A common misconception is that keeping AI in-house sidesteps the EU AI Act. It does not — the regulation targets how AI is used and the risk it poses, regardless of infrastructure. What on-premise gives you is control: the data, the logs and the model all stay under your governance, which makes demonstrating compliance simpler than auditing a third-party black box. This guide maps the tiers, the obligations, where on-prem helps, and a checklist.

Risk tiers and obligations

Tier          | Examples                                    | Obligations
Unacceptable  | Social scoring, manipulation                | Banned
High-risk     | Hiring, credit, medical, critical infra     | Risk mgmt, data governance, logging, human oversight, conformity assessment
Limited-risk  | Chatbots, content generation                | Transparency: disclose AI use
Minimal-risk  | Spam filters, most tools                    | Largely unregulated

General-purpose AI (GPAI) models

Beyond use-case tiers, the Act sets obligations for general-purpose AI models themselves — transparency, technical documentation, and a summary of training data — with stricter requirements for the most capable models judged to pose systemic risk. If you self-host an open-weight model, you are typically a "deployer" rather than the "provider", but you still inherit responsibilities around how you use and document it. On-premise does not change which tier applies; it changes how easily you can prove what your system does.

Why on-premise helps (even though it does not exempt you)

High-risk obligations lean heavily on evidence: you must show data provenance, keep logs of inputs/outputs, control access, and prove data stays where it should. With a self-hosted system, all of that is inside your perimeter — you can log everything, pin data to an EU/sovereign location, and audit the full pipeline. Demonstrating the same with a closed third-party API is harder because you do not control the internals. This is why regulated sectors lean on-prem: not because the law requires it, but because compliance is easier to evidence.

On-premise compliance checklist

  • ✓ Classify each AI use case into a risk tier
  • ✓ Maintain logs of model inputs/outputs (high-risk)
  • ✓ Document data governance and training-data provenance
  • ✓ Ensure human oversight of high-risk decisions
  • ✓ Disclose AI interaction to end users (limited-risk)
  • ✓ Pin data and processing to the required jurisdiction
  • ✓ Keep technical documentation and a conformity assessment
  • ✓ Track which obligations fall on you as provider vs deployer

This is general information, not legal advice. The AI Act phases in over time and details evolve — consult qualified counsel for your specific obligations and deadlines.