AI is already deciding who makes your shortlist. The EU AI Act wants to know who owns that decision. Most organisations have no answer. In the next seven minutes, find out if yours is one of them.
Picture a sourcing workflow that runs every day without incident. Suppliers are ranked. Bids are scored. Shortlists are generated. A procurement manager reviews the output, selects the recommended vendor, and moves on. Nobody questions the ranking. Nobody asks what weighted the score. Nobody logs the reasoning behind the recommendation because the system produced it and the system, as far as anyone is concerned, is the process.
When AI makes a procurement recommendation and a human accepts it without interrogating it, the human has not exercised oversight. They have performed it. The difference is everything to a regulator.
This is not a hypothetical. It is a description of how AI-assisted procurement operates in a significant number of enterprise organisations right now. And under the EU AI Act, it is a compliance failure in the making.
The failure is not the AI. The failure is the silence around it.
The Moment Nobody Is Watching
We work inside procurement workflows every day at MeRLIN Sourcing. What we see consistently is a specific moment where governance breaks down, and it is not where most people expect it.
It is not in the deployment decision. Organisations generally do think carefully about which AI tools to adopt. Procurement committees review them. IT security assesses them. Legal signs off on the vendor contract. That process, imperfect as it is, happens.
The governance gap is in what happens next. The moment the tool is live, the moment it is embedded in the daily workflow, the moment it starts producing outputs that influence who gets shortlisted, who gets scored highly, and who gets eliminated from a sourcing event, that is when the scrutiny stops. And that is precisely the moment the EU AI Act is most interested in.
Deploying an AI sourcing tool is a vendor decision. Using it accountably is an organisational one. The EU AI Act only cares about the second.
The regulation is not primarily concerned with how you chose your AI platform. It is concerned with how you use it, what decisions it informs, whether those decisions are explainable, and whether the humans involved genuinely understand and own the outcomes.
What the Regulation Actually Examines in Procurement AI
The EU AI Act classifies AI systems by the risk profile of the domain they operate in and the consequences of their decisions on people and organisations. Procurement AI that influences supplier selection, bid evaluation, or contract award sits in a category that regulators are examining with increasing specificity.
The obligations are not abstract. They translate into four operational questions that your organisation needs to be able to answer today, not when an audit begins.
Can you explain, in plain language, how your AI arrived at a specific sourcing recommendation? Not the general methodology. The specific recommendation, for that event, on that day.
Is human oversight in your process genuine or ceremonial? A procurement manager who approves an AI recommendation without the ability to interrogate or override it is not exercising oversight. They are providing a signature.
Do you maintain an audit trail that reconstructs the decision logic, not just the outcome? Knowing who was awarded a contract is not the same as knowing why the AI ranked them first.
Is there a named individual in your organisation who owns AI compliance in procurement, with the authority and the information to answer these questions under pressure?
If any of these stall you, your organisation has a governance gap. The good news is that this is a structural problem, and structural problems have structural solutions.
The Difference Between Compliant AI and Accountable AI
There is a distinction worth drawing carefully here, because it shapes how organisations approach the compliance challenge.
Compliant AI means your tooling has been assessed, categorised, and deployed within a documented framework that meets the minimum requirements of the regulation. It is necessary. It is not sufficient.
Accountable AI means that the people using the tool, the procurement managers, the category leads, the CPO signing off on major contracts, genuinely understand what the AI is doing and why, can intervene meaningfully when it produces a result they do not trust, and can defend every significant sourcing outcome with evidence that goes beyond the AI’s output alone.
The distance between those two states is not a technology gap. It is a process and culture gap. And it is the gap that regulators, counterparties, and increasingly institutional investors are beginning to probe.
At MeRLIN Sourcing, we built the platform around this distinction from the ground up. Explainability is not a reporting feature. It is structural, present at the point of recommendation, visible to the procurement manager at the moment of decision, and logged automatically for every sourcing event. The audit trail is not reconstructed after the fact. It is generated in real time as part of the workflow itself.
Compliant AI keeps you out of trouble. Accountable AI builds the kind of trust that wins better supplier relationships, stronger counterparty confidence, and cleaner audits. Those are not compliance outcomes. They are business outcomes.
The result is a procurement team that does not just use AI. It uses AI it can stand behind.
The US Dimension: A Floor Is Being Built
For organisations with operations or ambitions in the United States, the regulatory picture is less prescriptive but moving in one direction. Executive orders on supply chain resilience, government contractor AI requirements, and guidance from the FTC and NIST are collectively building a floor that will eventually look familiar to anyone already operating under the EU AI Act. Multinational procurement teams that build governance-ready sourcing infrastructure now are not just solving a European compliance problem. They are building the operational foundation that US regulators will eventually expect as standard.
The organisations that treat the EU AI Act as a European inconvenience to be managed separately will find themselves rebuilding the same governance layer twice. The organisations that treat it as the leading edge of a global direction will build it once and build it properly.
What Acting Now Actually Looks Like
Proactive AI compliance in procurement is not a transformation programme. It does not require a new platform, a new team, or a six-month implementation. It requires three things, and it requires them with genuine commitment rather than as a box-ticking exercise.
A governance owner. One named individual with clear accountability for AI compliance in the procurement function. Not a committee. Not a shared responsibility. One person who knows the tools, understands the regulation, and has the authority to act.
An explainability standard. A documented expectation that every AI-assisted sourcing recommendation can be explained to a non-technical stakeholder in plain language. If your current tooling cannot support that, the tooling is part of the problem.
A real audit trail. Not a log of outcomes. A log of reasoning. The difference between who won and why the AI ranked them first is the difference between a record and an accountability framework.
The procurement teams that build accountability into their AI today will not just survive regulatory scrutiny. They will define what responsible sourcing looks like for the organisations that look after them.
None of this is beyond reach. All of it requires a decision to prioritise it before the question is asked from the outside.
The Question at the Centre of All of This
Return to the sourcing workflow we described at the start. Suppliers ranked. Bids scored. Shortlists generated. A manager approves the recommendation and moves on.
Now ask the question the EU AI Act is asking: who, in your organisation, can explain that ranking? Who can show the reasoning? Who owns the outcome if it turns out to be wrong, or biased, or contested by a supplier who feels unfairly excluded?
If the answer is the AI, you have a problem. If the answer is nobody, you have a larger one. If the answer is a specific person, with a specific process, and a specific audit trail behind them, you are in the minority of organisations that are genuinely prepared for what is coming.
That minority is where MeRLIN Sourcing is built to operate. And the window to join it, before the enforcement conversations begin, is still open. Not indefinitely, but it is open.