Example scenario — not a live project yet. An illustrative depiction of a typical implementation.
Starting point
The EU AI Act classifies AI systems along a risk-based approach: from prohibited practices through high-risk systems and transparency obligations to minimal risk — with additional obligations for GPAI models, and depending on whether an organisation acts as provider, deployer, importer, or distributor. Obligated organisations must first inventory their AI systems, classify them correctly, and meet the obligations appropriate to each class — risk management, data governance, technical documentation, human oversight, and logging.
Consultancies in this space face the task of mapping this classification and the obligations that follow from it for several clients consistently, auditably, and kept current — work that in practice often lives in spreadsheets, checklists, and slide decks: hard to keep current, barely audit-proof, and laborious to repeat across many clients. A tool that captures this methodology could turn that recurring work into a reusable product of its own.
Solution approach
Such an application would be designed as a multi-tenant platform that covers the EU AI Act readiness path end to end — from inventorying the AI systems, through guided risk classification, to a per-system gap report and action plan. A guided wizard would lead through prohibited practices, high-risk logic, and transparency cases, so that every classification ends up fully derived and evidenced.
- Guided classification wizard per system — along prohibited practices (Art. 5), the high-risk logic (Art. 6 in conjunction with Annex III), and the transparency cases (Art. 50)
- Role assignment per system (provider, deployer, importer, distributor), since obligations differ by role
- Parametric obligations library per risk class — risk management, data governance, technical documentation, human oversight, logging, and transparency — maintained by the subject-matter experts themselves
- Gap report with target-versus-actual per system and the referenced regulatory text right alongside
- AI-assisted preliminary classification that would draw solely on the stored regulatory texts and the consultancy's methodology — always as a draft, never as an automatic decision
- Measures board for the open obligations with roles, deadlines, and approvals — role-based, multilingual, with a complete audit trail and two-factor authentication
How it could look
Mockup / illustrative depiction — invented demo data, not a live system or product.
What the tool would deliver
Designed as a reusable product, such a tool could put a consultancy's AI Act work onto the same traceable process across all clients. Instead of scattered spreadsheets, a structured source of data would emerge, from which risk classification, the gap report, and audit-ready evidence could be derived at any time.
- Would derive, traceably, why each system falls into a given risk class — with evidence and a regulatory reference
- Could map the AI inventory, obligations, and open measures consistently across all clients
- Would be designed as an audit-proof basis for audits and supervisory inquiries
- Would turn recurring advisory work into a scalable product under an own brand