Picture an AI assistant that summarises supplier contracts or instantly retrieves the latest version of a specification. Convenient, until you ask yourself which documents it is actually accessing, and who decided it could. This is where the AI Act comes in: Regulation (EU) 2024/1689, in force since August 2024 with progressive application until August 2026, the world's first binding regulatory framework on artificial intelligence, which also covers AIs that merely read and summarise internal documents. This is not legal advice, but a practical guide for anyone who manages documents and wants to approach the topic with the right mindset.
The AI Act in brief for document managers
The regulation works by risk levels, ranging from prohibited practices such as social scoring, to high-risk systems in strictly listed sectors such as credit, employment and justice, down to limited and minimal risk. The good news for anyone managing documents is that typical uses such as searching, summarising and extracting information do not normally fall into the high-risk categories. Some cross-cutting obligations still apply, including transparency (anyone interacting with an AI must know it), plus the data governance principles that require you to know which data the AI processes, who accesses it and on what basis.
A second useful concept is the distinction the AI Act draws between whoever supplies the AI system, the provider, and whoever uses it in the company, the deployer. If you are an SME you are almost always a deployer, which means part of the obligations falls on you, particularly on how you grant access to data. Choosing vendors that make this split of responsibilities explicit, rather than generically declaring themselves "compliant", makes your side much simpler.
When AI reads your documents: obligations and risks
The delicate point is just one: access. If an AI agent can read documents containing personal or confidential data, you must be able to prove that access is limited to what is necessary, tracked and revocable. An AI that fishes from an ungoverned export, whether a copied folder or an archive pasted into a prompt, makes that proof nearly impossible. And that is where AI Act risk and GDPR risk stop being two separate problems and become the same problem.
Governance: permissions, logs, data in the EU
There is a useful convergence here, because the same measures that keep you compliant are also good engineering. Granular permissions applied to agents as well mean the AI only sees what the user behind it sees, while a register tracks every access and the data stays in Europe. If the AI reads documents through a governed channel, rather than from a parallel copy, oversight and traceability are already built in rather than bolted on afterwards. It is also a matter of data sovereignty: knowing where your data lives and who touches it is the premise of any compliance.
A practical compliance checklist
Five concrete starting points:
- Map where personal and confidential data lives in your documents
- Make sure agents inherit user permissions, not an elevated role
- Enable a log on every AI access
- Verify where the data is processed
- Put the purpose and basis of every AI use on documents in writing, and clarify with the vendor who is accountable for what
Then validate everything with your DPO or a legal advisor, because this checklist gets you to that conversation well prepared, but does not replace it.
Note: Informational content, not legal advice. Compliance assessments depend on the specific case and must be confirmed with a professional.
