EU AI Act enforcement · 2 December 2027 · Using ChatGPT, an ATS or assessment AI? · Hiring, education and worker-management AI need evidence · If AI helps decide people’s outcomes, map it now · EU market access goes before the fine

UK firms using AI to make decisions about people

You could lose the EU market by December 2027

Do you use ChatGPT, an ATS, screening tools, assessment software, worker monitoring, student scoring, or any AI that helps decide what happens to a person in Europe? From December 2027, the EU AI Act can hurt your business.

Enforcement clock

2 December 2027

High-risk AI rules start applying

The trigger is not where your company is based. It is what your AI does. If it helps rank, assess, admit, reject, allocate, monitor or evaluate people in the EU, your UK company may need high-risk evidence.

It starts with getting locked out of the EU market: clients, partners and procurement teams asking for evidence you cannot produce. Then come the regulators. The highest fine band is €35M (£29M) or 7% of worldwide turnover, whichever is higher.

Not just AI

Any decision-making system can count, including tools bought from vendors or quietly switched on inside existing software.

€35M / 7%

Fines can reach up to €35M or 7% of worldwide turnover, whichever is higher. Even outside the EU.

2 Dec 2027

Show evidence, oversight and controls for high-risk systems, or risk fines and the loss of EU access and contracts.

The lede

GDPR was the rehearsal. The EU AI Act has sharper teeth.

The EU AI Act is coming for business operations, not just obvious AI products. Under the Act, AI includes systems that generate predictions, recommendations or decisions. That means ChatGPT and Copilot workflows, vendor scoring, ranking, allocation, monitoring, student assessment, customer triage and the quiet automation already inside your software stack.

This is worse than GDPR in one practical way: the risk is not only inside your own systems. It also sits inside Workday, Microsoft, Salesforce, assessment tools, education platforms, browser extensions, AI add-ons and vendor features your teams may not even recognise as AI.

UK location does not insulate you. If you serve EU clients, handle EU people, or use AI outputs in EU-facing workflows, the EU AI Act can follow the work. The first test is not a legal memo. It is whether you can name the systems, owners, vendors, data paths, oversight and evidence before a buyer asks.

Section I — The six

The six AI systems that can put your business at risk.

The EU AI Act is not only about recruiters. It catches AI that helps decide what happens to people: hiring, work allocation, performance, education, access, assessment and monitoring. The risk often hides inside vendor platforms your team already uses.

High-risk

HCM and ATS decisioning

Workday / HiredScore / SAP SuccessFactors / Oracle / iCIMS

Ranking, matching, screening and recommendation logic inside core HR platforms. The vendor name does not remove your obligation to know what is switched on, where it is used and what evidence exists.

High-risk

ChatGPT and Copilot workflows

OpenAI ChatGPT / Microsoft Copilot / Gemini / Claude

Managers paste CVs, student work, performance notes and customer cases into general AI tools. If those outputs influence decisions about people, you need policy, logging, review and data controls.

High-risk

Assessment and scoring

HireVue / Arctic Shores / Pymetrics / SHL / ThriveMap

Video interviews, psychometrics, skills tests and behavioural scoring can all shape who advances. Calling it decision support does not remove the need for oversight and evidence.

High-risk

Education and student scoring

Turnitin / Canvas / Moodle plugins / exam proctoring / custom LLM tools

Admissions, grading, plagiarism flags, proctoring and student-risk scores can affect access to education. These systems need governance before a student, parent or buyer asks for the file.

High-risk

Worker management AI

Microsoft Viva / ServiceNow / Salesforce / Zendesk / workforce analytics

Allocation, productivity scoring, call analysis, quality monitoring and performance prompts can become employment decisions. The audit question is where the AI touches management action.

High-risk

Custom models and vendor add-ons

Eightfold / Textkernel / Daxtra / in-house models / embedded AI add-ons

Parsing, classification, risk scoring, suitability ranking and prediction models often appear as small features. Small features still need owners, controls and proof when they affect people.

The reach

“This Regulation should also apply to providers and deployers of AI systems that are established in a third country.”

Recital 22, Regulation (EU) 2024/1689

Self-check

Eight questions. Two minutes. One honest score.

Tick only what you can prove in writing today. Vendor marketing pages do not count. The score updates as you go.

The people

German engineering rigour.
Two operators who have led audit work from both sides of the table.

We are not management consultants or lawyers who need to bring in specialists before they can understand your IT systems, vendors and AI stack. PREFEX AI is led by senior operators: a former CEO and AI leader, and a quality and innovation leader with ISO 9001 and ISO 27001 certification experience. We can speak to the board, legal, IT, vendors and clients without losing the thread.

Tobias Kaechele

ex-CEO · CTO · Head of AI

Former CEO, CTO and Head of AI, and author of “AI Leadership”. Built and led AI organisations at executive level, while staying close enough to the systems to inspect what is actually running. Knows where vendor assurances usually stop and evidence must begin. Turns board risk into controls, evidence and client-ready answers.

AI risk · GDPR · Client evidence

Patrick Doering

ex-Head of Innovations · Quality Mgr

Led quality and innovation systems through ISO 9001 and ISO 27001 certification and surveillance cycles. Two decades inside German enterprise, working where process, evidence, suppliers and operational reality meet. Turns ambiguous requirements into controls, owners, corrective actions and operating documents that survive client and certification scrutiny.

ISO 9001 · ISO 27001 · Controls

AI risk is built on

GDPR · EU AI Act · ICO expectations · AI cybersecurity · vendor controls.

  • GDPR plus AI. GDPR did not go away. AI and vendors make it harder: DPIA, ROPA, lawful basis, processor control, data-subject rights and customer assurance now sit inside the AI risk conversation.
  • EU AI Act controls. High-risk AI needs more than a policy: system inventory, human oversight, data governance, incident handling, cybersecurity, supplier evidence and proof buyers can inspect.
  • Vendor controls. AI Act exposure often hides inside vendor tools, add-ons, defaults and pilots. The work is to turn vendor promises into usable evidence, obligations and internal controls.
  • Client scrutiny. EU clients and enterprise buyers will ask sharper questions before regulators arrive. We prepare the answers, evidence pack and operating story your team can defend.

Audit and fix

We audit your AI risk and readiness, then fix the gaps that matter.

We audit the systems, map the obligations, fix the documentation, challenge vendor answers and leave your team with a defensible operating pack your EU clients can actually inspect.

Phase 01

Inventory and scope

ATS modules, add-ons, pilots, spreadsheets, interview tools, assessment vendors and EU data paths. Including the experiments your team forgot they switched on.

Phase 02

Evidence and controls

Human oversight, supplier documentation, bias monitoring, DPIA alignment, change logs and incident handling. Each gap dated, costed, and assigned an owner.

Phase 03

Client-ready pack

A practical conformance dossier your EU client, auditor or procurement team can read and understand without theatre.

Section V — The next move

Start with a 30-minute AI Act preaudit.

Bring the messy version: vendor names, AI add-ons, pilots, spreadsheets, ChatGPT habits and the EU-facing workflow you are worried about. We will tell you what evidence would matter first.

  • Speak directly with Tobias or Patrick for 30 minutes, free and with no obligation.
  • Identify the AI or vendor workflows that may create EU AI Act exposure.
  • Leave with a clear view of whether you are exposed and what would need checking next.

Have another question for us?

“I lived through GDPR. I am not doing that scramble again.” That is the right moment to call.

Fully booked online

Please contact us on +44 (0)333 335 7530 or at [email protected].