Is your AI system high-risk under the EU AI Act? How to find out
The EU AI Act's Annex III lists 8 categories of high-risk AI. Most AI teams don't know whether their system is in scope. Here's how to determine your risk tier — and what it means for what you need to build.
An AI Risk Disposition that holds up in regulator review
Most AI risk dispositions are written for internal approval, not external scrutiny. When a regulator or auditor asks for the record, they look for different things — here is what must be in the disposition to hold up.
EU AI Act Article 9 risk management — what evidence is required
Article 9 of the EU AI Act requires a risk management system for high-risk AI. This piece translates each of its six requirements into specific evidence artefacts — what an auditor will ask for, and the gaps that appear most often when organisations try to produce it.
Mapping AI security review evidence to EU AI Act articles
Every AI security review produces evidence. This piece maps that evidence to the EU AI Act articles it satisfies, so organisations can trace from their review records to their compliance obligations without rebuilding the evidence from scratch.
Running RAG over regulated data — the review checklist
RAG over GDPR-regulated, HIPAA-regulated, or financial data requires controls at the data layer, the retrieval layer, and the output layer. This checklist maps the requirements by data class and the evidence an AI security review must produce.
The EU AI Act timeline and what to prepare first
The EU AI Act applies in phases. Different provisions came into effect at different dates, and the obligations for high-risk systems differ from those for GPAI. This piece maps the timeline and the preparation steps that deliver the most value first.
Reviewing how an AI vendor handles your data
What happens to the data you send to an AI vendor? Is it used for training? Who can access it? Where is it stored? These questions are not always answered in the DPA. This piece defines the data-handling review for AI vendors.
General-purpose AI obligations under the EU AI Act
The GPAI provisions of the EU AI Act introduce obligations for foundation model providers. This piece explains what GPAI means, which obligations apply, and what deployers of GPAI-powered systems need to understand.
EU AI Act obligations for deployers (not just providers)
Most EU AI Act coverage focuses on providers — organisations that develop or place AI systems on the market. But deployers — organisations that use AI systems for their own purposes — have significant obligations of their own.
PII leakage through RAG retrieval
RAG pipelines built over internal document corpora frequently contain personal data that was never intended to be queryable by the model. PII leakage through retrieval is the most common data-protection issue we encounter in RAG security reviews.
EU AI Act vs GDPR — where they overlap for AI systems
The EU AI Act and GDPR overlap significantly for AI systems that process personal data. This piece maps the overlap, explains where the obligations are additive rather than duplicative, and identifies the review artefacts that satisfy both.
AI subprocessor risk in your vendor chain
When a vendor's AI feature is powered by a third-party model provider, the model provider is an AI subprocessor. The data that passes through the model may be subject to additional retention, training, or transfer rules that the original DPA did not contemplate.
The technical documentation the EU AI Act expects
The EU AI Act requires technical documentation before a high-risk AI system is placed on the market. This piece breaks down what Annex IV requires, what it means in practice, and the gaps that appear most often in documentation we have reviewed.
Running a DPIA for an AI system
A Data Protection Impact Assessment for an AI system has requirements that standard DPIA templates do not address: model training data, inference data flows, automated decision-making obligations, and re-assessment triggers. This piece fills the gaps.
High-risk AI obligations under the EU AI Act
High-risk AI systems under the EU AI Act face a set of specific obligations: risk management, technical documentation, data governance, transparency, human oversight, and accuracy. This piece maps each obligation to the evidence that satisfies it.
A DPO's guide to AI systems in the organisation
Data Protection Officers are increasingly asked to sign off on AI systems. This guide maps the data-protection risks specific to AI — training data, inference data, model outputs, and retention — and the review questions a DPO should ask.
Building an EU AI Act system inventory
The EU AI Act requires organisations to know which AI systems they deploy and which tier each one falls into. Building that inventory is harder than it sounds when AI is embedded in SaaS, vendor products, and internal tooling.
EU AI Act risk tiers, explained for engineers
The EU AI Act classifies AI systems into four risk tiers: unacceptable, high, limited, and minimal. The classification determines the obligations. This piece explains how to classify a system and what each tier requires.