy. A discussion of the obligation to ensure an adequate level of AI competence among employees and other persons using AI systems on behalf of providers and deployers: artificialintelligenceact.eu/article/4
  4. EUR-Lex - Regulation (EU) 2024/1689, Artificial Intelligence Act. The official text of the regulation laying down harmonized rules on artificial intelligence: eur-lex.europa.eu
  5. European Commission - Navigating the AI Act. An FAQ explaining, among other things, the transparency obligations for chatbots, interactive systems, deepfakes and certain AI-generated content: digital-strategy.ec.europa.eu