AI ACT ADVISORY

You can only classify the AI you can see.

The AI Act sorts AI applications by risk and ties obligations to that classification. But you cannot classify what you cannot see. Most organisations do not know which AI is in use, let alone who decided what. That is where governance starts, not at the text of the law.

Frames: EU AI Act, NIS2 art. 21, DORA, ISO 42001
For whom: Board, CISO, risk and compliance lead
Lead time: Baseline 2-3 weeks, programme to scope

The problem

AI governance starts with sight, not with the legal text.

The AI Act arrives in phases. Three patterns already hit organisations, regardless of the exact timeline.

You do not know which AI you run

Models in tools, in departments, in shadow use. Without discovery you cannot classify, and without classification you cannot steer. It starts with knowing what is in use.

Three regimes on one application

An AI-driven fraud detection application touches the AI Act, NIS2 and DORA at once. Three separate compliance projects with no coherence mean double the work and triple the risk.

Governing everything equally hard

Not every AI application is high risk. Govern everything equally hard and you waste capacity on the harmless and miss the system that truly matters. The level of control should match the risk.

How we do it

First see, then classify, then steer on what matters.

Not a legal exercise up front. We map your AI, classify it by risk, and set up governance so the level of control matches the risk.

01

Discovery

Which AI is in use, where, by whom, and on what data. Including shadow use no one declared. You cannot steer what you cannot see.

02

Classify by risk

Set the risk level per application, in line with the AI Act logic. High-risk systems get the heavy requirements, the rest a proportionate, lighter regime. No one-size-fits-all.

03

Decide demonstrably

Record who decided what and why, so you can show it later. Not for the folder, but because a supervisor and your board will ask.

04

Connected to the rest

AI Act, NIS2 and DORA as one governance system, not three separate projects. One cadence, one record, no double work.

What you keep

A grip on your AI, before the obligations bite.

  • Sight of all AI in use, including shadow use
  • A risk classification that matches the level of control to the risk
  • Demonstrable decision-making: who decided what, and why
  • AI Act, NIS2 and DORA connected, not three separate projects
  • A board that can make the trade-off and defend it

The distinction

Discovery before compliance

The market delivers an AI Act gap analysis against the legal text. We start with what actually runs: which AI, at what risk, and what that demands in steering.

The level of control matches the risk, not the other way around. And AI governance does not stand alone: the same application often touches the AI Act, NIS2 and DORA at once. We connect them as one system, so you do it once properly instead of three times by halves.

Independent, no AI platform

We sell no AI governance tool and no model. Capabilities and outcomes come first; the instrument is a means. So the advice is yours, not a vendor’s.

Risk-driven, not a checklist

Not governing everything equally hard, but putting attention where the risk sits. That is the logic of the law, and the only one that scales.

Coherence, not three projects

AI Act, NIS2 and DORA land on the same applications. We bring them together into one governance cadence, instead of three compliance projects running past each other.

Get started

Do you know which AI you run, or do you suspect it?

No legal track to begin. One conversation in which we decide which AI you have in view, what risk it carries, and what it takes to get a grip before the obligations bite.

Plan a conversation

30 minutes with a senior, no pitch.

Request a conversation
Call directly: 088 - 163 23 25