The EU AI Act has been rolling out in phases since 1 August 2024. For most advisors, that date — and the subsequent milestones e.g., on prohibited AI practices (February 2025) or the GPAI model obligations (August 2025) — passed as someone else's problem.
From 2 August 2026 — calculating... — the EU AI Act's Article 50 transparency obligations become enforceable. Every AI system that interacts with a person, generates content, or reads emotional or biometric signals has to say so. This one doesn't arrive through your client's compliance programme and cascade down to you. It applies to you directly, the moment you're the one deploying the AI system on client work.
If you or your consulting team is using consumer AI — or even enterprise accounts — for client work, you are very likely already falling short on at least one of the asks below.
What the EU AI Act requires — from your clients, and from you
The EU AI Act runs to 144 pages with 113 Articles across 12 Titles. Here is the operative part, distilled into nine asks across three tiers — what's already expected, what's enforceable in five weeks, and what's confirmed for 2027.
| # | Ask | Source | Status |
|---|---|---|---|
| 1a | Chinese walls — data segregation between client engagements | GDPR Art. 5(1)(f) / Art. 32 | Already live |
| 1b | Signed data processing terms (baseline DPA) | GDPR Art. 28 | Already live |
| 2a | AI-generated content marking | AI Act Art. 50(2) | Live 2 Aug 2026 |
| 2b | AI interaction disclosure | AI Act Art. 50(1) | Live 2 Aug 2026* |
| 2c | Deepfake disclosure | AI Act Art. 50(4) | Live 2 Aug 2026† |
| 2d | Emotion/biometric-recognition notices | AI Act Art. 50(3) | Live 2 Aug 2026† |
| 3a | Automatic logs | AI Act Art. 12 + Art. 26(6) | Live 2 Dec 2027 |
| 3b | Model governance | AI Act Art. 26 (deployer) | Live 2 Dec 2027 |
| 3c | Data jurisdiction, per engagement | AI Act Art. 26 | Live 2 Dec 2027 |
Two things worth being precise about. First, 1a and 1b aren't AI Act creations — they're baseline GDPR obligations that already bind any advisor processing client personal data through a third-party AI vendor, regardless of what happens to the AI Act's own timeline. Second, the AI Act does add something on top of the GDPR baseline at 1b specifically — Article 26(9) requires that signed agreement to cover AI-specific content — but that enhancement, like the logging and jurisdiction asks, doesn't land until 2 December 2027.
*2b applies when you build an AI-based tool — a chatbot, agent, or interactive assistant — that interacts directly with people on a client's behalf, whether that's the client's own employees or their customers. The disclosure obligation (that they're talking to an AI, not a person) then sits with you as the deployer of that tool. This is relevant because modern advisors are expected to be vertically integrated and more likely to build such tools for their clients.
†2c and 2d applies when you build AI-generated image/audio/video content or build biometric/emotion-recognition tools. Even if advisors may not build these, they need to be aware of the disclosure obligation when delivering work in integrated teams.
Why your AI-stack is likely to fail compliance
Most advisors use one of two grades of AI tools: a consumer subscription or an Enterprise account — sometimes both. Neither was built for professional services data governance. Here is the evidence.
If you are using consumer AI
Some advisors and consultants use the c. $20/month AI tools such as ChatGPT Plus, Claude Pro, or Gemini Pro for client research and synthesis. Most claim to redact client info before using AI — but that gives a false sense of protecting client confidentiality. Even with redaction, and even if you opt-out of training their model using your data, the consumer AI tools will fail every ask that's actually theirs to answer.
| # | Ask | Compliance | Why |
|---|---|---|---|
| 1a | Chinese walls | 🔴 Not possible |
No client separation at infrastructure level — your work for Clients A and B sits in same tables |
| 1b | Signed DPA | 🔴 Not possible |
Consumer AI does not legally protect your client data — no signed DPA, no residency guarantee, and no breach notification obligation. |
| 2a | Content marking | 🔴 Not possible |
Exported text documents carry no visible AI-generated label and no machine-readable provenance marking |
| 2b | Interaction disclosure | ⚪ For your action | This sits with you, not the tool — see footnote 2b above |
| 3a | Logs | 🔴 Not possible |
No per-query logs. No model version stamping, no input/output record, no timestamp per interaction. |
| 3b | Model governance | 🔴 Not possible |
No mechanism to restrict models to use for client work, no audit trail of which model produced which answer. |
| 3c | Data jurisdiction | 🔴 Not possible |
Consumer tools don't disclose per-query routing. You cannot evidence whether their data was processed in the US, EU, or elsewhere |
If you are using an Enterprise account
Enterprise subscriptions — ChatGPT Enterprise, Claude for Work, Gemini for Workspace — move you off consumer terms. They explicitly state that your data will not be used to train their models. Whilst this is an improvement over consumer AI, it still does not solve the compliance problem that matters most to your clients.
| # | Ask | Compliance | Why |
|---|---|---|---|
| 1a | Chinese walls | 🔴 Not possible |
No client separation at infrastructure level — your work for Clients A and B sits in same tables |
| 1b | Signed DPA | ⚠️ Partial |
Enterprise DPA covers your account. Your client needs documented terms covering their specific engagement — that document does not exist |
| 2a | Content marking | 🔴 Not possible |
Enterprise changes your data-handling terms, not your output marking — exported documents still carry no visible label or machine-readable metadata |
| 2b | Interaction disclosure | ⚪For your action | Same as for consumer AI — the disclosure obligation sits with you as deployer, not the platform. |
| 3a | Logs | 🔴 Not as required |
Logs sit in vendor infrastructure, not yours. You cannot pull a clean log of every AI interaction on Client A's engagement only. Art. 26(6) requires logs under your control |
| 3b | Model governance | 🔴 Not possible |
No mechanism to restrict models per client, no audit trail of which model produced which answer. Compliance is an honour system — not enforceable. |
| 3c | Data jurisdiction | ⚠️ Partial |
Regional data residency at the account level. You cannot offer different jurisdiction per client |
Worth noting: Most independent advisors do not have Enterprise accounts at all — minimum seat requirements put them out of reach. Many boutique firms run a hybrid: one Enterprise account for a primary tool, consumer subscriptions for others. That hybrid satisfies neither requirement.
So how do you build a compliant AI posture for all your client work?
Passing a client AI governance audit requires you to satisfy every ask that's yours to answer — not most, not best efforts — 2 live under GDPR, 4 more live shortly under Article 50, and 3 more confirmed for December 2027. There are three credible paths.
Some clients will insist you work within their own AI environment — their laptop, their internal tools, their approved models. This eliminates your data sovereignty problem entirely since the client owns the infrastructure and controls their own compliance. However it introduces a different risk: your IP, your prompts, and your methodology must be copied into their environment to generate outputs. You have no control over what happens to your intellectual property once it sits on their systems. AI quality is also constrained by whatever models their IT team has approved — which may lag significantly behind frontier capabilities.
The highest-control option. Your own infrastructure, your own model routing, your own compliance layer, your own logs — everything under your control and no one else's. This is what full compliance looks like in practice, and it gives you complete ownership of your IP and your client data. The large consulting firms — McKinsey, BCG, Deloitte — have the IT muscle and budget to build, certify, and maintain this internally. Most independent advisors and boutique firms do not. The cost is significant: infrastructure decisions, model routing architecture, memory design, token cost management, ongoing maintenance across a rapidly evolving model landscape, and building and certifying a compliance documentation layer for every client engagement. It is a substantial ongoing engineering and legal investment before you have delivered a single piece of client work.
PAL delivers everything Option B provides without building it yourself. Private inference, per-client vault isolation, frontier model access including sovereign Mistral routing for EU-only engagements, automatically generated logs under your control, and a client-ready compliance pack from day one. Built initially as a private AI stack for a confidential client engagement by a McKinsey-trained consultant who felt every infrastructure decision, every token cost trade-off, every memory architecture choice — then productised as a simple subscription for one advisor or an entire team.
Then we decided other advisors should not have to build it themselves.
PAL is your competitive advantage — not just your compliance answer
GDPR created the same dynamic in 2018. The firms that got ahead of it won mandates from clients who were serious about data governance. The ones that scrambled lost them quietly — dropped from vendor lists without a conversation. The EU AI Act is that moment for AI. And the most commercially astute advisors won't wait for December 2027 — because their clients won't either. Privacy-conscious enterprise clients are already setting their own AI governance requirements ahead of the regulatory deadline. The advisor who is already compliant when that questionnaire lands is not just safe — they are ahead.
No consumer AI subscription and no Enterprise AI account can produce a compliant AI posture for client work. PAL is the only tool built for this — not by policy, not by promise — but ground up with a privacy-first architecture, per-client vault isolation, and cited answers so you always know what the AI used to reach a conclusion.
| # | Ask | How PAL addresses it |
|---|---|---|
| 1a | Chinese walls | ✅ Each client workspace is ringfenced at infrastructure-level. Client A's data will never sit in same table as Client B's |
| 1b | Signed DPA | ✅ Complete client-ready compliance pack from day one: Data Processing Agreement, sub-processor register, AI disclosure document, and jurisdiction evidence — ready to share before the engagement starts |
| 2a | Content marking | ✅ DOCX and PPTX generation ship with a visible AI-generated label and embedded document-property metadata, live before 2 August 2026 |
| 2b | Interaction disclosure | ⚪ The disclosure obligation sits with you as deployer, not the platform. |
| 3a | Logs | ✅ Per-client and per-project logs — model version, input, output, timestamp, operator ID — stored under your control, exportable on demand |
| 3b | Model governance | ✅ Model-level enforcement per vault — non-approved models are technically blocked, not managed by policy. Sovereign routing to Mistral Large for EU-only engagements enforced at the infrastructure level |
| 3c | Data jurisdiction | ✅ Per-engagement jurisdiction evidence. Sovereign routing confirms EU-only data processing where required. UK/EU residency documented per client vault |
This article focuses on EU AI Act obligations — but compliance is only part of the story. We have evaluated PAL against every credible AI alternative for confidential client work across quality, privacy, memory, and cost.
See the full comparison →
PAL — Built by consultants, for consultants — because we lived the problem before we built the solution.
Advisors who walk into a pitch with a compliant AI posture — will win the mandate.
With PAL, you walk into any pitch with that compliant AI posture — confident that you can deliver the best advice by using frontier AI on client work confidentially.
Researched and drafted with AI, reviewed and edited by Kedar Gharpure.
Kedar Gharpure is founder of Heyxio, building PAL — private AI for consultants and boutiques.
← Back to Perspectives