The EU AI Act for product owners: a practical guide

These are AI systems considered harmful enough that they are prohibited under the Act. Examples include AI designed to manipulate people's behaviour in harmful ways, exploit vulnerabilities, or use certain types of social scoring.

For Product Owners, the key takeaway is that not every AI idea should become a feature. During discovery, teams need to consider whether an AI capability introduces unacceptable risks before investing time into building it.

High-risk AI systems face the strictest requirements under the EU AI Act because they can significantly impact people's rights, safety or opportunities. These include AI used in areas such as:

• healthcare
• education
• employment
• critical infrastructure
• access to essential services
• certain financial or legal decisions

For product teams, this category is particularly important. If an AI feature influences decisions about users rather than simply supporting them, additional controls may be required. This can include:

• risk management processes
• clear documentation of how the system works
• data quality checks
• human oversight
• accuracy and performance monitoring
• logging and traceability

A recommendation engine suggesting a product may have different obligations to an AI system deciding whether someone qualifies for a service.

Many AI features being introduced into digital products will fall into this category. These systems are not necessarily restricted, but they require transparency so users understand when they are interacting with AI. Examples include:

• AI chat assistants
• AI-generated content
• customer support automation
• AI-powered recommendations

For Product Owners, this creates clear product considerations:

• Should users be told when content is AI-generated?
• How should AI interactions be labelled?
• What information does a user need to understand the output?
• How can users challenge or correct an AI result?

Transparency becomes part of the user experience, not simply a compliance checkbox.

Many everyday AI applications fall into this category, such as spam filters, AI-powered search improvements or recommendation features. These systems have fewer regulatory requirements, but responsible development practices still matter. Teams should still consider areas such as privacy, security, bias and user expectations when introducing AI into products.

Although the EU AI Act came into force on 1 August 2024, its requirements are being introduced in stages.

Rules around prohibited AI practices and AI literacy requirements began applying from February 2025, while obligations for general-purpose AI models started taking effect in August 2025. The next major milestone arrives on 2 August 2026, when many of the Act's core requirements become enforceable, including obligations affecting organisations developing or deploying higher-risk AI systems.

For product teams, this timeline matters because compliance cannot be added at the end of a project. If an AI feature falls within scope, decisions around data, transparency, user controls, monitoring and documentation may need to be considered from the earliest stages of discovery.

A product roadmap that includes AI should consider these requirements alongside technical feasibility, user needs and business goals.

One of the most common misconceptions surrounding AI regulation is that it only affects organisations building sophisticated AI models. In reality, many businesses will interact with AI through third-party tools, APIs and services, embedding AI capabilities into products without ever training a model themselves.

The EU AI Act still applies because responsibility sits across the AI value chain. Even if a business uses an external AI provider, product teams still need to understand what the AI is being used for, what risks it introduces and what information users need.

For example, adding an AI assistant using a third-party API may require Product Owners to consider:

• whether users know they are interacting with AI
• whether outputs need to be reviewed before being shown
• what data is being sent to the AI provider
• how inaccurate or unexpected outputs will be handled
• whether the feature falls into a higher-risk category

The technology provider may handle the model, but the product experience around it still needs to be designed responsibly.

In fact, research from Deloitte found that while 73% of organisations have concerns about AI-related security and privacy risks, only 21% consider their AI governance practices to be mature. That gap highlights why governance can no longer be treated as a problem to solve after launch.

As a Product Owner, you may find yourself deciding how much autonomy an AI feature should have, what information users need to see, where human intervention should sit and how success will be measured.

These decisions now connect directly with the expectations of the EU AI Act. Product teams need to think about transparency, risk management and human oversight as part of the feature itself, not as documentation added later.

The rise of AI has created a temptation to start with the technology itself. Teams see an exciting new capability and immediately begin looking for ways to apply it. The most successful AI products tend to work the other way around. They start with a problem worth solving and then determine whether AI is genuinely the right solution.

While AI can unlock powerful experiences, it also introduces complexity, risk and ongoing management requirements. If a user problem can be solved more effectively through traditional functionality, then adding AI may create more challenges than benefits. The strongest AI products are rarely the ones with the most AI.

This challenge is already visible across the industry. McKinsey found that although AI adoption continues to grow rapidly, nearly two-thirds of organisations remain stuck in experimentation or pilot phases rather than scaling AI successfully across the business.

Unlike traditional software, AI systems operate with a degree of uncertainty. Recommendations can be inaccurate, outputs can be misleading and responses can occasionally be entirely incorrect. Product Owners need to understand not only how a feature behaves when everything goes well, but also how it behaves when it doesn't. The experience surrounding failure often determines whether users continue to trust a product.

As AI becomes more embedded within products, transparency is becoming an increasingly important part of the user experience. Users need appropriate context about how information is generated, where decisions are coming from and what role AI is playing within the product. The goal is not to overwhelm users with technical detail, but to provide enough clarity that they can make informed decisions about the outputs they receive.

Product Owners should also consider where human oversight belongs within the experience. Not every AI feature requires human intervention, but some absolutely do. Understanding where people need to review, approve or challenge AI outputs is becoming an important part of responsible AI product development. The answer will vary depending on the level of risk involved, but it should always be considered before development begins rather than after launch.

AI is not a feature that can simply be released and forgotten. Models evolve, user behaviour changes and performance can drift over time. Establishing clear success metrics, monitoring outputs and creating feedback loops are increasingly important responsibilities for teams building AI-powered products. The launch of an AI feature is often the beginning of the journey rather than the end.

The arrival of the EU AI Act reflects a broader shift already taking place across the industry.

Historically, many AI projects focused primarily on capability. The conversation centred around what the technology could do, how accurate it was and how quickly it could be delivered. Those questions still matter, but they are no longer sufficient on their own.

Today, successful AI product development requires teams to think about governance, transparency and trust from the earliest stages of discovery. For product teams, this means AI development needs to consider areas such as:

• risk assessment before development begins
• transparency within the user experience
• appropriate human oversight
• documentation of how AI features work
• ongoing monitoring after launch

These considerations need to sit alongside traditional product decisions around user needs, technical feasibility and business value.

There are clear parallels with the evolution of cybersecurity. Twenty years ago, security was often treated as a technical consideration that could be addressed later in the delivery process. Modern product teams understand that security must be built into products from the beginning, and AI governance is following a similar path.

AI governance is becoming another core part of product development. Discovery activities increasingly need to explore risk alongside opportunity. Product requirements need to consider explainability alongside functionality. Testing strategies need to validate user outcomes alongside technical performance.

For Product Owners, this does not mean becoming compliance experts. It means understanding the product decisions that influence responsible AI delivery.

Before introducing AI into your product roadmap, it's worth asking:

Understanding the use case

• What user problem are we trying to solve?
• Does AI provide the best solution?
• What type of AI system are we introducing?

Understanding risk

• Could this feature impact important decisions or user outcomes?
• Does it fall into a higher-risk category under the EU AI Act?
• What could happen if the AI produces an incorrect result?

Designing the experience

• Will users know when AI is involved?
• Do users understand the limitations of the AI?
• Can users challenge, correct or override AI outputs?

Building responsibly

• What data is the AI using?
• Do we need human oversight?
• How will we test performance before launch?
• How will we monitor the feature after release?

These questions will not provide every answer, but they help ensure responsible AI decisions are considered from the start of a project.

The EU AI Act is often presented as a regulatory milestone, but for Product Owners it represents something bigger. It marks a shift in expectations around how AI products are conceived, designed and delivered.

The conversation is moving beyond what AI can do and towards how AI should be used.

As AI continues to shape digital products, Product Owners will play a critical role in balancing innovation with responsibility. Those who understand the questions worth asking today will be far better positioned to build products that not only leverage AI effectively, but also earn the trust of the people using them.

Because in the long run, trust may prove to be the most valuable feature any AI product can offer.

Building AI features is no longer just about what's possible. It's about making the right product decisions from the start. If you're exploring AI opportunities and want to understand what good product discovery, governance and delivery look like, we'd love to talk.