AI systems inventory
We identify AI systems, AI components and model use cases within the organisation: solutions built in-house, those purchased from vendors, and AI features embedded in existing enterprise applications.
The AI Act requires organisations to bring order to how they use AI systems: from inventory and risk classification, through documentation and an AI register, to human oversight, access control and an audit trail.
The organisation receives a map of its AI systems, a risk classification, and a plan for closing gaps. Compliance can then be demonstrated through documentation, a register and controls, rather than through declaration alone.
Each AI system has an assigned risk category, business owner, compliance status and required actions. The board can see which solutions require urgent attention and which can be planned into the roadmap.
The AI Act provides for penalties for the most serious breaches. Early classification of systems and remediation of gaps help reduce the regulatory, operational and reputational risk associated with uncontrolled AI use.
Requirements relating to data, access control, security, documentation and oversight often overlap with other compliance programmes. This is why we treat the AI Act as part of a broader governance system, not as a separate project detached from GDPR, NIS2 or DORA.
We assign AI systems to the appropriate risk categories: minimal, limited, high or unacceptable. We analyse the system’s purpose, its users, the data involved, its impact on individuals, and the organisation’s role in the chain of responsibility.
We compare the current state with the requirements for the given risk category. We check documentation, human oversight, data quality, transparency, cybersecurity, usage logging, monitoring and access control rules.
We create an AI systems register and system cards describing the purpose, owner, vendor, data, model, risk category, users, controls, compliance status and required actions.
We prepare a structured documentation package: system classification, risk description, ownership decisions, assigned controls, an audit trail, a remediation plan, and the status of actions. The documentation helps the organisation demonstrate what has been assessed, on what basis, and what decisions were made.
We define AI usage policies, roles and responsibilities, rules for approving new systems, human-oversight mechanisms, and escalation paths for decisions or recommendations supported by AI.
We start with a workshop and inventory. We establish which AI systems operate within the organisation, who uses them, who supplies them, what data they work on, and which decisions or processes they support.
We then classify the systems by risk category and carry out a gap analysis against the obligations arising from the AI Act. The output is an AI register, a list of gaps, action priorities and a remediation plan.
We typically deliver the basic compliance framework within a 4-week horizon. Further gap closure is planned in stages - depending on the number of systems, risk categories, documentation availability and security requirements. Interpretations with binding legal effect are confirmed with the client’s legal adviser.
The team’s experience in AI, cybersecurity and regulatory compliance confirms SNOK’s readiness to support organisations in preparing for AI Act requirements.
Financial sector company
Inventory and classification of AI systems, preparation of an AI register and compliance documentation for AI Act and DORA requirements.
Essential services operator
AI Act gap analysis integrated with the NIS2 programme. The project allowed a single compliance programme to be run instead of separate, disconnected initiatives.
Corporate group
Preparation of AI usage policies, ownership roles and human-oversight rules for AI assistants used across subsidiary companies.
The AI Act entered into force in 2024, but its provisions apply in stages. Some obligations already apply, and further requirements come into effect at subsequent dates. In practice, the first step is not preparing full documentation for every system, but rather inventory, risk classification and a prioritised action plan.
If the organisation supplies, deploys or uses AI systems, it most often does. The scope of obligations depends on the organisation’s role, the system’s risk category, the purpose of the solution, and the data the system works on. Most business use cases will require at least classification and basic documentation.
The AI Act provides for substantial penalties for the most serious breaches, including the use of prohibited practices. The final amount depends on the type of breach, its scale, the severity of the case, the size of the organisation, and the role the organisation plays with respect to the given AI system.
No. SNOK provides classification, risk assessment, an AI register and technical-organisational documentation. Interpretations with binding legal effect require confirmation by a legal adviser. We work with the client’s legal team on this.