The EU AI Act's high-risk provisions become fully enforceable on 2 August 2026 — a deadline that is now weeks, not months, away.
For financial services compliance teams, this is not an incremental regulatory update. Regulation (EU) 2024/1689 classifies the AI systems that already sit inside credit decisioning, AML risk profiling, and insurance underwriting as "high-risk" — and the obligations attach to the firm operating the system, not just the vendor that built it.
If your AI Act readiness plan still treats this as a vendor due-diligence exercise, the next 70 days are the window to fix that.
Annex III Lands Squarely on Financial Services
Article 6 of the AI Act, read together with Annex III, designates specific AI use cases as high-risk. Two paragraphs in Annex III(5) hit the financial sector directly.
Annex III(5)(b) covers AI systems intended to evaluate the creditworthiness of natural persons or to establish their credit score, with a narrow carve-out for systems used to detect financial fraud.
Annex III(5)(c) covers AI systems intended for risk assessment and pricing in life and health insurance.
That sweeps in credit-scoring models at retail and SME banks, BNPL underwriting engines, insurance risk-tier and pricing models, and any decisioning system that materially shapes whether a natural person receives a financial product or at what price. AML risk-rating and customer-due-diligence profiling systems also commonly fall into Annex III scope when the output materially affects a person's access to services.
The fraud-detection carve-out is narrower than it looks. Only the detection function is excluded — if the same model also feeds a creditworthiness score downstream, the carve-out doesn't insulate it.
The practical implication: most large EU-active banks and insurers have at least one production system that, from August 2, requires high-risk-grade governance.
Article 26 Is the Article That Makes This Your Problem
The most common misread of the AI Act in financial services is that obligations sit with the provider — the vendor that built the model. That is only half the picture.
Article 26 of the Regulation imposes a distinct set of obligations on deployers — the entity using a high-risk system in the course of its activity. A bank running a third-party credit-scoring engine is a deployer. So is an insurer running a vendor-supplied underwriting model.
Among other things, Article 26 requires deployers to:
- Use the system in accordance with the provider's instructions for use.
- Assign human oversight to natural persons who have the necessary competence, training, and authority.
- Ensure that input data is relevant and sufficiently representative for the system's intended purpose.
- Monitor the operation of the system and notify the provider and competent national authorities of serious incidents.
- Keep the logs automatically generated by the system for a period appropriate to the intended purpose, and at least six months unless otherwise required by EU or Member State law.
You cannot contract these away. A SaaS clause that pushes "AI Act compliance" onto the provider does not discharge Article 26 for the deployer. National competent authorities will hold the firm using the system accountable.
Article 13 Turns Governance into an Audit-Trail Problem
Article 13 requires high-risk AI systems to be designed and developed so their operation is sufficiently transparent for deployers to interpret outputs and use them appropriately. Providers must supply detailed instructions covering intended purpose, capabilities, limitations, performance characteristics, and the human-oversight measures available.
For deployers, Article 13 has a runtime consequence. Combined with the automatic-logging requirement of Article 12 and the record-keeping obligation in Article 26, it means a competent authority can ask for the record of how a high-risk system was used — what inputs flowed in, what outputs came out, which human reviewed and accepted them, and which policy evaluations ran along the way.
Three concrete capabilities the combined obligations imply for financial-services deployers:
- A live inventory of high-risk AI systems in production, with intended purpose, provider, Annex III classification, and oversight owner mapped to each.
- Real-time logs of inputs, outputs, and policy evaluations — retained for the period the regulation specifies and producible on request.
- Documented human-in-the-loop checkpoints at the decision boundaries that materially affect a natural person — adverse credit decisions, AML risk uplifts, denied insurance applications.
These are runtime controls, not annual attestations. A PowerPoint inventory of AI use cases does not satisfy them.
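To make the three capabilities concrete, here is an added Python sketch (not Containment.AI code and not text from the Regulation) of what a deployer-side runtime control can look like: a hash-chained decision record carrying the system's Annex III class, inputs, output, policy evaluations and the human reviewer; a checkpoint that refuses to release an adverse decision with no named reviewer; and a retention check against the six-month floor. The field names, the 183-day approximation of six months and the ISO 8601 timestamp convention are assumptions.

```python
import hashlib
import json
from datetime import datetime, timedelta

# Added example, not Containment.AI code. "At least six months" approximated
# as 183 days (assumption); timestamps are ISO 8601 strings with offset.
MIN_RETENTION = timedelta(days=183)
GENESIS = "0" * 64

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class DecisionLog:
    """Append-only, hash-chained record of each high-risk system decision."""

    def __init__(self):
        self.entries = []

    def record(self, system_id, annex_class, inputs, output, policy_evals, reviewer, ts):
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        body = {"ts": ts, "system_id": system_id, "annex_iii": annex_class,
                "inputs": inputs, "output": output, "policy_evals": policy_evals,
                "reviewer": reviewer, "prev": prev}
        self.entries.append({**body, "digest": _digest(body)})
        return self.entries[-1]["digest"]

    def verify_chain(self):
        """False if any entry was altered or the chain was re-linked."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "digest"}
            if body["prev"] != prev or _digest(body) != e["digest"]:
                return False
            prev = e["digest"]
        return True


def release_decision(log, system_id, annex_class, inputs, output, policy_evals, reviewer, ts):
    """Human-in-the-loop checkpoint: an adverse outcome needs a named reviewer."""
    if output.get("adverse") and not reviewer:
        raise PermissionError("adverse decision blocked: no human reviewer recorded")
    return log.record(system_id, annex_class, inputs, output, policy_evals, reviewer, ts)


def purge_allowed(entry, now):
    """Entries younger than the retention floor must be kept."""
    age = datetime.fromisoformat(now) - datetime.fromisoformat(entry["ts"])
    return age >= MIN_RETENTION
```

A production version would persist entries to append-only storage and anchor the chain head externally; the in-memory list here only shows the record shape and the checks.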
How Containment.AI Maps to Articles 13 and 26
Containment.AI provides the operational layer that financial-services compliance teams need to demonstrate Article 13 and Article 26 compliance in production — without rebuilding the model pipelines themselves.
- Real-time policy enforcement at the proxy and browser layer for AI interactions, including the GenAI assistants that sit upstream of regulated decisioning workflows.
- Tamper-evident logging of prompts, outputs, and policy evaluations — retained as the deployer's record under Articles 12 and 26.
- Human-oversight checkpoints wired into the policy engine, so adverse decisions surface a reviewable record before the decision propagates.
- Inventory and reporting dashboards that map each governed system to its Annex III classification and Article 26 obligations.
The architecture is provider-neutral. It sits where AI interactions actually happen, so the deployer keeps control of the audit trail regardless of which provider built the underlying model.
Start Now, Not in July
The Commission has not signaled a further delay to the high-risk provisions. August 2, 2026 is the trigger for enforcement — not the trigger for starting implementation. For financial-services compliance teams, the remaining runway is to inventory high-risk systems, close the Article 26 oversight and logging gaps, and verify the audit trail will hold up the first time a competent authority asks for it.
Get started with Containment.AI — the runtime governance layer for high-risk AI under the EU AI Act.
Source: Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence — EUR-Lex consolidated text.