The EU AI Act is not a future obligation. It is a present one. In seven minutes, you will know exactly where your organisation stands, and what to do before someone else forces the question.
MeRLIN Sourcing sits at the centre of how enterprise procurement teams make decisions. We see the tools being deployed, the workflows being automated, and the governance structures, or the absence of them, that sit behind every AI-assisted sourcing outcome.
What we see most often is not recklessness. It is assumption. The assumption that because a platform was procured through a legitimate vendor process, because it passed an IT security review, because nobody has complained yet, the organisation is covered. It is not. And the regulatory environment is now moving fast enough that the cost of that assumption is about to become very visible.
This is what we think every procurement leader needs to understand right now, before the enforcement conversations begin.
There is a particular kind of corporate confidence that comes from having done things a certain way for a long time. It is the confidence of the untested. And in enterprise AI adoption, it is becoming the most expensive posture a leadership team can hold.
The question for every executive is not whether AI is in your supply chain. It almost certainly is. The question is whether you know where, and whether you can account for it.
Across boardrooms in Frankfurt, Amsterdam, Dubai, and increasingly Chicago and New York, AI has become the centrepiece of digital transformation narratives. Procurement teams are deploying it to shortlist suppliers. Finance teams are using it to flag invoice anomalies. Legal is experimenting with contract review. And in most organisations, none of this has been formally assessed, documented, or reviewed against what is now, for EU-market operators, a binding legal obligation.
The EU AI Act is not a future concern. It entered into force in August 2024. Its prohibition-layer obligations applied from February 2025. High-risk system requirements are phasing in through 2025 and 2026. If your organisation is selling into, buying from, or operating within the European market, the compliance window is not approaching. It is already here, and the question of whether you are inside it or outside it will not be asked gently.
What the EU AI Act Actually Asks of You
The regulation classifies AI systems by risk, and the classifications are not intuitive in the way executives might hope. High-risk is not defined by how dramatic the AI output is. It is defined by the domain in which the AI operates and the consequences of its decisions on individuals and organisations.
Procurement and sourcing AI sits in territory that regulators are watching closely. When an AI system is used to rank suppliers, score bids, assess counterparty risk, or make recommendations that materially affect business relationships, it enters the conversation around automated decision-making with significant consequence.
So what does the regulation actually demand? Less than you might fear, but more than most organisations are currently doing.
Compliance requires transparency in how the system works. It requires human oversight to be genuine, not a rubber stamp. It requires logging, auditability, and clear accountability. And it requires that the people making decisions on the basis of AI output actually understand the basis of that output.
That last requirement is the one most organisations are least prepared for.
The Accountability Gap Nobody Is Talking About
There is a gap growing in enterprise AI adoption that does not appear on risk registers yet. It is the gap between the speed at which AI tools are being embedded into procurement and supply chain workflows, and the speed at which governance structures are being built around them.
Regulators do not care that your procurement AI was approved by a vendor’s sales team. They care about whether you, as the operator, understood what it was doing and took responsibility for its output.
This is not a technology problem. It is a cultural and structural one. The tools exist. The frameworks are being written. What is missing is clear ownership: if an AI-assisted sourcing decision turns out to be wrong, biased, or non-compliant, who in your organisation is accountable for that?
In the United States, the regulatory picture is less codified but no less consequential. The current administration has prioritised AI innovation over prescriptive regulation, but the procurement and supply chain domain is being shaped by executive orders on supply chain resilience, government contractor AI requirements, and sector-level guidance from bodies like the FTC and NIST. For multinational organisations, the EU AI Act effectively sets a floor that US operations will eventually be measured against, whether formally required to or not.
What Responsible AI in Sourcing Actually Looks Like
Decision-makers often ask the wrong question at this point. They ask: which AI tools are compliant? The more important question is: what does a compliant AI-enabled sourcing process look like?
The distinction matters because compliance is not a product feature. It is an organisational posture. A sourcing platform can be built with auditability, explainability, and human override as first principles, and still be used in a non-compliant way if the organisation deploying it has not built the governance layer around it. Conversely, a well-governed organisation can use almost any reasonable tool within a compliant framework.
That said, platform architecture does matter. Systems that present AI-generated recommendations alongside explainable reasoning, that maintain complete audit trails of decision logic, that separate automated scoring from human approval, and that allow procurement managers to interrogate and override AI outputs without friction: these are not optional features in a regulated environment. They are the minimum viable infrastructure for an accountable sourcing operation.
MeRLIN Sourcing is built on precisely this premise. Governance is not a layer added after the fact; it is structural, designed into how recommendations are generated, how decisions are logged, and how procurement teams can demonstrate accountability when it is asked of them. That distinction, between designed-in accountability and bolt-on compliance, is one that regulators and internal audit functions will increasingly care about.
Put plainly: the compliance burden does not sit with the vendor. It sits with the organisation that chose to deploy the tool, in the process, at that moment of decision.
The Two-Minute Audit Your Leadership Team Has Not Done Yet
Most organisations assume they are broadly compliant until the moment someone asks them to prove it. The following four questions are not hypothetical. They are the questions a regulator, an external auditor, or a major counterparty will ask you first. See how far you get.
Where in our procurement and sourcing process is AI being used to support or make decisions, and have those systems been formally assessed against the EU AI Act’s risk classification framework?
Can we produce an audit trail of how a specific sourcing decision was reached, including the AI inputs and the human checkpoints, if asked to do so by a regulator or a counterparty?
Does our procurement team actually understand the basis on which AI recommendations are generated, or are they treating the output as a black box that happens to save time?
Who in our organisation owns AI compliance in the procurement function, and what authority does that person have?
The organisations that will navigate AI regulation are not necessarily those with the most sophisticated tools. They are those that built accountability into how those tools are used.
If you answered confidently on all four, your organisation is ahead of the curve. If you stalled on two or more, you are not alone, but you are also not in a safe position. The gap between those two states is not technical. It is a decision about whether to act before you are required to.
The Window for Proactive Compliance Is Narrowing
Procurement teams that build accountability into their AI today will not just survive regulatory scrutiny. They will define what responsible sourcing feels like for everyone else.
There is a useful asymmetry in the current moment. The EU AI Act’s high-risk provisions are phasing in now, but enforcement infrastructure is still maturing. The organisations that use this window to build genuine governance, proper documentation, explainable tooling, and trained procurement professionals will enter the enforcement era in a fundamentally different position to those who waited.
This is not a compliance exercise. It is a competitive differentiator. Counterparties, regulators, and institutional investors are increasingly asking whether an organisation can demonstrate responsible AI use in its sourcing and procurement decisions. The organisations that can answer that question clearly, and quickly, will earn trust that no efficiency metric can manufacture.
The gap between compliant and non-compliant AI procurement is not measured in technology. It is measured in governance decisions made, or deferred, right now.
At MeRLIN Sourcing, this is the conversation we are already having with our customers. If you are ready to have it too, we are here.