Most AI-native SaaS is not a "high-risk system" — but founders either panic that it is, or assume the Act is a Europe problem that doesn't reach a US startup. Both are wrong often enough to matter. Answer a few questions and land in the bucket that actually fits your product, with the obligations and 2026 dates for each.
Are you a provider or a deployer? If you build and put an AI system (or a general-purpose model) on the market, you're a provider and you carry the heavier obligations. If you use someone else's model — say you call the OpenAI API inside your app — you're mostly a deployer, with lighter duties (use it as intended, keep humans in the loop where required, pass through transparency notices). Most "we're an AI startup" companies are deployers of a third-party model plus providers of their own thin layer, and the obligations attach differently to each. Getting that split right is usually the difference between a weekend of disclosures and a genuine compliance program.