The EU AI Act for US Companies: A Board-Level Summary
EU AI Act oversight for US boards: Learn what SR 11-7 thinking teaches AI governance about ownership, evidence, monitoring, and executive decisions.


Plain-English EU AI Act oversight for boards, CEOs, and executive teams.
Your company may be selling, using, or embedding AI across Europe while directors still lack a clear view of ownership, evidence, and exposure. The pressure is rising, and the complexity of AI governance is now a primary boardroom concern. Customers ask harder questions, and regulators expect more discipline. Management may be moving faster than the current reporting model can support, making it critical for Senior Management to provide oversight similar to the rigorous standards expected by the Federal Reserve for other types of organizational risk.
The EU AI Act can reach some US companies, even when their headquarters, leadership, and core operations sit outside Europe. This is not a legal memo. It is a board-level summary of who may be covered, where the risk sits, and what management should do next.
TL;DR: What Your Board Needs to Know About the EU AI Act
The Act may reach your US company if you place AI systems or models on the EU market, deploy them in the EU, provide outputs used in the EU, or participate in an affected AI supply chain. Conducting a thorough risk assessment is the first step to determining if your specific operations fall under these extraterritorial requirements.
Prohibited AI practices need the fastest attention. A use case that crosses that line is not a routine compliance issue.
High-risk AI systems require more than a policy. You need controls, documentation, human oversight, monitoring, and evidence that the system performs as intended.
General-purpose AI and Generative AI providers face separate duties, with added requirements when a model creates systemic risk. Please note that vendor contracts do not remove every responsibility across the evolving AI supply chain.
Your Board of Directors should assign ownership, set reporting expectations, and retain a record of material decisions. AI compliance is not a one-time policy exercise, and the board must set the tone for an ongoing culture of accountability.
Legal exposure depends on your role, system, intended use, and EU connection. Management should involve qualified EU counsel before reaching a final classification or legal conclusion.
When the EU AI Act Can Reach Your US Company
Your office address does not decide coverage. Your activity does.
The Act can apply when you place an AI system or general-purpose AI model on the EU market, deploy a system in the EU, or produce AI outputs used in the EU. It also addresses importers, distributors, product manufacturers, and authorized representatives. While many firms are still assessing their posture, Financial Institutions are often ahead of the curve due to their existing experience with rigorous regulatory frameworks.
This is not simply an EU version of a US AI law. It is a risk-based rule set with defined duties by role. Publishing a broad AI policy does not settle whether your product, model, or deployment meets those duties.
The timetable is phased. Prohibited practices and AI literacy duties began in February 2025. General-purpose AI model rules began in August 2025. Major obligations continue through 2026 and 2027, including high-risk requirements. Confirm the current timetable before acting, especially if your product falls under sector-specific rules.
Financial exposure can be serious. The highest penalties can reach EUR 35 million or 7% of worldwide annual turnover, whichever is higher. The right analysis starts with scope, not fear.
Start by Identifying Your Role, System, and EU Connection
Ask management three questions.
What AI system or model is involved?
What role does your company play?
What connection does the activity have to the EU?
Develop a comprehensive Model Inventory that includes the purpose, users, affected people, geography, vendor, model type, data used, and accountable business owner. One company may be a provider for one product, a deployer for another, and a distributor for a third.
Assumptions do not hold up under pressure. Named owners and evidence do. AI governance for boards starts with the same discipline: turn AI activity into clear business decisions.
Why a US Compliance Program Cannot Rely on Geography Alone
EU employees, customers, resellers, SaaS users, and embedded AI features can create exposure even when your company does not market itself as an AI provider.
Contract language can clarify responsibilities, but it cannot always remove regulatory duties, especially when dealing with Third-Party Models that introduce external risks into your operations. Ask one direct question: Which AI activities could create EU obligations even if you do not describe your company as an AI company?
Use the AI Act's Risk Tiers to Focus Board Attention
The Act does not treat every AI project the same. That is useful. Your board needs prioritization, not a long list of tools.
Use four practical categories: prohibited, high-risk, transparency-sensitive, and lower-risk uses. Classification depends on intended purpose and context, not only on the technology beneath it.
Prohibited Practices Require Immediate Escalation
Some uses are prohibited because they can create unacceptable harm. Examples include certain manipulative or deceptive practices, exploitation of vulnerable people, prohibited social scoring, and restricted biometric or law enforcement uses.
This is not a complete legal list. Sensitive use cases need legal review before launch. Your board should ask whether management has screened current and planned systems for prohibited practices or potential model misuse. It should also ask who can stop deployment and how any exception or legal determination is documented.
If nobody can pause a high-impact AI use, your control model is incomplete.
High-Risk AI Needs Evidence, Controls, and Human Oversight
High-risk systems can include certain AI uses in employment, education, essential services, safety-related products, critical infrastructure, law enforcement, migration, and access to important benefits. The classification rules matter. Not every system in these settings is automatically high-risk.
For systems that qualify, management needs an operating model. That includes risk management, model documentation, data governance, model monitoring, transparency, human oversight, explainability, accuracy, cybersecurity, incident handling, and post-market review.
Each control answers a business question. Poor data can create discrimination. Weak documentation can leave you unable to explain a decision. Missing logs can prevent investigation. Weak oversight can let an unsafe or unfair result reach customers, employees, or the public.
A binder on a shelf is not proof of control. You need evidence that the system works within defined limits, that people can intervene, and that material changes trigger review.
General-Purpose AI and Transparency Duties Still Matter
General-purpose AI models have separate provider duties. These can include technical documentation, information for downstream providers, copyright-related policies, and a public summary of training content. Models with systemic risk face added evaluation, risk management, incident reporting, and cybersecurity expectations.
As organizations adopt Agentic AI to automate complex workflows, the distinction between provider and deployer responsibilities becomes critical. Transparency duties also matter for some chatbots, synthetic media, emotion recognition, biometric categorization, and human-facing AI interactions. Do not assume a vendor contract transfers every obligation to the vendor, especially when your team customizes or deploys these autonomous systems in high-impact environments.
What SR 11-7 Thinking Teaches You About AI Governance
While SR 11-7 is US banking Supervisory Guidance for model risk management and not a formal EU AI Act requirement, its rigorous discipline provides a blueprint for modern AI oversight. Combined with SR 26-02, this framework establishes the industry standard for how firms should govern complex automated systems.
The shared lesson is straightforward. Define intended use, assign an accountable owner, ensure conceptual soundness, and document all limitations. Strong practice requires robust model validation and continuous model monitoring to detect drift. Weak practice treats AI as a static software implementation, whereas strong practice maintains a living record of assumptions, tests, incidents, changes, and accepted model risk. This record is essential for demonstrating reasonable oversight to regulators and investors.
In this context, Effective Challenge is the validator's core duty. You must ensure that independent validation identifies fundamental errors before they scale, transforming static compliance into a system of adaptive governance. That documentation serves as the bedrock of your model governance strategy.
Use AI questions management must answer to keep the discussion focused. What changed? What remains exposed? What decision is needed?
Turn Compliance Into Four Board-Level Decisions
Your board should expect management to clarify four decisions:
Which AI uses are allowed, restricted, or prohibited based on the risk tier.
Who owns each material model risk.
What evidence from independent validation proves the controls are working.
When a risk must be escalated to the board.
Management runs the program, but the board oversees strategy, risk appetite, accountability, and reporting.
Decision rights should be plain. Who approves a high-impact deployment? Who has the authority to pause a system? Who signs off on risk acceptance? Who informs the board after a serious incident? By anchoring your strategy in the principles of model risk management, you build a sustainable foundation for compliance that survives regulatory scrutiny.
A 90-Day EU AI Act Plan for Your Board and Management Team
Start with a short, visible plan. Do not wait for a perfect framework.
Days 1 to 30: Build the AI inventory, update the model inventory, identify EU connections, classify use cases, and name accountable owners.
Days 31 to 60: Review vendor contracts and evidence, assess high-risk gaps, set approval and escalation rules, and train teams with direct responsibilities.
Days 61 to 90: Test controls, document material decisions, run a scenario exercise, and deliver a one-page board report. During this testing phase, leverage quantitative methods to validate performance.
Your board should ask: What systems affect customers, employees, safety, or essential decisions? Which connect to the EU? What could create material harm? What supports our classification? Who can stop deployment? How will we know if the system has drifted? Your organization should apply robust model risk management principles to these questions to ensure comprehensive oversight.
Download the AI Boardroom Question Pack when you need practical prompts for the next management discussion. If ownership or reporting is still unclear, Get Board-Ready on AI and Cyber Risk.
Build a Board Packet That Shows Risk, Not Activity
A useful packet has five parts: AI inventory and EU scope, risk classification, model governance status, incidents and exceptions, and decisions requested.
Do not report only policies written, people trained, or tools reviewed. Show whether material model risk is rising or falling, whether controls were tested, and whether management needs funding, approval, or a risk decision. Your board packet should mirror the rigorous standards expected of major financial institutions.
Keep evidence available for model documentation, approvals, testing results, vendor terms, monitoring records, complaints, incidents, and remediation dates.
Avoid the Compliance Traps That Create False Confidence
Do not assume a US-based program removes EU exposure. Map actual users, customers, outputs, and distribution paths.
Do not treat vendor assurances as proof. Review evidence and test what matters.
Do not classify a system without reviewing intended use. Context can change the legal result.
Do not adopt a policy without testing behavior. A policy that nobody follows is not a control.
Do not report technical activity without business impact. Boards need exposure, ownership, trend, and a decision. By embedding formal model risk management into these updates, you provide the board with the clarity they need to fulfill their fiduciary duties.
EU AI Act FAQs for US Boards and CEOs
Does the EU AI Act apply to companies based in the United States?
It can. Location alone does not decide coverage. US companies may be covered if they place AI systems or models on the EU market, deploy systems in the EU, or produce outputs used in the EU.
What makes an AI system high-risk?
The Act identifies certain uses and settings, including areas such as employment, education, essential services, and critical infrastructure. Classification depends on the system's intended purpose and the applicable rules.
Are all Generative AI tools regulated the same way?
No. General-purpose AI model providers have distinct duties, and deployments may trigger separate high-risk or transparency obligations. Your vendor's role may differ from yours.
What should a board ask management first?
Ask for an AI inventory, EU exposure map, classification method, accountable owners, and a list of systems that affect people, safety, important decisions, or customer trust. These inquiries are consistent with the Supervisory Guidance issued by the Federal Reserve and serve as a strong foundation for your broader AI Governance strategy.
Can a vendor contract transfer EU AI Act responsibility?
A contract can allocate work and liability between parties, but it may not remove duties the Act assigns to your company. Model Validation remains a critical requirement for the user regardless of what is outlined in a vendor contract. Seek qualified counsel for classification, enforcement exposure, and sector-specific obligations.
Build the Oversight System Before Pressure Builds
The central challenge is not memorizing every article of the EU AI Act. Instead, it is building a repeatable system for inventory, classification, ownership, evidence, monitoring, and escalation. By establishing a robust framework for AI governance now, your organization can effectively manage both regulatory mandates and evolving operational risks.
Start by mapping your EU connections and identifying your highest-impact AI uses. Then, make the board's questions and management's decision rights explicit. Relying on the proven principles of SR 11-7 provides a reliable roadmap for your oversight program, ensuring long-term compliance and risk mitigation even as technology changes. This approach reduces surprise without pretending that compliance removes every possible risk.
Explore Boardroom AI and Cyber Risk Resources or See Where Your Board Actually Stands when you need a clearer view of your current oversight.
Tyson Martin is the executive public and pre-IPO companies in financial services, AI/data, SaaS, and cloud hire to make trust a measurable asset, one accountable answer to Is it secure? Is it resilient? Is the AI governed?
© 2026. All rights reserved.
Navigation
Free Resources
Contact


Stay ahead of your next board agenda
Sign up for Reports & Learnings From the Boardroom. Plain-English AI and cyber governance insights, biweekly. No pitch.
No spam. Unsubscribe anytime. · Or download the Director's AI Question Pack — 25 questions free
