Verifiable governance · not declared

Governing AI isn't a document. It's a system you can verify.

Policy, register, human oversight, evidence. Every rule we write leaves a trace an auditor — or you — can check. No facade seals.

Governance is what makes AI usable without fear.

01 · Why govern

Without direction, AI isn't an abstract risk. It's a cost that matures.

Tools used untracked, company data in the hands of unapproved services, outputs never verified. This is shadow AI: when it matters — an audit, an incident, a client — your word isn't enough.

  • Outputs used without review → errors no one traces.
  • Company data in unapproved tools → shadow AI.
  • AI Act obligations ignored → exposure to penalties.
  • No evidence → in a check, you can prove nothing.

The AI Act provides for penalties up to €35 million or 7% of worldwide annual turnover for prohibited practices (art. 5); for other obligations penalties reach up to €15 million or 3% (art. 99). SMEs are subject to the lower of the two amounts.

Reg. (EU) 2024/1689, arts. 5 and 99 · Law No. 132 of 23 September 2025

02 · What governing means

Not a slogan. Five concrete pillars.

Compliant · AI Act art. 26

"Governing AI" stays an abstraction until it takes a verifiable shape. Here are the five pillars we build on — each with its anchor in the AI Act.

01 · Register

Register of systems

Every AI system used in the company, recorded: purpose, owner, data, risk. Including shadow AI.

art. 26

02 · Risk

Risk classification

Every use placed in its AI Act category, from prohibited uses to minimal risk, with the obligations that follow.

arts. 5, 6, 50

03 · People

Human oversight

A competent person oversees high-risk systems. AI proposes, the human decides.

art. 14

04 · Rules

Policy & roles

Who can use what, with which data, within which limits. Written and assigned, not implicit.

art. 26

05 · Evidence

Evidence & logs

Every decision leaves a trace that is kept: logs retained for at least six months, ready for a check.

art. 26, para. 6

03 · How we make it verifiable

Every control we write produces a proof you can verify.

In short: a rule doesn't stay on paper. It's applied in the process, leaves a logged piece of evidence and hands over to a person when a check is needed.

Rule

Definedwritten, not implicit

Application

In the processwhere work happens

Evidence

Loggedtraced and retained

Oversight

The person decides

The verification chain

Six steps, from the rule to audit readiness. Tap a step to see what it leaves behind.

  1. The usage rule, in writing.

    What it leaves: a written policy and assigned roles — not rules implicit in people's heads.

  2. The risk of each system.

    What it leaves: each system placed on prohibited / high-risk / transparency / minimal, with the obligations that follow (arts. 5, 6, 50).

  3. The system in the register.

    What it leaves: an entry in the systems register with purpose, owner, data and revision date (art. 26).

  4. With a competent person.

    What it leaves: defined human-oversight points on high-risk systems. AI proposes, the person decides (art. 14).

  5. The evidence, over time.

    What it leaves: logs retained for at least six months, ready for a check (art. 26, para. 6).

  6. Ready for readiness and audits.

    What it leaves: documentation and controls aligned, ready for an ISO/IEC 42001 readiness or an audit.

Why this concerns you even if you don't "develop" AI: anyone who uses an AI system in the course of their professional activity is a deployer. For high-risk systems, the deployer has specific obligations — including human oversight and log retention (art. 26).

Reg. (EU) 2024/1689, arts. 14, 26 and 50

04 · AI Act & ISO 42001, no myths

What's law, what's voluntary, what we don't do.

Citable sources

The AI Act classifies systems into four levels: prohibited (art. 5), high-risk (art. 6 and Annex III), transparency obligations (art. 50) and minimal risk. We identify where your system sits and which obligations follow.

  • Prohibited · art. 5
  • High-risk · art. 6, Annex III
  • Transparency · art. 50
  • Minimal risk

Reg. (EU) 2024/1689, arts. 5, 6, 50 and Annex III

Following the Digital Omnibus (adopted by the EU Council on 29 June 2026), obligations for high-risk systems apply from 2 December 2027 (stand-alone systems, Annex III) and from 2 August 2028 (AI embedded in regulated products, Annex I).

Digital Omnibus, EU Council, 29 June 2026 · dates "from", framework evolving

Myth vs reality

The myth

  • "The AI Act only concerns those who develop AI."
  • "You certify us for ISO 42001 yourselves."
  • "One document and we're fine."

The reality

  • It concerns those who use it too: you're a deployer (art. 26).
  • No. Only an accredited body certifies it: we prepare the readiness.
  • You need a system with evidence maintained over time.

On ISO/IEC 42001 we're blunt — and it's a proof of seriousness, not a limit.

ISO/IEC 42001:2023 · voluntary standard, complementary to the AI Act

05 · Governance in action

What governance done well looks like.

Illustrative example

An extract — simplified — of how the systems register we build with you looks: each system, its risk, the active controls.

Extract of the AI systems register 4 systems · tracked
Email assistant (drafts)Limited risk
Sales lead scoringHigh risk
Document classifierMinimal risk
Website chatbotTransparency · art. 50
Active controls
  • Human oversight on the high-risk system (art. 14).
  • Logs retained for at least six months (art. 26, para. 6).
  • Workers informed about the use of AI.
Next step

Define the real scope with an AI Entry Assessment. Govern

Illustrative example — real client data never appears on this site

06 · Proportionate governance

Rules tailored to an SME. Not to a multinational.

Governance shouldn't weigh more than the problem it solves. We calibrate it to your reality — and to the only obligations that actually apply to you.

Proportionate

Only the obligations that really apply to you: first we understand which, then we act.

Modular

You start with an assessment and grow only if you see value. No corporate setup imposed.

No lock-in

No mandated software: we govern what you already use, with technological neutrality.

Transferable

The team stays autonomous: governance mustn't depend on us to keep working.

The first step

Want to know which obligations actually apply to you?

The starting point is the AI Entry Assessment: mapping of systems, gap analysis against the AI Act and ISO/IEC 42001, prioritised roadmap. From there, every rule will have its proof.