    EU AI Act compliance for enterprises

    The risk tiers, the obligations they trigger, and why an owned, auditable model makes compliance simpler.

    In short

    The EU AI Act regulates AI by risk tier, from minimal to unacceptable, with the heaviest obligations on high-risk systems: transparency, data governance, human oversight, and documentation. Owning an auditable model deployed in your perimeter makes these obligations easier to meet than relying on an opaque third-party API.

    Locai One: EU AI Act Compliance

    The risk tiers

    • Unacceptable risk: Banned uses (e.g. certain manipulative or social-scoring systems).
    • High risk: Systems in sensitive domains, subject to the strictest obligations.
    • Limited risk: Transparency duties, e.g. telling users they're interacting with AI.
    • Minimal risk: Most general applications, with light or no specific obligations.

    Core obligations for high-risk systems

    • Data governance: Documented, quality-controlled training data.
    • Transparency & documentation: Technical records of how the system works.
    • Human oversight: Meaningful human control over outcomes.
    • Robustness & logging: Accuracy, security, and traceable operation.

    How owning the model simplifies compliance

    Many obligations (data governance, documentation, traceability) are far easier to meet when you hold the weights, training data, and logs. With an owned model you can evidence exactly what it learned and how it behaves; with an opaque hosted API, you depend on a vendor's disclosures. Ownership turns compliance from a black box into something you can document and audit.

    What this looks like with Locai

    Compliance is easier to evidence when the model, the data, and the logs are all things you actually own, not things a vendor describes in a whitepaper.

    Locai Labs believes organisations should own their intelligence. Renting access to a general-purpose model that lives on someone else's servers is fine for low-stakes work; for the AI that touches your data, your customers and your decisions, the model itself should be yours. That is the bet behind everything we build.

    It is also a bet that an expert model beats a generalist on the work that actually matters to your business. A smaller model trained on your data, your language, your workflows and your edge cases routinely outperforms much larger generalists on the tasks you care about, and it does so on infrastructure you control. The goal is not the biggest model; the goal is the right model for your business.

    And it is deployed sovereignly: an owned model that runs inside your perimeter, whether on-prem via Locai One, in your private cloud tenant, in a UK sovereign cloud, or fully air-gapped, depending on your residency and security requirements. Your prompts, your documents and your outputs stay inside your environment, under UK jurisdiction, with a data path designed to fit GDPR and the procurement standards regulated organisations are held to.

    Frequently asked questions

    What is the EU AI Act?

    The EU's regulation of AI by risk tier, imposing the strictest obligations (transparency, data governance, oversight, documentation) on high-risk systems.

    Who must comply?

    Providers and deployers of AI systems used in the EU, with obligations scaled to the system's risk tier.

    How do I prepare?

    Classify your systems by risk, then put data governance, documentation, oversight, and logging in place. Owning an auditable model makes each step easier.

    Does owning the model help?

    Yes. Holding the weights, data, and logs lets you evidence governance and traceability directly, rather than relying on a third party's disclosures.
