The EU AI Act has been rolling out in phases since 1 August 2024. For most advisors, that date — and the subsequent milestones e.g., on prohibited AI practices (February 2025) or the GPAI model obligations (August 2025) — passed as someone else's problem.

However, 2 August 2026 is the showstopper milestone for any advisor or consultant whose AI-drafted work reaches a client without disclosure.

From 2 August 2026 — calculating... — the EU AI Act's Article 50 transparency obligations become enforceable. Every AI system that interacts with a person, generates content, or reads emotional or biometric signals has to say so. This one doesn't arrive through your client's compliance programme and cascade down to you. It applies to you directly, the moment you're the one deploying the AI system on client work.

If you or your consulting team is using consumer AI — or even enterprise accounts — for client work, you are very likely already falling short on at least one of the asks below.

What the EU AI Act requires — from your clients, and from you

The EU AI Act runs to 144 pages with 113 Articles across 12 Titles. Here is the operative part, distilled into nine asks across three tiers — what's already expected, what's enforceable in five weeks, and what's confirmed for 2027.

# Ask Source Status
1aChinese walls — data segregation between client engagementsGDPR Art. 5(1)(f) / Art. 32Already live
1bSigned data processing terms (baseline DPA)GDPR Art. 28Already live
2aAI-generated content markingAI Act Art. 50(2)Live 2 Aug 2026
2bAI interaction disclosureAI Act Art. 50(1)Live 2 Aug 2026*
2cDeepfake disclosureAI Act Art. 50(4)Live 2 Aug 2026
2dEmotion/biometric-recognition noticesAI Act Art. 50(3)Live 2 Aug 2026
3aAutomatic logsAI Act Art. 12 + Art. 26(6)Live 2 Dec 2027
3bModel governanceAI Act Art. 26 (deployer)Live 2 Dec 2027
3cData jurisdiction, per engagementAI Act Art. 26Live 2 Dec 2027

Two things worth being precise about. First, 1a and 1b aren't AI Act creations — they're baseline GDPR obligations that already bind any advisor processing client personal data through a third-party AI vendor, regardless of what happens to the AI Act's own timeline. Second, the AI Act does add something on top of the GDPR baseline at 1b specifically — Article 26(9) requires that signed agreement to cover AI-specific content — but that enhancement, like the logging and jurisdiction asks, doesn't land until 2 December 2027.

*2b applies when you build an AI-based tool — a chatbot, agent, or interactive assistant — that interacts directly with people on a client's behalf, whether that's the client's own employees or their customers. The disclosure obligation (that they're talking to an AI, not a person) then sits with you as the deployer of that tool. This is relevant because modern advisors are expected to be vertically integrated and more likely to build such tools for their clients.

†2c and 2d applies when you build AI-generated image/audio/video content or build biometric/emotion-recognition tools. Even if advisors may not build these, they need to be aware of the disclosure obligation when delivering work in integrated teams.

All of these live, near-term, and upcoming obligations are already showing up in AI governance questionnaires from your clients

Why your AI-stack is likely to fail compliance

Most advisors use one of two grades of AI tools: a consumer subscription or an Enterprise account — sometimes both. Neither was built for professional services data governance. Here is the evidence.

If you are using consumer AI

Some advisors and consultants use the c. $20/month AI tools such as ChatGPT Plus, Claude Pro, or Gemini Pro for client research and synthesis. Most claim to redact client info before using AI — but that gives a false sense of protecting client confidentiality. Even with redaction, and even if you opt-out of training their model using your data, the consumer AI tools will fail every ask that's actually theirs to answer.

# Ask Compliance Why
1a Chinese walls 🔴
Not possible
No client separation at infrastructure level — your work for Clients A and B sits in same tables
1b Signed DPA 🔴
Not possible
Consumer AI does not legally protect your client data — no signed DPA, no residency guarantee, and no breach notification obligation.
2a Content marking 🔴
Not possible
Exported text documents carry no visible AI-generated label and no machine-readable provenance marking
2b Interaction disclosure ⚪ For your action This sits with you, not the tool — see footnote 2b above
3a Logs 🔴
Not possible
No per-query logs. No model version stamping, no input/output record, no timestamp per interaction.
3b Model governance 🔴
Not possible
No mechanism to restrict models to use for client work, no audit trail of which model produced which answer.
3c Data jurisdiction 🔴
Not possible
Consumer tools don't disclose per-query routing. You cannot evidence whether their data was processed in the US, EU, or elsewhere

If you are using an Enterprise account

Enterprise subscriptions — ChatGPT Enterprise, Claude for Work, Gemini for Workspace — move you off consumer terms. They explicitly state that your data will not be used to train their models. Whilst this is an improvement over consumer AI, it still does not solve the compliance problem that matters most to your clients.

# Ask Compliance Why
1a Chinese walls 🔴
Not possible
No client separation at infrastructure level — your work for Clients A and B sits in same tables
1b Signed DPA ⚠️
Partial
Enterprise DPA covers your account. Your client needs documented terms covering their specific engagement — that document does not exist
2a Content marking 🔴
Not possible
Enterprise changes your data-handling terms, not your output marking — exported documents still carry no visible label or machine-readable metadata
2b Interaction disclosure ⚪For your action Same as for consumer AI — the disclosure obligation sits with you as deployer, not the platform.
3a Logs 🔴
Not as required
Logs sit in vendor infrastructure, not yours. You cannot pull a clean log of every AI interaction on Client A's engagement only. Art. 26(6) requires logs under your control
3b Model governance 🔴
Not possible
No mechanism to restrict models per client, no audit trail of which model produced which answer. Compliance is an honour system — not enforceable.
3c Data jurisdiction ⚠️
Partial
Regional data residency at the account level. You cannot offer different jurisdiction per client

Worth noting: Most independent advisors do not have Enterprise accounts at all — minimum seat requirements put them out of reach. Many boutique firms run a hybrid: one Enterprise account for a primary tool, consumer subscriptions for others. That hybrid satisfies neither requirement.

So how do you build a compliant AI posture for all your client work?

Passing a client AI governance audit requires you to satisfy every ask that's yours to answer — not most, not best efforts — 2 live under GDPR, 4 more live shortly under Article 50, and 3 more confirmed for December 2027. There are three credible paths.

Option A: Use your client's AI infrastructure  ⚠️
Simple if your client has private AI — but you lose your IP and would be limited by the models in your client's stack.

Some clients will insist you work within their own AI environment — their laptop, their internal tools, their approved models. This eliminates your data sovereignty problem entirely since the client owns the infrastructure and controls their own compliance. However it introduces a different risk: your IP, your prompts, and your methodology must be copied into their environment to generate outputs. You have no control over what happens to your intellectual property once it sits on their systems. AI quality is also constrained by whatever models their IT team has approved — which may lag significantly behind frontier capabilities.

Option B: Build your own private AI stack  🔴
The most complex and expensive option to build, certify, and maintain — realistic only for firms with serious IT muscle and budget.

The highest-control option. Your own infrastructure, your own model routing, your own compliance layer, your own logs — everything under your control and no one else's. This is what full compliance looks like in practice, and it gives you complete ownership of your IP and your client data. The large consulting firms — McKinsey, BCG, Deloitte — have the IT muscle and budget to build, certify, and maintain this internally. Most independent advisors and boutique firms do not. The cost is significant: infrastructure decisions, model routing architecture, memory design, token cost management, ongoing maintenance across a rapidly evolving model landscape, and building and certifying a compliance documentation layer for every client engagement. It is a substantial ongoing engineering and legal investment before you have delivered a single piece of client work.

Option C: PAL  ✅
Out-of-the-box compliance, frontier AI, sovereign model routing — works for one person or a team, no infrastructure decisions, no usage caps.

PAL delivers everything Option B provides without building it yourself. Private inference, per-client vault isolation, frontier model access including sovereign Mistral routing for EU-only engagements, automatically generated logs under your control, and a client-ready compliance pack from day one. Built initially as a private AI stack for a confidential client engagement by a McKinsey-trained consultant who felt every infrastructure decision, every token cost trade-off, every memory architecture choice — then productised as a simple subscription for one advisor or an entire team.

Then we decided other advisors should not have to build it themselves.

PAL is your competitive advantage — not just your compliance answer

GDPR created the same dynamic in 2018. The firms that got ahead of it won mandates from clients who were serious about data governance. The ones that scrambled lost them quietly — dropped from vendor lists without a conversation. The EU AI Act is that moment for AI. And the most commercially astute advisors won't wait for December 2027 — because their clients won't either. Privacy-conscious enterprise clients are already setting their own AI governance requirements ahead of the regulatory deadline. The advisor who is already compliant when that questionnaire lands is not just safe — they are ahead.

No consumer AI subscription and no Enterprise AI account can produce a compliant AI posture for client work. PAL is the only tool built for this — not by policy, not by promise — but ground up with a privacy-first architecture, per-client vault isolation, and cited answers so you always know what the AI used to reach a conclusion.

# Ask How PAL addresses it
1a Chinese walls ✅ Each client workspace is ringfenced at infrastructure-level. Client A's data will never sit in same table as Client B's
1b Signed DPA ✅ Complete client-ready compliance pack from day one: Data Processing Agreement, sub-processor register, AI disclosure document, and jurisdiction evidence — ready to share before the engagement starts
2a Content marking ✅ DOCX and PPTX generation ship with a visible AI-generated label and embedded document-property metadata, live before 2 August 2026
2b Interaction disclosure ⚪ The disclosure obligation sits with you as deployer, not the platform.
3a Logs ✅ Per-client and per-project logs — model version, input, output, timestamp, operator ID — stored under your control, exportable on demand
3b Model governance ✅ Model-level enforcement per vault — non-approved models are technically blocked, not managed by policy. Sovereign routing to Mistral Large for EU-only engagements enforced at the infrastructure level
3c Data jurisdiction ✅ Per-engagement jurisdiction evidence. Sovereign routing confirms EU-only data processing where required. UK/EU residency documented per client vault

This article focuses on EU AI Act obligations — but compliance is only part of the story. We have evaluated PAL against every credible AI alternative for confidential client work across quality, privacy, memory, and cost.
See the full comparison →

PAL — Built by consultants, for consultants — because we lived the problem before we built the solution.

Advisors who walk into a pitch with a compliant AI posture — will win the mandate.

With PAL, you walk into any pitch with that compliant AI posture — confident that you can deliver the best advice by using frontier AI on client work confidentially.

See PAL demo Get PAL - Your Private AI

Researched and drafted with AI, reviewed and edited by Kedar Gharpure.

Kedar Gharpure is founder of Heyxio, building PAL — private AI for consultants and boutiques.

← Back to Perspectives