On 2 February 2025 — six weeks from today — the EU AI Act’s first enforcement provisions become active. From that date, deploying AI systems that fall into the Act’s prohibited categories is unlawful across the EU. The prohibited applications include AI used for social scoring by public authorities, real-time biometric identification in public spaces in most circumstances, AI systems that exploit psychological vulnerabilities to manipulate behaviour, and systems that use subliminal techniques to influence people without their knowledge.
Most organisations reading this will not be deploying prohibited AI. But February 2025 is not only the prohibited applications deadline — it is the beginning of the EU AI Act enforcement clock. The high-risk system obligations follow in August 2026. And organisations that do not currently know their AI inventory with any precision are running out of time to find out.
The Problem: Most Organisations Cannot Answer the Basic Questions
The EU AI Act creates obligations that depend entirely on knowing what AI systems you operate and what those systems do. Compliance starts with a clear answer to: what AI systems does our organisation deploy, where, for what purposes, and to what risk tier do they belong under the Act?
In our experience, the majority of organisations cannot answer these questions with confidence. AI has proliferated across business functions faster than governance has followed. Vendor tools with embedded AI have been adopted by individual teams without central tracking. Models have been fine-tuned on internal data without formal registration. What looked like a manageable set of AI systems two years ago has grown significantly.
This is not a theoretical problem. An organisation that discovers in 2026, under audit pressure, that one of its HR screening tools or credit assessment processes falls into the EU AI Act’s high-risk category — and that it has had no risk documentation, no human oversight controls, and no conformity assessment in place — faces a significant exposure.
How ISO 42001 Creates the Foundation You Need
ISO 42001 does not map one-to-one onto EU AI Act compliance — the previous post in this series covered where the coverage lands and where the gaps are. But ISO 42001 creates the organisational infrastructure that makes EU AI Act compliance achievable:
The AI inventory. ISO 42001 requires a comprehensive inventory of all AI systems in scope — what each system does, who developed it, what data it uses, what risk classification applies. This is the same inventory you need to determine your EU AI Act obligations. Building it for ISO 42001 means you have it ready for the Act.
Risk classification methodology. ISO 42001 requires risk classification of each AI system. Extending that classification to include EU AI Act risk tier assessment — prohibited, high-risk, limited risk, minimal risk — is incremental work from a functioning AIMS rather than a cold start.
Documentation infrastructure. The technical documentation, risk assessment records, and operational evidence that ISO 42001 requires organisations to maintain are a substantial portion of what the EU AI Act requires for high-risk systems. Organisations with a mature AIMS are building their EU AI Act compliance record as a by-product of normal AIMS operation.
Human oversight controls. ISO 42001’s human oversight requirements — documented processes for monitoring, reviewing, and intervening in AI outputs — satisfy the EU AI Act’s human oversight obligations for high-risk systems. These do not need to be built separately.
What to Do Before February 2025
Six weeks is not enough time to implement ISO 42001 and complete an EU AI Act compliance review from scratch. But it is enough time to take the most critical immediate steps:
First, conduct a rapid AI system inventory. Identify every AI system your organisation operates or has deployed in EU contexts. This does not need to be exhaustive on day one — it needs to identify any systems that might fall into prohibited or high-risk categories.
Second, apply the EU AI Act’s prohibited category list to your inventory. If any system could plausibly fall into a prohibited category, stop deployment pending a formal assessment. The legal exposure of deploying a prohibited system from 2 February 2025 is not a compliance programme risk — it is a legal risk.
Third, identify which systems are candidates for high-risk classification under Annex III. These are the systems that require the most preparation for August 2026. Knowing which they are now gives you 18 months to build the required documentation, controls, and conformity assessment readiness.
If you have ISO 42001 in place, your AI inventory and risk classification work is already done or underway. The step is applying the EU AI Act risk tier framework to your existing AIMS documentation — not building from scratch.
At Bitsecura, we are working with clients right now to map their AI inventories against EU AI Act risk tiers, identify exposure, and build the documentation infrastructure that serves both ISO 42001 and the Act’s requirements. If you are facing the February deadline without a clear picture of your AI footprint, reach out — we can move quickly.
Talk to us here. The deadline is close.
Bitsecura provides ISO 42001 AIMS implementation, internal audit, and maintenance services. Learn more about our ISO 42001 services.