01 · Register
Register of systems
Every AI system used in the company, recorded: purpose, owner, data, risk. Including shadow AI.
art. 26
Policy, register, human oversight, evidence. Every rule we write leaves a trace an auditor — or you — can check. No facade seals.
Governance is what makes AI usable without fear.
01 · Why govern
Tools used untracked, company data in the hands of unapproved services, outputs never verified. This is shadow AI: when it matters — an audit, an incident, a client — your word isn't enough.
The AI Act provides for penalties up to €35 million or 7% of worldwide annual turnover for prohibited practices (art. 5); for other obligations penalties reach up to €15 million or 3% (art. 99). SMEs are subject to the lower of the two amounts.
Reg. (EU) 2024/1689, arts. 5 and 99 · Law No. 132 of 23 September 2025
02 · What governing means
"Governing AI" stays an abstraction until it takes a verifiable shape. Here are the five pillars we build on — each with its anchor in the AI Act.
01 · Register
Every AI system used in the company, recorded: purpose, owner, data, risk. Including shadow AI.
art. 26
02 · Risk
Every use placed in its AI Act category, from prohibited uses to minimal risk, with the obligations that follow.
arts. 5, 6, 50
03 · People
A competent person oversees high-risk systems. AI proposes, the human decides.
art. 14
04 · Rules
Who can use what, with which data, within which limits. Written and assigned, not implicit.
art. 26
05 · Evidence
Every decision leaves a trace that is kept: logs retained for at least six months, ready for a check.
art. 26, para. 6
03 · How we make it verifiable
In short: a rule doesn't stay on paper. It's applied in the process, leaves a logged piece of evidence and hands over to a person when a check is needed.
Rule
Definedwritten, not implicitApplication
In the processwhere work happensEvidence
Loggedtraced and retainedOversight
The person decidesThe verification chain
Six steps, from the rule to audit readiness. Tap a step to see what it leaves behind.
The usage rule, in writing.
What it leaves: a written policy and assigned roles — not rules implicit in people's heads.
The risk of each system.
What it leaves: each system placed on prohibited / high-risk / transparency / minimal, with the obligations that follow (arts. 5, 6, 50).
The system in the register.
What it leaves: an entry in the systems register with purpose, owner, data and revision date (art. 26).
With a competent person.
What it leaves: defined human-oversight points on high-risk systems. AI proposes, the person decides (art. 14).
The evidence, over time.
What it leaves: logs retained for at least six months, ready for a check (art. 26, para. 6).
Ready for readiness and audits.
What it leaves: documentation and controls aligned, ready for an ISO/IEC 42001 readiness or an audit.
Why this concerns you even if you don't "develop" AI: anyone who uses an AI system in the course of their professional activity is a deployer. For high-risk systems, the deployer has specific obligations — including human oversight and log retention (art. 26).
Reg. (EU) 2024/1689, arts. 14, 26 and 50
04 · AI Act & ISO 42001, no myths
The AI Act classifies systems into four levels: prohibited (art. 5), high-risk (art. 6 and Annex III), transparency obligations (art. 50) and minimal risk. We identify where your system sits and which obligations follow.
Reg. (EU) 2024/1689, arts. 5, 6, 50 and Annex III
Following the Digital Omnibus (adopted by the EU Council on 29 June 2026), obligations for high-risk systems apply from 2 December 2027 (stand-alone systems, Annex III) and from 2 August 2028 (AI embedded in regulated products, Annex I).
Digital Omnibus, EU Council, 29 June 2026 · dates "from", framework evolving
Myth vs reality
On ISO/IEC 42001 we're blunt — and it's a proof of seriousness, not a limit.
ISO/IEC 42001:2023 · voluntary standard, complementary to the AI Act
05 · Governance in action
An extract — simplified — of how the systems register we build with you looks: each system, its risk, the active controls.
Define the real scope with an AI Entry Assessment. Govern
Illustrative example — real client data never appears on this site
06 · Proportionate governance
Governance shouldn't weigh more than the problem it solves. We calibrate it to your reality — and to the only obligations that actually apply to you.
Only the obligations that really apply to you: first we understand which, then we act.
You start with an assessment and grow only if you see value. No corporate setup imposed.
No mandated software: we govern what you already use, with technological neutrality.
The team stays autonomous: governance mustn't depend on us to keep working.
The first step
The starting point is the AI Entry Assessment: mapping of systems, gap analysis against the AI Act and ISO/IEC 42001, prioritised roadmap. From there, every rule will have its proof.