The EU AI Act has been law since 2024, but 2026 is the year it stops being theoretical. General-purpose AI obligations took effect last August; the high-risk rules follow this August. Somewhere between those dates, every university department, learned society, and research charity that touches EU citizens needs to be able to answer a simple question: which AI systems do we actually use, and what do they do?
The reassuring part first
Most of what academic organisations do with AI is minimal-risk under the Act. Drafting newsletters, summarising minutes, transcribing interviews, cleaning data — none of this is regulated in the way recruitment screening or exam proctoring is. If your AI use lives in the back office, your obligations are mostly about transparency and knowing what you run.
The risk categories that bite academia are narrower than the headlines suggest: systems that score or filter people. Admissions triage, automated marking, plagiarism detection that feeds disciplinary decisions, recruitment tools. If a system’s output affects an individual’s access to education or work, treat it as high-risk until someone qualified tells you otherwise.
The afternoon of work
- Inventory, not investigation. One spreadsheet: tool, what it does, who uses it, what data goes in, whether its output affects a person’s prospects. Most rows will take two minutes.
- Mark the chatbots. Anything on your website that talks to visitors needs to identify itself as AI. This is the transparency obligation most academic sites will actually meet first.
- Ask your vendors. The compliance burden for the tools you license sits mostly with the provider — but you need their documentation on file. A one-line email per supplier does it.
- Name an owner. Not a committee. One person who keeps the inventory current and fields the questions.
Where it touches your website
Three places, in our experience. Chat and search assistants need disclosure. AI-generated images and text in public communications increasingly warrant a note — the Act’s transparency provisions point that way, and academic audiences expect it anyway. And any membership platform that profiles or segments people automatically deserves a closer look at what the segmentation is used for.
A worked example
A learned society we work with ran the exercise in January. Forty minutes produced eleven rows: a writing assistant, a transcription service, a translation tool, spam filtering, image generation for social cards, and six features buried inside platforms they already licensed. One row needed attention — an event platform’s “lead scoring” feature, which they simply turned off because nobody had asked for it. The inventory now lives next to their data-protection record and gets reviewed at the same meeting.
That is what readiness looks like for most academic organisations: not a compliance programme, but a current list and a named person. The organisations that struggle in August will be the ones that never made the list.