EU AI Act readiness: the Microsoft-side evidence your program needs

The EU AI Act is the first broad, risk-based law governing how AI is built and used in the European Union. Obligations scale with the risk an AI system poses, and they reach any organization that places AI on the EU market or uses it to affect people in the EU. As Microsoft 365 Copilot and AI agents land in everyday tenants, your AI Act program has to account for the AI your people already run.

Senserva is not legal advice and not a certification. What Senserva provides is the technical, Microsoft-side evidence an EU AI Act program depends on: an inventory of the Microsoft AI you operate, the access and permissions that govern it, and the monitoring record that shows your controls run. That evidence aligns with ISO/IEC 42001, the harmonized-standard route many organizations use to demonstrate conformity.

What the EU AI Act actually does

The Act sorts AI by risk and attaches obligations accordingly. It also adds a separate set of rules for general-purpose AI (GPAI) models. The duties phase in between 2025 and 2027, and the penalties for the most serious breaches are significant, reaching into the millions of euros or a percentage of global turnover.

Risk tier | What it means
Unacceptable | Practices banned outright, such as social scoring and certain manipulative or biometric uses.
High | Permitted with strict duties: risk management, data governance, human oversight, logging, technical documentation, and post-market monitoring.
Limited | Transparency obligations, for example telling people they are interacting with an AI system.
Minimal or none | No specific obligations, though voluntary codes of practice are encouraged.
GPAI | Separate rules for general-purpose AI models, with extra duties for models judged to carry systemic risk.

Most of the hard work for an in-scope deployment sits in the high-risk obligations: keeping a current risk assessment, governing the data, ensuring human oversight, retaining logs, maintaining technical documentation, and monitoring the system after it goes live. Those duties need continuous, current evidence, not a one-time document.

Where Senserva fits

The EU AI Act is broader than any single tool. It is a legal and organizational program. Senserva covers the Microsoft technical layer of that program: it shows what AI you actually run in Microsoft 365, Intune, Defender, and Entra ID, how it is permissioned, and whether the controls around it are working. That is the operational evidence an assessor or regulator asks to see.

Inventory the Microsoft AI you run
Senserva enumerates Microsoft agent identity blueprints, the agent identities and users bound to them, and the Copilot surface, so the AI in your tenant is documented, not assumed.
Govern access and permissions
It reads inheritable agent permissions and flags high-risk Microsoft Graph scopes, plus the identity, OAuth, and access posture that decides what AI can reach.
Keep monitoring evidence
Audit-log and sign-in health checks, plus scheduled re-scans, give you the record-keeping and post-market monitoring evidence in a form you can hand over.
Document responsible use of your own AI
Senserva's own AI runs locally with your model, your data stays on your machine, and every remediation is approved by a human before it is applied.

Mapping EU AI Act themes to Senserva evidence

Senserva does not make you compliant on its own. It supplies the Microsoft-side evidence for the high-risk obligations that are hardest to keep current.

EU AI Act theme | Senserva evidence
Risk management | Ranked findings across the Microsoft AI surface, prioritized by real-world risk, give a repeatable input to your risk process.
Data governance | Identity, SharePoint and OneDrive sharing, and Purview label and DLP posture surface where AI could reach data it should not.
Human oversight | Senserva tracks human-in-the-loop and approval-gate controls, and its own remediation is approve-before-apply by design.
Logging and record-keeping | Audit-log and sign-in health checks confirm the logs you need are being kept and are reviewable.
Technical documentation | Audit-ready reports document the configuration of your Microsoft AI and agents at a point in time.
Post-market monitoring | Scheduled re-scans show change over time, with a clear before and after when a finding is fixed.

For the detail on exactly what the scanner inspects on the Microsoft AI surface, see Microsoft AI security.

The standards route is the practical route

Demonstrating conformity is far easier when you run a recognized AI management system. ISO/IEC 42001 is the harmonized standard most organizations lean on, and the evidence Senserva produces maps cleanly onto it. Start with an inventory and a scan, then build the program around what you find.

Explore the AI Enhanced suite

Agentic AI for Microsoft 365 security, end to end. Each piece works with the AI of your choice.

Works with any AI
ChatGPT, Claude, Gemini, Copilot, or a local model, with a built-in prompt builder.
Claude & MCP
Run Microsoft 365 security agentically from Claude through the Senserva MCP.
AI security reports
Six AI-enhanced report types generated from one scan.
AI remediation
Validated, approve-before-apply fixes for every finding.
AI compliance
Map and close gaps against CISA SCuBA, MCSB, and more.