
The EU AI Act Applies to You — Even If You Don’t Build AI | Antonina Burlachenko (STAR)

Most companies are certain the EU AI Act is somebody else’s problem. They are wrong — and the vendor contract they are relying on will not save them.

On 2 August 2026 the EU AI Act becomes enforceable across Europe, and a few weeks out, Brussels moved the headline deadline to 2027 and 2028. The whole market exhaled. In this episode, Amer Altaf sits down with Antonina Burlachenko, Head of Regulatory Consulting at STAR — who audits and certifies these systems for a living — to explain why that exhale is the trap.

If your company runs an AI hiring tool, scores customers, automates a decision, or has wired AI into its operations, you may already be in scope — not as the AI lab, but as a deployer, and sometimes, without ever realising it, as a provider. We get into the deployer‑versus‑provider line that catches almost everyone, the Article 25 clause that quietly turns a buyer into a manufacturer regardless of what the contract says, what is still legally binding on 2 August 2026, and why the documentation you need cannot be faked at the audit. It ends, as every episode does, with a falsifiable prediction we write down and come back to.

In this episode

  • Why the EU AI Act binds ordinary companies that do not think of themselves as “AI companies”

  • The three ways you can become a “provider” without knowing it — and why your indemnity clause does not stop it

  • What actually counts as “high‑risk” AI under Annex III

  • Why a US company with no European office can still be caught

  • What the moved deadline did — and did not — change, and what stays live on 2 August 2026

  • The evidence you have to capture from week one, because you cannot reconstruct it later

  • ISO 42001: real protection, or a badge for the website?

  • Antonina’s prediction for the first real enforcement action

Timestamps

00:00 The EU AI Act trap hiding in “we don’t build AI”
00:55 Why this law applies to you
03:09 Who Antonina is and why she’d know
05:28 The one thing that makes the room go quiet
07:11 How a buyer becomes the “manufacturer” (Article 25)
09:37 What actually counts as “high-risk” AI
11:26 No EU office? You’re still in scope
13:42 Provider or deployer: where the line sits
14:55 “I just bought Copilot — am I a provider?”
17:22 What a deployer must do every single week
19:46 The vendor contract that’s worth nothing
23:33 What Brussels actually changed — and what it didn’t
25:58 Reprieve, or a longer run-up to the same wall?
27:47 What’s still binding on 2 August 2026?
30:05 Start now, wait — and did the EU get it right?
37:01 Why you can’t fake the evidence at the audit
40:47 Three things to write down from week one
43:50 ISO 42001: real armour or website badge?
47:16 Chicago to Germany — caught anyway
49:10 One company, three rulebooks
51:04 What calm companies have that the panicking don’t
53:15 Her prediction: the first enforcement action
54:42 Time machine: what she’d tell her 2024 self

Three lines worth the click

  • “For all three cases, the contract is not important. The responsibility lies with whoever is the provider.” — on why your vendor indemnity does not transfer the risk.

  • “How do you document control of that bias after the fact? I have no idea.” — on why AI compliance evidence has to be captured as you go.

  • “You don’t have a choice.” — on why the Act reaches you wherever you are headquartered.

About the guest

Antonina Burlachenko is Head of Regulatory Consulting at STAR, where she leads a team taking regulated products to market and building the quality, information‑security and AI‑management systems underneath them — across medical‑device regulation, the Cyber Resilience Act, GDPR and the EU AI Act. Her work spans advisory, internal audits and the due‑diligence assessments investors commission before they invest. Connect with Antonina on LinkedIn.

Read, watch, and go deeper


The Control Layer publishes weekly — decision‑grade analysis on AI, cybersecurity, and technology sovereignty, written for the board paper, not the timeline. Every episode ends with a prediction we write down and call in writing. Subscribe free, and you will be here when we find out whether Antonina was right.

The Control Layer is written and hosted by Amer Altaf, Founder & CEO of Arkava and Managing Editor of The Control Layer.

#EUAIAct #AIgovernance #AIcompliance #ISO42001
