Vendor Actions
All major CRM vendors publish compliance materials: documentation of AI systems, conformity assessments for high-risk features, Trust Layer configurations that can be enforced for compliance, and customer-facing transparency obligations.
Salesforce publishes per-feature AI Act fact sheets through its Trust portal, covering Einstein, Agentforce, and Data Cloud. Microsoft maintains EU-specific documentation for Copilot and Dynamics AI in the Service Trust Portal, including DPA addenda and FRIA-input templates. HubSpot’s Breeze documentation now includes intended-purpose statements and oversight design notes. ServiceNow publishes Now Assist conformity attestations and offers EU data residency for AI workloads. Oracle, SAP, Adobe, and Pegasystems all maintain similar registries.
Shared Responsibility
The vendor provides a compliant platform; the customer must deploy it compliantly. Platform certification doesn’t automatically make a customer deployment compliant, so customer governance is still required.
The split mirrors GDPR’s controller/processor model. The vendor is the provider of the base system; you become the deployer (or co-provider if you substantially modify the intended purpose under Article 25). Vendor obligations: technical documentation, conformity assessment, and post-market monitoring of the system as designed. Deployer obligations: use per instructions, oversight, FRIA, log retention, and incident reporting. A vendor’s CE marking does not certify your specific configuration.
Feature Gating
Some AI features may be gated to specific regions. High-risk capabilities are restricted until conformity assessment is completed. Expect regional rollout variations through 2026.
Concrete examples are already visible: Salesforce delays some Agentforce autonomous-action features in the EU pending conformity work. Microsoft Copilot’s resume-screening capability launched in North America in Q1 2026 but remains gated in the EU. HubSpot’s predictive lead scoring offers an EU-specific model trained on lower-risk data. Read each vendor’s regional roadmap before committing; assuming feature parity across geographies will surprise you.
Customer Actions
Review your vendor’s AI Act materials. Map your deployments to Annex III categories. Ensure documentation, audit, and human oversight are in place. Don’t rely solely on the vendor: your specific deployment has compliance obligations.
Practical sequence: pull the latest AI Act documentation pack from each vendor, identify which provided artifacts you can reuse, identify gaps that require deployer-side work, brief legal and procurement on changed contractual obligations (Articles 25 and 26 trigger MSA amendments), and add AI Act compliance as a vendor scorecard line item alongside SOC 2 and ISO 27001.
What Changed in 2026
Three shifts. Vendor MSAs now include AI Act addenda by default — read them. Vendor SOC 2 reports increasingly reference Article 12 logging controls. Notified bodies are publishing first guidance on what counts as a “substantial modification” that flips a customer to provider status; the threshold is lower than many expect.
What to Do This Week
Email each major AI-feature vendor to request their current EU AI Act compliance pack and DPA addendum, then route both to legal for review.