An EU AI Act compliance audit is a structured check of whether an organisation knows where it uses artificial intelligence, whether it meets the regulation's obligations and whether it can prove it. The best time to run one is on your own initiative - before a supervisory authority, a client in a tender or a contractor's corporate auditor does it for you.

Below is a practical guide: seven steps, concrete control questions and a list of the evidence an audit should leave behind.

When does an audit make sense?

From 2 August 2026 the AI Act applies in full and organisations must be able to demonstrate compliance. Some obligations apply earlier: the bans and AI literacy since 2 February 2025, the general-purpose model obligations since 2 August 2025. So the audit is worth doing now - every gap found is a task list to close, not a penalty risk. We collected the deadlines and sanctions on our EU AI Act compliance page and in the guide to AI Act fines.

Step 1: Inventory - do we know what we use?

The audit starts with the simplest and most often painful question: which AI tools and systems does the organisation actually use?

Control questions: Does an AI system register exist? Does it cover informally used tools (shadow AI)? Does every entry have an owner, a purpose of use, data categories and an approval status? When was the register last reviewed?

If there is no register - the audit effectively stops here. Without an inventory, no further question can be answered reliably.

Step 2: Prohibited practices - are we doing anything from Article 5?

Go through the catalogue of prohibited practices: subliminal manipulation, exploiting people's vulnerabilities, social scoring, emotion recognition in the workplace and education, untargeted scraping of facial images. Control questions: Does any tool we use analyse people's behaviour or emotions? Do HR, sales and marketing know these uses are prohibited no matter how tempting they look in a vendor's offer?

Step 3: Risk classification - do we have high-risk systems?

Check the use cases from Annex III of the AI Act: recruitment and workforce management, credit scoring, education, access to essential services, critical infrastructure. Control questions: Does AI take part in decisions about people in our organisation? As a deployer, do we meet the Article 26 obligations - human oversight, use according to the provider's instructions, monitoring? Has the provider supplied the required documentation?

While you are at it, verify the providers themselves - we collected the questions worth asking in our article on vendor compliance, data and risk, and we wrote about dependence on a single provider in the piece on vendor risk.

Step 4: AI literacy - do people know what they are doing?

Article 4 of the AI Act requires an adequate level of AI competence among people using AI systems on the organisation's behalf - and has applied since February 2025.

Control questions: Have employees completed AI literacy training appropriate to their roles? Did the training end with a knowledge check (exam) and are there certificates? Do new employees get trained during onboarding? Can you identify who has NOT completed the training?

Step 5: Rules - does a policy exist and does it work?

Control questions: Does an AI usage policy exist? Does it include a list of approved tools, data rules, output verification requirements and a path for proposing new tools? Have employees confirmed they have read it? Is it reviewed and updated?

Step 6: Transparency - do we disclose where required?

Article 50 of the AI Act requires, among other things, informing people that they are interacting with an AI system and labelling certain generated content. Control questions: Do chatbots and voicebots disclose that they are AI? Are deepfakes and synthetic content labelled? Does marketing content created with AI follow the company's labelling rules?

Step 7: Evidence - can we prove all of it?

The most important step of the audit. Compliance that cannot be proven effectively does not exist. After the audit, the organisation should hold a complete set of:

  • an AI system register with change history and review dates;
  • an AI policy with read-acknowledgements;
  • AI literacy training certificates for employees;
  • tool approval/ban decisions signed by the responsible person;
  • risk classification documentation and vendor assessments;
  • an audit report with a gap list and a remediation plan.

This set makes the difference in every stressful situation: an inspection, an incident, a client's question in a tender, a contract negotiation. And when setting any penalty, the authority takes into account the preventive measures in place and the organisation's diligence.

Audit by hand or with a tool?

The seven steps above can be done manually - with spreadsheets and surveys. The challenge is that an audit is not a one-off: tools change, people join, providers change their terms. That is why it makes more sense to embed the audit in a system that keeps the register, policies, training and evidence up to date continuously.

That is exactly how the AI TrustCERT platform works: its modules mirror the audit steps (register → rules → training → evidence → readiness report), and deployment takes 1-7 days. To start, the free AI Ready Check is enough - an initial readiness assessment in 3 minutes that shows which areas need action first.

Summary

An EU AI Act compliance audit is seven questions: what do we use, are we doing anything prohibited, do we have high-risk systems, are people trained, do we have rules, are we transparent and can we prove it.

An organisation that walks through these steps before 2 August 2026 turns the risk of penalties into a task list. An organisation that does not, hands the initiative over - to the supervisory authority, to clients, or to chance.

It is better to audit yourself than to be audited.

Sources

  1. Regulation (EU) 2024/1689 (AI Act) - Article 4 (AI literacy), Article 5 (prohibited practices), Article 26 (deployer obligations), Article 50 (transparency), Article 99 (penalties), Annex III (high-risk systems), Article 113 (application dates): eur-lex.europa.eu
  2. European Commission - AI regulatory framework and AI Act application timeline: digital-strategy.ec.europa.eu
  3. European Commission - AI Literacy - Questions & Answers: digital-strategy.ec.europa.eu