The EU AI Act is not your problem. Your data chaos is.
Gravitnomad · June 29, 2026 · 7 min read

There's a specific meeting happening in European mid-market companies this year. Someone presents an AI initiative. Someone else says the words "AI Act", the room's temperature drops, and the initiative leaves the meeting as a "workstream" — which is where initiatives go to be remembered fondly.
Here is the position of this essay, stated at maximum bluntness: for the overwhelming majority of companies, the EU AI Act is a manageable paperwork problem — while the thing actually blocking their AI ambitions is the unowned, unstructured, permissionless chaos of their own data. The fear is pointed at Brussels. It should be pointed at the shared drive.
(Obligatory honesty: this is an engineering firm's reading, not legal advice. Keep your counsel. But make them read the annexes, not the headlines.)
What the Act actually asks of most companies
The AI Act is risk-tiered, and the tiers are the entire story:
- Prohibited practices — social scoring, manipulative systems, certain biometric uses. If any of this describes your roadmap, you have problems upstream of compliance. Statistically: it doesn't.
- High-risk systems — a specific, listed set of uses: AI deciding on hiring, credit, insurance eligibility, essential services, critical infrastructure, law enforcement contexts. Real obligations live here — risk management, data governance, human oversight, documentation. If you operate in these zones, take them seriously.
- Transparency obligations — the tier where most deployed business AI actually lands: tell people when they're talking to an AI, label synthetic content appropriately, don't fake humanity. If reading that list feels less like regulation and more like decency — yes. We argued exactly this as design constraints in Voice agents will eat the phone queue, before any regulator required it.
- General-purpose model obligations — aimed principally at the companies building foundation models. You are, most likely, a deployer of those models, which is a materially lighter position in the regime.
Now map your actual pipeline against those tiers: an agent drafting order entries from emails, retrieval over your product documentation, automated proposal assembly, a disclosed assistant on your website. None of that is social scoring. None of it decides anyone's credit. The honest reading for the median company is: disclose, document, keep humans over the consequential loops, maintain basic AI literacy — and get back to work. Demanding? Somewhat. A reason to freeze an AI roadmap for a year? Not even close.
And if you are on the high-risk list — you screen candidates with AI, score credit, operate critical infrastructure? Then the obligations are real, and here's the twist this essay keeps insisting on: every one of them — risk management, data governance, documentation, human oversight, logging — presupposes exactly the structured, owned, traceable data layer described below. High-risk deployers don't escape the argument. They just meet it sooner, with a deadline attached.
So why does the panic persist? Partly because fear is a compliance-industry business model — the webinar economy needs you anxious. And partly, less comfortably: the Act is a respectable excuse. "We're waiting for regulatory clarity" sounds strategic. "We have eleven versions of the price list and nobody knows which is true" does not. Guess which one gets said in board meetings.
The real blocker: nobody knows where the truth lives
Do the audit your AI project will eventually force anyway. In a typical mid-size company:
- Contracts live in inboxes — the binding version in a thread titled "RE: RE: FW: final".
- Prices live in
precos_2026_final_v7_CORRIGIDO.xlsx, of which there are three copies, two current. - Process knowledge lives in the heads of four employees, one of whom is retiring.
- Permissions are archaeology: nobody can say who may see what, only who happens to have the link.
- No source has an owner. Everything is everyone's, i.e., no one's.
Point the finest model on Earth at that substrate and you get chaos with excellent grammar. An agent cannot be accountable to a company that can't tell it what's true. And here's the part that reframes the whole compliance panic: neither can a compliance officer. You cannot document data governance you don't have. The Act didn't create this problem; it schedules the moment you must confess it.
Regulation didn't block your AI project. Your file server did.
The convergence nobody exploits
Write the two lists side by side. What a serious agent deployment needs: an inventory of the data sources that matter; a named owner per source; access control that matches reality; provenance for every answer; logs of automated actions; freshness discipline so retrieval reflects now. What sensible AI governance — under the Act or any regime that will follow it — needs: the same list, in a different font.
This is the arbitrage: do the work once, collect both dividends. The citation machinery that makes your assistant trustworthy (we detailed it in RAG is table stakes) is your provenance documentation. The action logs that let you debug an agent are your oversight evidence. The deterministic, auditable execution path we keep advocating (see Determinism is a feature) is precisely what "human oversight" attaches to. Compliance-as-afterthought costs twice; structure-as-architecture pays twice.
The 90-day data-ownership sprint
The unglamorous program that unblocks both the agents and the auditors:
- Weeks 1–2: inventory the ten sources of truth that matter. Not all data — the ten collections that answer the questions your business actually asks: prices, contracts, product specs, client history, policies. If choosing ten is hard, that difficulty is finding #1.
- Weeks 2–3: name one owner per source. A person, not a committee. The owner answers one question forever: what is currently true here?
- Weeks 3–6: consolidate and kill shadow copies. One canonical home per source. Every duplicate becomes a redirect or a corpse. This step hurts; it's also most of the value.
- Weeks 6–10: structure and embed at write time. Typed fields where structure exists; indexed, searchable-by-meaning-and-filter storage for everything; new content embedded the moment it's written, so nothing drifts stale by design.
- Weeks 10–13: wire permissions and logging. Access mapped to roles; every automated read and write logged. Boring. Priceless — twice.
Companies emerge from this sprint simultaneously agent-ready and audit-ready, which was the point of the convergence all along. And the raw material is already yours — that argument is The knowledge base you already own.
What this looks like in practice
Our brandbook-to-website engine is governance wearing product clothes. One structured source of truth about a brand — facts, services, tone, assets — propagates deterministically to every page of a multi-tenant website. Change the truth once, it corrects everywhere; every rendered claim traces to a field someone owns. Nobody bought it as "compliance tooling", but notice what it is: provenance, ownership, and consistency as architecture. That's the pattern we bring to every AI system we build.
The assistant on this page answers with citations — provenance as user interface, retrieval over content that's embedded at write time. When regulation asks "how does your AI know that?", the honest answer is a link, not a shrug.
And a clearly illustrative archetype: picture an 80-person wholesaler that starts the sprint and discovers — as such companies plausibly do — three price lists in circulation, two of them wrong, one quoted to customers last week. That discovery isn't an AI problem or a compliance problem. It's a company problem that both AI and compliance were about to surface, and fixing it pays for the sprint before any agent ships.
One more convergence: this is fundable
A data-structuring and AI-readiness program — consolidation, structured knowledge, automation on top — is exactly the profile of modernization that European and national innovation instruments exist to co-finance. Which produces a pleasing symmetry: the EU that wrote the Act will, through its other hand, help pay for the very housekeeping that makes complying with it trivial. We've written about how the EU will fund your AI, and structuring such projects is standing work for us — see funding.
Reassign the fear
You now have one anxiety too many and one too few. Retire the Brussels one: for your actual use cases, the Act most likely asks for honesty, documentation, and human oversight — things you'd want anyway. Adopt the file-server one: every quarter of data chaos is a quarter in which no agent, no audit, and frankly no new employee can be onboarded to the truth.
If you want the two-list exercise done properly — what the Act plausibly requires of your specific use cases, and what your data actually looks like underneath them — talk to us. The first conversation is free, and unlike the webinar, it won't try to keep you scared.
- ai-act
- data-governance
- compliance