← All articles

AI trends Published 2026-06-15 · 7 min read

EU AI Act in 2026: what on-prem deployment changes about compliance

The Act's high-risk deployer obligations are phasing in through 2026. On-prem deployment doesn't dodge the regulation — but it changes which obligations are practical to satisfy, and which ones cloud SaaS can't satisfy at all.

The EU AI Act entered into force in August 2024, with provisions phased in over a two-to-three year window [1][2]. Most enterprise compliance conversations have, so far, focused on whether a workflow falls into the "high-risk" category at all. By mid-2026, the conversation is shifting to a more practical question: given that the workflow is in scope, which deployment architectures actually let you satisfy the deployer obligations, and which ones quietly don't?

That second question is where on-premises deployment stops being a stylistic preference and starts being a structural fit.

What the Act asks deployers of high-risk AI to do

The Act distinguishes between the provider of an AI system and the deployer of it [1]. A bank using a third-party LLM API to score loan applications is the deployer, not the provider. Deployers of high-risk systems carry obligations including: ensuring human oversight, monitoring the system's operation, keeping logs for an appropriate period, suspending use if the system poses a risk to fundamental rights, and demonstrating these capabilities on request.

Several of those obligations are straightforward when the deployer controls the runtime. The "keeping logs for an appropriate period" obligation is mechanically simple if the inference happens on a server the deployer owns and the logs land in the deployer's SIEM. The "suspending use" obligation is similarly trivial if the deployer can shut down the model on their own infrastructure.

The same obligations become harder when the inference runs on a cloud LLM API the deployer doesn't operate. The logs the deployer can produce are limited to what the provider exposes. Suspending use requires the provider's cooperation. Demonstrating, contemporaneously, what data flowed through the system requires trusting the provider's pipeline.

Where cloud LLM APIs sit in the regulation

None of this makes cloud LLM APIs non-compliant. Article-by-article, providers and deployers of cloud-hosted AI can satisfy the Act's obligations. The friction is operational, not legal: the deployer has to assemble, audit, and demonstrate compliance across a vendor boundary, often for workflows that run thousands of inferences per day.

Stanford HAI's longitudinal AI Index has tracked the corresponding shift in enterprise spending [3]: the steepest growth across 2023–2025 was not in general-purpose generative AI, but in the supporting tooling — observability, governance, prompt-logging, content-classification, jailbreak-detection. Most of that spend exists to bridge the gap between what cloud LLM APIs natively expose and what a deployer needs to evidence in a regulatory context.

That gap is the structural advantage of running inference on hardware the deployer owns. Every "did this happen?" question collapses to a question the deployer can answer from their own logs.

What on-prem doesn't get you for free

Three deployer obligations from the AI Act are not automatically satisfied by an on-prem deployment, and it's worth naming them explicitly:

  • Human oversight. The Act requires meaningful oversight of high-risk AI, with humans able to interpret outputs and intervene. Running the model locally doesn't put a human in the loop; the workflow design does.
  • Monitoring for drift and unsafe behaviour. The deployer must continuously monitor the system. On-prem deployment makes the plumbing trivial (the data is local), but the policy ("what does drift look like for this workflow?") still has to be defined.
  • Provider obligations passed through. When the on-prem deployment is built on a third-party model (e.g., an open-weight model under a non-commercial licence, or a vendor model shipped as a binary), the deployer still needs to surface the provider's required disclosures.

The structural advantage of on-prem is on the data-handling and demonstrability axes, not on policy. Policy has to be written and enforced regardless of where the GPU sits.

How this plays with US, UK, and other jurisdictions

The EU AI Act is the most prescriptive of the major frameworks. The US NIST AI RMF [4] takes a voluntary, framework-based approach, and the OECD AI Policy Observatory [5] tracks how national governments outside the EU are converging on broadly similar principles (risk-based oversight, transparency obligations, data-handling rules).

For a multinational deployer, the practical effect is that the strictest jurisdiction sets the architecture. If a workflow has to satisfy the EU AI Act for European users, the same workflow won't fail US, UK, Japanese, or Singaporean obligations if it's designed against the EU bar. Designing the deployment against the strictest bar — including the deployer's ability to evidence per-request data handling — is what makes on-prem the structurally simpler default in 2026 enterprise AI.

What an on-prem AI deployment ready for 2026 compliance looks like

The shape we ship — and the shape compliance reviewers we work with ask for — is:

  • Inference local to the customer. Either on the user's device or on a customer-operated server. No prompts leave the perimeter.
  • Content-free audit logs. Every administrative action is logged with timestamp + actor; no prompts and no responses appear in the audit row. The audit row is the evidence; the content is the deployer's to retain under their own retention policy.
  • Identity through the customer's IdP. OIDC against Microsoft Entra ID or Google Workspace, with the deployer's existing access controls applying unchanged.
  • No vendor-side tenant. The vendor (us) doesn't operate the runtime, doesn't see the data, and isn't a point of failure for the deployer's compliance posture.

That last property is the one cloud LLM APIs structurally can't replicate — and it's why on-prem deployment is the dominant pattern in the regulated-enterprise corner of the market in 2026.

Background on how we built around this from the start is in Why we ship AI as installable binaries, not cloud SaaS. The capabilities that implement the audit, identity, and policy surface live in AI Admin Console.

References

  1. European Commission. "AI Act — Regulatory framework on AI." digital-strategy.ec.europa.eu. Accessed 2026-06-15.
  2. European Commission. "AI Act enters into force." digital-strategy.ec.europa.eu. Accessed 2026-06-15.
  3. Stanford HAI. "AI Index Report." aiindex.stanford.edu. Accessed 2026-06-15.
  4. NIST. "AI Risk Management Framework (AI RMF 1.0)." nist.gov/itl/ai-risk-management-framework. Accessed 2026-06-15.
  5. OECD AI Policy Observatory. "National AI policies." oecd.ai. Accessed 2026-06-15.

Related articles

Walk deployer obligations through a real workload.

A free 1-week pilot walks the customer's compliance team through deployer obligations against a real piece of work, on local inference, with the customer's IdP and audit trail.

Start a free 1-week pilot

Get release updates

New free AI products, major updates, and a few releases available only via this site. No spam.