Compliance

EU AI Act for Dynamics Partners: Less Scary Than It Sounds (and Where to Start)

So the EU AI Act is here. Parts of it have been live since February 2025, the next deadline lands on 2 August 2026, and somewhere between the legal newsletters and the LinkedIn doom-posting, you’re probably wondering: do I, a Dynamics partner who implements and builds agents (or plans to do it), need to do something about this?

Short answer: yes, a little. Much less than the headlines suggest. And the first step takes an afternoon.

Start here: write your AI policy with Claude (seriously, today)

The one obligation that already applies to you – right now, since February 2025 – is AI literacy (Article 4). If your team uses AI at work (it does), you need to take measures to support a sufficient level of AI literacy across the company. The practical way to evidence that? An AI Use & Literacy Policy that people actually read.

Here’s the thing: a generic template downloaded from somewhere won’t reflect how your practice works. A policy written for a bank doesn’t fit a 40-person BC shop that builds agents in Copilot Studio. So write your own and let Claude do the heavy lifting.

The flow:

1. Assign one owner. Before any prompting happens, pick one person to own AI compliance. For larger organizations, you’ll probably need the person to have a team. In most partner organizations that’s a founder, CTO, COO, or whoever already owns security. This person owns the policy, keeps it updated, and is the one your team asks related questions. Without an owner, the policy becomes a PDF nobody opens.

2. Give Claude real context. Open Claude and brain-dump everything: what your company does, which services you sell, which agents you implement (BC Payables Agent? Sales Order Agent? Custom Copilot Studio builds?), which AI tools your team uses internally and for what, what’s on the roadmap, how big the team is, which countries you operate in. The more context, the less generic the output.

3. Ask your colleagues what they actually use. Before drafting anything, send a quick email or run short chats with the team: which AI tools do you use, for what, and with what data? Don’t make it an audit – be curious about it. People are often using more (and better) tools than management knows about, and a policy written without that picture will miss reality on day one. Feed the answers to Claude as part of the context.

4. Tell Claude to interview you. This is the step most people skip. Don’t ask for “an AI policy” – ask Claude to ask you questions first. Something like: “Before drafting, interview me about our business, our AI usage, our client work, and our plans. Ask about anything that would change what the policy should say.”

5. Turn the answers into a policy and a framework. The output shouldn’t just be rules. Ask for the policy plus the working parts: a training log, a simple register of AI systems you use and deliver, and a screening step for new agent projects. That’s your company AI framework.

6. Run it through the company and actually train people. Introduce the policy properly: a short session walking the team through what’s in it, what’s prohibited, and how the new-tool check works. That session is your AI literacy training under Article 4 – log who attended, repeat it for new joiners, and do a short refresher when the rules change. Everyone reads the policy, everyone signs the log, the owner reviews it every six months. You’ve just complied with Article 4 with documentation to prove it. (we of course, encourage continuous AI training, but this is the mininum required)

A word of warning: don’t trap your team with less by trying to be compliant. We’ve seen too many companies “comply” by locking the team down to one approved chatbot and banning everything else. That’s not what the Act asks for, and it quietly kills the experimentation an agent practice runs on. Be open by default and restrict only what the law or basic professional duty requires. A clause we like:

“New tools may be adopted by any team member after a quick self-check: (a) the use is not in the prohibited list below, (b) confidential or personal data is only entered into tools running under business terms that exclude training on our data, and (c) the tool is added to the AI System Register. No approval committee – just the check and the register entry.”

OK, but what does the Act actually mean for an agent practice?

Good news first: if your business is implementing BC Agents and building Copilot Studio agents for SMB clients, you are almost certainly not in the high-risk category. The Act sorts AI by risk, and back-office automation – payables, sales orders, document handling – isn’t on the high-risk list. No conformity assessments, no CE marking, no registration databases.

What you do need to understand is roles, because the Act assigns obligations based on who counts as the “provider” and the “deployer” of each system:

  • Your internal tools (Claude, ChatGPT, Copilot): you’re a deployer. Obligations are light: literacy measures (see above) and not using AI for prohibited stuff. There’s no AI Act reason to ban or restrict tools; just keep client data in business-tier accounts.
  • BC Payables Agent and Sales Order Agent implementations: Microsoft is the provider, your client is the deployer, and you’re the integrator in between – which means essentially no direct AI Act obligations for you. Keep it that way: don’t rebrand Microsoft’s agents under your own name and don’t modify them beyond supported configuration, or you can inherit provider duties.
  • Custom Copilot Studio agents: this is where it gets interesting. Who’s the “provider” of a custom agent depends on how the contract is written. Usually it should be your client – they put it into service under their own name. Say so explicitly in the statement of work.

And two lists to memorize (or rather, put in your project intake checklist):

  • Never build: anything on the prohibited list – social scoring, emotion recognition in the workplace, manipulative systems. These have been illegal since February 2025.
  • Stop and think before building: anything high-risk – agents that screen job applicants, score creditworthiness, or decide who gets access to essential services. Not forbidden, but they carry a heavy compliance load (from December 2027, after the recent “Digital Omnibus” deferral). If a client asks for one, that’s a deliberate business decision with a deliberate price tag, not a regular agent project.

The date that didn’t move: 2 August 2026

You may have read that the EU delayed the AI Act. Partially true – the high-risk obligations moved to late 2027 and 2028. But the transparency rules (Article 50) still kick in on 2 August 2026, and those are the ones that touch everyday agent work:

  • Agents that interact with people need to disclose they’re AI (unless it’s obvious).
  • AI-generated content needs machine-readable marking.

If you’re building customer-facing agents this year, design that in now. A disclosure line in the chat UI costs nothing during the build and a retrofit project after.


This post is general information, not legal advice — confirm specifics for your situation with qualified counsel.

Qezaro AI adoption framework builds governance into every agent implementation from day one – screening, documentation, and deployer handover included.