EU AI Act Compliance Audit
Systematic classification of your AI systems against the EU AI Act. Know your risk level, your obligations, and your timeline — before a regulator tells you.
What we audit and why it matters
The EU AI Act classifies AI systems into four risk tiers: unacceptable, high, limited, and minimal. Your obligations depend entirely on where your systems land. Most US organizations have not conducted this classification. Many do not realize they are in scope.
Our audit follows a structured methodology designed to answer three questions: Does the Act apply to you? What is the risk classification of each AI system? What do you need to do, and by when?
The audit process
Phase 1: AI System Inventory. We catalog every AI system your organization develops, deploys, imports, or distributes. This includes third-party AI embedded in your products, SaaS tools with AI features, and internal models. For each system, we document the purpose, data inputs, outputs, and decision impact on individuals.
Phase 2: Scope Assessment (Article 2). For each system, we determine whether it falls under the EU AI Act. The key question is whether the system's output reaches or affects individuals in the EU. That test applies regardless of where the system is hosted or where your company is headquartered. We map your EU nexus across customers, partners, subsidiaries, and end users.
Phase 3: Risk Classification (Article 6 + Annex III). Systems in scope are classified against the Act's risk framework. We analyze whether each system falls under Annex III high-risk categories (employment, finance, education, healthcare, law enforcement, critical infrastructure, migration) and whether Article 6(3) exemptions apply. Systems performing narrow procedural tasks or preparatory functions may qualify for exemption — but this must be documented and defensible.
Phase 4: Gap Analysis. For each high-risk system, we compare your current governance against the Act's requirements: risk management system (Article 9), data governance (Article 10), technical documentation (Article 11), record-keeping (Article 12), transparency (Article 13), human oversight (Article 14), accuracy and robustness (Article 15), and quality management (Article 17). We identify what exists, what is missing, and what needs to be built.
Phase 5: Compliance Roadmap. A prioritized action plan with deadlines, resource estimates, and sequencing. We distinguish between obligations that are already enforceable (prohibited practices, AI literacy), those taking effect August 2026 (Annex III high-risk), and those with extended timelines (Annex I product safety, 2027).
Deliverables
You receive a written report of 5 to 15 pages (depending on portfolio size) containing: a complete AI system inventory with classification, your role determination (provider, deployer, or importer), a gap analysis matrix for each high-risk system, a prioritized compliance roadmap with deadlines, and recommended next steps including documentation templates and governance structure recommendations.
Entry-level engagement
EU AI Act Rapid Exposure Assessment: Inventory up to 5 AI systems, preliminary Annex III classification, obligation map. Delivered in one week. Fee credited toward any full engagement. Contact us to schedule.