Skip to main content

The EU AI Act exposes a CX blind spot most leaders don't know they have

The greatest compliance risk may be the AI you haven't identified.

Woman on phone looking at a laptop

The next major phase of the EU AI Act arrives on 2 August 2026, bringing new transparency requirements and potentially significant penalties. Organisations that fail to meet certain obligations could face fines of up to €15 million or 3% of global annual turnover, while the most serious violations can trigger penalties of up to €35 million or 7% of global annual turnover. 

To explore what the legislation means in practice, I spoke with Georgi Georgiev, Senior Corporate Counsel, EMEA, and Amanda Panks, Senior Manager, Strategy and Operations, EMEA.  

What emerged was a picture that extends well beyond chatbots and customer-facing automation. Some of the biggest risks sit in places many organisations rarely consider, from employee-facing AI tools to vendor technologies operating quietly in the background.  

For CX leaders, understanding where those risks exist is the first step towards building a defensible approach to governance, compliance, and innovation.

Where are CX teams most at risk under the EU AI Act regulations? 

It’s natural to focus first on the AI tools customers can see. But in my experience, some of the bigger risks are often sitting behind the scenes, in back-end operations and employee management tools. 

A lot of CX teams have assumed that internal, employee-facing AI is automatically “safer” than client-facing automation because it’s not exposed to the public. The AI Act challenges that assumption. Tools used to monitor, evaluate, or predict human behaviour in an employment context now face serious regulatory scrutiny. 

Georgi Georgiev explains where the line needs to be drawn for internal systems: "Utilising an AI tool in the context of an employment relationship brings very serious governance processes. The AI tool should not be (and should not be perceived as) the main driver of employment-based decisions. It should only be supporting what would ultimately be a human-based decision." 

A simple example makes this easier to see. Imagine an internal analytics system tracking agent response times. If the system flags that an employee's speed has slipped over the past month, a non-compliant setup might automatically trigger a written warning or place them on a disciplinary track based purely on that algorithmic data. 

That’s where the risk appears. In a compliant framework, AI should flag the drop in performance to a team leader, who can then carry out a human-led review and decide whether the employee needs coaching, training, or personal support. The technology should act as a helpful tool. It shouldn’t make the management decision. 

Action item: If an AI system independently initiates automated disciplinary tracks or rankings without clear human intervention, it introduces significant corporate liability. That’s why building human-in-the-loop safeguards into these systems should happen immediately. 

What CX leaders need to know about unseen AI under the EU AI Act 

AI is no longer limited to one obvious platform or initiative. It’s often introduced gradually through platform upgrades, third-party tools, or vendor-managed features. 

That creates a real gap between perception and reality. You may think you’re using AI in a few visible areas, while in practice, AI may already be shaping decisions across much more of the customer journey. 

The challenge is simple: if you can’t clearly account for where these systems are operating, you may already have a compliance issue. 

Amanda Panks explains why this hidden operational risk is so important: The Act can apply to pretty much anything you have in your operation. It seeps into a lot of nooks and crannies... and I think a lack of technical understanding is driving a lack of conversation. People are happy things work, so they don’t question why they’re working. But it’s not magic. True readiness means choosing to stop, look, and understand exactly how that technology is making your life easier.” 

Action item: You can’t govern what you can’t see. Step one of readiness is taking inventory of all AI usage. Procurement, IT, legal, and CX operations should collaborate to determine which tools meet the AI Act definition of an AI system and involve all relevant stakeholders in the conversation. 

The non-EU trap: Why UK and US operations are not exempt 

One misconception I hear often is that geography provides a natural shield. If a contact centre is based in the United Kingdom or the United States, it can be tempting to assume the EU AI Act doesn’t apply. 

But the Act isn’t only concerned with where your operation is physically based. What matters is where the output of your AI system is used and whose data is being processed. If your automated systems process data for people in the European Union, support cross-border customer interactions, or touch overseas territories, your platform may fall within scope. 

Amanda Panks puts that operational blind spot into practical terms: “I hear people say, ‘my contact centre is in the United Kingdom. We’re not in the EU. How much really does that impact me?’ Are all of your customers sitting in the United Kingdom and not anywhere else? Because if they’re in Ireland or you’ve got overseas territories and customers that are living abroad, then the EU AI Act could be an issue.” 

The wider point is that global compliance is moving quickly. Even if your customer database feels largely domestic today, waiting for local laws to catch up is a reactive strategy. The EU framework is already becoming a reference point for how other markets think about AI governance, privacy, and accountability. 

Georgi Georgiev makes that point clearly: “I think the EU AI Act is the frontier of what's about to come in other continents as well, including in the US.” 

Action item: Assuming geographic immunity is a high-risk compliance strategy. Instead of waiting for a regulatory inquiry to force their hand, global operations must evaluate their compliance stance based on customer data flow rather than office postcodes. 

How to meet contact centre AI transparency and chatbot disclosure rules 

For the EU AI Act’s 2 August 2026 transparency mandate, the principle is straightforward: people should know when they’re interacting with an AI system, unless that’s already obvious from the context. 

In practical terms, disclosures need to be clear, accessible, and presented at the right point in the interaction. For CX teams, that often means examining chatbot greetings, IVR scripts, and other customer-facing touchpoints. 

Amanda Panks explains why that transparency changes the customer experience itself: "Telling people who they're talking to influences what they do and don't share. Most people feel more comfortable sharing sensitive information with humans because their perception is they can understand context and nuances better. If they are talking to a machine, they talk in a very transactional fashion. Customers need to be able to make informed choices, and it's in a business's own interest to get that mindset right." 

Action item: CX leaders should audit and consider updating all automated touchpoints, such as: 

  • Chatbots and voicebots: Reword greetings so they are explicit, for example: "You are speaking with our virtual assistant today." 

  • Automated channels: Clearly indicate AI authorship on automated emails, call summaries, or SMS updates. 

What good AI governance looks like in practice 

It’s easy to feel overwhelmed by the scale of the EU AI Act, the potential fines, and the legal thresholds. But for CX leaders, the real question is much more practical: what do we need to do next? 

Governance is a word we use a lot in business, but it can quickly become abstract. In client conversations, I try to bring it back to something simpler. Good governance isn’t there to slow innovation down. It’s there to give teams the confidence to innovate safely. 

When you strip it back, practical AI governance usually comes down to three foundations: 

1. Cross-functional councils: Good governance shouldn’t sit in one department. A strong model brings security, legal, infosec, and business stakeholders together so new use cases can be reviewed from every relevant angle. 

2. Multi-layered approval frameworks: You also need an approval process that balances speed with compliance: 

  • Layer 1: Explores the fundamental business case, data mapping, and inherent risk profile. 

  • Layer 2: Tailors the deployment to regional legal nuances, data protection compliance, and localised operational context. 

3. Unified global data architecture 

Rather than building fragmented compliance systems for every region, global businesses can make life easier by designing for the most comprehensive requirements first. 

Why AI governance is an innovation accelerator for customer experience 

Too many organisations still see compliance as something that gets in the way of transformation. I see it differently. Done well, AI governance can help innovation move faster because it gives teams clearer guardrails and enables responsible scaling across the technology estate. 

When review processes are in place early, enterprises can scale advanced models, deploy automation more securely, and turn regulatory readiness into a point of trust with customers. 

Join Georgi Georgiev, Amanda Panks, and Wayne Kay on 22 July 2026 at 1 p.m. BST for a practical discussion on the biggest compliance questions facing CX teams, where organisations are most exposed, and the steps you can take now to strengthen AI governance before enforcement intensifies. Register for the LinkedIn Live here.