The EU AI Act Demands an AI Audit. It Does Not Tell You How.
J. Nathan Matias, an assistant professor at Cornell, wants you to think of AI audits the way you think of car inspections: not a one-time test at the door, but regular maintenance while the system runs. His new MIT Press book, "Auditing AI," published April 21 with ten co-authors, argues that AI trust is a maintenance problem, not a certification problem. The metaphor is clean. The timing is not an accident.
The EU AI Act's high-risk obligations kick in August 2, 2026 — 77 days from the book's publication. The law requires that providers of high-risk AI systems conduct conformity assessments before placing products on the European market. It does not prescribe how those assessments should work. Nobody — not the EU, not any accredited standards body — has published a mandatory audit methodology that vendors can follow.
That 77-day window is the gap at the center of this book.
Penalties for non-compliance with high-risk obligations reach 15 million euros or 3 percent of global turnover. The binding enforcement date for Articles 9 through 17 of the regulation is August 2, 2026, according to the Cloud Security Alliance. What the Act does not do is prescribe an audit methodology. It requires assessment but provides no checklist, no test suite, no prescribed standard for how an AI auditor should evaluate a system. Providers must verify compliance. They are not handed a method.
"Auditing AI" is not the answer to that gap. The book is positioned as an introduction for general audiences — business leaders, lawyers, government officials, journalists — not as a regulatory compliance manual. Its co-authors, including Christian Sandvig, Karrie Karahalios, and Alondra Nelson, draw on stories from American Airlines automated flight-booking experiments in the 1960s and the emergence of food safety inspection regimes. The goal is conceptual: help readers understand what auditing means and why it matters. The specific steps a compliance officer needs in February 2027 are not its subject.
"The deft auditor begins with the mindset of a skeptic," Matias says in the book. Good advice. It is not a compliance framework.
What vendors are actually doing
The absence of a mandated methodology has created a market for answers. ISO 42001, the international standard for AI management systems, has emerged as a candidate framework, with accredited certification bodies including ANAB in the United States offering audits against it. NIST has published its AI Risk Management Framework as voluntary guidance. Neither is required by the EU AI Act.
The Stanford Law Review noted a pattern it called "procedural perfectionism" in the Act's approach: the regulation stacks conformity assessment requirements without specifying what meaningful disclosure operationally requires. Other legal analyses have observed that the Act defines the obligation to audit without defining what a compliant audit looks like.
This creates a specific kind of risk for vendors. They face a hard deadline. They face significant penalties for non-compliance. They do not face a regulator who will hand them a checklist and say "do these steps." They face a regulator who will ask "how did you determine your system was compliant?" and expect a credible answer.
"Auditing AI" does not provide that answer. What it provides is a way of thinking about the question — trust as maintenance rather than trust as certification, ongoing vigilance rather than one-time approval. For a vendor scrambling to build an EU AI Act compliance program in the next 77 days, that is either exactly what they need or a reassuring distraction from the actual work, depending on what they were expecting.
The maintenance metaphor and its limits
The book's central argument is intellectually coherent and practically incomplete. Maintenance requires procedures. Inspections require standards. Water safety works because the EPA specifies acceptable contaminant levels and municipalities follow standardized testing protocols. The book argues for the category of ongoing inspection without providing the inspection regime.
Matias's framing from the Cornell interview is precise: "sometimes the problems of AI do not show up for just one person. They are a pattern of decisions or actions that play out over an entire organization." This is correct and important. But noting that harms are systemic does not tell a compliance officer how to detect them in a specific system before August 2.
The strength of the book is conceptual. It reframes the question away from "is this AI trustworthy?" toward "how do we continuously evaluate whether this AI is behaving as expected and not causing harm?" That reframing is valuable for organizations building AI governance programs. It is not the same as a methodology.
What changed now
The publication of "Auditing AI" in April 2026 would be interesting regardless of regulatory context. The EU AI Act's August 2 enforcement date is what makes it urgent. The 77-day runway between the book's publication and the legal deadline means the book arrives at the moment vendors are most actively searching for answers to the exact question it addresses conceptually but does not answer procedurally.
Whether that makes the book a compliance resource or a philosopher's guide to trust depends on what the reader shows up looking for. A founder building an EU-market AI product will find the framing useful and the specifics thin. A regulator evaluating whether a vendor's conformity assessment was conducted in good faith may find the maintenance metaphor persuasive. The book was not designed for either audience, but both will encounter it in the same 77-day window.
The EU AI Act requires vendors to demonstrate their high-risk AI systems are safe and compliant. It does not tell them how. "Auditing AI" tells them why the question matters. For the next 77 days, that gap is a problem — and the book is evidence of the problem, not the solution to it.