Preparing for 2026 requires execution discipline, not just awareness. This checklist is designed for SMEs that need a practical path from initial uncertainty to operational readiness.
10-item readiness checklist
1) Inventory all AI use cases
Capture system name, owner, purpose, affected groups, and business process.
2) Assign role per system
Classify provider/deployer/mixed with documented rationale.
3) Run prohibited-practice screening
Check every sensitive use case against Article 5 red flags.
4) Map high-risk candidates
Use Annex III categories and context-based impact analysis.
5) Define oversight controls
Set human review/override points for consequential decisions.
6) Implement logging and monitoring
Track critical events, model drift indicators, and incident triggers.
7) Prepare transparency notices
Disclose AI interaction/content where obligations apply.
8) Build documentation packs
Maintain risk rationale, controls, owners, and evidence references.
9) Create incident workflow
Define severity model, escalation owners, and corrective loop.
10) Schedule governance cadence
Monthly risk updates + quarterly compliance review + event-driven reassessment.
Maturity scoring suggestion
- 0-3 complete: ad hoc stage
- 4-6 complete: emerging control stage
- 7-8 complete: managed stage
- 9-10 complete: audit-ready stage
What to do if you are behind
Start with high-impact workflows first (employment, eligibility, pricing, rights-sensitive decisions). It is better to fully control 20% of highest-risk workflows than to lightly document everything without operational effect.
Final takeaway
A checklist is only useful if each item has an owner, due date, and verification method. Convert this list into a board and execute weekly until every item is evidenced.