In brief: An AI compliance audit reviews, one by one, the artificial intelligence tools your company uses to verify whether they meet the European AI Regulation (the AI Act, EU 2024/1689). Parts of the regulation are already mandatory: the prohibition on certain practices and the staff literacy requirement have applied since February 2025, and the rules for general-purpose models since August 2025. The major date is August 2026, when obligations for high-risk systems take effect. In Spain, the supervising body is AESIA. Below you will find the full checklist and the timeline.
What an AI compliance audit is
It is an ordered review of every artificial intelligence system your company uses, buys, or sells, checking whether each one aligns with what the law requires. It is not a technical examination of the algorithms, nor a cybersecurity audit, although the two overlap for high-risk systems, which the AI Act requires to meet accuracy, robustness, and cybersecurity standards (Article 15). The compliance audit looks at something different: whether you know what AI you have, what you use it for, what risk it generates, and whether you meet the obligations that apply to you given that risk.
I often explain it to clients this way: it is the same exercise we all went through with GDPR in 2018, but applied to AI. First you draw up an honest inventory of what you use. Then you classify each item by its risk level. Then you check, case by case, whether you comply. And finally you document everything so you can demonstrate it if anyone asks.
The difference between a genuine audit and an improvised internal project lies in rigour. A real audit leaves a paper trail: a report with findings, a risk level assigned to each system, and an action plan with dates and responsible parties. Without that paper trail, you do not have compliance — you have good intentions.
Why now: the AI Act is already in force
The AI Regulation (AI Act, EU Regulation 2024/1689) was published in 2024 and is not a promise for the future: parts of it already apply. Many people believe they have until 2026 to look into the matter. That is not true, and that misunderstanding is precisely what gets companies into trouble.
The regulation rolls out in phases. Since 2 February 2025, certain AI practices have been prohibited (Article 5) and there is a duty of AI literacy (Article 4), meaning staff who work with these systems must be trained to a level appropriate to their role. Since 2 August 2025, obligations apply to providers of general-purpose AI models (the so-called GPAI, such as large language models), and the governance and penalty provisions have applied since the same date. The date that marks most companies' calendars is 2 August 2026, when the obligations for high-risk systems listed in Annex III (and the transparency duties of Article 50) come into force.
This is the same phased pattern we analysed in detail in the article on AI Act obligations in August 2026 for SMEs (small and medium-sized enterprises) in Spain. If your company plans to use AI in staff selection, credit decisions, or any process that affects people's rights, that is the date to plan for, and it pays to arrive prepared.
On sanctions, it is worth being precise. The regulation (Article 99) provides for fines of up to €35 million or 7% of worldwide annual turnover, whichever is higher, for prohibited practices; up to €15 million or 3% for breaches of most other obligations; and up to €7.5 million or 1% for supplying incorrect or misleading information to authorities. For SMEs, the lower of the two figures applies. I use "up to" deliberately: these are ceilings, not automatic amounts. But the underlying message is clear: this is taken seriously.
What an AI compliance audit covers
A thorough audit addresses seven areas. I explain each one because each tends to hold a surprise.
1. AI systems inventory
Before you can comply with anything, you need to know what you have. And here the first surprise almost always appears: there is more AI than management thinks. The website chatbot, the HR CV filter, the lead-scoring tool, the ERP forecasting module, the AI features switched on inside SaaS products you already pay for, and the assistants individual employees have adopted on their own without asking anyone. The inventory captures all of them, with their provider, purpose, the data they touch, and whether your company is the provider or merely the deployer of each one, because the obligations differ between the two roles.
2. Risk classification
The AI Act orders systems by risk. There are prohibited practices (for example, certain uses of social scoring or manipulation), high-risk systems (the use cases listed in Annex III, including employment, education, access to credit and essential services, biometrics, and safety components), systems with transparency obligations, and minimal-risk systems. Each tool in your inventory receives a label, and the reasoning behind the label is recorded. All other obligations depend on that label, so this is the step that requires the most care.
3. Transparency
Some AI uses require notifying the person involved (Article 50, applicable from 2 August 2026). If a user is talking to a chatbot, they must be able to know it is not a human. If you publish content generated or manipulated with AI, in certain cases you must flag it, and deepfakes must always be disclosed as such. The audit verifies that those notices exist, appear at the right moment, and are understandable.
4. Data and GDPR
AI feeds on data, and much of it is personal data. Here the AI Act and GDPR work hand in hand: lawful basis for processing, minimisation, information to data subjects, and, where required, an impact assessment. If you want to review the data protection side separately, it is covered in the GDPR compliance guide for businesses and its sanctions. In practice, a poorly governed AI system usually has a data problem lurking behind it.
5. Human oversight
For high-risk systems, a person must be able to monitor, understand, and, if necessary, stop the machine. "The algorithm decides and that's that" is not acceptable. The audit reviews who supervises, with what training, and with what real power to intervene. This connects to the Article 4 literacy duty: if your staff do not understand the tool, they cannot supervise it.
6. Documentation and traceability
Complying without being able to prove it is worthless. High-risk systems require technical documentation, automatically generated logs, and a trail that allows you to reconstruct what happened and why. Deployers must keep those logs for at least six months (Article 26), which in practice means checking that the provider actually makes them available to you. The audit verifies that this documentation exists and is current, not just that the system works.
7. Governance
The seventh area ties everything together: internal policies, assigned responsibilities, a process for evaluating each new tool before purchase, and a management system that does not depend on one person's memory. If you want a formal, certifiable structure for this, the ISO 42001 AI management system standard is the reference framework, and it fits very well as the backbone for AI Act compliance.
Practical AI compliance audit checklist
This is the checklist we use as a starting point. It works for an initial self-assessment before embarking on a formal audit.
| Area | What to check | Status |
|---|---|---|
| Inventory | A complete list of AI systems used, purchased, or developed exists, with provider and purpose | Yes / No / Partial |
| Classification | Each system has been assigned a risk level under the AI Act | Yes / No / Partial |
| Prohibited practices | It has been verified that no system falls under Article 5 (prohibited since Feb 2025) | Yes / No / Partial |
| AI literacy | Staff who use AI have received training (Article 4, since Feb 2025) | Yes / No / Partial |
| Transparency | Users know when they are interacting with AI or AI-generated content (Article 50, from Aug 2026) | Yes / No / Partial |
| Data and GDPR | Lawful basis, minimisation, and information to data subjects are in place; impact assessment where required | Yes / No / Partial |
| Human oversight | A person can monitor, understand, and stop high-risk systems | Yes / No / Partial |
| Documentation | Technical documentation and logs exist for high-risk systems | Yes / No / Partial |
| GPAI models | If general-purpose models are used, their obligations are met (since Aug 2025) | Yes / No / Partial |
| Governance | Policies, responsible parties, and a process for evaluating new tools are in place | Yes / No / Partial |
If you mark "No" or "Partial" in several rows, do not panic — that is normal at this stage. The value of the checklist is to give you an honest snapshot of reality so you can decide where to start.
AI Act obligations timeline
These are the dates that matter for planning the audit, in order, so the pace of the regulation is clear.
| Date | What enters into force |
|---|---|
| 12 July 2024 | Publication of EU Regulation 2024/1689 (AI Act) in the Official Journal; in force from 1 August 2024 |
| 2 February 2025 | Prohibition of AI practices under Article 5 and AI literacy duty under Article 4 |
| 2 August 2025 | Obligations for providers of general-purpose AI models (GPAI); governance and penalty provisions |
| 2 August 2026 | Obligations for high-risk systems listed in Annex III; transparency duties under Article 50 |
| 2 August 2027 | Obligations for high-risk systems that are safety components of products covered by Annex I (machinery, medical devices, and similar) |
My practical reading: if you are already on top of Article 5 and staff training, the urgent priority now is the inventory and classification. And if your sector involves high-risk AI, August 2026 is closer than it looks when you need to document, train staff, and set up oversight.
Who supervises in Spain: AESIA
Spain was among the first countries to establish a dedicated authority. AESIA (the Spanish Agency for the Supervision of Artificial Intelligence), headquartered in A Coruña, is the national body responsible for supervising and enforcing the regulation. Having a dedicated, operational authority changes the calculation: supervision is not some abstract thing from Brussels; it is an agency with a name and an address.
How to prepare without feeling overwhelmed
The good news is that this can be done in an orderly way. You do not need to resolve everything in a week; you need to start in the right order.
First comes the inventory, because without knowing what you have you cannot do anything else. Second, classification by risk — that is where you find out how much work really lies ahead. If nothing high-risk emerges from that classification, your workload drops significantly. If something does, you know where to focus and you have until August 2026 for the heavy lifting.
After that, the rest is closing gaps: transparency notices, alignment with GDPR, human oversight where required, documentation, and a minimum governance structure that prevents starting from scratch every time someone installs a new tool. And the Article 4 training, which many companies overlook thinking it is a minor detail — it has already been mandatory for over a year.
If you prefer not to do this blind, in my compliance consultancy I guide companies through the entire process, from inventory to action plan. The goal is not to generate fear or paperwork for its own sake, but to get your AI use into proper order and be able to prove it.
If you would like an initial review of your situation, write to me from the contact page and we will see where to start in your specific case.