Trying to apply the EU AI Act to a real product (and why it’s harder than it looks)

I didn’t expect to spend this much time thinking about the EU AI Act. It started with a pretty innocent question. We’re building a product that uses AI, and at some point I figured I should probably check if this whole regulation thing applies to us. I assumed I’d skim a couple of articles, maybe read a summary, and move on with my life. That didn’t happen. At first, everything looks very clean. You’ve got categories, definitions, risk levels… it almost feels reassuring. Like someone has already done the hard thinking for you. Then you try to apply it to your actual product. That’s where things start to wobble a bit. I found myself going back and forth on questions that should be simple, but somehow aren’t: Are we even in scope here? What exactly counts as an “AI system” in what we’ve built? If we’re using third-party models, is that our problem or someone else’s? Are we supposed to be documenting things already, or is that future-us’ problem? The more I read, the less binary it all fe