The EU AI Act is a population-first law. You classify each system, document the high-risk ones, and meet the obligations that follow. All of it depends on knowing what you have. Most organisations write an AI policy before they have measured the population it applies to, which is exactly backwards.
AI entered through dozens of doors at once (vendor features, shadow pilots, embedded models), faster than any central register could track. Teams write a policy first, but the policy describes a population they have never actually measured.
Without classification, no one knows which systems are high-risk. Risk ratings are duplicated and conflict with each other. An audit in any jurisdiction surfaces the inconsistencies. Decisions get blocked because no one can evidence what a system actually does.
EU AI Act penalties reach the higher of EUR 35m or 7 percent of global turnover for the most serious breaches. Beyond fines: deployment freezes, a deindexed AI roadmap, and an emergency remediation that costs three to five times what doing it early would have.
A spreadsheet AI register is where everyone starts, and it works for about a week. Then it goes stale, owners disagree on entries, and embedded vendor AI is missed (institutions typically overestimate completeness by 30 to 50 percent); there is no classification logic, no evidence trail, and no link to the obligations each entry triggers. A static list is not governance.
Inventory before policy. A repeatable discovery sweep across business units, a single classification method tied to the AI Act risk tiers, an owned register with evidence per system, and an operating model (AI risk committee, attestation, reviewer rota) so it stays current rather than decaying within two quarters.
We run a partner-led 14-week programme: build the complete inventory, classify every system against Article 6 with the business in the room, remediate the top high-risk systems in parallel, and stand up the operating model. You receive an audit pack structured for a notified body, not a spreadsheet.
The inventory, not the policy. The policy describes how you intend to act on a population you have not yet measured, which is why we always build the inventory first.
Rarely complete. Institutions overestimate completeness by 30 to 50 percent; the embedded vendor AI is what gets missed, and it is often the highest-risk category.
A 14-week working plan for a mid-sized estate, with a compressed nine-week variant where senior sponsorship and budget are already secured.
Yes. We build one internal control catalogue and map it to the EU AI Act, the NIST AI RMF and ISO 42001 at once, so you run one governance function rather than three.