EU AI Act · Algorithmic Audits · AI Governance
The EU AI Act is now in force. Most organisations using AI are not ready. We audit your AI systems, classify your risk exposure, and build the governance structures that protect you — before the regulator arrives.
EU AI Act enforcement has begun. High-risk AI systems face fines of up to €30M or 6% of global turnover for non-compliance.
The Problem
Chatbots, scoring models, automated decisions — deployed without a documented risk classification or conformity assessment. The EU AI Act makes this a liability, not a gap you can close later.
Black-box AI outputs applied to credit, hiring, or customer triage. Regulators, auditors, and increasingly customers demand explainability. Without it, you cannot defend your decisions.
Teams adopting AI tools without central oversight. No inventory of what's deployed, who owns it, or what data it touches. The audit trail doesn't exist — until an incident makes it urgent.
The Methodology
Our AI audit methodology combines regulatory compliance expertise with operational consulting discipline. Every step produces a documented, auditable output — not a slide deck of recommendations.
We map every AI system in your organisation — purchased, built, or embedded in third-party tools. Chatbots, recommendation engines, automated decision systems, predictive models. Most organisations are surprised by how many they have and how few are documented. This inventory becomes the foundation of your entire compliance posture.
We classify each AI system against the EU AI Act's risk tiers — Unacceptable, High, Limited, and Minimal. High-risk systems (covering employment, credit, education, law enforcement, and critical infrastructure) face mandatory conformity assessments. We identify which of your systems qualify, what obligations they trigger, and the timeline you must meet.
For each high-risk or decision-making AI system, we conduct a structured algorithmic audit: data quality review, bias testing across protected characteristics, output consistency analysis, and explainability evaluation. We produce a written audit report with findings, severity ratings, and specific remediation actions — formatted for regulatory review if required.
The EU AI Act requires extensive technical documentation for high-risk AI — system architecture, training data provenance, performance metrics, human oversight mechanisms, and post-market monitoring plans. We write this documentation for you, in the format required for EU conformity assessments and notified body review. This is one of the most time-consuming parts of compliance — we have templates and the expertise to do it efficiently.
Compliance is not a one-time event. We design and implement your ongoing AI governance structure: an AI register, approval workflows for new deployments, human oversight protocols, incident response procedures, and a post-market monitoring programme. Aligned with ISO/IEC 42001 and NIST AI RMF, built to scale as your AI footprint grows.
Tangible Outcomes
Every AI audit engagement produces a complete compliance package — audit-ready, regulator-ready, and written to be understood by both your legal team and your engineering team.
Complete AI system inventory with ownership and data lineage
EU AI Act risk classification for every system in scope
Algorithmic audit reports with bias test results and findings
Technical documentation package for high-risk systems
Conformity assessment readiness report with gap analysis
AI governance framework, policies, and approval workflows
Post-market monitoring plan and ongoing audit retainer option
Regulatory Context
Unacceptable risk: Real-time biometric surveillance in public spaces, social scoring by governments, subliminal manipulation. These are banned outright. No path to compliance.
High risk: AI in hiring, credit scoring, education, healthcare triage, law enforcement, critical infrastructure. Requires conformity assessment, technical documentation, and human oversight. Most business AI falls here.
Limited risk: Chatbots, deepfakes, and AI-generated content require disclosure that users are interacting with AI. Simple to implement, but most deployments currently don't comply.
Minimal risk: AI spam filters, recommendation engines, inventory tools. No mandatory requirements, but voluntary codes of conduct are encouraged and increasingly expected by enterprise clients.
Key Deadlines
Prohibited practices ban: February 2025 (already in force) · GPAI model rules: August 2025 · High-risk system obligations: August 2026
Sectors
Credit scoring, fraud detection, customer risk profiling. High-risk under EU AI Act and subject to overlapping GDPR Article 22 constraints on automated decision-making. We align both frameworks.
Predictive maintenance, quality control vision systems, supply chain AI. Often embedded in equipment purchased from third-party vendors — where the compliance responsibility still falls on the deployer.
Diagnostic support tools, patient triage systems, clinical decision aids. Among the highest-risk category under the EU AI Act. Requires the most rigorous documentation, testing, and human oversight structures.
CV screening tools, candidate scoring, performance assessment platforms. Explicitly high-risk under the EU AI Act. We've seen these deployed widely without any compliance framework — the exposure is significant.
Personalisation engines, dynamic pricing, customer segmentation. Predominantly limited or minimal risk — but the transparency obligations for AI-driven recommendations are frequently missed.
Providers of AI-embedded software face obligations as both developers and deployers. General-purpose AI models (GPAIs) like LLMs have their own compliance track. We help you understand both sides of the obligation.
Self-Assessment
If you answer yes to two or more of these, your organisation has EU AI Act exposure that needs to be addressed now.
Do you use AI tools that make or influence decisions about people, such as employees, customers, or applicants?
Could you produce a complete inventory of every AI system in your organisation within 48 hours?
If a regulator asked you to explain how a specific AI decision was made, do you have the documentation to do it?
Have you tested your AI systems for bias across gender, age, nationality, or other protected characteristics?
In a 30-minute discovery call, we'll review your AI deployment landscape, identify your highest-risk systems, and give you an honest assessment of where you stand under the EU AI Act.