Your Fortune 500 HR Customer Just Asked What EU AI Act Obligations Apply to Them as Your Buyer: Answering the Article 26 Deployer Questions

Your enterprise deal is at the 11th hour. Six months of sales, a signed MSA draft, and now the Fortune 500 HR director sends one final email: "Before we countersign, legal needs to understand what our own obligations are under the EU AI Act for deploying your tool. Can you walk us through Article 26 and what we need to do on our end?"

This question trips up founders more than almost any other in procurement. Most prep for questions about your compliance. This one is about theirs — and your ability to answer it is what closes the deal.

Here's exactly what to say.

Why This Question Is Showing Up Now

The EU AI Act's enforcement deadline of August 2, 2026, has compliance and legal teams at large enterprises doing something they've never done before: categorizing every AI tool in their vendor stack by risk tier and mapping their own obligations as deployers.

Article 26 is the deployer's obligations article. For high-risk AI systems in the employment category (Annex III, point 4 — which includes AI that manages, monitors, or evaluates workers), the deployer carries a defined set of obligations that are separate from anything you handle as the provider.

When your customer's legal team reads Article 26, they see nine distinct obligations. They want to know: which of these do we own, which do you help us with, and how do we show evidence?

What Article 26 Actually Requires of Your HR Tech Customer

Walk them through each obligation:

1. Use the system only as intended (Article 26(1))

The deployer must use your system "in accordance with the instructions of use." This means they can't configure your AI to evaluate employees in ways your documentation says it wasn't designed for — for example, using a productivity scoring tool to drive termination decisions if your product documentation says it's designed for goal-setting only.

How to answer: Send them your product's intended-use statement (or equivalent documentation) from your AI Feature Registry. Frame it as: "Our instructions of use define which employment decisions the system is authorized to support. Using it outside those bounds creates Article 26(1) exposure for your organization."

2. Assign human oversight responsibility (Article 26(2))

The deployer must "assign the task of human oversight" to a natural person with the necessary competence, training, and authority. This doesn't mean a rubber stamp — Article 14 defines meaningful oversight as the ability to understand outputs, recognize and correct failures, and intervene or override.

How to answer: Tell them Complizo's Article 14 documentation specifies what competency that person needs (e.g., understanding confidence intervals, knowing how to trigger an override workflow). Offer to include this in your onboarding materials so they can document who holds the oversight role.

3. Monitor for anomalous outputs (Article 26(5))

Deployers are required to "monitor the operation of the high-risk AI system on the basis of the instructions of use." In practical terms, this means someone on their side is watching for outputs that look wrong — not just errors, but results that seem biased, inconsistent, or unexpectedly distributed across demographic groups.

How to answer: Clarify that monitoring under Article 26(5) is distinct from any product feature — it's an internal HR process they need to establish. Offer them a monitoring checklist they can adapt: "Every [cadence] review whether outcomes are distributed as expected across protected characteristics, and log your review."

4. Report serious incidents (Article 73)

If deployment of your AI system contributes to a "serious incident" — defined in Article 3(49) as any incident that causes or is likely to cause death, serious damage to health, or serious adverse impacts on fundamental rights — the deployer must report it to the market surveillance authority.

How to answer: Be specific: "Our product logs every AI output with timestamps and input context. If you ever need to reconstruct the chain of events for an Article 73 report, we can provide that log." Then ask: "Does your legal team need our data retention policy formatted for this purpose?"

5. Conduct a Fundamental Rights Impact Assessment (Article 27)

Before deploying a high-risk AI system in the employment category, deployers must conduct an FRIA. Article 27 outlines nine elements the assessment must address, including affected populations, categories of data processed, and the risk of discrimination.

How to answer: This is where Complizo directly accelerates them. Your Article 27 documentation (or the FRIA template you provide as part of onboarding) gives their legal and HR team a structured starting point rather than a blank page. Say: "We provide a pre-filled Article 27 FRIA template that maps our system's design choices to each required element. It cuts your assessment from weeks to hours."

The One Page They Actually Need From You

Most HR legal teams aren't asking you to write their Article 26 compliance program. They want one thing: a document that maps the obligations clearly between provider (you) and deployer (them).

The simplest version is a two-column table:

This table closes legal reviews faster than any 10-page technical document you could send.

The Closing Move

When you send this to their legal team, end with a direct ask: "Do you need this formatted for your vendor risk register, or as an annex to our MSA?" Making it easy to file accelerates legal sign-off — which is what's standing between you and the countersignature.

Try Complizo free at complizo.com — paste your first questionnaire and get Article-traceable answers in minutes.