The Compliance Surface
The EU AI Act is not stalling enterprise deals through its substance. It is stalling them through its surface — the questionnaire that arrives three steps before the contract.
There is a version of the EU AI Act story that gets told at conferences, and a different one that gets lived in sales pipelines. The conference version is about fundamental rights, risk tiers, and the architecture of a landmark regulation. The pipeline version is shorter and less dignified: a US or UK software vendor, weeks from closing a six-figure European deal, receives a spreadsheet. The spreadsheet has ninety rows. Several of them say “AI Act”. Nobody on the vendor’s side knows how to answer them, and the deal goes quiet.
That spreadsheet is what I have started to call the compliance surface — the thin, administrative layer where a regulation actually touches a transaction. It is not the law. It is the law’s shadow, cast by a procurement team that has been told to be careful and given no further instructions.
The surface is where the friction lives
It is tempting to think the hard part of the AI Act is the substance: classifying systems, documenting risk, building the governance machinery. For a small number of genuinely high-risk deployments, it is. But most of the deals stalling right now are not stalling on substance. They are stalling because a buyer’s procurement function has added AI questions to its standard security questionnaire, and the seller has no rehearsed way to respond.
The questions are often not even answerable in the form they are asked. “Is your product compliant with the EU AI Act?” is not a yes/no fact about a product; it depends on how the buyer deploys it, in what role, for what purpose. But the row demands an answer, and a blank cell reads as a red flag.
Why this is a better problem than it looks
A bottleneck that sits on the surface, rather than in the substance, is a good problem — because surfaces are addressable without practising law. You cannot, as a software tool, tell a company whether it is compliant. That is a legal conclusion. But you can help a vendor produce a clear, well-organised, honestly-caveated account of how their system works, which obligations plausibly apply, and what evidence they can point to. You can turn a blank cell into a defensible first draft.
The distinction matters enormously, and I will keep returning to it: the value is in structuring information the vendor already half-knows, not in issuing a verdict. The moment a tool issues verdicts, it is doing something only a lawyer should do. The moment it organises facts and surfaces the right questions, it is doing something every vendor desperately needs and no one is selling them well.
The shape of the thing
If I were designing for this — and I am — the artefact is not a chatbot. It is a response pack: a structured document a vendor can attach to a procurement reply. It takes a description of the product, walks the live obligations the Act actually imposes today, and produces draft answers with the caveats built in. It does not promise compliance. It promises readiness to have the conversation.
That framing is doing real work. It keeps the tool on the right side of the line between information and advice. It matches what the buyer actually wants, which is not a certificate but a counterparty who has clearly thought about this. And it meets the seller at the exact moment of pain — not in the abstract, months before, but in the hour the spreadsheet lands.
The regulation will keep generating conference talks about rights and risk. Good. But the money, for now, is in the shadow it casts on a Tuesday-afternoon procurement review — and in helping the people standing in that shadow find the light switch.
Milos Kresojevic · Editor, AI.Legal