Brief № 030 · Regulation
AI Act help desks do not replace an SME evidence log
The Commission now offers more AI Act guidance, but SMEs still need a small evidence log before tools become business process.
On this page
The AI Act is becoming easier to ask about and harder to dodge. That is the practical meaning of the Commission’s growing layer of service desks, pact material and webinars around the regulation.
On 23 June 2026, the European IP Helpdesk ran an EU webinar on the AI Act for businesses. The same week, SMEs could also find the AI Act Service Desk, the Commission’s regulatory framework page and AI Pact material. Guidance is no longer the scarce part. The scarce part is the small internal record showing what the business actually did with it.
Guidance is not evidence
A help desk can point an SME to the right article, definition or calendar. It cannot know that the sales team connected a meeting summariser to customer calls, that HR tested a CV-ranking plug-in, or that an operations manager let a general-purpose model draft safety instructions.
That difference matters. The AI Act does not only create one dramatic “high-risk or not” question. It also puts pressure on ordinary business use: AI literacy, transparency for certain uses, provider and deployer roles, procurement diligence, and the ability to explain who made the final decision.
For most SMEs, the first compliance artefact should not be a policy. It should be a register simple enough that people will actually fill it in.
| Field | What to write |
|---|---|
| Use case | The exact workflow, not “AI in marketing” or “AI in HR”. |
| Tool and supplier | Product name, model family if known, contract owner. |
| Affected people | Customers, staff, applicants, patients, suppliers or none. |
| Decision role | Drafting, recommendation, scoring, routing, monitoring or final decision. |
| Evidence kept | Prompt, source document, output, human review, override or rejection note. |
Source: Regulation (EU) 2024/1689, Commission AI Act page and AI Act Service Desk. Last verified 2026-06-26.
That table looks too plain until something goes wrong. Then it becomes the only way to reconstruct who relied on the system and why.
The service desk changes the excuse
The AI Act Service Desk is useful because it reduces a familiar SME problem: nobody knows where to start, so nobody starts. A question can now be framed against the Commission’s own navigation point instead of an old slide deck or a vendor’s blog post.
But the service desk also changes the excuse. “We did not know where to look” becomes less credible when the official route exists. The better question for an SME is now: did anyone record the answer, the date, the use case and the decision that followed?
That record should stay close to the work. If the purchasing manager asks whether an AI customer-service tool needs a transparency notice, the answer belongs beside the procurement note. If HR asks whether a screening tool is too sensitive to pilot, the answer belongs beside the rejected vendor file. If the workshop manager asks whether a maintenance assistant can draft instructions, the answer belongs beside the safety review.
Compliance fails when guidance lives in one folder and the tool lives in another.
AI literacy needs a worklist
The AI Act’s literacy duty has already pushed many SMEs toward training. Training is useful, but generic training without a worklist decays quickly. Staff remember that AI can hallucinate. They do not remember which tool is allowed to touch which customer data.
The evidence log gives AI literacy a spine. It tells each team which AI uses are live, who owns them, what the warning signs are and where the record is kept. That is more useful than a certificate proving that everyone watched the same webinar.
The light version is enough:
- one owner per AI use case;
- one sentence on the task;
- one note on affected people or data;
- one human review step;
- one retained record;
- one date for re-checking the source guidance.
The point is not to build a compliance department in miniature. It is to stop undocumented tools from becoming undocumented process.
High-risk checks come later, but not last
Some uses will require deeper classification and formal work. The AI Act’s high-risk structure, provider obligations and deployer duties cannot be compressed into a five-column spreadsheet when the system affects employment, education, credit, essential services, health, safety or fundamental rights.
Still, the evidence log helps before the lawyer or specialist review begins. It names the workflow, the affected person, the supplier, the decision role and the proof already available. Without that, the expensive review starts by interviewing the company back into existence.
The log also catches false comfort. A tool can look low-risk when described as “support” and look very different when the record says it ranks applicants, flags workers, routes customers away from a human or drafts instructions used on a shop floor.
That is the useful level of discipline for an SME: not over-classifying every assistant, but refusing to let a vague label hide a real decision.
The next audit starts with dates
The Commission’s official AI Act page remains the calendar anchor. The AI Pact and webinar ecosystem help businesses prepare before the main duties bite. But preparation is not the same as attendance.
An SME that wants a small, durable start can do this in one afternoon:
- List every AI tool used in customer, staff, finance, safety or operational work.
- Add the owner and supplier.
- Mark whether the tool drafts, recommends, scores, routes or decides.
- Record the human review step.
- Link the source guidance checked that day.
That is not a complete AI Act programme. It is the first page of one. More importantly, it is the page that prevents the business from pretending that a webinar, a help-desk answer or a vendor promise is the same thing as evidence.
The next useful AI Act question for an SME is not “where is the guidance?” It is “where is the log showing what we did after reading it?”
Frequently asked questions
Does the AI Act Service Desk give legal advice?
No. It helps users navigate the AI Act and related questions, but the SME still needs its own records, classification reasoning and professional advice where the use case is material.
What should an SME record first?
The use case, owner, AI tool, affected workflow, risk question, human review step and retained evidence. That is enough to start finding gaps.
Is this only for high-risk AI systems?
No. High-risk systems need deeper documentation, but ordinary AI tools still need ownership, literacy, transparency and procurement records.
Sources
- Primary Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence EUR-Lex accessed
- Official AI Act European Commission, Shaping Europe's digital future accessed
- Official AI Act Service Desk European Commission accessed
- Official AI Pact European Commission, Shaping Europe's digital future accessed
- Official EU Webinar: AI Act European IP Helpdesk accessed
Image credit: Photo: people reviewing documents - Mikhail Nilov, Pexels
Iris Van Loon covers SME operational reality and advisors for Flint Brief.
Spotted an error or want a right of reply? hello@flintbrief.com (subject [Right of reply]).