EU AI Act Article 26 — Deployer obligations
Note: this explainer is informational and framework references are never a compliance guarantee — align your program with your legal counsel.
Article 26 addresses deployers — organizations using high-risk AI systems under their own authority. Under the 2026 Digital Omnibus, these duties apply from December 2027; the organizations that will meet them calmly are the ones building the operating routine now.
Article 26(1) — use per instructions, with control
Deployers must take appropriate technical and organizational measures to ensure high-risk systems are used in accordance with their instructions for use. That presupposes something more basic: knowing which AI systems your organization uses at all, and being able to stop the ones it shouldn't.
Shield's lever: the Block unsanctioned / high-risk AI tools preset (referenced to Art. 26(1)) plus Discovery triage — sanctioned tools are explicit, everything else is visible or blocked.
Article 26(5) — monitor operation
Deployers must monitor the operation of the high-risk system and act when risks materialize. Monitoring an AI tool your employees use through the browser means monitoring what actually flows into it.
Shield's lever: the Block file uploads to AI tools preset (referenced to Art. 26(5)) closes the least-inspectable channel — files are not content-inspected today, so this is deliberately a blanket control — while usage monitoring keeps the operating picture current.
Article 26(6) — keep the logs
Deployers must retain the logs automatically generated by the high-risk system that are under their control, for a period appropriate to the system's purpose. Logs you never captured cannot be retained.
Shield's lever: the Monitor all AI usage preset (referenced to Art. 26(6)) writes every AI interaction into the tamper-resistant audit log, with plan-based retention.
The outcome
By December 2027 the Article 26 duties land on organizations that either scramble or already run the routine: a governed tool inventory, monitored operation, and a retained audit trail. Applying the EU AI Act & GDPR Starter bundle via the preset library starts that routine today.
Was this article helpful?
Related articles
Apply policy presets and bundles
Deploy compliance-ready policies from the preset library — EU AI Act, GDPR, DIFC, Korea AI Basic Act, US AI in Employment, and ISO 42001/NIST bundles.
Read articleEU AI Act Article 4 — AI literacy
Article 4 requires a sufficient level of AI literacy in your workforce — already in force. What that means in practice, and how Shield turns it into an operational program.
Read articleEU AI Act Article 5 — Prohibited practices
Article 5 bans AI practices deemed unacceptable — already in force. What is prohibited, why shadow AI is your exposure, and how Shield keeps prohibited-class tools out.
Read articleGDPR Article 32 — Security of processing
Appropriate technical and organizational measures, including for the AI channel: how blocking secrets, redacting personal data, and warning on source code map to Article 32.
Read articleStill stuck?
Send us the details — we answer within one business day.