For 27 years, I’ve argued that organizational readiness — not technology capability — determines implementation success.
On August 2, 2026, the European Union makes that argument law.
The Shift No One Is Talking About
The EU AI Act doesn’t just regulate AI providers (vendors). It regulates AI deployers — the organizations that use AI systems.
That’s you. The practitioner. The enterprise. The buyer.
And the obligations are significant:
The EU isn’t asking whether you bought good technology.
They’re asking whether you’re ready to deploy it responsibly.
What This Means for ProcureTech
Vendors like Zycus (Merlin Agentic AI), Coupa (AI-powered spend intelligence), and GEP (Autonomous Procurement Agents) are aggressively marketing AI capabilities.
But here’s the question no one is asking:
Are your clients prepared to meet their legal obligations as AI deployers?
If a vendor sells AI capability to an organization that lacks:
- AI literacy programs for staff
- Data governance frameworks
- Human oversight mechanisms
- Post-go-live monitoring systems
…that organization isn’t just at risk of implementation failure. They’re at risk of regulatory non-compliance with penalties up to €35 million.
The Hansen Fit Score Maps Directly to EU AI Act Requirements
This isn’t a coincidence. What the EU now requires is what the Hansen Method has measured since 1998:
The EU AI Act’s deployer obligations align closely with what Phase 0 has measured since 1998.
The Hansen Fit Score is not a legal compliance certification — it is a governance readiness diagnostic. What the EU AI Act now mandates, HFS has measured since 1998.
The Vendor Accountability Gap
Under the EU AI Act:
- Providers (vendors) must build compliant AI systems
- Deployers (clients) must be ready to use them compliantly
But vendors have no obligation to verify that their clients are ready.
They can sell AI-powered autonomous procurement agents to organizations with:
- No AI literacy training
- No data governance framework
- No human oversight protocols
- No post-deployment monitoring
And when that implementation fails — or triggers regulatory scrutiny — the deployer bears the liability. Not the vendor.
This is the same pattern we’ve documented for 27 years. Technology gets sold. Organizations aren’t ready. Implementations fail. Except now, failure comes with a €35 million price tag.
What the Hansen Fit Score Now Measures
The “Minimum Client Readiness Required” score in every Hansen Fit Score assessment is no longer just a best practice recommendation.
It’s a compliance checkpoint.
When we say Zycus requires a Minimum Client HFS of 6.5, we’re saying:
Organizations below this threshold face elevated implementation risk AND potential EU AI Act compliance exposure.
The Hansen Fit Score bridges two gaps simultaneously:
- The Capability-Outcome Gap — Can you actually implement what you’re buying?
- The Regulatory Readiness Gap — Can you legally deploy what you’re buying?
The Five Questions You Should Now Ask Every AI Vendor
- “What is your assessment of our organization’s readiness to meet EU AI Act deployer obligations?”
- “Do you have a minimum client qualification threshold before selling AI capabilities?”
- “What AI literacy training do you provide or require before deployment?”
- “How do you support human oversight requirements in your AI system design?”
- “What post-deployment monitoring tools do you provide to help us meet our regulatory obligations?”
If the vendor can’t answer these questions, they’re selling you technology without regard for whether you can legally deploy it.
The Irony
In 1998, funded by the Canadian Government’s Scientific Research & Experimental Development program, I developed the agent-based Metaprise framework and Strand Commonality theory — built on one premise:
Organizational readiness determines implementation success, not technology capability.
In 2026, the European Union reached the same conclusion and made it law.
Twenty-seven years of documented evidence. An 80% industry failure rate that never improved. And now, regulatory enforcement with penalties up to 7% of global revenue.
The question is no longer whether readiness matters.
The question is whether your organization is ready — and whether your vendors care.
Hansen Fit Score™ — Measuring what matters: implementation success, not capability theater.
Access the Hansen Fit Score Vendor Assessment Series →
Each assessment now includes Minimum Client Readiness Required scores — your baseline for both implementation success AND EU AI Act compliance readiness.
Related Reading:
- The Coupa Software Consolidated Assessment Report
- The Gartner Consolidated Assessment Report
- The Zycus Consolidated Assessment Report
- Dangerous Supply Chain Myths Series (2007–2024)
Methodology Note:
This analysis is based on publicly available EU AI Act documentation, implementation timelines, and deployer obligation requirements as of February 2026. The Hansen Fit Score framework alignment represents conceptual mapping between regulatory requirements and established readiness assessment methodology. Organizations should consult qualified legal counsel for specific EU AI Act compliance guidance.
Hansen Models is 100% independent. We have never accepted vendor sponsorship.
-30-
Procurement Insights 
Tim Cummins
February 6, 2026
Yes John, your point is incredibly well made.
This readiness issue is arguably most pertinent in regard to external trading activities – as a buyer or supplier. And anyone who has absorbed our 2025 Global Benchmark Report will have discovered that only around 8% of organisations have that ‘readiness’. Many are headed in the wrong direction; rather than reassessing their commercial operating model, they are doubling down on controls within a fragmented architecture – systems, functions, processes.
This really is a battle for relevance and survival.
piblogger
February 6, 2026
Tim — thank you. That 8% figure is exactly the uncomfortable reality most organisations still underestimate.
What strikes me most in your comment is the phrase “doubling down on controls within a fragmented architecture.” That is precisely the failure pattern we initially discoverd and addressed in the DND case and across the Procurement Insights archive for more than two decades: adding controls to systems that were never governed as an integrated operating model.
The EU AI Act changes the stakes. Fragmentation is no longer just inefficient — it becomes a deployer liability. Readiness isn’t about adding more rules or tools; it’s about whether the commercial operating model actually works across buyers, suppliers, data, and decision rights when stress is applied.
If only ~8% are ready today, then the Act isn’t a compliance exercise — it’s a forcing function for survival, exactly as you say.
Tim Cummins
February 6, 2026
And an important question: why is this positioned as ‘Procurement Insights’? What we are discussing is the commercial capability of an organisation. That (in my view – for 27 years) requires an integrated view of markets. What we buy is driven by what we sell.
piblogger
February 6, 2026
Tim — your point about commercial capability is exactly right.
It reminds me of a question I’m often asked: “Can you quickly explain procurement and supply chain?”
I usually answer it this way:
Do you see someone carrying a bag of groceries? That’s procurement and supply chain.
Do you see someone filling their car with gas? That’s procurement and supply chain.
Do you see someone texting on their phone? That’s procurement and supply chain too.
There isn’t a single part of our personal or business lives that procurement and supply chain don’t touch — which is precisely why they surface commercial reality faster than any other function.
So when I write under Procurement Insights, it’s not to narrow the conversation — it’s because procurement is where fragmented commercial models, broken data flows, and misaligned decision rights show up first, long before the consequences are visible in revenue, compliance, or reputation.
The EU AI Act simply formalizes what practice has shown for decades: if the end-to-end commercial system doesn’t work across markets, buyers, and suppliers, governance fails — no matter how well intentioned the controls.
Tim Cummins
February 7, 2026
Procurement unquestionably touches almost every aspect of organizational life and often detects stress signals earlier than other functions. That makes it operationally central and strategically valuable, but it is not the starting point of enterprise value. It’s like arguing that a smoke alarm somehow determines the design and purpose of a building.
Every product or service begins with an idea, tested against market demand and shaped into a commercial model. Only then do organizations decide what capabilities to build, what to access externally, and on what terms. Procurement is therefore not the author of commercial strategy, it is one of its instruments.
Where the distinction matters is in how organizations design themselves. When procurement (or any single function) becomes the perceived center of gravity, it is often indicative of overall fragmentation – strategy disconnected from execution, finance focused on hindsight, legal focused on protection, operations reacting to events.
The real leadership challenge is not deciding which function comes first. It is building an integrated commercial architecture where market insight, supply capability, risk, cost, innovation, and governance inform decisions together.
In that environment, procurement is neither upstream nor downstream. It is part of a coordinated system translating commercial intent into executable commitments.
Competitive advantage rarely comes from functional excellence alone. It comes from coherence, from the organization’s ability to design and continually adapt the way it creates and delivers value.
piblogger
February 7, 2026
Tim — I don’t think we’re actually disagreeing at all. I think we’re describing the same system from different observation points.
I agree that procurement doesn’t author commercial strategy, and I agree that functional primacy is usually a symptom of fragmentation rather than strength.
Where I come at it from is what happens after intent meets reality.
In well-designed commercial systems, coherence is largely invisible — decisions flow, commitments hold, exceptions are rare. In poorly aligned systems, strain surfaces at the points where human judgment, external dependency, and governance intersect. Procurement just happens to sit at one of those intersections, so it often becomes the earliest place where misalignment is observable.
That’s not about procurement being upstream or downstream. It’s about where adaptation is forced to occur when assumptions break — and whether the organization has designed itself to absorb that stress coherently or react to it function by function.
The reason the EU AI Act feels so disruptive is that it removes the option to assume coherence. It forces organizations to demonstrate that intent, capability, governance, and accountability actually reconcile in practice, including under conditions they didn’t anticipate.
Seen that way, procurement isn’t the center of gravity — it’s one of the clearest windows into whether the system as a whole is working as designed.
I think we’re aiming at the same outcome: organizations that can continuously translate commercial intent into executable commitments without fragmenting under pressure.
Realistically, because of its broad and far-reaching impact both within and outside the organization, procurement isn’t the sole checkpoint — but it is one of the most important threads running through the enterprise. When coherence holds, it’s largely invisible. When it doesn’t, that thread is often where strain shows first.
piblogger
February 7, 2026
Realistically, because of its broad and far-reaching impact both within and outside the organization, procurement isn’t the sole checkpoint — but it is one of the most important threads running through the enterprise. When coherence holds, it’s largely invisible. When it doesn’t, that thread is often where strain shows first.