
AI transparency obligations in 2026: what teams should document now

The next phases of the EU AI Act increase transparency and documentation expectations. Here's what website owners, agencies, and software teams should prepare today.

By Jurono
Updated: June 21, 2026

AI is already part of everyday business operations: customer support, marketing, content generation, coding, analytics, and internal automation. As additional phases of the EU AI Act take effect, one lesson stands out for smaller organisations: teams that do not document their AI usage today will have a harder time tomorrow.

Why this matters now

The EU AI Act follows a phased implementation timeline. After the first bans and governance provisions, obligations for general-purpose AI (GPAI) models started applying in August 2025. To support implementation, the European Commission published a GPAI Code of Practice focused on transparency, copyright, and safety and security. Enforcement structures for GPAI obligations become increasingly relevant from August 2026.

Most website owners are not building foundation models themselves. However, customers, partners, procurement teams, and regulators are increasingly asking how AI systems are used and what data they process.

The practical question: can you explain your AI stack?

Most companies can identify their CRM or hosting provider. AI usage is often much less visible.

Questions that should have clear answers include:

  • Which AI services are being used?
  • Which data is sent to external providers?
  • Is personal data involved?
  • Who is authorised to use AI tools?
  • Which business processes depend on AI outputs?
  • Where does human review take place?

For many organisations, the gap is not technical. It is documentation.

The simplest improvement: create an AI inventory

A lightweight document or internal wiki page is often enough.

It should include:

  1. AI tools and providers in use.
  2. Purpose of each system.
  3. Categories of processed data.
  4. Responsible teams or individuals.
  5. Risks and known limitations.
  6. Human oversight measures.
  7. Contractual and privacy information.

This inventory is useful beyond AI Act compliance. It also supports GDPR reviews, customer due diligence requests, security assessments, and internal audits.

Transparency is becoming a business advantage

Customers increasingly ask whether AI is involved in service delivery.

Agencies, freelancers, and software providers that can clearly explain their AI usage are likely to build more trust than organisations relying on undocumented experimentation. Transparency also reduces the risk of employees introducing new AI services that process sensitive information without proper review.

What software teams should document

For development teams, these details are especially valuable:

  • Models currently in use.
  • Critical prompts and system instructions.
  • External AI APIs.
  • Logging and retention practices.
  • Handling of hallucinations and incorrect outputs.
  • Fallback procedures when AI services fail.

This information often provides more operational value than lengthy compliance paperwork because it directly improves reliability, troubleshooting, and security.

Conclusion

Future AI Act obligations are not only relevant for large model providers. Smaller businesses also benefit from making AI usage visible and understandable. A current AI inventory, clear ownership, and documented processes improve compliance readiness, reduce risk, and simplify customer communication.

The most effective preparation is often the least glamorous: know which AI systems are running, what data they can access, and who is accountable for them.


This article is a technical overview and not legal advice.
