The EU AI Act deadline is approaching. Does your Marketing Operations even know what it owns?

The EU AI Act becomes broadly applicable on 2 August 2026.

For some organisations, that date will represent the final stage of a carefully managed programme involving legal, security, IT, data and every business team using AI.

For others, it will mark the beginning of a frantic search for a spreadsheet somebody vaguely remembers creating last year.

Your Marketing Operations should probably start checking which camp it is in.

Because while the conversation about AI compliance has largely been happening in boardrooms, legal teams and technology departments, much of the actual use is happening inside marketing.

It is embedded in platforms. Added to campaign processes. Connected to customer data. Used to create content, prioritise accounts, recommend actions, personalise experiences and communicate directly with prospects. In some cases, it is doing all of that without anybody having formally decided that it should.

That is the uncomfortable part.

The biggest immediate challenge for Marketing Operations may not be understanding every article of the EU AI Act. It may be working out what the organisation is already using, what those systems are doing and who is responsible for them.

Marketing did not wait for the governance meeting

AI did not enter most marketing organisations through a carefully controlled transformation programme. It arrived through product updates.

A copywriting feature appeared inside a campaign platform. A meeting tool started producing summaries. A media platform introduced automated creative. A salesperson connected a browser extension to the CRM. Somebody uploaded a customer list into a tool to “see what it could do.”

Then came the pilots, custom assistants, automated workflows and agents. Each individual decision may have seemed small. Together, they have created a network of systems using company information, customer data and business rules in ways that are not always visible from the centre.

The problem is not necessarily that all of this activity is reckless. Some of it may be entirely sensible and low risk. The problem is that many organisations cannot describe it accurately.

Ask which AI systems marketing uses and you may receive a list of officially purchased tools. That is not the same thing.

The real list also includes AI features inside existing platforms, free tools used by individuals, systems trialled by agencies, functions switched on by vendors, integrations created by employees and automations nobody has looked at since the person who built them left.

If your inventory only includes products with “AI” in the contract title, it is probably already wrong.

Buying the platform does not settle ownership

One of the easiest mistakes is assuming the technology team owns anything involving AI. It may own the contract. It may manage access. It may review the security. None of that means it understands how marketing is using the system.

Legal may interpret the regulation, but legal does not build campaign workflows.

IT may approve the platform, but IT does not decide which customer data should be used for personalisation. Procurement may negotiate the agreement, but procurement does not know whether an automated recommendation is being treated as an interesting suggestion or as an instruction that nobody questions.

The team using the system owns part of the responsibility because it owns the business context. In Marketing Operations, that context matters.

A tool generating rough ideas for internal campaign planning is not doing the same job as a system deciding which people receive an offer. A feature correcting grammar is not the same as a chatbot communicating directly with customers. A model suggesting possible target accounts is not the same as a process automatically excluding people from an opportunity.

The technology may look similar on a systems diagram. The consequences are not.

That means Marketing Operations cannot simply hand the entire subject to legal and wait for a policy document. It needs to explain what the systems actually do.

You cannot govern an invisible stack

The first practical job is not writing a 70-page AI policy. It is finding the technology.

Marketing Operations needs an inventory that reflects reality rather than the approved software catalogue. For each system, the organisation needs to know what it does, which team uses it, what information it can access, what it produces and whether its output affects customers, employees or business decisions.

It also needs a named owner. “Marketing” is not an owner. “The automation team” is not much better.

Ownership needs to reach an identifiable person who understands the use case and can answer questions about it. That does not mean this person carries every legal obligation alone. It means somebody is responsible for making sure the system does not disappear into the organisational wallpaper.

The inventory should also cover features inside platforms the organisation already owns. This is where things get messy. Software providers are racing to add AI functions to almost everything, often enabled through ordinary product releases. A platform that was reviewed two years ago may now behave quite differently.

The contract may not have changed. The risk may have.

Marketing Operations should therefore be asking vendors direct questions.

Which features use AI? What data do they access? Is customer information used to improve external models? Can the feature be disabled? Are actions logged? Can a human review the output? What happens when the system gets something wrong?

A shiny product page containing the words “responsible” and “enterprise-grade” is not an adequate answer.

The deadline is not the starting gun

There is also a dangerous assumption that organisations have until August to begin thinking about this.

They do not.

Some requirements are already applicable, including the obligation for organisations providing or using AI systems to ensure that relevant staff have a sufficient level of AI literacy.

That does not mean every marketer needs to become a machine-learning engineer. It means people should understand enough about the systems they use to recognise their limitations, apply appropriate judgement and avoid creating obvious harm.

A generic one-hour training course followed by a multiple-choice quiz may produce a completion certificate. It does not necessarily produce competent use.

The training should reflect the job.

A content writer needs to understand accuracy, attribution, confidentiality and the risks of publishing generated material without proper review.

A campaign manager needs to understand what can happen when a system creates segments, selects audiences or changes workflows.

A Marketing Operations leader needs to understand permissions, data access, monitoring, approval processes and accountability.

The person connecting a tool to the CRM needs considerably more than a reminder not to paste passwords into a chat window.

Training should match what people are actually allowed to do, otherwise, the organisation has technically educated everybody while practically preparing nobody.

Transparency is about more than adding a disclaimer

From 2 August 2026, transparency obligations under the EU AI Act will apply to certain systems and content. For marketing teams, this is likely to bring particular attention to customer-facing chatbots, synthetic images, video or audio, deepfake-style material and some AI-generated text relating to matters of public interest.

This does not mean every AI-assisted email subject line needs a warning label large enough to frighten the recipient.

It does mean organisations need to understand where disclosure is required and ensure the process exists to make it happen.

That process cannot rely entirely on the person publishing the content remembering to tick a box.

Marketing Operations should help build disclosure and review requirements into workflows. Where content must be identified, the system should support it. Where a customer is interacting with a machine, that should not be hidden behind deliberately vague language and a stock photograph of someone wearing a headset.

Transparency is not just a legal inconvenience. It is part of preserving trust. Most customers will accept that organisations use automation. What they will not appreciate is feeling tricked.

The hidden issue is decision-making

Content generation receives most of the attention because it is visible. The harder questions sit underneath it.

What is the organisation allowing AI to decide?

Marketing systems increasingly recommend audiences, prioritise accounts, predict behaviour, adapt journeys, score leads and select the next action.

Again, not every automated marketing decision falls into the most heavily regulated category. Claims that every lead score is suddenly a major EU AI Act emergency are not particularly helpful. But the absence of a dramatic legal classification does not make a process sensible.

Marketing Operations should still understand which decisions are automated, which are influenced by automated recommendations and where human judgement remains.

It should be possible to explain why a person entered a particular journey, received a specific message or was excluded from an opportunity.

It should also be possible to challenge the system.

If the team treats every recommendation as correct because it arrived inside a polished dashboard, there is no meaningful oversight. There is just a human clicking “approve” to make the workflow look respectable.

Governance should improve the work

This is the point where many organisations make governance unnecessarily painful. They create committees, forms, approval stages and policy documents without fixing the way work happens. Employees then find unofficial routes around the process because the official one takes six weeks and requires a meeting with fourteen people.

Good governance should make acceptable uses easier and questionable uses harder.

People should know which tools are approved, what they can use them for and when additional review is required.

There should be a straightforward route for proposing a new use case.

Higher-risk activity should receive closer scrutiny. Routine, low-impact activity should not require an emergency summit.

Marketing Operations is well placed to help design this because it already understands workflows, permissions, quality assurance and operational controls.

Or at least it should.

If the team can build a 47-step nurture programme with six branches and three regional exceptions, it can probably design a sensible approval process for an AI-enabled campaign.

What Marketing Operations needs to do now

The immediate priority is visibility.

Find the systems. Document the use cases. Identify the data involved. Assign owners. Review access. Check vendor terms. Understand which outputs reach customers and which decisions are being influenced. Then look at the controls.

Can people review outputs before they are used? Are important actions logged? Is there a clear escalation route? Can the organisation stop the system quickly? Does somebody periodically check whether it is still doing what it was intended to do?

Finally, look at the people.

Do they understand the tools they use? Do they know what information they can enter? Do they know when human review is mandatory? Would they recognise a poor or inappropriate output, or are they trusting the system because it sounds confident?

None of this requires Marketing Operations to become the legal department. It requires the team to behave like the operational owner of marketing technology.

Which, inconveniently, is exactly what the name suggests.

August will expose the gaps, not create them

The EU AI Act is not suddenly going to make poorly controlled technology risky on 2 August. That risk already exists. The deadline simply makes it harder for organisations to continue pretending that nobody owns it.

Marketing Operations has an opportunity here. It can wait for legal to send around a policy and then attempt to bolt it onto a marketing stack that nobody has fully mapped.

Or it can take the lead in understanding how AI is actually being used, where it touches customers and data, and what practical controls need to exist.

That is not bureaucratic housekeeping.

It is the difference between using AI as part of a functioning operation and scattering it across the business until something embarrassing forces everyone to pay attention.

The deadline is approaching... The first question is not whether your organisation is compliant. It is whether Marketing Operations even knows what it owns.