The Hidden Compliance Bill in Your AI Pipeline: EU AI Act for Vision Teams

Most computer vision teams shipping to European customers have a quiet problem: the EU AI Act classifies their systems as high-risk, and they don't have the documentation to prove they're compliant. Discovery happens during a customer's procurement review — by then, fixing it costs six months of engineering.

This post is the brief that should have circulated before you closed your first EU deal.

Why your vision model is almost certainly high-risk

The Act's Annex III lists high-risk categories. Computer vision lands in most of them: biometric identification, critical infrastructure (manufacturing safety, transport), employment (CV screening with face detection), essential services (insurance assessment from photos), law enforcement, migration, education, and product safety. If your model touches any of these — and most production vision systems do — you're in scope.

What 'high-risk' obligations actually are

Six concrete obligations. Risk management system (RMS) covering the model lifecycle. Data governance — labeled, validated, representative, free of bias. Technical documentation — sufficient detail that a third party can assess the system. Record-keeping — automatic logging of operation, with retention. Transparency — clear information to users about what the AI does. Human oversight — defined override mechanisms. Accuracy, robustness, cybersecurity — measured and reported.

None of these are abstract. Each maps to specific artifacts your team has to produce on demand.

The retrofit cost

Teams that build compliance retroactively typically spend 4-6 engineer-months per model. Most of that work is recreating audit history that should have been captured during labeling and training. Reconstructing 'who labeled this, when, with what reviewer chain' from existing systems is nearly impossible — that data was never persisted.

Teams that build compliance into their data ops from day one spend roughly zero additional time. The audit log is a side effect of doing labeling correctly.

What auditors actually look at

Real CE-marking audits focus on three artifacts. The data sheet — what's in your training set, where it came from, how it was labeled, how representative it is of the deployment domain. The model card — what the system does, accuracy benchmarks, known failure modes, intended use boundaries. The decision log — for any deployed prediction, who can trace it back through model version, dataset version, and labeler chain.

Without these three artifacts you cannot CE-mark. Without CE-marking, you cannot legally place a high-risk AI system on the EU market after August 2026.

The platform-level fix

The audit trail is the cheapest part of the obligation if it's generated automatically. Every annotation logged with reviewer identity. Every dataset version snapshotted. Every training run linked to the dataset version it used. Every deployed model linked to the training run. This is metadata plumbing — boring but required.

Intellabel's audit log captures this by default across labeling, dataset versioning, and MLOps. The conformity exports map directly to EU AI Act Annex IV technical documentation. If you're 8 months out from your EU launch, this is the engineering you skip.

What to do this quarter

Inventory your deployed and in-development models. Map each to an Annex III category. For each high-risk model, list the six artifacts the Act requires and identify which you can produce today. The gap is your compliance backlog, and the gap closes much faster from a platform with the audit trail built-in than from any retrofit.

From Labeling to Structured AI Data Pipelines