Many companies assume that the obligations connected with the AI Act mainly concern the big technology providers: OpenAI, Google, Anthropic, Meta, Mistral, Microsoft and other entities that build artificial intelligence models.

That is partly true.

It is providers of general-purpose models, so-called GPAI, who have their own obligations regarding transparency, copyright, documentation, security and - for the most advanced models - systemic risks.

But from the perspective of an ordinary company, the problem doesn't end with the fact that someone else built the model.

Because even if an organisation doesn't build its own AI, it may use AI intensively in sales, HR, marketing, customer service, document analysis, administration, finance or managerial work.

And then the question arises: does the company know what it is actually buying, from whom, on what terms and with what risk?

What is GPAI and why does it matter?

GPAI is general-purpose AI, that is, a general-purpose artificial intelligence model. It is not a tool built for one narrow function. Such a model can support many different uses: generating text, analysing documents, writing code, translating, summarising, creating concepts, answering questions, supporting customer service or helping with knowledge work.

In practice, many popular AI tools are built on such models.

For companies this is hugely important, because the same model can be used for very different purposes. In one department it will help polish the style of an email, in another analyse CVs, in another summarise contracts, and elsewhere support communication with clients.

The technology is the same or similar, but the risk can be completely different.

That is why the AI Act distinguishes the obligations of general-purpose model providers from the obligations of organisations that use AI systems in specific processes. The provider is responsible for certain elements of the model and its documentation. The company is responsible for how it uses the tool in its own environment.

The Code of Practice: a signal for the whole market

The European Commission published the General-Purpose AI Code of Practice as a voluntary tool to help general-purpose model providers demonstrate compliance with their AI Act obligations.

The code focuses on three main areas: transparency, copyright, and safety and security. For the most advanced models, questions of systemic risk, testing, documentation and security management are particularly important.

Formally, it is a document aimed primarily at GPAI providers.

But its significance is broader.

It shows the direction the market is heading: increasingly, it isn't enough to say "our model works well." What matters more is whether the provider can explain how the model is documented, what its limitations are, what the rules on data are, how it approaches copyright and what security mechanisms it applies.

For business clients this is a clear signal: if you use AI in your company, you have to learn to ask vendors better questions.

A company can't buy AI the way it buys an ordinary app

Deploying an AI tool often looks very simple. We choose a subscription, create accounts, give employees access and start using it.

That simplicity is only apparent.

An AI tool may have access to content that previously never left the organisation: client queries, internal documents, personal data, marketing materials, code, meeting notes, financial analyses or proposal content.

It may also affect the quality of work. If an employee uses AI to create communication, analysis, a recommendation or a reply to a client, the model's output begins to indirectly influence the business process.

That is why buying AI should not be solely the decision of a department that "wants to improve its work." It should be part of risk management.

Not every company needs an elaborate vendor-assessment process like a large corporation. But every organisation should know which AI tools it allows, who uses them and whether they are appropriate for a given use.

What to ask an AI vendor?

Questions for an AI vendor don't have to create a major audit straight away. To begin with, it's about common sense and a minimal level of control.

A company should understand whether the data entered into the tool may be used to train models, where it is processed, what privacy settings apply, whether there is a business version with better data protection and what the limitations of using the system are.

It should also know whether the vendor provides documentation, information about the model, a description of limitations, security rules, terms of data processing and mechanisms for responding to incidents.

Copyright matters too. If the tool generates content, images, text or code, the company should understand the rules for using the outputs, the risks that may relate to the input materials and whether the vendor declares compliance with copyright obligations.

These are not theoretical questions. They are questions that may come back during an audit, a complaint, a dispute with a client, a security incident or an inspection.

The vendor is responsible for the model. The company is responsible for the use

This distinction is crucial.

A model provider may have obligations related to documentation, security, transparency or copyright. But if a company uses an AI tool for the wrong process, feeds it confidential data or bases a business decision on an unverified output, it cannot simply say: "it's the vendor's fault."

The AI Act builds accountability across the value chain. This means different entities have different roles and different obligations.

For an organisation using AI, the most important thing is to understand its own context. It is the one that knows whether the tool is used in marketing, recruitment, customer service, data analysis or a decision-making process. It is the one that knows what data is processed. It is the one that determines whether the AI output is only an inspiration or part of a real decision.

The vendor can help, but it won't replace the company's responsibility for how AI is used.

A register of AI tools as a foundation

You can't ask vendors about compliance if a company doesn't know which tools it uses.

This is one of the biggest gaps in organisations.

Some AI tools are bought officially. Some operate within existing systems. Some are tested by teams. Some run through employees' personal accounts. Some are "invisible," because AI appeared as a new feature in a tool the company already knew.

That is why the first step should be a simple AI register.

Not in order to create bureaucracy. So that the company knows which tools are used, who is responsible for them, what they are for, what data they process and whether they require additional assessment.

Only then can you sensibly discuss vendors, documentation, risk, consents, acceptances and usage rules.

Without a register, a company operates on guesswork.

The GPAI Code of Practice and companies' purchasing practice

The Code of Practice for GPAI doesn't mean every small or medium company must read the technical documents of the largest models.

It does mean the market is maturing.

AI vendors will increasingly be assessed not only through the lens of answer quality, but also through transparency, security, documentation, copyright and regulatory compliance.

Companies that buy AI should prepare for a similar shift.

Just as with GDPR organisations learned to ask vendors about data processing agreements, data location and security measures, with AI they will have to learn to ask about model documentation, the scope of data use, limitations, risks, AI Act compliance and the ability to demonstrate responsible deployment.

It doesn't have to be complicated from day one. But it has to start.

What can go wrong if a company doesn't do this?

The simplest scenario is a data breach. An employee enters information into an AI tool that they should not pass to an external vendor.

Another scenario is a wrong decision. AI generates a convincing but false analysis, and the team uses it without verification.

Yet another scenario is a copyright problem. A company publishes content or an image generated by AI without understanding the licensing limitations or the risks related to the input materials.

An operational problem is also possible: the company bases part of a process on a tool that later changes its terms, raises prices, restricts features or stops being available.

In all these situations the common denominator is the same: the organisation used AI but didn't manage that use.

Where does AI TrustCERT help?

AI TrustCERT helps companies put the basics of responsible AI use in order.

Instead of starting with a complex technology audit, an organisation can first build practical readiness: train employees, adopt rules for using AI, collect acceptances, create a register of tools, recognise risks and prepare a readiness report.

This is also a good starting point for conversations with vendors.

If a company knows which tools it uses and in which processes, it's easier to determine what questions to ask vendors, where additional documentation is needed and where simple internal rules are enough.

AI TrustCERT doesn't replace all legal and technical obligations. But it helps take the first, most important step: moving from accidental AI use to a conscious and documented process.

Summary

You don't have to build your own AI model to have responsibility for AI in your company.

It's enough to use AI tools in everyday work.

Providers of general-purpose models will be increasingly obliged to document transparency, security and AI Act compliance. But organisations using these tools must also do their part.

They should know which tools they use, what data goes into them, who the vendor is, what rules apply and whether the way AI is used is appropriate for a given process.

AI in a company doesn't end with the question: "does it work?"

Increasingly, it starts with the question:

"Do we know on what terms we're using it?"

Sources

  1. The European Commission published the General-Purpose AI Code of Practice on 10 July 2025; the code helps general-purpose model providers meet their AI Act obligations on safety, transparency and copyright.
  2. The European Commission explains that the GPAI Code of Practice is a voluntary tool prepared by independent experts in a multi-stakeholder process, and that its three main chapters cover transparency, copyright, and safety and security for the most advanced models.
  3. The European Commission indicates that model providers who sign the code can demonstrate compliance with the AI Act by following its provisions, which is meant to reduce administrative burden and increase legal certainty.
  4. Reuters described the EU Code of Practice as a voluntary tool supporting AI Act compliance, focusing on transparency, copyright, safety and security.