The EU AI Act enters its second compliance milestone on 2 August 2026, when high-risk system obligations under Article 6 and Annex III become enforceable. Most "AI-enabled" guard tour platforms are not yet ready for the documentation requirements, and procurement teams in regulated EU sectors are already updating RFPs to include AI-specific evidence.
If your platform ships anomaly detection, predictive routing, or incident classification, the questions below will land in your next renewal cycle. This is what we are watching at PatrolTech.
What changes on 2 August 2026
The AI Act's risk classification places most guard-tour AI features into the limited-risk category — they do not directly affect fundamental rights at the individual level. But two patterns push specific deployments into high-risk territory under Annex III:
- Workforce monitoring with operational consequences. When AI-driven anomaly detection on patrols feeds into HR decisions (performance reviews, dismissal, shift assignment), Annex III §4 (employment, workers' management) applies.
- Critical infrastructure monitoring. Annex III §2 covers AI systems used as safety components in critical infrastructure. Patrol monitoring on energy, water, transport or digital infrastructure operators classified under NIS 2 Annex I may fall under this trigger.
The classification matters because high-risk systems require: documented risk management, training data governance, technical documentation, transparency to deployers, human oversight, accuracy and robustness testing, and post-market monitoring. None of this is optional.
What procurement teams are starting to ask
We have seen three questions appear in 2026 RFPs across data centers, hospitals and energy operators:
1. Model card per shipped AI feature. Training data sources, evaluation methodology, precision and recall on representative test sets, demographic disparities, known limits, update cadence. Vendors that ship AI features without a public model card will be filtered out of regulated-sector procurement starting Q3 2026.
2. Article 22 GDPR compliance evidence. Automated decision-making with legal or significant effect on individuals requires a human-review step by design. Procurement teams want to see the audit log: every AI alert that reached an operational threshold must show a documented human reviewer before any consequence flowed.
3. Per-tenant model isolation. Customer data used to train customer-specific models must not leak into other deployments. Vendors that share trained models across customers face GDPR Article 6 exposure plus AI Act Article 10 (data governance) scrutiny.
What to ask your guard tour vendor before the deadline
Three questions that filter quickly:
- Can you give me the model card for each AI feature you ship? If the answer is "we will share it under NDA", that means the documentation does not exist yet.
- Does an AI alert trigger any operational action without a human reviewer in the loop? If yes, that platform is not Article 22 compliant for high-risk deployments.
- Is my patrol data used to train models deployed at other customers? Cross-customer training is incompatible with the trust contract most regulated buyers expect.
Where guardtour.app stands
PatrolTech publishes model cards for every shipped AI feature at guardtourai.com/ai/model-card. Per-site model isolation is the default — your patrol patterns never train another customer's model. GDPR Article 22 enforcement is built in: every AI alert requires a human review step before operational consequences. The AI Act conformance documentation will be available in customer trust portals from Q2 2026.
The 2 August deadline is closer than it looks. Audit your AI feature documentation now, before procurement adds the questions to your next RFP.
Further reading
- /ai-guard-tour-software — head pillar for AI guard tour platforms.
- /responsible-ai — six principles and ethics commitments.
- EU AI Act final text — Articles 6, 22, Annex III.