ComplianceFebruary 18, 2026

From innovation to regulation: How internal audit must respond to the EU AI Act

By: TeamMate

Artificial intelligence has moved from experimentation to operational dependency in record time. AI systems now influence hiring decisions, credit approvals, fraud detection, healthcare diagnostics, cybersecurity monitoring, and customer interactions at scale. With that influence comes risk—risk to individuals, organizations, and societies. The European Union’s Artificial Intelligence Act (EU AI Act) represents the world’s first comprehensive attempt to regulate those risks through a binding legal framework.

The EU AI Act is not just a European compliance issue. Its global reach, risk-based structure, and explicit governance requirements make it a de facto global standard. Much like the General Data Protection Regulation (GDPR) before it, the EU AI Act will shape how organizations worldwide design, deploy, govern, and audit AI systems, regardless of their headquarters.

For internal auditors, the EU AI Act signals a fundamental shift. AI risk is no longer an abstract technology concern or a future consideration. AI is now a regulated risk domain with clear expectations for governance, controls, documentation, monitoring, and accountability.

This article explains what the EU AI Act is, how it affects organizations outside the EU, and what responsibilities internal audit functions must assume to remain relevant and effective in an AI-driven regulatory environment.

Want to stay up to date on Expert Insights?

Subscribe to our newsletter to receive monthly Expert Insights in your inbox.
Subscribe Now

What is the EU AI Act?

The EU Artificial Intelligence Act is a comprehensive regulatory framework governing the development, deployment, and use of AI systems within the European Union. First proposed in 2021 and finalized in 2024, the Act is expected to be fully enforced beginning in 2026, with phased implementation requirements leading up to that date.

The Act’s primary objective is to ensure that AI systems placed on or used within the EU market are safe, transparent, explainable, and respectful of fundamental rights, while still enabling innovation. Unlike sector-specific regulations, the AI Act applies across industries and technologies, making it one of the most sweeping digital governance laws ever enacted.

At its core, the AI Act introduces a risk-based regulatory model. Rather than treating all AI systems equally, it classifies them based on the level of risk they pose to individuals and society, and imposes obligations proportionate to that risk.

This approach reflects a recognition that AI is not inherently dangerous, but that certain uses—especially those affecting rights, safety, or access to essential services—require stronger oversight and controls.

EU AI Act risk categories

The EU AI Act risk levels dictate compliance obligations, banning certain harmful uses outright, imposing transparency and conformity requirements on high-risk systems, and encouraging voluntary codes of conduct for lower-risk applications. From a risk-based perspective, there are four EU AI Act risk categories: unacceptable, high, limited, and minimal.

Unacceptable risk: Certain AI practices are completely prohibited because they are considered incompatible with EU values and fundamental rights. EU AI Act unacceptable risk systems include those that manipulate human behavior in harmful ways, exploit vulnerable populations, or enable governments to engage in social scoring. EU AI Act unacceptable risk systems cannot be developed, sold, or used in the EU under any circumstances.

High-risk AI systems: EU AI Act high risk systems are permitted when strict requirements are met. Allowed high-risk systems are typically critical applications that handle sensitive data used in areas such as:

  • Employment and workforce management
  • Education and student assessment
  • Creditworthiness and financial services
  • Healthcare diagnostics and treatment
  • Law enforcement and public safety
  • Border control and immigration
  • Critical infrastructure management

EU AI Act high risk systems are subject to extensive obligations, including risk assessments, data governance controls, human oversight, technical documentation, logging, transparency, and ongoing monitoring.

Limited-risk AI systems: Limited-risk systems must meet specific transparency obligations, such as informing users when they are interacting with an AI system (for example, chatbots or deepfake content).

Minimal-risk AI systems: Most AI applications fall into this category and face no new regulatory obligations beyond existing laws. Examples include AI used in gaming, photo enhancement, or spam filtering.

The majority of regulatory focus and internal audit attention will be on high-risk AI systems, as these carry the most significant compliance, reputational, and operational exposure.

Why the EU AI Act matters beyond Europe

One of the most important features of the EU AI Act is its extraterritorial scope. The Act applies not only to organizations established in the EU, but also to organizations outside the EU if:

  • They sell AI systems on the EU market, or
  • The outputs of their AI systems are used within the EU

These two considerations mean that any organization creating AI systems may be fully subject to the Act, even if it has no physical presence in Europe.

The Act mirrors the global impact of GDPR, which forced organizations worldwide to rethink data governance, privacy controls, and accountability models. The AI Act is expected to have a similar effect on AI governance. From a practical standpoint, this means non-EU organizations must assume that EU AI Act compliance is unavoidable if they serve EU customers, employees, patients, or users in any capacity involving AI.

How non‑EU organizations must respond

For organizations outside the EU, compliance with the AI Act requires more than minor policy updates. It demands structural changes to how AI systems are identified, governed, controlled, and monitored.

AI inventory and classification

The first step is developing a comprehensive inventory of AI systems in use across the organization, including:

  • Internally developed models
  • Third-party AI tools
  • Embedded AI in vendor platforms
  • Generative AI used by employees
  • AI used indirectly through outsourcing arrangements

Each system must be assessed to determine whether it falls under the Act’s definition of AI and, if so, which risk category applies. The EU AI Act risk classification drives all downstream compliance obligations. Many organizations underestimate how pervasive unsanctioned AI already is in their operations. Without a reliable inventory, compliance is impossible.

Governance and accountability structures

The EU AI Act explicitly requires organizations to define clear accountability for AI risk. This includes ownership for:

  • AI strategy and adoption
  • Risk assessment and classification
  • Compliance with regulatory requirements
  • Ongoing monitoring and incident response

For non-EU organizations, this often means extending existing governance frameworks to include AI, rather than treating it as an IT or innovation concern.

Third‑party and supply chain risk

A significant portion of AI risk originates from vendors. Cloud providers, HR platforms, marketing tools, and security solutions increasingly rely on AI models that may qualify as high-risk under the Act. Many software vendors have been quick to release updates to their applications with AI-embedded features that customers may not be able to deactivate or explain.

Non-EU organizations must ensure that vendor contracts, due diligence processes, and ongoing monitoring comply with the EU AI Act’s requirements. Vendor contracts should include access to documentation, audit rights, and assurances regarding data quality, model governance, and regulatory compliance.

Documentation and transparency

The EU AI Act places heavy emphasis on documentation. Organizations must be able to demonstrate:

  • How AI systems were designed and trained
  • What data was used and why it is appropriate
  • How risks were assessed and mitigated
  • How human oversight is implemented
  • How system performance and outcomes are monitored

For organizations accustomed to agile development and rapid deployment, this documentation burden represents a cultural shift. In the rush to get their new products to the market, documentation is often an afterthought.

View a demo

TeamMate+ Audit

As the world’s leading audit management software, TeamMate has revolutionized the industry, empowering audit departments of all sizes. Join us for a demonstration of TeamMate+ Audit’s most powerful benefits leading audit evolution.

Length: 2 minutes, 54 seconds
View Demo

Internal audit’s role under the EU AI Act

The EU AI Act highlights the need for internal audit to play a critical governance partner in AI oversight. Internal auditors are uniquely positioned to assess whether effective AI governance structures exist, and to determine if management’s assertions about compliance are supported by evidence.

Auditing AI governance

An EU AI Act audit should evaluate whether the organization has established:

  • Clear AI governance frameworks
  • Defined roles and responsibilities
  • Board or executive oversight mechanisms
  • Policies governing acceptable AI use
  • Alignment between AI strategy and risk appetite

The elements listed above mirror traditional IT governance reviews but are further complicated by the EU AI Act's regulatory stringency. The absence of governance is itself a significant finding under the AI Act.

Auditing risk classification and impact assessments

EU AI Act high risk systems require formal risk assessments and impact analyses. An EU AI Act audit should assess whether:

  • AI systems are correctly classified under the Act
  • Risk assessments are complete and objective
  • Assumptions are documented and validated
  • Mitigation measures are implemented and tested

Auditors should be prepared to challenge optimistic classifications that downplay regulatory exposure.

Auditing data quality and model controls

The Act introduces expectations around data quality, bias mitigation, and model performance. An EU AI Act audit should examine:

  • Data sourcing and governance practices
  • Controls over training, testing, and validation data
  • Bias identification and remediation processes
  • Model drift detection and response mechanisms

Auditors are not expected to possess data scientist skills. As with any new risk area, the focus is on understanding control objectives and inspection of evidence.

Auditing human oversight and accountability

One of the Act’s central principles is that humans must remain accountable for AI-driven decisions, often referred to as “human in the loop”. An EU AI Act audit should assess:

  • Whether human oversight is meaningful or symbolic
  • Whether escalation paths exist for AI failures
  • Whether employees understand when and how to override AI outputs
  • Whether accountability is clearly assigned

Automated decision-making without effective human oversight represents a material compliance and ethical risk.

Auditing third‑party AI risk

Third-party AI failures are expected to have the highest failure rates. An EU AI Act audit should expand third-party risk audits to explicitly include AI considerations, such as:

  • Vendor compliance with AI Act requirements
  • Transparency into vendor AI models
  • Contractual protections and audit rights
  • Monitoring of vendor AI incidents

While many AI failures will originate outside the organization, regulators will still hold the organization accountable. Just as with any other risk, each organization is responsible, and accountability cannot be passed to a third party.

Why EU AI Act audits are critical to compliance

The EU AI Act formalizes the need for effective AI governance risk oversight. The Act forces organizations to move beyond informal, ad hoc AI usage and toward disciplined, auditable control environments. Internal audit functions must invest in AI literacy, understanding governance frameworks, and designing audit methodologies. Delaying this responsibility will sideline internal auditors as AI decisions increasingly shape enterprise risk profiles.

The Act also reinforces the need for continuous auditing and monitoring, as AI systems evolve dynamically and cannot be assessed through static, one-time reviews. As highlighted in professional guidance for internal auditors, including perspectives from The Institute of Internal Auditors, regulators increasingly expect internal audit to play an active role in identifying AI risks, facilitating governance discussions, and providing assurance over emerging risk domains.

Prepare now for increased requirements

Full enforcement of the EU AI Act is still ahead, and additional regulations are sure to come. Organizations that wait will struggle to catch up. Internal auditors should act now to:

  • Build AI literacy within audit teams
  • Incorporate AI risk into audit planning
  • Engage with management on governance design
  • Pilot AI-focused audits and advisory reviews
  • Align audit frameworks with emerging regulatory expectations

The EU AI Act is not just another compliance requirement. The Act is a signal that AI has reached a level of impact where informal controls and reactive oversight are no longer acceptable. AI assurance is now a core component of modern governance, risk, and compliance.

EU AI Act Example Risk and Control Matrix (RCM)

Risk Domain Risk Risk Description Key Controls 
AI Inventory and Classification Incomplete AI inventory AI systems subject to the EU AI Act are not fully identified, leading to unmanaged compliance exposure. • Maintain a centralized AI inventory covering internal, third-party, embedded, outsourced, and employee-used (shadow) AI 
• Require intake/registration before production use
• Periodic reconciliation with procurement and architecture repositories
AI Inventory and Classification Incorrect risk classification AI systems are misclassified (e.g., high-risk treated as limited risk), resulting in missed obligations and potential enforcement risk. • Formal AI risk-classification methodology aligned to EU AI Act categories
• Documented rationale
• Legal/Compliance review and approval
• Reclassification trigger upon material changes
AI Inventory and Classification Shadow AI usage Employees use generative or automated AI tools without oversight, potentially exposing regulated data or creating ungoverned decision impacts. • AI acceptable-use policy
• Approved tooling list
• DLP and access controls for regulated data
• Monitoring of AI tool usage
• Enforcement actions and exception handling
AI Governance and Accountability Lack of AI governance No defined governance structure exists to oversee AI strategy, risk, compliance, and ethical use. • AI governance framework with committee/charter
• Defined decision rights alignment to enterprise risk appetite
• Periodic governance reviews
AI Governance and Accountability Unclear accountability Responsibilities for AI compliance, performance, and risk are unclear, creating gaps in control execution and escalation. • Named AI system owners and risk owners
• RACI covering lifecycle (design, train, deploy, monitor, retire)
• Segregation of duties across build/approve/operate
AI Governance and Accountability Board oversight gaps Board and audit committee do not receive sufficient reporting to exercise oversight over AI risks and compliance obligations. • Regular AI risk reporting to board/audit committee
• KPI/KRI dashboards
• Material-incident reporting thresholds
• Periodic deep-dive reviews on high-risk AI
Risk Assessment and Impact Analysis Missing AI risk assessments High-risk AI systems lack documented risk and impact assessments prior to deployment, violating governance expectations and increasing harm likelihood. • Mandatory AI risk and impact assessments before production
• Standardized templates
• Independent review
• Go-live gating control
Risk Assessment and Impact Analysis Inadequate assessment quality Assessments do not sufficiently evaluate bias, explainability, security, privacy, misuse, and downstream impacts. • Assessment quality standards
• Required risk categories and test coverage
• Peer review
• Legal and ethics review where applicable
Risk Assessment and Impact Analysis No reassessment after changes AI risks are not reassessed after model updates, data changes, or context shifts, leading to drift and control breakdowns. • Periodic reassessment cadence
• Reassessment triggers (model retrain, feature changes, new population)
• Change management integration
Data Governance and Model Integrity Poor data quality Training or operational data is inaccurate, incomplete, or not representative, driving unreliable and potentially harmful outcomes. • Data governance standards for AI
• Data quality controls and thresholds
• Data lineage documentation
• Access controls and retention rules
Data Governance and Model Integrity Bias and discrimination AI outcomes introduce unlawful or unethical bias impacting protected classes or vulnerable groups. • Bias testing and fairness validation
• Documented mitigations
• Monitoring for disparate impact post-deployment
• Controlled use of sensitive attributes
Data Governance and Model Integrity Model drift and degradation Model performance degrades over time due to drift, changing data, or adversarial behavior without timely detection. • Model performance monitoring
• Drift detection alerts
• Periodic revalidation
• Incident workflow for performance degradation
Transparency and Documentation Insufficient documentation Required technical documentation is missing or incomplete, preventing demonstration of compliance to regulators and stakeholders. • AI documentation standards (model cards/system cards)
• Version control
• Documentation completeness checks
• Centralized documentation repository
Transparency and Documentation Lack of user transparency Users are not informed they are interacting with AI or are not provided required disclosures and instructions. • Transparency notices
• User-facing disclosures
• Labeling for AI-generated content where applicable
• Periodic UX/legal review
Transparency and Documentation Inability to explain decisions AI output cannot be explained to impacted individuals, auditors, or regulators, undermining trust and legal defensibility. • Explainability requirements for high-risk systems
• Interpretable outputs where feasible
• Documented explanation approach
• Support playbooks
Human Oversight and Intervention Over-reliance on automation AI decisions are accepted without meaningful human review, leading to unchecked errors or rights impacts. • Defined human-in-the-loop controls
• Decision thresholds requiring review
• Quality sampling
• Dual-approval for sensitive outcomes
Human Oversight and Intervention Inadequate override capability Humans cannot intervene or override AI outputs effectively during exceptions or incidents. • Manual override procedures
• Emergency shutoff/kill switch
• Escalation paths
• Tested continuity procedures for AI outages
Human Oversight and Intervention Poor user training Users do not understand AI limitations, appropriate reliance, and escalation triggers. • Mandatory training for AI users and approvers
• Role-based guidance
• Periodic refresher training
• Attestations
Third-Party and Supply Chain AI Risk Vendor non-compliance Third-party AI systems do not meet EU AI Act requirements, creating compliance exposure for the deploying organization. • AI-specific vendor due diligence
• Evidence collection (documentation, testing, certifications)
• Ongoing monitoring
• Supplier remediation plans
Third-Party and Supply Chain AI Risk Lack of contractual protections Contracts do not include required AI compliance clauses, transparency commitments, audit rights, and incident notification duties. • Standard AI contract clauses
• Legal review gates
• Audit rights
• Incident notification SLAs
• Data usage restrictions
Third-Party and Supply Chain AI Risk Limited vendor transparency Organization lacks visibility into vendor model behavior, training constraints, and control effectiveness. • Right-to-audit and transparency disclosures
• Minimum documentation deliverables
• Vendor performance reporting
• Periodic supplier reviews
Monitoring, Incident Management, and Reporting AI incidents go undetected Harmful, non-compliant, or unsafe AI behavior is not detected quickly, increasing impact and regulatory exposure. • AI incident monitoring; defined detection signals
• Integration with SOC/IRM
• Anomaly and complaint intake channels
Monitoring, Incident Management, and Reporting Poor incident response AI incidents are not escalated, contained, investigated, or remediated effectively. • AI-specific incident response procedures
• Escalation matrix
• Post-incident reviews
• Corrective action tracking
Monitoring, Incident Management, and Reporting Regulatory reporting failures Required notifications or documentation requests from regulators are missing or handled inconsistently. • Regulatory notification procedures
• Legal review
• Reporting logs
• Evidence retention and response playbooks

Subscribe below to receive monthly Expert Insights in your inbox

Missing the form below?

To see the form, you will need to change your cookie settings. Click the button below to update your preferences to accept all cookies. For more information, please review our Privacy & Cookie Notice.

TeamMate
For auditors who are challenged to improve audit productivity while delivering strategic insights, TeamMate provides expert solutions, delivered with premium professional services, to auditors around the globe and in every industry.

Subscribe below to receive monthly Expert Insights in your inbox

Missing the form below?

To see the form, you will need to change your cookie settings. Click the button below to update your preferences to accept all cookies. For more information, please review our Privacy & Cookie Notice.

TeamMate+ AI Editor

TeamMate offers the resources and tools to harness AI's potential.
Learn More
TeamMate+ AI Editor helps teams work faster, produce higher-quality documentation, and improve audit standards.
Learn More
View a Demo
Contact Us

Related Insights

  • Article
    Compliance
    October 22, 2025

    Navigating AI cybersecurity risks: The role of internal controls in a threat-driven landscape

    As AI threats continue to evolve, internal auditors and risk professionals must ensure that their internal control frameworks are adaptable and robust enough to strengthen their ability to assess an organization’s preparedness and compliance posture.
    Learn More
  • Article
    Compliance
    October 01, 2025

    Building stronger control environments through controls automation

    Discover how controls automation strengthens governance, reduces risk, and improves efficiency. Learn the difference between manual and automated internal controls, see real-world examples, and explore best practices for technology integration.
    Learn More
  • Article
    Compliance
    September 25, 2025

    Fintech trends: Shaping risk and assurance in 2026

    Fintech is transforming internal audit—bringing both risk and opportunity. Auditors must grasp emerging tech to stay ahead in a rapidly evolving financial world.
    Learn More
  • Article
    Compliance
    September 10, 2025

    Specialize or generalize: The future of internal auditing

    Learn how audit specialists and generalists each add value—and how to strike the right balance.
    Learn More
Back To Top