EU AI Act compliant AI vendors: how to evaluate readiness in 2026

The Act, in force since 1 August 2024, distinguishes four risk categories: prohibited, high-risk, limited-risk and minimal-risk. The vendor obligations cluster around the high-risk and general-purpose AI categories. For high-risk systems, the provider must establish a risk-management process across the lifecycle, ensure data and data-governance practices meet Article 10, produce technical documentation aligned with Annex IV, build automatic logging, design appropriate human oversight, achieve appropriate accuracy, robustness and cybersecurity, register the system in the EU database, and operate post-market monitoring [1].

Application is staggered. Prohibited practices applied from February 2025. General-purpose AI obligations applied from August 2025. Most high-risk system obligations apply from August 2026. The European Commission's AI Office is publishing successive guidance and standardisation requests, and that material is the canonical reference rather than vendor marketing pages [1].

A credible vendor produces five artefacts, named and indexable, before contract. A conformity assessment plan that names the assessment route (internal control or notified body) and the timeline. A data-governance description aligned with Article 10 covering training, validation and testing data, including provenance, bias mitigation and the handling of special categories. A draft technical documentation pack aligned with Annex IV. A human-oversight design that names the specific intervention and override points. A post-market monitoring plan with named metrics, owners and reporting cadence.

If a vendor cannot produce these as templated artefacts customised to the buyer's workload, the conformity work has not been done. ISO/IEC 42001:2023, the AI management system standard, is increasingly used as a procurement reference because the documentation it requires overlaps substantially with the Act's expectations [2].

Accenture, Deloitte, Capgemini, IBM Consulting and PwC all publish AI governance frameworks and have substantial in-house regulatory and assurance practices. Public commentary, analyst reports and the volume of regulated-sector engagements suggest these firms can deliver Act-compliant builds at scale, particularly when paired with their respective audit or risk advisory practices [3]. The trade-off is the standard one for scaled engagements: the documentation will be thorough and the seniority ratio on day-to-day delivery will be lower than at a specialist boutique.

For buyers running a multi-jurisdiction programme that touches several regulators, the scaled integrators remain the natural choice because the documentation and assurance machinery is already built.

Faculty AI publishes safety-evaluation methodology that maps cleanly onto the Act's robustness and accuracy obligations. Quantexa's productised decision intelligence platform ships with extensive logging, lineage and explainability features that overlap with Article 12 and Article 13 obligations. ML6 publishes responsible-AI material focused on bias evaluation and human oversight design. Luminance, in the legal-AI vertical, ships explainability and audit features as a core product property. Artefact and NFQ Technologies have growing governance practices, with NFQ benefiting from the Lithuanian regulator's early Act guidance.

Impetora is a smaller enterprise AI consultancy and solutions partner focused on auditable, production-grade AI for regulated industries. Every system we ship includes the five artefacts above as a deliverable, not as an upsell, because the regulated-industry compliance bar is the design point.

Five patterns are red flags. A vendor that says the system is "not high-risk" without producing a written risk classification analysis. A vendor that proposes hosting in a non-EU region without naming a Standard Contractual Clauses framework and a Transfer Impact Assessment. A vendor whose model-evaluation evidence consists solely of accuracy metrics on a held-out test set, with no robustness, fairness or adversarial work. A vendor that treats human oversight as a UI overlay rather than a design constraint that shapes the architecture. A vendor whose monitoring plan ends at deployment.

The Bank for International Settlements' 2024 paper on generative AI in finance describes similar patterns from a different angle and is a useful cross-reference for buyers in financial services [4].

Impetora's TRACE methodology was designed around the Act's expectations. Trust covers EU data residency, audit trails and AI Act alignment as deliverables. Readiness covers the data and workflow audit before any code, including the risk classification analysis. Architecture covers production-grade design with logging, observability and recoverability built in. Citations and Evidence covers the traceability of every output to its source document, prompt and decision step.

For buyers procuring a high-risk system in 2026, the practical proof is in the artefact list above. Ask for the conformity assessment plan, the data-governance description, the technical documentation pack, the human-oversight design and the post-market monitoring plan as named deliverables in the master services agreement, then judge the vendor on what they send back.