My take on the EU AI Act after actually reading the thing

I spent last weekend reading through the EU AI Act (the final consolidated text, not summaries). A few things that surprised me: 1. The 'prohibited practices' list is actually quite narrow — it's mostly the obvious things (social scoring, real-time biometric surveillance in public spaces with narrow exceptions) that were already politically agreed. 2. The 'high risk' classification has a whitelist approach, not principles-based. This means a lot of genuinely impactful AI (personalisation systems, recommenders) doesn't fall under it unless specifically designated later. 3. The foundation model rules (GPAI section) are still underspecified on what 'systemic risk' thresholds mean in practice. The 10^25 FLOP threshold is a proxy and everyone knows it. 4. Enforcement mechanism is a patchwork. The AI Office has powers but member state market surveillance is inconsistent. Overall: better than nothing, probably slows down some genuinely bad use cases, creates compliance overhead that will disproportionately hurt small players. Which is about what you'd expect from an EU regulatory framework. Full text: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689