Over the past few months I've sat down with quite a few businesses that had already bought "something with AI". A chatbot on their website. An automation a freelancer they found on a video had set up for them. An "agent" that enriches their leads. And almost every time, when I ask the same simple-looking question, the room goes quiet:

"OK, so what does this actually do, and where does your customers' data go?"

They don't know. Not for lack of competence: these are competent people running real businesses. They don't know because it was sold to them as a black box, and the market taught them that understanding what happens inside is "a technical thing". That's exactly what I want to pull apart here, because it's false, and because for over a year the law has been asking you to do precisely the opposite.

A bit of context: I completed the Master's in Artificial Intelligence in Communication and Media at UCM, and I've been putting AI into real businesses for a while now. I'm not writing this from a place of fear, or from the "AI is dangerous" camp. Well-applied AI is one of the best things that can happen to a small business. I'm writing it from the opposite angle: AI you don't understand isn't yours, it's a problem that hasn't exploded yet. AI done right can save you hours, reduce errors and bring order to processes you currently do by hand. Opaque AI only saves you from understanding what you're paying for.


The AI Act already requires you to understand what you use.

Let's start with what almost nobody tells you when they're selling you a workflow. The European Artificial Intelligence Regulation (the AI Act, Regulation (EU) 2024/1689) has an article, Article 4, called "AI literacy". And it says something very specific: any company that deploys AI systems must ensure that the people using them on its behalf have a sufficient level of knowledge about what those systems do, their limits and their risks.

Underline the word deploys. It's not talking only about whoever builds the AI in Silicon Valley. It's talking about you, who puts a chatbot on your website or uses an AI tool with your customers' data. In the regulation's language you're a "deployer", and the obligation is yours.

The important part: this is not coming into force next year. It has been in force since 2 February 2025. That is to say, right now. While you were reading that last sentence, it was already enforceable.

What this means in plain English.

The law doesn't ask you for a master's degree. It asks that you, and anyone in your business who touches AI, can explain what it does, what data it handles and what happens when it gets something wrong. Exactly what almost nobody can answer today. "Someone I found on Instagram set it up for me" is not a valid response to an inspection, nor to an angry customer.

And this is just the start of the timeline. On 2 August 2026 the transparency obligations kick in (Article 50): among other things, your chatbot will have to clearly disclose that it's an AI, and certain AI-generated or AI-manipulated content (deepfakes in particular) will have to be identifiable as such. The regulation's fines go up to €35 million or 7% of global turnover for the most serious infringements. Don't be scared by the number (it's aimed at the big players), but understand the direction: Europe has decided that opacity in AI comes at a cost.

The Spanish detail (the forthcoming AI Law, AESIA as supervisor, what you specifically need to do) I covered in another article, so I won't repeat it here. You can read it here if you're interested in the compliance side. This article is about something earlier and more practical: how to stop buying black boxes.


Five places where your AI is doing something you don't know about.

I'll be specific, because that's the only thing that's actually useful. These are five real marketing and lead-generation scenarios where I've seen the same pattern: the business pays, the thing "works", and nobody knows what's happening inside. For each one I'm giving you the exact question you should ask whoever sold it to you.

1 · The chatbot on your website.

You put an "intelligent" chat widget on the homepage. A visitor types their name, their email, sometimes their phone number or the health problem they're asking about. Where does that conversation go? In most cheap setups, the text leaves your website, travels to a server run by an AI provider (often outside the EU, or a US company even if the interface looks European), and is processed there. If that's what's happening, personal data from your customers is leaving Europe.

What almost nobody verified: is there a data processing agreement signed with that provider? Are there safeguards for the transfer outside the EU (the so-called standard contractual clauses)? Are the conversations stored, where, and for how long? And the most common surprise: the bot, trying to seem helpful, makes up prices, timelines or promises you never made. A commitment your website puts in writing can be held against you.

Question to ask: Which servers do the conversations pass through, what gets stored, and what stops the bot from promising things I don't offer?

2 · The automation chain the "expert" built for you.

This one is the classic. A lead fills in your form and behind the scenes that data jumps through five or six different tools: Make or n8n, an enricher, a CRM, a spreadsheet, an AI API that classifies, an automated email. On paper, magic. In practice, your customer's personal data has passed through six companies and you don't know which ones, where they are, or whether you signed anything with them.

Many of those tools are, in legal terms, processors (or sub-processors) of your data, and the relationship with each one that handles data on your behalf should be governed by contract. If tomorrow there's a breach at link number four in a chain you didn't even know existed, the customer won't call the tool. They'll call you.

Question to ask: Walk me through the full journey of a lead, tool by tool, and tell me which ones I have a data processing agreement with.

3 · AI-powered lead enrichment.

"You give it an email and it gives back the name, job title, company, phone number and LinkedIn." Sounds incredibly powerful for sales. The uncomfortable question is: where does all that information come from? Many of these services feed off databases built by scraping the internet without the person's knowledge, or without a clear legal basis that you can actually defend. You're processing data about people who have no idea you have it.

This isn't theory. The data protection authority can ask you what legal basis you're relying on to hold that data, and "an AI tool gave it to me" is not one. The risk is yours, not the tool's.

Question to ask: Where does this data come from, and what legal basis do I have to hold and use it?

4 · Your ad creative, generated by AI.

More and more creative assets (copy, images, voices) come out of an AI. Two problems almost nobody looks at. One: from August 2026 there are transparency obligations for certain synthetic content. If your ad uses a cloned voice or an image that mimics something real (a deepfake) without labelling it, you're in regulated territory. Two, and more urgent: AI states things that aren't true with complete confidence. An ad that promises a result you can't deliver is misleading advertising, and you're the one liable, not the model.

Question to ask: Who checks that what the AI-generated creative claims is actually true and legally sound before it goes live?

5 · The "AI salesperson" sending cold emails.

The latest thing: an agent that finds prospects, writes personalised emails with AI and sends them on its own. Here all the previous problems collide at once: data obtained who knows how, messages the AI drafts without anyone reading them, mass sending that skirts (or crosses) the rules on commercial communications. And the detail that worries me most: you don't control what that agent says in your name. It speaks for your brand, and you haven't read it.

Question to ask: What exactly does this system send in my name, to whom, and who approves it before it goes out?

The 30-second test.

You don't need to understand neural networks. You need something much simpler. For any piece of AI you have running in your business, you should be able to answer these three questions in 30 seconds, without calling anyone:

  1. What does it do, exactly? In one sentence, without "optimises" or "powers". What goes in, what comes out.
  2. Where does the data go? What information it touches, which companies process it, what gets stored and for how long.
  3. What happens when it gets it wrong? Because it will get it wrong. Who spots it, what breaks, how you fix it.

If you can't answer those three in half a minute, you don't control that AI. You pay for it.

And watch out, because the trap is elegant: when everything is going well, the black box looks like a marvel. The problem with black boxes isn't the good day. It's the day the bot promises a discount that doesn't exist, or a customer asks where you store their data, or the service at link four goes down and nobody even knew that link was there.

What I require before putting AI into a client's business.

So that this doesn't end at "be careful", here's my own checklist. Nothing heroic, just common sense applied with discipline. Before switching on anything AI-related in a business:

None of this actually slows you down. What slows you down is the fire you spend six months putting out because you switched on something nobody understood. AI set up properly gives you hours and headroom. Opaque AI gives you a time bomb that looks like a success.

The conclusion, without the smoke.

The market is full of people selling AI like a magic trick, where the whole point is that you don't understand how it works. It's exactly the opposite. In your business, understanding what AI does for you isn't a technical luxury: it's the condition for it to actually be yours. It always was, by common sense. Since February 2025, it's also what the law requires.

So the next time someone offers to "automate with AI" or "put an agent in place for you", don't ask what it costs. Ask what it does, where your data goes and what happens when it fails. If they can't give you a clear answer, they're not selling you AI. They're selling you a black box with your name on the invoice.

Want to actually understand the AI you have (or that someone's trying to sell you)?

A 90-minute diagnostic session where we go through what each piece of AI in your business does, where your customers' data goes, which legal points are worth reviewing and where you're exposed. If something needs a lawyer or a DPO, I'll tell you clearly. You walk away with a map in plain language, not more noise. €290 + VAT.

Book a diagnostic