EU AI Act · 18 min read

Does the EU AI Act Apply to My Company's Hiring?

Using AI to screen or rank candidates? The EU AI Act likely makes that high-risk — even if you're outside the EU. What it means for your company, and what to do now.

June 30, 2026·Qadar AI
Tags: EU AI Act, AI Governance, Hiring, High-Risk AI, AI Compliance

Short answer: if you use AI to screen, rank, or evaluate candidates, almost certainly yes — and likely even if your company sits outside the EU. AI in recruitment is named as high-risk under the EU AI Act, and the obligations that come with it fall on you, the company using the tool — not just the vendor who built it.

That sentence catches a lot of capable people off guard. So let's walk through who's actually in scope, what you're on the hook for, and what to do about it — without the fear-marketing.

A note up front, because it matters: I'm Darius Suryadi, founder and director of Qadar AI, an AI security, control and governance platform based in the DIFC in Dubai. I'm a hands-on founder — I'm in the architecture and the code, not just the deck.

What pulled me here is simple: I use AI intensively myself. That made two things obvious fast. First, this is a bigger shift than the internet, and it isn't going away. Second — because I used it so much — the risks were just as obvious. The moment a company feeds contracts, employee records or customer data into an LLM, that's legally and commercially dangerous. And as a candidate myself, I don't want my data quietly swept into someone's model — GDPR already drew that line for personal data.

The key moment was realizing those two truths collide exactly as the EU AI Act came into force: AI adoption is unstoppable, and it now carries hard obligations. So what's needed isn't "use less AI" — it's an independent layer that lets people keep using their tools without leaking data or triggering things they'll regret. Same logic as GDPR: you don't trust Google Analytics or the website owner to self-police privacy; you need an independent third party. That's what we built Qadar to be for AI.

And the reality I see everywhere: practically every company already runs AI without governance. Employees adopt it faster than compliance teams — or the leadership of smaller firms — can put safeguards in place, because the upside is immediate. Meanwhile the risk is real and technical: with prompt injection, an LLM-based tool can be made to disclose whatever internal company information sits in its context, its connected documents or the tools it can call. No current model is immune to it; it is a property of how these systems take instructions, not a bug in one vendor's product.

Hiring is one of the sharpest versions of this — candidate data going into an AI screener, scored against a client's criteria, with no oversight and no record, in a use case the EU AI Act treats as high-risk. That's exactly the fault line I sit on.

"We're not in the EU" — does the Act still reach us?

It probably does. The instinct everyone walks in with is: the Act is European, my company isn't European, so it's not my problem. That's the wrong mental model. The EU AI Act — exactly like GDPR before it — doesn't follow your headquarters. It follows the output of the AI and the person that output lands on.

The trigger that pulls in non-EU companies is this: if the output of your AI system is used in the EU, you're in scope — even if you, your servers, and your whole team never set foot on European soil. In hiring, the "output" is the screening, the score, the ranking, the shortlist call. So the real line is about where that decision lands:

  • A Dubai search firm screening a candidate who's sitting in Berlin → that's an AI assessment of a person in the EU. In scope.
  • A US company hiring for a role based in Dublin, running applicants through an AI ranker → the decision takes effect in the EU. In scope.
  • You have an EU entity or subsidiary that deploys the tool → now you're also a deployer established in the EU, the most direct route in. In scope.
  • A clean, fully non-EU pipeline — non-EU company, non-EU role, non-EU candidates, output used only outside the Union → no EU person, no EU output, no EU entity. Then it doesn't reach you. But the moment one EU-based candidate enters that funnel, the answer flips for that process.

That flip is not hypothetical. International executive search is the textbook case: when you run a global mandate, EU-based candidates land in the funnel almost by default. I've watched a sharp, experienced operator be certain "this doesn't apply to us" right up until we mapped the pipeline and the EU candidates were already there. The "this is European, not us" assumption flips the instant you look.

One honest caveat: this law is new, and the "output used in the EU" test hasn't been litigated for hiring yet. So the smart move isn't to gamble on the narrowest possible reading — it's to assume that if EU candidates touch your AI, you're in scope, and put the governance in place so the question never becomes a problem.

"The vendor handles compliance" — don't they?

No. This is the most dangerous misconception in the whole topic, so let's kill it properly. The Act deliberately splits the responsibility in two. The provider — the company that builds the AI tool — has to make it safe, documented, and conformant. But the deployer — you, the company actually using it on real candidates — carries a completely separate set of duties. You can buy the tool. You cannot buy your way out of the deployer half. And that half is where almost everyone is exposed.

Here's the deployer's side of the ledger, in plain terms:

  • Human oversight. A named, competent person who can understand the system's output, has the authority to override it, and actually does — not a rubber stamp.
  • Tell the candidates. People assessed by a high-risk AI system have to be informed they're subject to it — and for decisions that materially affect them, you need to be able to explain the basis.
  • Tell your own people. If it's used in the workplace, you inform workers and their representatives before you switch it on.
  • Use it as intended + monitor it. Operate it the way the provider specified, and keep watching for drift, malfunction, or bias over time — with a duty to suspend and report if something goes wrong.
  • Keep the logs. Retain the records the system generates — the audit trail of who was assessed, when, and on what basis — for the required period (the Act sets a floor of at least six months for logs under your control; other EU or national law can require longer).
  • Mind the input data + the GDPR overlap. Candidate data is personal data; your choices about what goes in are yours, and a data-protection assessment usually rides alongside (have the Data Processing Agreement in place).

Where do teams fall short? Three, almost every time:

  1. Oversight is theatre. This is the big one. People think "we have oversight" because a recruiter looks at the AI's shortlist and clicks approve. But if that recruiter can't tell you why the model ranked candidate A over candidate B, and wouldn't realistically overrule it, that's not oversight — it's a rubber stamp on a black box. Most "human in the loop" is a human next to the loop.
  2. No audit trail. The decision lived inside a vendor tool, nothing was retained, and when a rejected candidate or a regulator asks "why," there's no record to produce.
  3. Set-and-forget. They notify nobody, check for bias once at procurement, and never look again.

The provider's job is to make the tool capable of being compliant. The deployer's job is to make its use compliant — every day, on every candidate, with evidence. That second job is exactly the part "the vendor handles it" quietly skips.

Is my tool actually high-risk? (Where the line is)

Not every AI in hiring is high-risk — and the law is fairly specific about where the wire is. The test I use is simple: does the AI evaluate, filter, rank, or target a person? If yes, you're almost certainly in the high-risk bucket. If it only handles logistics or generates content — with no decision about a candidate — you're probably not.

Annex III names recruitment explicitly: AI used to place targeted job ads, to analyse and filter applications, and to evaluate candidates. So:

Clearly high-risk:

  • CV screening and candidate ranking — the textbook case. Filtering and scoring people.
  • AI video-interview analysis that assesses competencies or "fit" — you're evaluating candidates.
  • Targeted job advertising — and this one surprises people. If an AI decides who gets shown the job, that's named in the Act. Most teams file it under "marketing" and never realize it's in scope.

Probably not high-risk:

  • A chatbot that only schedules interviews — pure logistics, no evaluation.
  • An AI that writes job descriptions or ad copy — generating text isn't deciding about a person.
  • Grammar or formatting helpers.

The Act even has an explicit exception for narrow, procedural, or preparatory tasks — with one big catch: if the system profiles people, the exception doesn't apply and it's high-risk regardless.

The genuine gray area, where people get it wrong in both directions:

  • Wrongly safe — "sourcing" tools. If it just searches and surfaces names, fine. But the moment it ranks or scores who you should approach, that's evaluating candidates. People call it search; the Act calls it selection.
  • Wrongly safe — a "scheduling" chatbot that quietly qualifies people ("do you have 5 years' experience?") and filters them out. That's not logistics anymore; that's filtering applications.
  • Wrongly panicking — teams convinced their JD-writer or calendar bot is a compliance bomb. It isn't. Generating content and booking slots aren't decisions about candidates.

And one that goes beyond high-risk: emotion recognition in video interviews. If a tool claims to read a candidate's confidence, enthusiasm, or emotional state from their face or voice, that's not just high-risk — inferring emotions in a workplace or recruitment context is, with narrow exceptions, outright prohibited under the Act. Several "AI interview" products are quietly on the wrong side of that line.

So the map: logistics and content → usually out. Evaluating, filtering, ranking, targeting, or profiling a person → in. Reading their emotions → possibly banned. When in doubt, ask what the tool actually decides about a human — not what the vendor calls it.

When does this actually bite — and what are the stakes?

The timing surprises people in both directions. The Act came into force in August 2024, but it switches on in stages:

  • Already live (since 2 February 2025): the outright prohibitions — including emotion recognition in a recruitment or workplace context — and the AI-literacy duty, meaning the people operating these tools are already expected to understand them. If you're running an "AI interview" tool that reads candidates' emotions, you're not waiting for a deadline; you're already on the wrong side of one.
  • 2 August 2025: rules for general-purpose AI models and the penalty regime came online.
  • 2 August 2026: the big one — the high-risk obligations under Annex III, where recruitment AI lives.

So calibrate accordingly. Not blind panic — but the window for "we'll get to it methodically over the next year or two" has basically closed for high-risk hiring AI. The honest message is: late, but not too late — if you start now.

Now the teeth. The headline numbers are real: up to €35 million or 7% of global turnover for using a prohibited system, and up to €15 million or 3% for getting the high-risk obligations wrong. But in my experience, the fine is almost never what a company feels first. What actually bites sooner:

  • A rejected candidate. They have the right to know AI assessed them and, for decisions that matter, to an explanation. One candidate — or one candidate's lawyer — who suspects bias puts you under a microscope long before any systematic enforcement.
  • The vendor assessment. This is the one that hits commercially. Your enterprise customers already add AI-governance questions to their procurement and security questionnaires — exactly like they did with GDPR. If you can't show which AI you use in hiring, who oversees it, and where the audit trail is, you fail the assessment and the deal stalls. (Here's what that section of the questionnaire looks like.) That's revenue, this quarter — not a fine someday.
  • Then the regulator, the press, the lawsuit.

The fine is the story everyone tells; the lost deal is what they actually experience.

What this looks like in the real world: an executive-search firm

Let me make this concrete. Julian von Blücher runs an executive-search firm — high-end headhunting — and he's a Qadar AI customer who's happy to be named here. His setup was, honestly, quite simple, which is exactly why it's so representative.

They were using an LLM to screen CVs: the logic was "here are our current mandates — does this candidate fit?", and the model scored candidates against the client's criteria. Fast, useful, and on the surface, harmless.

But that setup bought them speed with zero transparency. When I asked the simple questions, the gaps were immediate: Which AI screened which candidates? Which CVs went through it? On what basis was each person scored? There was no audit log. The model made judgments about real people's careers, and none of it was recorded.

And this is squarely high-risk territory — analysing applications and evaluating candidates is the textbook case. So the exposure was real. Picture a rejected candidate, an auditor, or one of Julian's own enterprise clients running a vendor assessment, asking: "Show me how this decision was made, and prove the AI was governed." The honest answer at that point was fail. No record, no defensibility, candidate data flowing into a model with no controls around it.

What changed: through Qadar AI, we put the governance layer underneath it. The screening still happens — we didn't slow the business down — but now it's auditable. There's a record of which AI assessed which candidate, when, and against what criteria; the client and candidate data is handled on the safe side, under control, instead of leaking into a tool nobody was watching.

The before-and-after, in one line: before, Julian could screen fast but couldn't prove anything; after, he can screen just as fast and prove all of it — to a client's procurement team, to a regulator, to a candidate who asks. The speed stayed. The exposure left.

What I actually think (and where I disagree with the standard advice)

Some of this cuts against the consulting consensus.

Stop waiting for perfect legal certainty. The common line is "let's wait for the guidance, the standards, the case law before we move." That's a trap. The certainty won't arrive before the obligations do — and the governance you'd build anyway (knowing which AI you use, who oversees it, keeping the audit trail) is valuable no matter how the fine print lands. It helps you with the AI Act and GDPR and a client's vendor assessment and your own bias risk. Waiting optimizes for a certainty that never comes while the exposure compounds.

Ripping out your AI hiring tools "to be safe" is the wrong move. The Act isn't anti-AI — it's anti-ungoverned AI. Tearing out tools that genuinely make you faster, to avoid the work of governing them, is throwing away the value to dodge the responsibility. The answer was never less AI. It's AI you can account for.

Compliance theatre is worse than doing nothing. A "human in the loop" who rubber-stamps a black box. A policy PDF nobody enforces. A bias check you ran once at procurement. These don't just fail to protect you — they actively hurt, because now you've documented that you "had oversight" and a regulator or a candidate's lawyer can show it never actually worked. Honest gaps are recoverable. A paper trail of fake controls is evidence against you.

And what most consultants and vendors get wrong: consultants sell this as a one-time deliverable — a readiness assessment, a gap-analysis binder. But compliance here is operational and ongoing: every candidate, every screen, every day, with evidence. A binder is exactly what fails the moment a real candidate complains. And tool vendors love to say "our product is EU-AI-Act-compliant" — which quietly implies they've handled your half. They haven't. They can't.

A 5-step starter plan you can begin this morning

You don't need to become a lawyer or a data scientist by Monday. You need to do five things, in order — and the first one you can start before your coffee's cold.

  1. Find what AI is actually touching your hiring. Write out your funnel — sourcing, job ads, screening, interviews, assessment, the final call — and for each step ask: is there AI in here? Be honest about the hidden stuff: the "smart matching" already baked into your ATS, the AI in your sourcing tool, the video product that quietly scores people, and the recruiter who pastes CVs into ChatGPT to "save time." Ask your recruiters directly what they use — including their personal tools. Almost everyone finds more than they expected. (This is the shadow AI problem, in miniature.) You can't govern what you can't see.
  2. Triage by what the AI decides. For each tool, one question: does it evaluate, filter, rank, target, or profile a candidate? If yes, it's high-risk — that's your priority list. If it just schedules meetings or writes job ads, it's probably fine. Don't boil the ocean.
  3. Stop the obvious bleeding today. Two immediate moves: (a) if any tool reads candidates' emotions from video or voice, pause it now — that may be prohibited, not just high-risk. (b) Put one rule in place: candidate data only goes into approved tools — no pasting full CVs into random public AI. Highest protection for the least effort.
  4. Put in the three cheap, high-leverage pieces. (a) A named human owner with real oversight for each high-risk tool — someone who can understand the output, has the authority to overrule it, and actually does. (b) Tell candidates AI is part of your assessment, and be ready to explain a decision. (c) Make sure there's an audit trail — a record of which AI assessed whom, when, and on what basis. This is the single thing that turns "we'd fail" into "we can prove it." (A written AI usage policy anchors all three.)
  5. Make it a routine, not a one-off. Put a quarterly review on the calendar: re-scan for new AI (it creeps back in), re-check the high-risk tools, keep the records current — with a named owner. These obligations are ongoing; a one-time cleanup decays in weeks.

See it, sort it, stop the worst, govern the rest, repeat.
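What the audit-trail and oversight pieces above (the deployer ledger earlier on this page and step 4 of the plan) can look like in practice, as an added example written for this article's argument: it is illustrative code, not Qadar AI's product and not any hiring tool's API. Every name in it, the field layout, the pseudonymization key and the sample records are assumptions and constructed data. Each record captures which model and which criteria version scored which (pseudonymized) candidate, what the model recommended, who the human reviewer was and what they decided. The log is hash-chained so that an edited, deleted or reordered entry is detectable, it answers a candidate's "was I assessed by AI, when, and on what basis?", and it exposes rubber-stamp oversight: a reviewer who never overrides the model across dozens of decisions is a human next to the loop, not in it.

```python
"""Tamper-evident audit trail for AI-assisted candidate screening.

Added example for this article; not Qadar AI code and not any vendor's API.
All names, field layouts and sample records below are assumptions.
"""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone

# Assumption: a per-deployment secret (keep it in a secrets manager). Candidate
# IDs in the log are HMAC pseudonyms: no raw PII, but still linkable when a
# candidate asks "was I assessed?".
PSEUDONYM_KEY = b"rotate-me-and-store-in-a-secrets-manager"
GENESIS_HASH = "0" * 64


def pseudonymize(candidate_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Stable, non-reversible reference to one candidate."""
    return hmac.new(key, candidate_id.encode(), hashlib.sha256).hexdigest()[:32]


def canonical(record: dict) -> bytes:
    """Deterministic serialization so hashes are reproducible across processes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class ScreeningRecord:
    candidate_ref: str        # pseudonymized candidate id, never the CV itself
    model_id: str             # which AI system screened the candidate
    model_version: str
    criteria_version: str     # which client criteria / mandate the score was against
    ai_score: float
    ai_recommendation: str    # "advance" | "reject"
    reviewer: str             # the named human owner with authority to override
    human_decision: str       # what the human actually decided
    rationale: str            # the basis you will have to explain to the candidate
    timestamp: str = field(
        default_factory=lambda: datetime.now(timezone.utc).isoformat())


class AuditLog:
    """Append-only, hash-chained log: each entry commits to all previous ones."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, rec: ScreeningRecord) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS_HASH
        body = asdict(rec) | {"prev_hash": prev}
        entry = body | {"entry_hash": hashlib.sha256(canonical(body)).hexdigest()}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; any edit, deletion or reordering breaks it."""
        prev = GENESIS_HASH
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["prev_hash"] != prev:
                return False
            if hashlib.sha256(canonical(body)).hexdigest() != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True

    def history_for(self, candidate_id: str) -> list[dict]:
        """Answer 'was I assessed by AI, when, and on what basis?' for one person."""
        ref = pseudonymize(candidate_id)
        return [e for e in self.entries if e["candidate_ref"] == ref]

    def override_rate(self) -> float:
        """Share of AI recommendations the human reviewer actually changed."""
        if not self.entries:
            return 0.0
        n = sum(1 for e in self.entries if e["human_decision"] != e["ai_recommendation"])
        return n / len(self.entries)

    def oversight_looks_like_theatre(self, min_entries: int = 20) -> bool:
        """Heuristic: many decisions and zero overrides is a rubber stamp."""
        return len(self.entries) >= min_entries and self.override_rate() == 0.0


def build_sample_log() -> AuditLog:
    """Constructed sample data: two screens against one mandate, one human override."""
    log = AuditLog()
    log.append(ScreeningRecord(
        candidate_ref=pseudonymize("cand-0001"),
        model_id="cv-screener", model_version="2.3.1",
        criteria_version="mandate-4711/v2",
        ai_score=0.81, ai_recommendation="advance",
        reviewer="j.doe", human_decision="advance",
        rationale="Meets all must-have criteria; confirmed by reviewer.",
        timestamp="2026-06-30T09:12:00+00:00"))
    log.append(ScreeningRecord(
        candidate_ref=pseudonymize("cand-0002"),
        model_id="cv-screener", model_version="2.3.1",
        criteria_version="mandate-4711/v2",
        ai_score=0.42, ai_recommendation="reject",
        reviewer="j.doe", human_decision="advance",
        rationale="Model under-weighted an equivalent non-EU qualification; reviewer advanced.",
        timestamp="2026-06-30T09:15:00+00:00"))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify(), "| override rate:", log.override_rate())
```

Two design choices matter here. The chain gives tamper evidence, which is what "prove how this decision was made" requires; plain retention of a vendor's export does not show the export was not edited afterwards. The HMAC pseudonym keeps candidate names and CV text out of the log while still letting you answer one candidate's request. The override-rate check is only a heuristic: a high rate does not prove good oversight, but a zero rate across many decisions is exactly the "human next to the loop" pattern and deserves a look before a regulator or a candidate's lawyer takes one.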

The one thing to remember

If AI touches your hiring, the question that decides everything isn't "is our vendor's tool compliant?" — it's "can we prove how this decision was made?" — and that part is on you, not your vendor.

Two things people most want to forget, so I'll say them plainly. This isn't a 2026 problem — GDPR already regulates it today. Automated decisions about candidates already fall under GDPR's rules on automated decision-making. The AI Act adds to that; it doesn't replace it. Anyone thinking "we've got until August 2026" is already exposed under a law that's been in force for years. (How the AI Act and GDPR controls stack.) And a token human doesn't make it go away — dropping someone next to the AI to rubber-stamp it doesn't downgrade you out of high-risk, or out of GDPR.

But here's the part I actually care about most, and it's why the law exists at all: this isn't really about fines — it's about not quietly discriminating against real people. Ungoverned hiring AI can systematically screen people out unfairly, at scale, without anyone noticing. Governance is how you make sure your speed isn't costing someone a job they should've gotten — and how you can show it. That's the goal worth aiming at: using AI and treating candidates fairly, and being able to prove both.


Start here

The first move is yours and it costs nothing: map what AI is actually touching your hiring (Step 1 above). That single exercise is where most teams realize how much is running unseen — and what's high-risk.

If you'd rather not do that blind — or you want it auditable, not just visible — that's exactly what we do at Qadar AI: give you visibility into the AI touching your business and make its use provable, candidate by candidate. If that's useful, come talk to us for a scoping call. No pressure — do Step 1 first either way.

This article is general information, not legal advice. The EU AI Act is new and your exact obligations depend on your tools, your candidates, and your set-up — confirm the specifics with qualified counsel.


Frequently asked questions

Does the EU AI Act apply to our hiring if the company is outside the EU?

Yes, it can. Like GDPR, the Act follows the output of the AI and the person it affects, not your headquarters. If your AI's output — a candidate score, ranking, or shortlist decision — is used in the EU, or you screen EU-based candidates or hire for an EU-based role, you're likely in scope even if your company, team, and servers are entirely outside the EU.

Is AI-based CV screening or candidate ranking high-risk?

Almost always, yes. Annex III names recruitment explicitly: AI that places targeted job ads, analyses and filters applications, or evaluates candidates is classified as high-risk. CV screening and candidate ranking are the textbook high-risk cases.

If the vendor says its tool is compliant, are we covered?

No. The Act splits duties: the provider (who builds the tool) must make it safe and conformant, but the deployer (you, who uses it on real candidates) carries separate obligations — human oversight, informing candidates and workers, monitoring for bias, and keeping an audit trail. You can buy the tool; you cannot buy your way out of the deployer obligations.

What does the deployer actually have to do?

Meaningful human oversight by a competent, named person who can override the system; informing candidates they're assessed by AI (and being able to explain decisions that materially affect them); informing workers and their representatives; using the system as intended and monitoring it for drift or bias; retaining the system's logs; and managing input data, with a data-protection assessment alongside.

When do these obligations apply?

In stages. The prohibitions (including emotion recognition in recruitment) and the AI-literacy duty have applied since 2 February 2025. The high-risk obligations for recruitment AI under Annex III apply from 2 August 2026. Note that GDPR already governs automated decisions about candidates today — independently of the AI Act timeline.

Can we use a video-interview tool that reads candidates' emotions?

Generally no. Inferring emotions from a candidate's face or voice in a recruitment or workplace context is, with narrow exceptions, outright prohibited under the Act — a stricter category than high-risk. Several "AI interview" products are on the wrong side of this line.

Where should we start?

Map what AI is actually touching your hiring — across sourcing, ads, screening, interviews, and assessment, including hidden ATS features and tools recruiters use personally. Then triage by what each tool decides about candidates, pause anything that reads emotions, restrict candidate data to approved tools, and put human oversight plus an audit trail in place. You can't govern what you can't see.


Related articles

  • What is shadow AI and why it costs companies more than they think: employees are already using AI tools you haven't approved. What shadow AI really costs (data exposure, fines, rework) and how governance helps.
  • How to build an AI usage policy your team will actually follow: most AI usage policies fail not because they're too strict, but because they're not enforced. How to build one that works, and then make it stick.
  • What controls you actually need: EU AI Act and GDPR for lean SaaS operators. The EU AI Act is live and GDPR enforcement now reaches AI-mediated data flows. What lean SaaS operators need to show, and how to think about it.
