You do not know which AI you run
Models in tools, in departments, in shadow use. Without discovery you cannot classify, and without classification you cannot steer. It starts with knowing what is in use.
The AI Act sorts AI applications by risk and ties obligations to that classification. But you cannot classify what you cannot see. Most organisations do not know which AI is in use, let alone who decided what. That is where governance starts, not at the text of the law.
The problem
The AI Act arrives in phases. Three patterns already hit organisations, regardless of the exact timeline.
Models in tools, in departments, in shadow use. Without discovery you cannot classify, and without classification you cannot steer. It starts with knowing what is in use.
An AI-driven fraud detection system touches the AI Act, NIS2 and DORA at once. Three separate compliance projects with no coherence mean double the work and triple the risk.
Not every AI application is high risk. Govern everything equally hard and you waste capacity on the harmless and miss the system that truly matters. The level of control should match the risk.
How we do it
Not a legal exercise up front. We map your AI, classify it by risk, and set up governance so the level of control matches the risk.
Which AI is in use, where, by whom, and on what data. Including shadow use no one declared. You cannot steer what you cannot see.
Set the risk level per application, in line with the AI Act logic. High-risk systems get the heavy requirements, the rest a proportionate, lighter regime. No one-size-fits-all.
Record who decided what and why, so you can show it later. Not for the folder, but because a supervisor and your board will ask.
AI Act, NIS2 and DORA as one governance system, not three separate projects. One cadence, one record, no double work.
What you keep
The distinction
The market delivers an AI Act gap analysis against the legal text. We start with what actually runs: which AI, at what risk, and what that demands in steering.
The level of control matches the risk, not the other way around. And AI governance does not stand alone: the same application often touches the AI Act, NIS2 and DORA at once. We connect them as one system, so you do it once properly instead of three times by halves.
We sell no AI governance tool and no model. We deliver capabilities and outcomes; the instrument is a means. So the advice is yours, not a vendor’s.
Not governing everything equally hard, but putting attention where the risk sits. That is the logic of the law, and the only one that scales.
AI Act, NIS2 and DORA land on the same applications. We bring them together into one governance cadence, instead of three compliance projects running past each other.
Get started
No legal track to begin. One conversation in which we decide which AI you have in view, what risk it carries, and what it takes to get a grip before the obligations bite.