Most coverage of the EU AI Act reads like a legal brief. That's useful for counsel and useless for the engineers who have to actually build the controls. Stripped of the jargon, the Act is a fairly concrete engineering checklist — here's the version your team can act on this sprint.

1. Classify every AI system you ship

The Act sorts systems into four tiers: prohibited, high-risk, limited-risk, and minimal-risk. Most SaaS AI features land in limited or high-risk. The trigger for high-risk is usually use case (employment, credit, education, critical infrastructure) — not model size. Maintain a registry. If you can't list every AI system in your product in under five minutes, you have a problem.

2. Build the audit trail before you need it

High-risk systems require automatic logging of inputs, outputs, and decisions for the lifetime of the system. Retrofitting this onto a year-old feature is painful. Add it as middleware now, even for systems you think are limited-risk — the classification can change with a single use-case expansion.

3. Human oversight is a code path, not a policy

"A human can override the model" doesn't mean a line in your policy doc. It means a UI affordance, an audit-logged action, and a feedback loop into the model. If the override isn't in the product, regulators will assume it isn't real.

4. Data governance is non-negotiable

Training data needs documented provenance, bias evaluations, and a process for handling subject-access requests. If you fine-tune on customer data, you need a way to prove what went in and a way to take it out.

5. Transparency for users

Users interacting with AI must know they are. Generated content needs to be marked. This is a UI requirement, not a legal one — and the deadline is sooner than you think.

The deadline math

Prohibited-practice rules are already in force. General-purpose AI obligations hit in August 2025. High-risk system rules follow in 2026. If you're a SaaS team selling into the EU, the runway to retrofit is shorter than a normal roadmap cycle. Start now, ship incrementally, automate the evidence.