A special bulletin.

If you sell into Europe, whether directly, through a distributor, or through a U.S. customer who resells there, a one-page questionnaire is heading your way. It looks like a vendor security review. It reads like a SOC 2 ask. And it has three new questions on it.

Do you use AI to make or recommend decisions about our orders?

Who at your company reviews those decisions before they are acted on?

Can you produce the audit log?

If the answer to the first is yes, the second is vague, and the third is "what audit log," you are about to lose the deal. Or worse, you are going to win it and inherit a problem that has your name on it.

Here is why.

One rule on the calendar, one bill pending, and one voluntary floor

Three documents converge on the same idea in close succession. One is a regulation with a fixed date, one is a bill still in committee, and one is a voluntary framework that federal buyers increasingly treat as a baseline.

The EU AI Act. The high-risk obligations apply from 2 August 2026, including Article 14 (Human Oversight) and Article 12 (Record-Keeping). Article 14 requires that the system be designed so a human can effectively monitor it, correctly interpret its output, decide not to use it, override or reverse the output, and intervene or interrupt it through a stop button or similar procedure. Article 12 requires automatic logging of events over the lifetime of the system. The Act entered into force on 1 August 2024, and under Article 113 the general application date is two years later. One caveat: that date covers the Annex III high-risk categories. High-risk AI that is a safety component of a product already covered by EU product legislation (Annex I) gets until 2 August 2027.

Colorado SB26-189. Pending. Introduced in the Colorado Senate on May 1, 2026, currently in the Business, Labor, and Technology Committee. If enacted, the proposed effective date is January 1, 2027. It would require developers and deployers of "automated decision-making technology" used to materially influence consequential decisions (employment, finance, housing, insurance, healthcare, education, essential government services) to provide documentation, consumer notices, and meaningful human review on adverse outcomes. The 2024 Colorado AI Act (SB 24-205) is the enacted predecessor. Treat SB26-189 as a forecast, not as a deadline, until it clears committee.

NIST AI Risk Management Framework (NIST AI 100-1). Voluntary, but increasingly the floor U.S. federal agencies expect from anyone they buy from.

The common thread across all three: a human has to be able to stop, change, or reverse the AI's recommendation, and you have to be able to prove it happened.

A hat tip is owed to the OpenRouter team. Their recent write-up of these rules and the engineering patterns for compliant agents is the cleanest summary we have seen. Worth reading if you build software.

Why this hits SMB exporters even though you are not the named target

The named targets are AI providers and deployers of high-risk AI. You probably are not either of those.

You will still get pulled in. The mechanism is the vendor cascade, the same one that made you SOC 2 conversant a few years ago, GDPR conversant before that, and Section 889 (the NDAA telecom ban) conversant before that. It works like this. Your EU buyer is regulated. The regulation tells them their AI obligations do not disappear because they outsourced. So their procurement, legal, or compliance team adds the AI questions to the vendor onboarding pack. And now you, the U.S. machine shop that quoted them a part, have to answer them.

For export-touching businesses, the exposure is double. You are already a regulated supply-chain node under the EAR and ITAR. AI used in export decisions, including ECCN classification, denied-party screening, license calls, and end-use analysis, is exactly the kind of "consequential decision" the new rules are written about.

If you are using ChatGPT to guess at ECCNs, or a "compliance chatbot" that returns an answer with no named reviewer and no citation, your EU customer's procurement team is going to read that as a vendor risk. Because it is one.

What "good" looks like, in plain English

Across all three, the design pattern is the same. You do not need to read 800 pages of regulation to operate it. You need five things.

Tier your tools by risk. Read-only lookup is low risk and needs no gate. Recommending an ECCN that drives a license call is high risk and needs a human gate.

A real human review on consequential actions. Not a checkbox. A named person who actually saw the recommendation, understood it, and approved or rejected it.

An audit log with teeth. Who reviewed, when, what they decided, and the rule they cited. Append-only and tamper-evident, so an edited or deleted entry is detectable. Survives a server reboot, a vendor change, an acquisition.

Default-deny when the human does not respond. A review queue nobody answers must fail closed, not silently auto-approve.

Durable state. Your records survive your tech stack. If your AI vendor disappears tomorrow, the audit trail still exists.

That is the test. Take it to any AI tool your team uses for compliance work and see what survives.
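One way to build those five properties into a review queue, as an added example rather than ExChek's code or anything from the OpenRouter write-up: the action names, the one-hour timeout, the record fields, and the SHA-256 hash chain are assumptions chosen for illustration. The gate passes read-only lookups, holds anything consequential until a named reviewer with a role cites a rule, expires unanswered items to a denied outcome instead of approving them, and keeps every event as a plain record that commits to the hash of the record before it, so an edit or deletion anywhere in the file shows up on verification.

```python
"""Human-in-the-loop gate with a hash-chained, append-only audit log.
Added example, not ExChek's code: the action names, timeout, and record
layout are assumptions chosen to illustrate the five properties in the text."""
import hashlib
import json
import time
from enum import Enum
from typing import Callable, Dict, List


class Outcome(Enum):
    PENDING = "pending"
    APPROVED = "approved"
    REJECTED = "rejected"
    DENIED_TIMEOUT = "denied_timeout"  # fail closed: nobody reviewed in time


# Assumed tiering table (a real deployment loads this from policy, not code).
# Only listed actions skip the gate; anything unknown is treated as high risk.
LOW_RISK_ACTIONS = {"lookup"}
GENESIS = "0" * 64


def _digest(body: dict) -> str:
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


class AuditLog:
    """Each entry commits to the SHA-256 of the entry before it."""

    def __init__(self) -> None:
        self.entries: List[dict] = []  # plain dicts: one JSON object per line on disk

    def append(self, event: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = dict(event, prev_hash=prev)
        body["hash"] = _digest(body)
        self.entries.append(body)
        return body

    def verify(self) -> bool:
        """Recompute the chain; an edited, deleted, or reordered record breaks it."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev_hash"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class ReviewGate:
    def __init__(self, log: AuditLog, timeout_s: float,
                 clock: Callable[[], float] = time.time) -> None:
        self.log, self.timeout_s, self.clock = log, timeout_s, clock
        self._deadline: Dict[str, float] = {}   # rec_id -> review deadline
        self.outcomes: Dict[str, Outcome] = {}

    def submit(self, rec_id: str, action: str, suggestion: str, rationale: str) -> Outcome:
        """Low-risk actions pass and are logged; high-risk ones wait for a named human."""
        now, low = self.clock(), action in LOW_RISK_ACTIONS
        entry = {"ts": now, "rec_id": rec_id, "action": action, "risk": "low" if low else "high",
                 "suggestion": suggestion, "rationale": rationale}
        if low:
            self.outcomes[rec_id] = Outcome.APPROVED
            self.log.append(dict(entry, event="auto_pass"))
            return Outcome.APPROVED
        self._deadline[rec_id] = now + self.timeout_s
        self.outcomes[rec_id] = Outcome.PENDING
        self.log.append(dict(entry, event="queued"))
        return Outcome.PENDING

    def decide(self, rec_id: str, reviewer: str, role: str,
               approve: bool, rule_cited: str) -> Outcome:
        """A decision needs a named person, a role, and a cited rule, or it is refused."""
        if not (reviewer and role and rule_cited):
            raise ValueError("reviewer, role, and rule_cited are all required")
        self.sweep()  # expire overdue items first: a late decision cannot revive one
        current = self.outcomes.get(rec_id)
        if current is Outcome.DENIED_TIMEOUT:
            return current
        if current is not Outcome.PENDING:
            raise ValueError(f"{rec_id} is not awaiting review")
        outcome = Outcome.APPROVED if approve else Outcome.REJECTED
        del self._deadline[rec_id]
        self.outcomes[rec_id] = outcome
        self.log.append({"ts": self.clock(), "rec_id": rec_id, "event": outcome.value,
                         "reviewer": reviewer, "role": role, "rule_cited": rule_cited})
        return outcome

    def sweep(self) -> List[str]:
        """Default-deny: anything past its deadline becomes DENIED_TIMEOUT, never approved."""
        now = self.clock()
        expired = [rid for rid, d in self._deadline.items() if now > d]
        for rid in expired:
            del self._deadline[rid]
            self.outcomes[rid] = Outcome.DENIED_TIMEOUT
            self.log.append({"ts": now, "rec_id": rid, "event": "denied_timeout"})
        return expired
```

The chain makes tampering detectable, not impossible: anyone with write access to the file can rewrite every hash from the edit onward, so a production deployment signs each entry or periodically anchors the head hash somewhere the operator cannot change. The clock is injected so the timeout path can be exercised without waiting an hour, and the log entries are plain dictionaries so they can be written out as JSON lines and read back long after this program, or the vendor, is gone.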

What ExChek already does, mapped to the rules

ExChek was not designed for the EU AI Act. ExChek was designed because I watched a small business get put through three years of an export case where none of the above existed, and the lack of it was the whole problem. The design principle was the same. A named human in the loop, on every consequential call, with the rule cited and the record kept.

That principle happens to be exactly what these regulations are about to require.

Risk tiering is built in. Lookups and read-only research run free. Classification, screening, license, and jurisdiction decisions all require a human reviewer to approve before the determination is recorded.

Named human reviewer. Every memo carries the reviewer's name, role, and confirmation that they read and approved the answer. ExChek is not a black box that decides. It walks you through, shows you the rule, and you sign off.

Audit log with teeth. Every determination produces a timestamped record, citing the exact CFR section, with the rationale in plain English. Retention defaults to the five-year EAR requirement at 15 CFR 762.6, longer on request.

Default-deny. Incomplete determinations do not silently pass. They stay in queue. There is no "ExChek decided for you" outcome.

Durable state. The memo lives as a file you own. It is not stuck in a vendor portal that might not exist in 2030 when an EU procurement team asks for it.

That is not a marketing claim. It is the only way I would ever ship a compliance product.

What to do this week

You do not need to wait for the EU questionnaire to land. Run the gut-check now.

Pull every AI tool your team uses for any decision that touches an order, a buyer, an export, or a hire. For each one, ask: who approved this, when, and citing what rule? For each "I do not know," you have either an internal SOP to write or a tool to replace.

If you want to see what the answer should look like, run one item through ExChek and read the memo it produces. That is the artifact the questionnaire is going to ask for.

Try it free at exchek.us. Read the architecture note at docs.exchek.us. Want us to walk your team through it before the EU questionnaire arrives? Book a call.

Approve the decision. Cite the rule. Keep the receipt.

The ExChek Team

ExChek is software, not legal advice. Every determination is reviewed and approved by you. American-owned, built to help American SMBs navigate export compliance.

This bulletin describes engineering and product design choices and the current public status of EU and U.S. regulatory developments. It is not a representation of legal compliance with the EU AI Act, Colorado SB26-189, or any other statute. Pending legislation may change in committee or fail to pass. Consult counsel for what applies to your business.
