Compliance Guide · February 17, 2026 · 4 min read

How to Comply with the AI Act

“How do I comply with the AI Act?” is the most common question in AI governance right now. The answer depends on which AI act you mean — because there are several, and they don't work the same way.

This guide covers the two most immediate frameworks: the EU AI Act (phasing in through 2026) and Texas TRAIGA (enforceable now). If you operate in both jurisdictions, you need to comply with both.

Step 1: Inventory Your AI Systems

This is step one under every framework. You cannot comply with regulations you haven't mapped to your actual AI deployments.

For each AI system, document:

  • System name and vendor
  • What it does and what decisions it makes or influences
  • Who it affects (customers, employees, patients, citizens)
  • What data it ingests and where that data comes from
  • When it was deployed and who is responsible for it

This inventory is legally required for Texas government agencies under SB 1964 (public disclosure). For everyone else, it's the foundation everything else builds on.

Step 2: Classify Each System

Here's where the EU and Texas diverge:

Framework | Classification Method | Action Required
EU AI Act | 4 risk tiers (Unacceptable → Minimal) | Obligations scale with risk tier
Texas TRAIGA | Screen against 7 prohibited practices | Pass/fail on each practice

Under the EU AI Act, you need to determine whether each system falls into the Unacceptable, High, Limited, or Minimal risk category. Under Texas TRAIGA, you screen each system against 7 prohibited intents. The EU approach requires interpretation; the Texas approach is more binary.

Step 3: Determine Your Deployer Type (Texas)

Texas compliance obligations stack differently by deployer type:

  • Private sector — TRAIGA only (7 prohibited practices + NIST safe harbor)
  • Government agencies — TRAIGA + SB 1964 (ethics code, inventory, heightened scrutiny) + HB 3512 (annual AI training)
  • Healthcare providers — TRAIGA + SB 1188 (patient disclosure before AI-assisted treatment)

Step 4: Build Your Documentation

Regulators don't accept verbal assurances. They want evidence. The documentation requirements differ by framework but share a common core:

For Texas TRAIGA

For the EU AI Act

  • Technical documentation per Annex IV
  • Risk management system documentation
  • Data governance and quality records
  • Conformity assessment (for high-risk systems)
  • Post-market monitoring plans

For both

  • AI system inventory with risk classification
  • Human oversight procedures
  • Incident response plans
  • Transparency disclosures

Step 5: Establish Monitoring

Compliance is not a one-time event. Both frameworks require ongoing monitoring:

  • Performance tracking — Is the AI system still performing within acceptable parameters?
  • Bias monitoring — Has output drift introduced disparate outcomes?
  • Incident logging — Are failures, complaints, and anomalies being captured?
  • Regulatory updates — Have requirements changed since your last assessment?

Step 6: Prepare for Enforcement

The enforcement timelines are different and both are close:

Framework | Enforcement Status | Penalties
Texas TRAIGA | Live now (Jan 1, 2026) | $200K per violation (AG-enforced)
Colorado SB 24-205 | June 2026 | AG enforcement + private right of action
EU AI Act (prohibited) | Live (Feb 2025) | €35M or 7% global turnover
EU AI Act (high-risk) | August 2026 | €15M or 3% global turnover

Texas is the most immediate. There is no transition period, no grace period, and no warning before an AG investigation. The 60-day cure window only activates after you've already received an enforcement notice.

The Shortcut

If you're overwhelmed by the overlap, start with NIST AI RMF alignment. It serves as a legal defense in Texas, maps to Colorado's impact assessment requirements, and satisfies the EU AI Act's risk management obligations. One framework, three jurisdictions covered.

Document it. Timestamp it. Update it continuously. That's how you comply with the AI act — whichever one applies to you.
