AgenixHub
All articles
AI Governance7 min read2026-07-10

Provider vs Deployer Under the EU AI Act: Which Are You?

Shubham KhareFounder, AgenixHub

Share this article

Love it? Share it with your thoughts!

XLinkedIn

Article context

Category Focus: AI Governance
Two executives reviewing a provider versus deployer decision-tree diagram on an office screen.

One of the biggest misconceptions surrounding the EU AI Act is that using ChatGPT, Claude, Gemini, or an internal AI assistant automatically makes your company an AI provider.

In most cases, it doesn't.

Understanding whether your organization is a provider or a deployer is one of the first steps toward understanding which parts of the AI Act apply to you.

Quick answer

If your company primarily uses AI systems developed by someone else, such as ChatGPT, Claude, Gemini, or internal assistants built on those models, you are usually a deployer, not a provider. Provider obligations generally apply to organizations that develop or place AI systems on the market under their own name or substantially modify an existing AI system. Your obligations depend on your role and your specific use case—not simply on using AI.

Provider vs. deployer: what's the difference?

Although the legal definitions contain important details, the distinction is straightforward for most businesses.

Provider

A provider is generally an organization that develops an AI system or places it on the market or puts it into service under its own name or trademark. Providers are responsible for meeting the regulatory requirements that apply to the systems they make available.

Examples may include a software company selling its own AI product, a company releasing an AI platform under its own brand, or an organization that substantially modifies an AI system in ways that affect its compliance responsibilities.

Deployer

A deployer is an organization that uses an AI system in its business operations. Examples include companies using ChatGPT, Claude, Gemini, Microsoft Copilot, internal AI assistants, customer service chatbots, document summarization tools, or AI-powered internal knowledge assistants.

Simply integrating or using these systems typically does not make the organization a provider.

A simple decision tree

Use this quick decision flow.

Do you develop or place an AI system on the market under your own name?
        │
       Yes → You may be a Provider
        │
        No
        │
Are you substantially modifying an AI system in a way that changes compliance responsibilities?
        │
       Yes → You may have Provider obligations
        │
        No
        │
Are you primarily using AI systems developed by another provider?
        │
       Yes → You are usually a Deployer

For many enterprises adopting generative AI today, the final answer is the most common one.

Decision-tree infographic for determining provider versus deployer status under the EU AI Act.

Common examples

SituationUsually provider?Usually deployer?
Employees use ChatGPTNoYes
Internal assistant built using Claude APIsNo (typically)Yes
Customer support chatbot using a third-party modelNo (typically)Yes
Company develops and sells its own AI platformYesPossibly
Company substantially modifies an AI system in ways relevant to compliancePotentiallyPotentially

Every situation depends on the specific facts, but most enterprises using third-party AI models remain deployers.

What deployer obligations actually apply?

Being a deployer does not mean having no responsibilities. Several obligations may still apply depending on how AI is used.

AI literacy

The AI literacy requirement has applied since 2 February 2025. Organizations should ensure that people working with AI have an appropriate level of understanding for their role. This is about enabling responsible and informed use of AI systems rather than treating AI as a black box.

Transparency requirements

From 2 August 2026, Article 50 transparency obligations apply. Depending on the use case, these include requirements relating to AI systems interacting with people, certain AI-generated public-interest content, and deepfake labeling. Whether these obligations apply depends on the specific deployment—not simply on the presence of AI.

Governance still matters

Even where the AI Act imposes relatively limited legal obligations, organizations still benefit from establishing operational governance around AI usage: which teams are using AI, which models are approved, what sensitive data is being processed, whether outputs are reviewed before being shared externally, and whether employees follow consistent AI usage policies.

What usually does not apply?

A common misunderstanding is that every organization using AI must immediately comply with the full high-risk framework. That is not how the AI Act works.

For most deployers using general-purpose AI systems, the following do not automatically apply simply because AI is being used: full Annex III high-risk provider obligations, comprehensive high-risk logging requirements, conformity assessment obligations, technical documentation obligations for providers, and risk management systems required of high-risk providers. These obligations depend on whether the AI system falls within the relevant high-risk categories—not whether it contains an LLM or is described as an "AI agent."

Myth vs. reality

MythReality
Using ChatGPT makes my company a provider.Most organizations remain deployers.
Every company using AI must follow the full high-risk regime.High-risk obligations depend on the specific use case.
Every AI deployment requires comprehensive AI Act logging.Comprehensive logging requirements are tied to qualifying high-risk systems.
AI agents are automatically high risk.Risk depends on the application, not the label "AI agent."

A practical checklist

Ask these questions before assuming your obligations: Are we developing an AI system under our own brand? Are we primarily using someone else's AI model? Do users interact directly with AI? Could Article 50 transparency obligations apply? Are any of our AI use cases within the high-risk categories? Do employees have sufficient AI literacy? Do we have governance processes around AI usage?

Why this distinction matters

Many enterprises have already deployed dozens of AI tools across customer support, engineering, HR, legal, finance, and internal productivity. The challenge is no longer simply adopting AI—it is understanding how those systems are governed, monitored, and used responsibly across the organization.

As AgenixHub is an enterprise AI implementation and operations company. Its flagship product, AgenixCore, is an AI control plane for private, governed, cost-efficient enterprise AI, organizations can establish consistent operational practices across AI deployments while improving visibility into usage, governance, privacy, and policy enforcement.

FAQ

Does using ChatGPT make me an AI provider?

Usually not. Most organizations using third-party AI models are deployers rather than providers.

Can one company be both a provider and a deployer?

Yes. An organization may develop one AI system while deploying others developed by third parties.

Do deployers have obligations under the AI Act?

Yes. Depending on the use case, deployers may have obligations such as AI literacy requirements and Article 50 transparency obligations.

Are all deployers subject to the high-risk regime?

No. The full Annex III high-risk framework depends on whether the specific AI use case falls within the relevant high-risk categories.

Do AI agents automatically become high-risk systems?

No. The classification depends on the intended use, not on whether the software is called an AI agent.

Conclusion

For most enterprises, the answer to "Provider or Deployer?" is simpler than it first appears. If your organization is using AI systems developed by another company, you are usually a deployer—not a provider. That distinction shapes which obligations apply today and helps organizations focus on the governance, transparency, and AI literacy measures that are relevant to their actual AI deployments.

Continue reading this cluster:

Related AgenixHub system

Industrial-Grade Agentic Systems for Operations

Move past stitched-together AI tools. Build secure, vertically-focused workflows that scale business outcomes across teams.

View Operational Systems