By Kevin M. Hyams
Why I Wrote This Article
Artificial intelligence is already embedded in ordinary business activity.
Organisations use it to generate content, analyse information, support customer service, screen candidates, assist employees, identify anomalies and inform decisions.
But the compliance question is not simply:
Do we use AI?
The more useful questions are:
- What AI systems and models do we have?
- What are they used for?
- Who provides them?
- What role does our organisation perform?
- Which systems present the greatest risk?
- Which EU AI Act requirements apply?
- What evidence supports our compliance position?
Those questions sound straightforward. In practice, they can become difficult very quickly.
An organisation may use several types of AI across different business functions. It may be a provider in relation to one system, a deployer in relation to another, and part of an import, distribution or product-manufacturing chain in relation to a third.
Some AI uses may attract limited requirements. Others may be subject to transparency obligations. Some may be classified as high-risk. Certain practices may be prohibited.
General-purpose AI models have a further set of requirements, including additional obligations for models presenting systemic risk.
I wrote this article to explain a practical way through that complexity.
The central principle is simple:
Identify the AI. Determine the role. Classify the risk. Assess only the requirements that apply. Retain the evidence needed to support the conclusion.
Summary
An effective EU AI Act compliance assessment should begin with an inventory and classification of individual AI systems and models.
For each system, the organisation should determine:
- Whether the EU AI Act applies
- What regulatory role or roles the organisation performs
- Whether the use involves a prohibited practice
- Whether the system is high-risk
- Whether transparency requirements apply
- Whether general-purpose AI model obligations apply
- What governance, controls, documentation and evidence are required
The assessment should then route the organisation into the relevant role-based and functional requirements.
This is more practical than beginning with one large checklist containing every provision in the Regulation. It also reduces the risk of assessing obligations that do not apply while overlooking those that do.
What Is the EU AI Act?
The EU AI Act is Regulation (EU) 2024/1689.
Its stated purpose includes establishing a uniform legal framework for the development, placement on the market, putting into service and use of AI systems in the European Union. It seeks to promote human-centric and trustworthy AI while protecting health, safety and fundamental rights and supporting innovation. [eur-lex.europa.eu], [eur-lex.europa.eu]
The Regulation uses a risk-based approach.
It establishes rules relating to:
- Prohibited AI practices
- High-risk AI systems
- Transparency for certain AI systems and outputs
- General-purpose AI models
- Market monitoring and surveillance
- Governance and enforcement
- Measures supporting innovation
This risk-based structure is important because the EU AI Act is not intended to impose the same level of assessment on every AI system.
The compliance work should reflect:
- The system’s intended purpose
- How it is actually used
- The organisation’s regulatory role
- The people and interests potentially affected
- The risk classification
- The significance of the system’s outputs
- The evidence needed to support the compliance conclusion
Why an Article-by-Article Checklist Is Not Enough
A conventional approach might begin with the Regulation's text and convert each article into a question.
That can be useful for legal completeness, but it does not by itself create an effective compliance assessment.
The first difficulty is applicability.
Before assessing an obligation, the organisation needs to know whether it applies to:
- The organisation
- The relevant AI system or model
- The role performed
- The intended use
- The applicable risk category
The second difficulty is responsibility.
An organisation that develops and markets a high-risk AI system may have substantially different responsibilities from a company using that system under the provider’s instructions.
The third difficulty is evidence.
A response such as “Yes, we comply” is not enough. The organisation should be able to identify:
- The control relied upon
- The person responsible
- The documentation supporting it
- How the control was validated
- Any weakness identified
- The remediation required
- Whether remediation was retested and closed
The practical objective is not merely to answer questions.
It is to create a clear route from:
Requirement → Applicability → Control → Assessment → Evidence → Finding → Remediation → Conclusion
Start with an AI System and Model Inventory
The first stage is to identify the AI systems and models that the organisation develops, supplies, acquires, distributes, incorporates into products or uses.
A useful inventory should record information such as:
- System or model name
- Version
- Provider or supplier
- Business and technical owners
- Intended purpose
- Actual use
- Persons or groups potentially affected
- Data used
- Outputs generated
- Decisions or processes influenced
- Geographic use
- Lifecycle status
- Regulatory role
- Preliminary risk classification
- Supporting contracts and documentation
- Last assessment date
- Next review date
The inventory does not need to become a technology project in its own right.
It needs to be complete enough to allow the organisation to determine what must be assessed.
This stage should also look for AI tools that have been introduced informally.
Employees may use publicly available services, embedded software functions or supplier features without recognising them as part of the organisation’s AI population. A compliance assessment based only on systems already known to the central technology team may therefore be incomplete.
Determine Whether the EU AI Act Applies
Once an AI system or model has been identified, the organisation should document whether the Regulation applies.
That assessment may need to consider:
- Whether the technology falls within the definition of an AI system
- Whether it is instead or also a general-purpose AI model
- The locations of the relevant provider and deployer
- Whether the system is placed on the EU market
- Whether it is put into service in the EU
- Whether an output produced outside the EU is used within the EU
- Whether a statutory exclusion or special provision applies
The definition of an AI system includes a machine-based system designed to operate with varying levels of autonomy, potentially exhibiting adaptiveness after deployment, and that infers from input how to generate outputs such as predictions, content, recommendations, or decisions capable of influencing physical or virtual environments.
Where the organisation concludes that a technology or activity is outside scope, that conclusion should still be recorded.
Out-of-scope and not-applicable decisions are part of the compliance evidence. They should not exist only in someone’s memory or an informal email.
Identify the Organisation’s Role
Role determination is one of the most important parts of an EU AI Act compliance assessment.
Depending on the facts, an organisation may act as a:
- Provider
- Deployer
- Importer
- Distributor
- Product manufacturer
- Authorised representative
The same organisation may have different roles in relation to different AI systems.
It may also hold more than one role within the same system.
For example, an organisation may begin by using an externally supplied system. If it later changes the intended purpose, makes a substantial modification or places the system on the market under its own name, its responsibilities may change.
The role assessment should therefore ask practical questions:
- Who developed the system?
- Who had it developed?
- Under whose name is it supplied?
- Who uses it?
- Who imports or distributes it?
- Is it incorporated into another product?
- Has anyone changed its intended purpose?
- Has anyone substantially modified it?
- How are responsibilities allocated across the AI value chain?
A role conclusion should identify the facts relied upon, the contractual arrangements, the supporting evidence and the person who approved it.
Screen for Prohibited AI Practices
Prohibited-practice screening should occur early.
There is little value in completing a long control assessment for a use that should not proceed.
The screening should examine the proposed purpose, system capabilities and reasonably foreseeable misuse.
Where a potential prohibition is identified, the appropriate response is not to proceed with an ordinary assessment and hope that subsequent controls will resolve it.
The matter should be:
- Escalated
- Restricted or suspended
- Assessed by suitably qualified personnel
- Supported by legal analysis where necessary
- Formally resolved and documented before further use
The organisation should also monitor whether an initially permitted use changes over time. New data, functionality, users or business objectives may change the character of the deployment.
Classify High-Risk AI Carefully
High-risk classification determines whether a substantial body of additional requirements may apply.
The Commission’s May 2026 draft classification guidance describes two principal routes.
The first concerns an AI system that is itself a product, or is intended to be used as a safety component of a product, covered by EU harmonisation legislation listed in Annex I and subject to third-party conformity assessment.
The second concerns AI systems that fall within the use cases listed in Annex III.
Examples of relevant areas include:
- Biometrics
- Critical infrastructure
- Education and vocational training
- Employment and worker management
- Access to certain essential services
- Law enforcement
- Migration, asylum and border control
- Administration of justice
The classification should not stop at identifying the general business function.
The organisation should assess the precise intended purpose and applicable conditions.
Not every AI tool used in recruitment, education, finance or any other listed area will necessarily produce the same classification outcome. Conversely, a system described internally as an administrative aid may influence a significant decision more than its label suggests.
As of 13 July 2026, the Commission’s high-risk classification guidance remains presented as a draft and non-binding. The current consultation is open until 23 July 2026, and the Commission says its examples are not exhaustive and may be updated.
That reinforces the need for:
- Documented classification reasoning
- Version-controlled source references
- Periodic regulatory review
- Reassessment following material change
Assess Transparency Requirements Separately
Some systems may not be high-risk but may still attract transparency requirements.
The assessment should determine whether:
- People are interacting directly with AI
- The system generates or manipulates audio, images, video or text
- Outputs require machine-readable marking
- Deepfake content is involved
- Emotion recognition is used
- Biometric categorisation is used
- Other disclosure requirements apply
The control question is not merely whether a disclosure exists.
The organisation should assess whether it is:
- Provided at the right time
- Clear and understandable
- Accessible
- Appropriate to the medium
- Consistent with how the system actually operates
- Capable of being evidenced
Treat General-Purpose AI Models as a Distinct Assessment Pathway
General-purpose AI models should not be treated as merely another category of ordinary AI systems.
The Commission explains that providers of general-purpose AI models must prepare technical documentation, maintain a copyright policy and publish a summary of the model’s training content.
Providers of general-purpose AI models with systemic risk have additional obligations regarding Commission notification, systemic risk assessment and mitigation, serious incident reporting, and cybersecurity.
The General-Purpose AI Code of Practice provides a voluntary route to demonstrating compliance. Its Transparency and Copyright chapters address obligations for providers generally, while its Safety and Security chapter is relevant to providers of models with systemic risk.
The assessment should therefore determine:
- Whether the organisation provides a general-purpose AI model
- Whether it merely uses a downstream AI system incorporating one
- Whether it has significantly modified or fine-tuned another provider’s model
- Whether an open-source provision affects particular obligations
- Whether systemic-risk criteria may be met
- Which documentation, copyright, transparency, safety and security requirements apply
This avoids asking an ordinary corporate user to answer provider questions that bear no relationship to its role.
Separate Provider and Deployer Responsibilities
For many corporate entities, the most relevant role will be that of a deployer: the organisation uses an AI system under its authority.
A deployer assessment may need to examine:
- Pre-deployment due diligence
- Use in accordance with instructions
- Human oversight
- Operational input data
- Monitoring
- Log retention
- Worker information
- Affected-person communications
- Fundamental-rights impact assessment
- Data protection alignment
- Incident notification
- Periodic review and retirement
A provider of a high-risk AI system has a different and generally more extensive assessment pathway, including areas such as:
- Risk management
- Quality management
- Data and data governance
- Technical documentation
- Record-keeping and logging
- Information supplied to deployers
- Human-oversight design
- Accuracy
- Robustness
- Cybersecurity
- Conformity assessment
- Registration
- Post-market monitoring
- Corrective action
This distinction is central to making the assessment useful.
A company acquiring an AI-enabled recruitment service should not be required to work through the same questions as the company that designed, developed and placed that system on the market.
AI Literacy Is Already a Practical Requirement
AI literacy should not be postponed until the organisation has completed every other part of its implementation programme.
Article 4 entered into application on 2 February 2025. It requires providers and deployers to take measures to ensure a sufficient level of AI literacy among staff and other individuals who deal with AI systems on their behalf. Relevant factors include their technical knowledge, experience, education and training, the context in which the systems are used and the people on whom they are used.
A practical AI literacy assessment should therefore ask:
- Who develops, operates or uses AI?
- Who oversees AI-generated outputs?
- Who approves AI systems?
- Who manages suppliers?
- Who investigates incidents?
- What does each group need to understand?
- How is learning adapted to different roles?
- How is understanding assessed?
- What evidence of training and competence is retained?
A short general-awareness course may be part of the answer.
It is unlikely to be the whole answer for a system owner, developer, human overseer, compliance professional, security specialist or incident responder.
Connect AI Governance to the Individual System
An organisation-wide AI policy is important, but it does not by itself prove that individual AI systems are being governed appropriately.
The policy should be connected to system-level records showing:
- Who owns the system
- Why it is being used
- How it was classified
- Who approved it
- What risks were identified
- What controls are required
- What evidence supports those controls
- What monitoring is performed
- What happens when the system changes
- How incidents and complaints are handled
- When continued use will be reconsidered
This is where governance becomes operational.
The policy states what the organisation expects.
The assessment shows whether those expectations are being met for the particular system.
Build the Evidence as the Assessment Progresses
AI Act compliance evidence should not be assembled only when an audit, regulator, customer, or management committee requests it.
The evidence should be linked to the assessment as the work occurs.
Depending on the system and role, relevant evidence may include:
- AI inventory records
- Applicability assessments
- Role determinations
- Risk classifications
- Prohibited-practice screenings
- Policies and procedures
- Supplier due diligence
- Contracts
- Risk assessments
- Fundamental-rights impact assessments
- Data protection impact assessments
- Training records
- Technical documentation
- Test and validation results
- Human-oversight procedures
- Transparency notices
- Logs
- Monitoring reports
- Incident records
- Corrective-action plans
- Management approvals
- Conformity documentation
The central question for every assessed control should be:
Can we show what we rely on and how we know it is working?
Use Modular Smart Templates Rather Than One Large Checklist
A modular assessment suite is better suited to the EU AI Act than one enormous workbook containing every possible provision.
A practical structure could include:
- EU AI Act Applicability, Inventory and Classification
- Deployer of AI Systems
- AI Governance and AI Literacy
- Provider of High-Risk AI Systems
- Data Governance and Technical Documentation
- Human Oversight, Transparency and Fundamental Rights
- Accuracy, Robustness, Cybersecurity and Resilience
- Post-Market Monitoring, Incident Management and Corrective Action
- Provider of General-Purpose AI Models
- Importer, Distributor, Product Manufacturer and Authorised Representative
The first template should act as the gateway.
Its results should identify which subsequent templates or work modes apply.
This allows the organisation to:
- Begin with one controlled inventory
- Record its role for each system
- Classify risk consistently
- Avoid unnecessary assessment work
- Direct questions to the correct owners
- Keep related evidence together
- Produce a clearer assessment trail
- Reassess efficiently when something changes
How NORVA Solutions’ Approach Supports the Assessment
The proposed EU AI Act suite for the NORVA Solutions Compliance Assessment Toolkit is designed around the practical flow of the assessment rather than merely reproducing the Regulation.
The intended pathway is:
Identify the AI → Determine scope → Confirm the role → Classify the risk → Activate the applicable assessment → Evaluate the controls → Retain the evidence → Record findings → Remediate and retest → Produce the required outputs
Within the relevant smart template, each compliance question can be assessed using NORVA Solutions’ structured logic, including:
- Maturity Status
- Assessed Response
- Assessed Rating
- Validation Method
- Supporting evidence
- Findings
- Remediation
- Ownership
- Target dates
- Retesting
- Review and approval
Assessment requirements can be linked directly to the relevant source materials, while supporting documents can be retained through the template’s built-in evidentiary document repository.
The functionality is powered by NORVA Solutions’ Assessment Runtime Engine, which supports a guided, repeatable assessment within the familiar Excel environment.
That is important because the value does not come from presenting another list of EU AI Act requirements.
It comes from helping the user move from uncertainty to a supportable conclusion:
- We know which AI systems and models we have.
- We know the role we perform.
- We know how the systems are classified.
- We know which obligations apply.
- We have assessed the relevant controls.
- We know where the gaps are.
- We can show the evidence supporting the result.
Prepare for Regulatory and Standards Development
The EU AI Act implementation environment is still developing.
The European Commission states that harmonised standards are being developed across ten areas:
- Risk management
- Data governance and dataset quality
- Record-keeping
- Transparency
- Human oversight
- Accuracy
- Robustness
- Cybersecurity
- Quality management
- Conformity assessment
The Commission explains that the use of standards remains voluntary, but harmonised standards referenced in the Official Journal can provide a presumption of conformity with the corresponding legal requirements.
There has also been a May 2026 political agreement on simplification measures and a revised high-risk implementation timeline. The Commission says rules for certain Annex III-type high-risk areas would apply from 2 December 2027, while rules for systems integrated into products such as lifts or toys would apply from 2 August 2028. This development should be monitored through the completion and formal adoption of the relevant legislative process rather than treated as settled solely because a political agreement has been announced.
A sustainable assessment suite should therefore record:
- Legal and guidance source
- Source status
- Publication date
- Applicable date
- Source hyperlink
- Last regulatory review
- Template version
- Change impact
- Required reassessment
This allows the assessment content to evolve without losing the evidence supporting earlier decisions.
A Practical EU AI Act Readiness Check
Before treating the organisation as ready, I would ask the following questions:
- Do we maintain a reliable inventory of our AI systems and models?
- Do we know their intended purpose and actual use?
- Have we determined whether the EU AI Act applies?
- Do we know which regulatory role we perform for each system?
- Have we screened for prohibited AI practices?
- Have we documented each risk-classification decision?
- Have we identified relevant transparency requirements?
- Have we separated provider, deployer and general-purpose AI obligations?
- Have we provided appropriate, role-based AI literacy?
- Are human-oversight arrangements meaningful and workable?
- Can we identify the controls supporting each material requirement?
- Is the evidence linked to the assessment?
- Are gaps assigned to accountable owners?
- Are remediation and retesting documented?
- Can we explain the complete assessment trail to an independent reviewer?
If the answer to several of these questions is no, the immediate priority may not be a lengthy legal checklist.
It may be to establish the inventory, role determination and classification process that tells the organisation what needs to be assessed.
Conclusion — Turn the Regulation into a Practical Assessment Pathway
The EU AI Act is extensive, but the assessment process need not begin with all requirements presented at once.
It should begin with the system.
Identify what the organisation develops, supplies or uses.
Determine whether the Regulation applies.
Establish the organisation’s role.
Screen for prohibited practices.
Classify the risk.
Activate the relevant assessment.
Then move systematically through the applicable requirements, controls, evidence, findings and remediation.
That approach is more proportionate, easier to explain and more useful to corporate entities and compliance service providers.
It also supports the central NORVA Solutions compliance assessment question:
Are we meeting the requirements that apply to us?
For EU AI Act compliance, the final words are especially important:
That apply to us.
The objective is not to answer every question that could possibly be asked about artificial intelligence.
The objective is to identify the organisation’s AI systems, understand their roles, assess the applicable requirements to an appropriate depth, and retain the evidence needed to support the result.
If it applies, assess it. If you rely on it, prove it.
A Practical, Structured Way to Assess EU AI Act Compliance
The planned EU AI Act assessment suite within the NORVA Solutions Compliance Assessment Toolkit is intended to help corporate entities and compliance service providers move from AI inventory and classification to evidence-based assessment, remediation and review.
The suite is being structured to help users:
- Identify relevant AI systems and models
- Determine applicable roles
- Classify prohibited, high-risk, transparency and general-purpose AI requirements
- Assess only the controls that apply
- Keep source requirements and evidence close to the assessment
- Record gaps and remediation clearly
- Produce a more consistent and defensible assessment trail
The aim is practical:
Make EU AI Act compliance assessment easier to start, easier to complete, easier to evidence and easier to review.
Source and Regulatory Status Note
This article is intended to provide general, practical information about structuring an EU AI Act compliance assessment. It is not legal advice.
The principal regulatory and implementation references considered include:
- Official text of Regulation (EU) 2024/1689
- European Commission overview of the AI Act
- Commission guidance page for high-risk AI classification
- European Commission information on AI literacy
- European Commission information on AI Act standardisation
- European Commission information on general-purpose AI obligations
- General-Purpose AI Code of Practice.