Skip to main content

AI governance & EU AI Act readiness

The EU AI Act gets teeth
in August 2026. Be ready.

High-risk AI obligations become enforceable next month, with penalties up to €35M or 7% of global turnover — and the Act reaches UK companies whose AI touches the EU market. We inventory and classify your AI systems, close the gaps, and implement governance as working software: documentation, human oversight, logging, evidence.

Hard deadline

High-risk obligations enforceable August 2026. Complex systems need months of lead time — the window is closing.

Reaches UK firms

Extraterritorial scope: sell into the EU, or have your AI's output used there, and obligations can apply.

Shadow AI is exposure

Most organisations can't list the AI already in use across teams and vendors. You can't govern an unknown inventory.

Engineers, not just advisors

We implement controls as working software — oversight checkpoints, logging, kill switches — not shelf-ware policy.

Risk classification

Every AI system classified, every tier with proportionate controls

Uniform governance is expensive; missing governance on the wrong system is worse. We score each system on autonomy, data sensitivity and reversibility of its actions, map it to EU AI Act categories, and apply controls proportionate to the tier.

TierTypical systemsGovernance intensity
Tier 1 — LowInternal assistants on non-sensitive data; reversible, human-reviewed outputsInventory entry, named owner, standard logging, periodic review
Tier 2 — MediumPersonal data in scope, or some irreversible actions; limited external exposurePre-deployment gate, human checkpoint on consequential actions, monthly review
Tier 3 — HighCustomer-facing decisions; regulated data; automated actions that are hard to reverseFull control stack: model card, bias testing, oversight procedures, kill switch, senior sign-off
Tier 4 — CriticalEU AI Act Annex III territory: employment, credit, essential services, safetyConformity assessment, board-level acceptance, binding ethics review, continuous monitoring

What we implement

Governance as working software

Inventory & model cards

A live register of every AI system, and a model card per production model: purpose, training data provenance, performance, limitations, oversight requirements.

Human oversight

Confidence-threshold escalation, review queues for consequential decisions, documented override procedures, and kill switches with rule-based fallbacks.

Logging & evidence

Tamper-evident decision logs with full replayability. When an auditor or regulator asks, the answer is a query — not a documentation scramble.

Lifecycle gates

Five decision gates from use-case approval to operational acceptance, so no model reaches production without validation, bias testing and sign-off.

Engagement options

Assess, implement, stay current

Readiness assessment

2 weeks · fixed fee

  • AI system inventory incl. vendor & shadow AI
  • Risk classification per system
  • EU AI Act gap analysis for your role(s)
  • 90-day remediation roadmap, prioritised
  • Deliverables yours to keep
Enquire
Core engagement

Controls implementation

scoped fixed-fee

  • Model cards & technical documentation
  • Human oversight & override workflows in your systems
  • Decision logging with replay capability
  • Incident response playbooks & severity taxonomy
  • Staff training on governance operations
Enquire

Governance retainer

quarterly or monthly

  • Regulatory horizon scanning (EU AI Act guidance, UK developments)
  • Quarterly governance health checks
  • Model card & classification reviews
  • Priority support on AI incidents
  • Audit preparation support
Enquire

FAQ

Common questions

Does the EU AI Act apply to us if we are a UK company?
Quite possibly. The Act has extraterritorial scope: if your AI system is placed on the EU market, or its output is used in the EU, provider or deployer obligations can apply regardless of where you are based. Part of the readiness assessment is establishing exactly which of your systems fall in scope and in which role — provider, deployer, importer or distributor.
What happens in August 2026?
The EU AI Act’s obligations for high-risk AI systems become enforceable in August 2026, with penalties for non-compliance reaching €35 million or 7% of global annual turnover for the most serious violations. Prohibited-practice and AI-literacy provisions are already in force; August is when the heavy operational requirements — risk management, technical documentation, human oversight, logging, conformity assessment — start to bite.
We only use AI through vendors (ChatGPT, Copilot, embedded features). Is that our problem?
Partly, yes. Deployers of high-risk AI systems have their own obligations — human oversight, input-data relevance, monitoring, and record-keeping. And "shadow AI" (staff using tools without approval) is a real exposure: you can’t govern what you haven’t inventoried. The assessment starts with exactly that inventory.
What does the two-week readiness assessment produce?
Three deliverables: an AI system inventory with each system risk-classified (using EU AI Act tiers plus autonomy, data sensitivity and reversibility scoring); a gap analysis against the obligations that apply to you; and a prioritised 90-day remediation roadmap with effort estimates. Fixed fee, and the deliverables are yours regardless of whether we implement.
Can you implement the controls, not just assess them?
Yes — that’s the point of being an engineering firm rather than a pure advisory. We implement model documentation, human-in-the-loop checkpoints, kill-switch fallbacks, decision logging and evidence collection as working software in your systems. Policies without technical enforcement don’t survive an audit.
Is this only relevant for "high-risk" AI?
No. Even minimal-risk systems benefit from an inventory, documented ownership and basic monitoring — and classification itself is the exercise that tells you whether you have high-risk exposure. Many clients discover that one workflow (e.g. CV screening, credit decisions, safety monitoring) quietly crossed into high-risk territory.

Find out where you stand — in two weeks

Tell us roughly what AI you use or build and which markets you serve. We'll reply with whether the assessment makes sense for you and a fixed price — usually the same day.

AI governance & EU AI Act readiness — assessment to implementation