If you sell into Europe — directly, through a distributor, through a U.S. customer who resells there — a one-page questionnaire is heading your way. It looks like a vendor security review. It reads like a SOC 2 ask. And it has three new questions on it:
Do you use AI to make or recommend decisions about our orders?
Who at your company reviews those decisions before they're acted on?
Can you produce the audit log?
If the answer to #1 is "yes," #2 is vague, and #3 is "what audit log," you are about to lose the deal. Or worse, you're going to win it and inherit a problem that has your name on it.
Here's why.
Three regulations that all say the same thing
Three rules are landing on the same idea at almost the same time:
EU AI Act, Article 14. Obligations for high-risk systems apply from 2 August 2026, about two months from this issue going out. It says: a human must be able to oversee, intervene in, and override AI-driven decisions. Article 12 adds: the system must automatically record events (logs) over its lifetime.
Colorado ADMT Law (SB26-189). Effective January 1, 2027. Anyone doing business in Colorado — including out-of-state companies making "consequential decisions" about Colorado residents — must provide documentation, disclosures, and meaningful human review when automated decision-making materially influences the call.
NIST AI Risk Management Framework. Voluntary, but increasingly the floor U.S. federal agencies expect from anyone they buy from.
The common thread: a human has to be able to stop, change, or reverse the AI's recommendation, and you have to be able to prove it happened.
(Hat tip to the OpenRouter team — their recent write-up of these rules and the engineering patterns for compliant agents is the cleanest summary I've seen. Worth reading if you build software.)
Why this hits SMB exporters even though you're not the named target
The named targets are AI providers and "deployers" of high-risk AI. You probably aren't either of those.
You will still get pulled in. The mechanism is the vendor cascade, the same one that made you SOC 2 conversant a few years ago, GDPR conversant before that, and NDAA Section 889 conversant before that. It works like this:
Your EU buyer is regulated.
The regulation tells them their AI obligations don't disappear because they outsourced.
So their procurement, legal, or compliance team adds the AI questions to the vendor onboarding pack.
And now you, the U.S. machine shop that quoted them a part, have to answer them.
For export-touching businesses, the exposure is double: you're already a regulated supply-chain node under the EAR and ITAR. AI used in export decisions — ECCN classification, denied-party screening, license calls, end-use analysis — is exactly the kind of "consequential decision" the new rules are written about.
If you're using ChatGPT to guess at ECCNs, or a "compliance chatbot" that returns an answer with no named reviewer and no citation, your EU customer's procurement team is going to read that as a vendor risk. Because it is one.
What "good" looks like, in plain English
Across all three regulations, the design pattern is the same. You don't need to read 800 pages of regulation to operate it. You need five things:
Tier your tools by risk. Read-only lookup? Low risk, no gate. Recommending an ECCN that drives a license call? High risk, human gate.
A real human review on consequential actions. Not a checkbox. A named person who actually saw the recommendation, understood it, and approved or rejected it.
An audit log with teeth. Who reviewed, when, what they decided, and the rule they cited. Append-only. Survives a server reboot, a vendor change, an acquisition.
Default-deny when the human doesn't respond. A review queue nobody answers must fail closed — not silently auto-approve.
Durable state. Your records survive your tech stack. If your AI vendor disappears tomorrow, the audit trail still exists.
That's the test. Take it to any AI tool your team uses for compliance work and see what survives.
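To make the five requirements concrete, here is a small Python illustration of the pattern (added for this bulletin; it is not ExChek's code and makes no claim about how ExChek is built). It shows a risk tier on each request, a gate that only runs high-risk work after a named human approves it citing a rule, a review that nobody answers being denied rather than passed, and an append-only JSON-lines audit log where each record carries the SHA-256 of the record before it, so a later edit to any record is detectable. Tool names, the reviewer, the ECCN and the citation are constructed for the example.

```python
"""Risk-tiered human gate, fail-closed review, hash-chained append-only audit log.
Illustration only (not ExChek code); all names and values below are constructed."""
import hashlib
import json
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from pathlib import Path
from typing import Optional

GENESIS = "0" * 64  # the first record chains to this placeholder hash


class Tier(Enum):
    LOW = "low"    # read-only lookup: no gate
    HIGH = "high"  # consequential decision: a named human must approve


class Outcome(Enum):
    EXECUTED = "executed"
    APPROVED = "approved"
    REJECTED = "rejected"
    DENIED_NO_REVIEW = "denied_no_review"  # queue unanswered: fail closed


@dataclass
class Decision:
    reviewer: str     # named person, not a checkbox
    role: str
    approved: bool
    rule_cited: str   # the rule the reviewer relied on


@dataclass
class Request:
    tool: str
    action: str
    tier: Tier
    ai_recommendation: str


class AuditLog:
    """Append-only JSON-lines file; each record stores the hash of the previous one."""

    def __init__(self, path: Path):
        self.path = path
        self.path.touch()

    def _last_hash(self) -> str:
        lines = self.path.read_text().splitlines()
        return json.loads(lines[-1])["hash"] if lines else GENESIS

    def append(self, record: dict) -> dict:
        record = dict(record, prev=self._last_hash(),
                      ts=datetime.now(timezone.utc).isoformat())
        body = json.dumps(record, sort_keys=True)
        record["hash"] = hashlib.sha256(body.encode()).hexdigest()
        with self.path.open("a") as fh:  # opened for append only, never truncated
            fh.write(json.dumps(record, sort_keys=True) + "\n")
        return record

    def verify(self) -> bool:
        """Recompute the chain; an edited, deleted or reordered record breaks it."""
        prev = GENESIS
        for line in self.path.read_text().splitlines():
            rec = json.loads(line)
            stored = rec.pop("hash")
            digest = hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()
            if rec["prev"] != prev or digest != stored:
                return False
            prev = stored
        return True


def gate(req: Request, decision: Optional[Decision], log: AuditLog) -> Outcome:
    """LOW work runs unconditionally. HIGH work needs a named human who approved it
    and cited a rule; no decision (or an approval with no rule) is a denial."""
    if req.tier is Tier.LOW:
        outcome = Outcome.EXECUTED
    elif decision is None:
        outcome = Outcome.DENIED_NO_REVIEW
    elif decision.approved and decision.rule_cited:
        outcome = Outcome.APPROVED
    else:
        outcome = Outcome.REJECTED
    log.append({"tool": req.tool, "action": req.action, "tier": req.tier.value,
                "recommendation": req.ai_recommendation, "outcome": outcome.value,
                "reviewer": decision.reviewer if decision else None,
                "role": decision.role if decision else None,
                "rule_cited": decision.rule_cited if decision else None})
    return outcome


def demo() -> dict:
    """Run three requests through the gate, then tamper with the log and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "audit.jsonl"
        log = AuditLog(path)
        lookup = Request("ccl-lookup", "read CCL entry", Tier.LOW, "5A002.a")        # constructed
        classify = Request("classifier", "assign ECCN to part", Tier.HIGH, "5A002.a")  # constructed
        human = Decision("J. Doe", "Export Compliance Officer", True,
                         "15 CFR 774 Supp. 1, ECCN 5A002")                             # constructed
        results = {"lookup": gate(lookup, None, log),
                   "unanswered": gate(classify, None, log),   # nobody reviewed: denied
                   "approved": gate(classify, human, log),
                   "chain_intact": log.verify()}
        lines = path.read_text().splitlines()                 # now forge the denial
        lines[1] = lines[1].replace("denied_no_review", "approved")
        path.write_text("\n".join(lines) + "\n")
        results["chain_after_tamper"] = log.verify()
    return results


if __name__ == "__main__":
    print(demo())
```

The hash chain makes the log tamper-evident, not tamper-proof: it tells you a record was changed, it does not stop the change, so the file still needs to live somewhere the application's own credentials cannot rewrite (and, as the "durable state" item says, outside any single vendor's portal). Note also that the gate treats an approval with no cited rule as a rejection; the questionnaire asks what rule was cited, and a record that cannot answer that is not an approval worth keeping.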
What ExChek already does, mapped to the rules
ExChek wasn't designed for the EU AI Act. ExChek was designed because I watched a small business get put through three years of an export case where none of the above existed, and the lack of it was the whole problem. The design principle was the same: a named human in the loop, on every consequential call, with the rule cited and the record kept.
That principle happens to be exactly what these regulations are about to require.
What we do, mapped to the framework above:
Risk tiering — built in. Lookups and read-only research run free. Classification, screening, license, and jurisdiction decisions all require a human reviewer to approve before the determination is recorded.
Named human reviewer — every memo carries the reviewer's name, role, and confirmation that they read and approved the answer. ExChek is not a black box that decides. It walks you through, shows you the rule, and you sign off.
Audit log with teeth — every determination produces a timestamped record, citing the exact CFR section, with the rationale in plain English. Retention defaults to the 5-year EAR requirement under 15 CFR 762, longer on request.
Default-deny — incomplete determinations don't silently pass. They stay in queue. There is no "ExChek decided for you" outcome.
Durable state — the memo lives as a file you own. It's not stuck in a vendor portal that might not exist in 2030 when an EU procurement team asks for it.
That's not a marketing claim. It's the only way I'd ever ship a compliance product.
What to do this week
You don't need to wait for the EU questionnaire to land. Run the gut-check now:
Pull every AI tool your team uses for any decision that touches an order, a buyer, an export, or a hire.
For each one, ask: Who approved this? When? Citing what rule?
For each "I don't know," you have either an internal SOP to write or a tool to replace.
If you want to see what the answer should look like, run one item through ExChek and read the memo it produces. That's the artifact the questionnaire is going to ask for.
Try it free: exchek.us
Read the architecture note: docs.exchek.us
Want us to walk your team through it before the EU questionnaire arrives? Book a call
Approve the decision. Cite the rule. Keep the receipt.
— The ExChek Team
ExChek is software, not legal advice. Every determination is reviewed and approved by you. American-owned, built to help American SMBs navigate export compliance. This bulletin describes engineering and product design choices. It is not a representation of legal compliance with the EU AI Act, Colorado SB26-189, or any other statute. Consult counsel for what applies to your business.