Fake EU AI Office GPAI (general-purpose AI) compliance-audit lure — "AI Office audit scheduled — submit model card and technical documentation within 7 days to avoid AI Act enforcement" targeting EU AI providers and downstream deployers. GPAI obligations went live Aug 2 2025; the high-risk Article 53/55 transition runs to Aug 2 2026, giving attackers a real and credible pretext window. Real AI Office communications come through ec.europa.eu / digital-strategy.ec.europa.eu, never via inbound email link. Source: GC1 R7 multiagent council top-5 (S3 EU-reg specialist).

Fake EU AI Office GPAI (general-purpose AI) compliance-audit lure targeting EU AI providers, downstream deployers, and SMEs caught by the AI Act's general-purpose AI obligations. The phish narrative arrives as: "AI Office audit scheduled — submit model card and technical documentation within 7 days to avoid AI Act enforcement," "Article 53 conformity assessment deficient — upload technical file via the AI Office portal," or "Your GPAI deployment requires updated model card disclosures before the deadline." GPAI obligations under the AI Act went into force Aug 2 2025; the high-risk Article 53/55 transition runs to Aug 2 2026, giving attackers a real and credible pretext window through the entire 2026 calendar. The AI Office itself launched in 2025 and has been issuing real "guidance updates" + "compliance reminders" — making it hard for non-specialist deployers to distinguish a genuine reminder from a phish. Real AI Office communications come exclusively through `ec.europa.eu`, `digital-strategy.ec.europa.eu`, and `aioffice.ec.europa.eu` with DMARC pass; the AI Office never demands technical-file uploads via inbound email link, never sets 7-day deadlines, and provides a formal Notified Body or AI Office portal for submissions. Compromised AI providers face credential theft for the AI Office portal (loss of conformity-assessment evidence, model-card history, internal-documentation exfil) and downstream Article 99 fine exposure if attackers tamper with the regulatory record. Distinct from `ai-act-high-risk-annex-iii-conformity-assessment-lure` (Annex III high-risk systems / Notified Body scope) — this signal targets the broader GPAI / Article 53/55 obligations affecting any general-purpose model provider above the FLOPS threshold. Fires when body references AI Act / GPAI / general-purpose AI / AI Office / Article 53 / Article 55 AND contains compliance-audit / deficient / deadline / enforcement / submit-model-card / submit-technical-documentation / submit-conformity-assessment / audit-scheduled urgency. Excludes ec.europa.eu, digital-strategy.ec.europa.eu, aioffice.ec.europa.eu, and the broader .europa.eu umbrella. Auto-classified as danger via the `-lure` suffix. Source: GC1 R7 multi-agent council top-5 (S3 EU-reg specialist).