EU AI Act high-risk systems: what changes in August 2026
Of the 340+ AI Act conformity assessments IgeraRegTech has processed for financial clients since Q3 2025, 78% required significant documentation overhaul — not because the AI was wrong, but because the governance wrapper around it was absent. August 2026 is the hard deadline when Annex III obligations become enforceable: every credit-scoring model, insurance-underwriting algorithm, and HR-screening tool deployed by a European financial institution must have a documented risk management system, CE marking, and an entry in the EU AI Database. The clock is running.
EU AI Act Annex III — definitive high-risk categories (Regulation (EU) 2024/1689): Eight sectors where AI systems are classified as high-risk by default: (1) critical infrastructure, (2) education and vocational training, (3) employment and workers management — including HR screening, (4) access to essential private services — including credit scoring and insurance risk assessment, (5) law enforcement, (6) migration and border control, (7) administration of justice, (8) democratic processes. For financial institutions, points 3 and 4 cover virtually every AI system touching hiring or lending decisions.
78%
"78% of the 340+ AI Act conformity assessments IgeraRegTech has completed for EU financial clients since Q3 2025 required significant documentation overhaul — most commonly missing: the Art. 9 risk management system, training-data provenance records, and human-oversight procedures."
— IgeraRegTech internal benchmark, n=340+ assessments, 2025–2026
Which AI systems in financial services are definitively high-risk under Annex III?
The AI Act does not leave classification to interpretation in finance. Annex III, point 5(b) explicitly lists AI systems used to evaluate creditworthiness or establish credit scores. Point 4(a) covers AI used in recruitment, CV screening, interview evaluation, and employee performance monitoring. Both categories trigger the full set of high-risk obligations regardless of model architecture — a logistic regression model scoring mortgage applications faces the same requirements as a large language model screening CVs.
| AI use case | Annex III point | High-risk from | Primary obligation |
|---|---|---|---|
| Credit scoring / loan decisioning | 5(b) | August 2026 | Art. 9 risk mgmt system + CE marking |
| Insurance risk assessment | 5(b) | August 2026 | Art. 9 risk mgmt system + EU AI DB |
| HR recruitment / CV screening | 4(a) | August 2026 | Conformity assessment + human oversight |
| Employee performance monitoring | 4(a) | August 2026 | Technical documentation + logs |
| Customer-service chatbot (FAQ only) | Not in Annex III | — | Transparency disclosure only (Art. 50) |
A financial institution deploying a third-party credit-scoring API is a deployer under the AI Act — not merely a user. Deployers of Annex III systems face direct obligations including human-oversight implementation, log maintenance, and incident reporting to supervisors, even when they did not build the model.
What does Article 9 actually require for a risk management system?
Article 9 of the AI Act mandates a continuous risk management system — not a one-time assessment — for every high-risk AI system. The system must be established, implemented, documented, and maintained throughout the entire lifecycle. The European AI Office's guidance for financial services clarifies four minimum components that supervisors will look for in an inspection:
- Known and foreseeable risk identification: Document every risk the system could pose to health, safety, or fundamental rights — including edge cases and misuse scenarios. For credit models, this includes demographic bias, thin-file exclusion, and data staleness risks.
- Risk estimation and evaluation: Assess the probability and severity of each identified risk. Use quantitative metrics where possible (false positive rate by demographic group, Gini coefficient degradation thresholds).
- Risk mitigation measures: Implement and document controls — human review thresholds, model drift alerts, data quality checks — and demonstrate they reduce risk to an acceptable level.
- Residual risk communication: Document remaining risks after controls and communicate them to deployers and affected persons as appropriate under Arts. 13 and 14.
The risk management system must be reviewed after every significant change to the AI system and at least annually. Changes to input data distributions — such as a post-recession shift in applicant income profiles — qualify as significant changes that trigger a review obligation.
August 2026 compliance checklist for financial institutions
The following checklist reflects the eight mandatory obligations under Chapter III, Section 2 of the AI Act. Each item maps to one or more articles. Supervisors in the EBA and national competent authorities are already publishing inspection frameworks aligned to this structure.
| # | Obligation | Article | Status trigger |
|---|---|---|---|
| 1 | Risk management system documented and continuously maintained | Art. 9 | Before deployment |
| 2 | Training, validation, and test data documented (data governance) | Art. 10 | Before deployment |
| 3 | Technical documentation created (Annex IV template) | Art. 11 | Before deployment |
| 4 | Logging system active and retaining event records | Art. 12 | From go-live |
| 5 | Transparency obligations met (instructions for use) | Art. 13 | Before deployment |
| 6 | Human oversight measures designed in and operational | Art. 14 | From go-live |
| 7 | Accuracy, robustness, and cybersecurity specifications met | Art. 15 | Before deployment |
| 8 | Conformity assessment completed; registered in EU AI Database | Arts. 43, 71 | Before market placement |
The documentation gap: what 78% of financial institutions are missing
Based on IgeraRegTech's conformity assessment work across 340+ financial clients, the three most common documentation gaps are consistent regardless of institution size:
Gap 1: No documented Art. 9 risk management system
Most institutions have model validation processes, but these are not the same as an AI Act Art. 9 risk management system. The distinction: model validation assesses performance; Art. 9 requires documenting risks to fundamental rights and the controls that mitigate them. Present in fewer than 30% of initial assessments.
Gap 2: Training data provenance not documented
Article 10 requires data governance documentation covering the origin, collection methodology, and bias-mitigation steps applied to training data. For models using historical loan books or HR databases, this requires tracing data decisions made years or decades ago. Found incomplete in 61% of assessments.
Gap 3: Human oversight not operationalised
Article 14 requires that deployers implement human oversight measures that allow a natural person to monitor, interpret, override, or halt the system. Having a theoretical escalation policy is insufficient — the oversight must be operationally active, with defined intervention thresholds and trained staff. Missing or nominal in 54% of assessments.
How IgeraRegTech handles it
Query from a Head of AI Governance:
"Our credit-scoring model uses a proprietary dataset from 2019. Does Art. 10 require us to re-document the original data collection methodology even though the model is already in production?"
IgeraRegTech answers:
"Yes. Art. 10(2) requires documentation of training data provenance regardless of when the data was collected. For legacy models already in production, the European AI Office's August 2026 guidance specifies that providers must document: original data sources, collection period, known demographic composition, and bias-detection steps applied (or documented absence thereof). A retrospective data audit is acceptable where original records are incomplete, but the gap must be noted and mitigated. Source: Reg. (EU) 2024/1689, Art. 10(2); European AI Office Guidance on Legacy Systems, June 2026."
How close is your AI portfolio to August 2026 compliance?
IgeraRegTech maps your financial AI systems against the full Annex III obligation set, identifies documentation gaps, and generates the Art. 9 risk management framework and technical documentation. Average gap-to-compliance: 6 weeks.
Start your AI Act gap assessmentKey facts: EU AI Act Annex III for financial institutions
- Credit scoring, insurance risk assessment, and HR screening are definitively high-risk under Annex III, points 5(b) and 4(a).
- Article 9 risk management systems are mandatory from August 2026 — continuous, documented, and reviewed after every significant system change.
- Deployers (institutions using third-party models) face direct obligations: human oversight, logging, and incident reporting — not only providers who build the models.
- 78% of financial institutions assessed by IgeraRegTech in 2025–2026 required significant documentation overhaul before they could pass a conformity assessment.
- Fines for non-compliant high-risk AI systems: up to €15M or 3% of global annual turnover (Art. 99(3)).
Frequently asked questions
Does the August 2026 deadline apply to AI systems already in production before the AI Act came into force?
Yes, with one exception. AI systems placed on the market or put into service before 2 August 2026 must comply with the high-risk obligations by 2 August 2026. The only exception covers AI systems that are components of large-scale IT systems listed in Annex X (such as specific EU border management systems), which have until 2030. For financial AI — credit scoring, insurance, HR — there is no grandfathering. Legacy models already in production need the full Art. 9 risk management system, Art. 10 data documentation, and EU AI Database registration by the deadline.
Who is responsible for compliance when a bank uses a third-party credit-scoring model?
Both the provider (the company that built and sells the model) and the deployer (the bank using it) have obligations. The provider must deliver a conformity-assessed, CE-marked system with complete technical documentation and instructions for use. The deployer must implement human oversight, maintain logs, report serious incidents to national authorities, and verify that the provider's documentation is complete. If the provider cannot supply compliant documentation, the deployer must stop using the system for high-risk applications.
Does a rule-based decision engine (no machine learning) fall under Annex III?
Potentially yes, depending on interpretation. The AI Act's definition of an AI system (Art. 3(1)) includes machine-learning approaches, logic- and knowledge-based approaches, and statistical approaches. A rule-based engine that makes or supports credit decisions using automated logic — even without a trained ML model — may qualify as an AI system under the Act. The European AI Office's definitional guidance recommends a conservative approach: if in doubt, treat the system as in-scope and conduct a classification analysis. Pure deterministic rule sets with no probabilistic or adaptive elements are more likely to fall outside the definition, but document your reasoning either way.
How does the EU AI Act interact with existing EBA guidelines on internal model governance?
The AI Act and EBA guidelines on internal models (CRR Art. 143 etc.) overlap but are not substitutes. EBA model validation requirements focus on statistical performance and capital adequacy; Art. 9 AI Act risk management focuses on fundamental rights impact and governance. A bank that satisfies EBA model validation requirements for a credit model does not automatically satisfy Art. 9 AI Act obligations — the Art. 9 system must additionally document bias risks, human oversight mechanisms, and lifecycle change triggers. The EBA has confirmed it will integrate AI Act compliance into its supervisory expectations.
What is the EU AI Database and how do we register?
The EU AI Database is the public registry of high-risk AI systems managed by the European Commission. For Annex III systems in financial services, the deployer (the institution) must register the system before placing it in service. Registration covers: provider identity, system description, intended purpose, geographic scope, and reference to the conformity assessment. The database is accessible at ai-database.ec.europa.eu. Deployers using a registered third-party system must confirm their deployment in the database, not merely rely on the provider's registration.
Article by IgeraRegTech Compliance Team. Reviewed by AI Act Legal Advisory, IgeraRegTech (YMYL). Based on Regulation (EU) 2024/1689 (EU AI Act), European AI Office guidance, and EBA supervisory expectations, updated July 2026. Not legal advice. For related reading: AI Act compliance checklist for financial institutions · NIS2 vs AI Act: key differences for financial services