Enforcement Timeline: No More "We're Working On It"
The EU AI Act (Regulation 2024/1689) is not a future proposal — it is law. Prohibited AI practices have been banned since February 2025. High-risk AI system obligations are enforceable from August 2026. EU member state market surveillance authorities are actively building their enforcement capacity. Enterprises using AI in HR decisions, credit assessment, or safety-critical operations need to be compliant now — not "soon."
What Is the EU AI Act? A Plain-English Summary
The EU AI Act is the world's first comprehensive legal framework governing artificial intelligence. Passed by the European Parliament in March 2024 and published in the Official Journal of the EU on 12 July 2024, it creates a risk-tiered regulatory framework — the higher the risk of an AI system to individuals and society, the stricter the obligations placed on organisations that deploy it.
The Act applies to:
- Providers — organisations that develop or place AI systems on the EU market (e.g., SAP, SAVI AI)
- Deployers — organisations that use AI systems in a professional context within the EU (e.g., your company using SAP AI in your operations)
- Importers and distributors of AI systems in the EU
Even if your company is headquartered outside the EU, the Act applies if your AI systems affect people in the EU — employees, customers, or citizens. Think of it as the GDPR of AI — and take it equally seriously.
Key distinction: The EU AI Act focuses on what the AI does (its risk to people), while GDPR focuses on what data the AI processes. Both apply simultaneously for most enterprise AI deployments. A high-risk AI system that processes personal data must comply with both regulations.
The 4 Risk Tiers — Where Does Your SAP AI Land?
Every AI system under the EU AI Act falls into one of four risk categories. Understanding your tier is Step 1 of compliance:
Unacceptable Risk — Banned Outright
AI systems that pose an unacceptable risk to fundamental rights. Banned since February 2025.
- Real-time biometric surveillance in public spaces
- Social credit scoring systems
- AI that manipulates behaviour subliminally
- Emotion recognition in workplaces/schools
Significant Obligations Apply
AI in critical infrastructure, HR decisions, credit assessment, education, law enforcement. Full compliance required by August 2026.
- AI making or assisting HR/employment decisions
- AI in credit/financial access decisions
- AI in safety-critical manufacturing systems
- AI for essential service access
Transparency Obligations Only
AI systems that interact with people (chatbots, deepfakes). Must be disclosed as AI.
- AI chatbots and virtual assistants
- AI-generated content
- Emotion recognition (non-workplace)
Voluntary Code of Conduct
The vast majority of AI systems. Compliance is voluntary best practice, not mandatory.
- Invoice processing AI
- Supply chain optimisation AI
- Most finance automation use cases
- Spam filters, search ranking
How Your SAP AI Applications Are Classified
The most important question for any SAP enterprise: which of my existing and planned AI deployments are high-risk? Here is our classification guide for common SAP AI use cases:
| SAP AI Use Case | SAP Module | Risk Classification | Reason |
|---|---|---|---|
| AI CV Screening & Recruiting | SAP SuccessFactors Recruiting | High Risk | Employment decisions affecting workers — Annex III(4) |
| AI Performance Evaluation | SAP SuccessFactors Performance | High Risk | Influences promotion/dismissal decisions — Annex III(4) |
| AI Attrition Prediction | SAP Workforce Analytics | High Risk | May influence employment decisions — Annex III(4) |
| AI Credit Limit Assessment | SAP SD / Credit Management | High Risk | Financial access decision — Annex III(5) |
| AI Safety Systems in Manufacturing | SAP PM / EHS | High Risk | Safety-critical infrastructure — Annex III(2) |
| Invoice Processing Automation | SAP FI / MM | Minimal Risk | No decision affecting individuals directly |
| GR/IR Reconciliation AI | SAP MM / FI | Minimal Risk | Internal financial data matching only |
| Demand Forecasting AI | SAP IBP | Minimal Risk | Operational planning, no individual impact |
| Financial Close Automation | SAP FI / Controlling | Minimal Risk | Internal financial operations |
| AI Procurement / P2P | SAP MM / Ariba | Minimal Risk | Business-to-business transactions |
| Joule Conversational AI (informational) | SAP Joule | Limited Risk | Chatbot — transparency obligation applies |
| AI Fraud Detection | SAP FI / GRC | Limited Risk | May impact individuals if used for adverse decisions |
Important nuance: Classification is context-dependent. An AI that suggests a candidate shortlist but is always overridden by a human is lower risk than one that automatically filters out candidates. If your AI makes a decision rather than a recommendation — and that decision affects a person — it is more likely high-risk. When in doubt, treat it as high-risk and document accordingly.
5 Core Compliance Obligations for High-Risk SAP AI
If any of your SAP AI deployments fall into the high-risk category, you must meet all five of these obligations before August 2026:
Data Governance & Quality Management
High-risk AI systems must be trained and operated on data that is relevant, representative, free of bias, and appropriately protected. You must document your training data sources, apply data quality checks, and detect and address data bias before deployment.
- Document all data sources used for AI training and operation
- Implement bias detection and mitigation processes
- Apply data quality rules before data enters AI models
- Establish data governance policies covering AI data lifecycle
Technical Documentation
Before deploying any high-risk AI system, you must create and maintain technical documentation covering the AI system's purpose, design, risk management measures, testing results, and monitoring approach. This documentation must be kept up to date throughout the system's lifecycle.
- Create an AI System Record for each high-risk deployment
- Document intended purpose, technical specifications, and known limitations
- Record risk assessment methodology and mitigation measures
- Maintain a change log for every model update or parameter change
Transparency & User Information
People affected by high-risk AI decisions must be informed that AI is being used. If the AI makes or significantly influences a decision about them (hiring, credit, access to services), they have the right to know and — in many cases — to request a human review of that decision.
- Add AI disclosure notices to all affected employee/customer touchpoints
- Implement a "request human review" process for AI-influenced decisions
- Train HR and line managers on how to explain AI recommendations
- Update privacy notices and employee handbooks to cover AI use
Human Oversight & Control
High-risk AI systems must be designed so that qualified humans can effectively monitor, understand, intervene in, and override the AI's outputs. "Effective" oversight means humans must have time, authority, and capability to meaningfully review decisions — not just rubber-stamp AI recommendations under deadline pressure.
- Design "human-in-the-loop" approval steps for all high-risk AI decisions
- Provide reviewers with explainability data (why did the AI recommend this?)
- Set confidence thresholds — low-confidence AI outputs must route to human review
- Ensure reviewers have authority to override without penalty
Accuracy, Robustness & Continuous Monitoring
High-risk AI must maintain its declared performance levels throughout its operational life. You must implement continuous monitoring for accuracy degradation, data drift, and unexpected behaviours — with automatic alerts and remediation processes when performance drops below thresholds.
- Define key performance metrics and minimum acceptable thresholds for each AI system
- Implement automated monitoring with alerting for performance degradation
- Schedule quarterly model reviews and annual full conformity assessments
- Maintain a model incident log for unexpected AI behaviours
EU AI Act Penalties: Why Compliance Is Non-Negotiable
| Violation Type | Max Fine (higher of) | Examples |
|---|---|---|
| Prohibited AI practices | €35 million or 7% global turnover | Deploying real-time biometric AI, social scoring, emotion recognition in workplace |
| High-risk AI non-compliance | €15 million or 3% global turnover | Missing documentation, no human oversight, inadequate transparency to users |
| Incorrect/misleading information | €7.5 million or 1.5% global turnover | Providing false conformity assessment results to authorities |
For a company with €5 billion in global revenue, a 3% penalty for high-risk AI non-compliance is €150 million. The compliance investment to avoid this is a fraction of that cost — and delivers the added benefit of more trustworthy, better-governed AI that employees and customers trust.
EU AI Act + GDPR: How They Work Together for SAP
Many SAP AI applications process both structured ERP data and personal data about employees, customers, or suppliers. When personal data is involved, both GDPR and the EU AI Act apply simultaneously. Here's how they interact:
Where GDPR Applies
- Any AI that processes employee data (SuccessFactors AI, payroll, attrition models)
- Any AI that analyses customer data (CRM AI, collections AI, personalisation)
- Supplier data linked to identifiable individuals
- Invoice data that contains personal information
Where EU AI Act Applies
- Any high-risk AI system as defined by the Act's Annex III
- All AI chatbots and virtual assistants (transparency obligation)
- General-purpose AI models used in deployment (from August 2025)
The Dual Compliance Checklist for SAP HR AI
SuccessFactors AI — GDPR + EU AI Act Combined Checklist
Your 90-Day EU AI Act Compliance Roadmap
Don't try to solve everything at once. This phased plan takes you from unassessed to audit-ready in 90 days:
Map Every AI System You Deploy
You cannot comply with what you haven't catalogued. Create a comprehensive inventory of every AI-powered feature in your SAP landscape.
- List all SAP modules using AI features (Joule, ML Foundation, custom BTP models)
- Include third-party AI tools integrated with SAP (SAVI AI, RPA tools, analytics AI)
- Apply the 4-tier risk classification to each system
- Prioritise the high-risk and limited-risk systems for immediate action
Identify What's Missing for Each High-Risk System
For each high-risk AI system, assess compliance against all 5 obligation pillars and document the gaps.
- Run a gap analysis checklist against the 5 pillars above
- Assess existing documentation, monitoring, and oversight processes
- Interview AI system owners and business process teams
- Produce a gap report with prioritised remediation actions for each system
Close the Highest-Priority Gaps
Focus on the gaps that are legally obligatory and can be addressed quickly — documentation, disclosure notices, and human oversight workflows.
- Create Technical Documentation records for each high-risk AI system
- Add AI disclosure language to employee and customer-facing communications
- Design and implement human-in-the-loop approval workflows in SAP
- Configure model performance monitoring dashboards on SAP BTP
Address the Harder Technical Requirements
Data quality and bias testing require more time but are critical for high-risk HR and credit AI systems.
- Conduct bias audits on HR AI training datasets
- Implement data quality gates in SAP Data Intelligence or MDG
- Run fairness testing across protected characteristics (gender, age, nationality)
- Document bias mitigation measures and residual risk acceptance
Validate Compliance and Establish Ongoing Governance
Compliance is not a one-time project — it's an ongoing programme. Set up the governance structures to keep you compliant as AI systems evolve.
- Conduct a compliance walkthrough with legal and compliance teams
- Test human override processes with real scenarios
- Establish an AI Governance Committee with quarterly review cadence
- Add EU AI Act compliance to your vendor assessment framework for all new AI purchases
Good news for most SAP finance teams: Invoice processing, GR/IR reconciliation, demand forecasting, financial close, P2P automation, and treasury AI are minimal-risk under the EU AI Act. If your SAP AI is limited to finance and supply chain operations with no direct impact on individual employment or credit decisions, your compliance burden is relatively light — focused on transparency disclosures for any conversational AI and voluntary best-practice governance.
Frequently Asked Questions
Need Help Assessing Your SAP AI Compliance?
SAVI AI's compliance-ready platform includes built-in audit trails, human oversight workflows, EU data residency, and model performance monitoring — designed to meet EU AI Act obligations from day one. Book a compliance assessment with our team.