AI governance & EU AI Act readiness
The EU AI Act gets teeth
in August 2026. Be ready.
High-risk AI obligations become enforceable next month, with penalties up to €35M or 7% of global turnover — and the Act reaches UK companies whose AI touches the EU market. We inventory and classify your AI systems, close the gaps, and implement governance as working software: documentation, human oversight, logging, evidence.
Hard deadline
High-risk obligations enforceable August 2026. Complex systems need months of lead time — the window is closing.
Reaches UK firms
Extraterritorial scope: sell into the EU, or have your AI's output used there, and obligations can apply.
Shadow AI is exposure
Most organisations can't list the AI already in use across teams and vendors. You can't govern an unknown inventory.
Engineers, not just advisors
We implement controls as working software — oversight checkpoints, logging, kill switches — not shelf-ware policy.
Risk classification
Every AI system classified, every tier with proportionate controls
Uniform governance is expensive; missing governance on the wrong system is worse. We score each system on autonomy, data sensitivity and reversibility of its actions, map it to EU AI Act categories, and apply controls proportionate to the tier.
| Tier | Typical systems | Governance intensity |
|---|---|---|
| Tier 1 — Low | Internal assistants on non-sensitive data; reversible, human-reviewed outputs | Inventory entry, named owner, standard logging, periodic review |
| Tier 2 — Medium | Personal data in scope, or some irreversible actions; limited external exposure | Pre-deployment gate, human checkpoint on consequential actions, monthly review |
| Tier 3 — High | Customer-facing decisions; regulated data; automated actions that are hard to reverse | Full control stack: model card, bias testing, oversight procedures, kill switch, senior sign-off |
| Tier 4 — Critical | EU AI Act Annex III territory: employment, credit, essential services, safety | Conformity assessment, board-level acceptance, binding ethics review, continuous monitoring |
What we implement
Governance as working software
Inventory & model cards
A live register of every AI system, and a model card per production model: purpose, training data provenance, performance, limitations, oversight requirements.
Human oversight
Confidence-threshold escalation, review queues for consequential decisions, documented override procedures, and kill switches with rule-based fallbacks.
Logging & evidence
Tamper-evident decision logs with full replayability. When an auditor or regulator asks, the answer is a query — not a documentation scramble.
Lifecycle gates
Five decision gates from use-case approval to operational acceptance, so no model reaches production without validation, bias testing and sign-off.
Engagement options
Assess, implement, stay current
Readiness assessment
2 weeks · fixed fee
- AI system inventory incl. vendor & shadow AI
- Risk classification per system
- EU AI Act gap analysis for your role(s)
- 90-day remediation roadmap, prioritised
- Deliverables yours to keep
Controls implementation
scoped fixed-fee
- Model cards & technical documentation
- Human oversight & override workflows in your systems
- Decision logging with replay capability
- Incident response playbooks & severity taxonomy
- Staff training on governance operations
Governance retainer
quarterly or monthly
- Regulatory horizon scanning (EU AI Act guidance, UK developments)
- Quarterly governance health checks
- Model card & classification reviews
- Priority support on AI incidents
- Audit preparation support
FAQ
Common questions
- Does the EU AI Act apply to us if we are a UK company?
- Quite possibly. The Act has extraterritorial scope: if your AI system is placed on the EU market, or its output is used in the EU, provider or deployer obligations can apply regardless of where you are based. Part of the readiness assessment is establishing exactly which of your systems fall in scope and in which role — provider, deployer, importer or distributor.
- What happens in August 2026?
- The EU AI Act’s obligations for high-risk AI systems become enforceable in August 2026, with penalties for non-compliance reaching €35 million or 7% of global annual turnover for the most serious violations. Prohibited-practice and AI-literacy provisions are already in force; August is when the heavy operational requirements — risk management, technical documentation, human oversight, logging, conformity assessment — start to bite.
- We only use AI through vendors (ChatGPT, Copilot, embedded features). Is that our problem?
- Partly, yes. Deployers of high-risk AI systems have their own obligations — human oversight, input-data relevance, monitoring, and record-keeping. And "shadow AI" (staff using tools without approval) is a real exposure: you can’t govern what you haven’t inventoried. The assessment starts with exactly that inventory.
- What does the two-week readiness assessment produce?
- Three deliverables: an AI system inventory with each system risk-classified (using EU AI Act tiers plus autonomy, data sensitivity and reversibility scoring); a gap analysis against the obligations that apply to you; and a prioritised 90-day remediation roadmap with effort estimates. Fixed fee, and the deliverables are yours regardless of whether we implement.
- Can you implement the controls, not just assess them?
- Yes — that’s the point of being an engineering firm rather than a pure advisory. We implement model documentation, human-in-the-loop checkpoints, kill-switch fallbacks, decision logging and evidence collection as working software in your systems. Policies without technical enforcement don’t survive an audit.
- Is this only relevant for "high-risk" AI?
- No. Even minimal-risk systems benefit from an inventory, documented ownership and basic monitoring — and classification itself is the exercise that tells you whether you have high-risk exposure. Many clients discover that one workflow (e.g. CV screening, credit decisions, safety monitoring) quietly crossed into high-risk territory.
Find out where you stand — in two weeks
Tell us roughly what AI you use or build and which markets you serve. We'll reply with whether the assessment makes sense for you and a fixed price — usually the same day.