The 90-Day Path to EU AI Act Compliance — A Programme Guide for the CIO
Sixty days remain before the 2 August 2026 deadline. Most enterprises are behind. Most won't be ready. A defensible posture is still achievable in 90 days of focused work, even from a standing start. Here's the day-by-day programme we run with CIOs to get them from "unaware of exposure" to "audit-ready position."
Sixty days before the 2 August 2026 deadline, I was in a conversation with the General Counsel of a tier-1 European bank who hadn't yet briefed her executive committee on the bank's EU AI Act exposure. The reason wasn't institutional resistance — it was that her team genuinely didn't know what the exposure was. Their AI inventory was incomplete; their classification work hadn't been done; the gap analysis hadn't been started. She wasn't alone. Most of the BFSI and healthcare enterprises we've spoken to in May and June 2026 are in the same position: aware that the deadline is coming, behind on the work to be ready for it, and uncertain about what a defensible 90-day programme actually looks like. Most enterprises are behind. Most won't be ready in the sense of being fully compliant. A defensible posture is still achievable in 90 days of focused work — even from a standing start — and that's what the supervisor will look for in the first round of enforcement. Here is the day-by-day programme we run with CIOs and CROs to get them from "unaware of exposure" to "audit-ready position."
Days 1–14: Mobilise + commission the programme
Appoint a programme lead with authority — typically reporting to the Chief Risk Officer or Chief Compliance Officer. Charter the programme at board-awareness level. Stand up the working group: Legal, Risk, Tech, AI/ML, Compliance, HR (if HR AI is in scope), and Procurement. Brief the executive committee on exposure and the programme timeline. Allocate the budget envelope. None of this is technical work, but skipping it produces stalled programmes — the technical work doesn't start cleanly without the programme structure in place.
Days 15–45: Inventory + classification
Comprehensive inventory of every AI system — production, pilot, shadow IT (especially shadow IT), vendor-supplied, internally built. This work surfaces 30–50% more AI systems than initial estimates at most enterprises we've assessed. Classify each system against Annex III categories. Determine provider-vs-deployer posture per system, including explicit Article 25 trigger review. Document the rationale per classification — the rationale, not just the conclusion. Output: a risk-tier register signed off by the CRO.
Days 46–60: Gap analysis
For each high-risk workload identified in the inventory, gap-analyse against the Articles 9–15 obligations:
- Risk management framework: present or absent.
- Data governance documentation: present or absent.
- Annex IV technical documentation: present, partial, or absent.
- Logging and record-keeping: present at adequate granularity, present at inadequate granularity, or absent.
- Transparency to deployers (if you're a provider): present or absent.
- Human oversight: effective, nominal, or absent.
- Accuracy / robustness / cybersecurity controls: present or absent.
Quantify remediation effort per workload. Prioritise by exposure (penalty risk × reputation risk × strategic importance).
Days 61–80: Remediation plan + architecture decisions
Sequence remediation across workloads — fixing the highest-exposure ones first. For each workload, the architecture decision: sovereign on-prem, cloud-with-controls, or retire-and-replace. Most workloads at most enterprises will land on sovereign on-prem for the regulated portion; this conclusion shouldn't surprise the CIO at this point. Resource and budget envelope for the remediation. Vendor and partner selection (engineering partners, legal advisors, conformity-assessment bodies if external assessment is needed). Output: a board-ready remediation plan with sequencing and resource commitments.
Days 81–90: Board signoff + Phase-1 kickoff
Board paper covering exposure, plan, investment envelope, and risk-managed approach to the timeline. The realistic framing for the board: full compliance for every workload by 2 August 2026 isn't achievable from a standing start, but a defensible programme — board-aware, well-resourced, sequenced, demonstrating good-faith engagement with the obligations — is. That posture is what the supervisor will look for in the first round of enforcement. First remediation workstream kicked off. Quarterly programme cadence established with the board. By day 90 the enterprise has moved from "unaware" to "actively managing."
What the supervisor will actually ask for on 3 August 2026
There are three artefacts that the supervisor's first-round review will request. One: the AI inventory with risk classification per system. Two: the gap analysis against Articles 9–15 per high-risk system. Three: the remediation plan with timelines and accountabilities. Each of these is achievable in the 90 days described above. None of them requires having every workload fully compliant by 2 August — they require an honest accounting of the current state and a credible plan to address it. The enterprises that produce these three artefacts cleanly will not be in the first wave of enforcement. The enterprises that produce nothing will be.
What to do if you're starting in July 2026 with 30 days left
Compress the programme to 30 days by deprioritising shadow-IT inventory (revisit later) and focusing the gap analysis on the top 5 high-risk workloads only. Days 1–10: inventory the top 20 production systems, classify the 5–10 most likely Annex III workloads, draft the board paper. Days 11–20: gap-analyse the top 5 against Articles 9–15. Days 21–30: present to board, get budget commitment, kick off remediation. The 30-day version produces less coverage but the same defensible posture: the enterprise can demonstrate it knew its exposure and was actively managing it. /eu-ai-act covers the full article-by-article mapping; /playbooks/eu-ai-act offers the 18-page whitepaper with the engineering checklist.
Saurabh Goenka
Saurabh has spent the last five years shipping sovereign AI for regulated enterprises. He's personally led engagements with tier-1 banks across the Gulf, East Africa and South Asia, with healthcare systems in the UK and India, and with central-government agencies on three continents. He speaks regularly at industry forums on the engineering reality of EU AI Act compliance and sovereign LLM deployment.
- NASSCOM Tech Excellence 2026 — Healthcare AI category winner
- ET NOW 40 Under 40 (2026)
- Outlook Dynamic Leaders (2025)
- ICAI 40 Under 40 (2025) · Chartered Accountant
- Forbes Business Council member (2021–present)
- 50+ enterprise AI deployments shipped