Service
AI policy and AI Act compliance
In many companies employees already use AI, just without rules and without management knowing. We set it up so that AI is under control, not in a grey area.
- ISO/IEC 27001
- 3000+ workstations
- Since 2017
The AI Act applies in stages, and GDPR has applied for a long time. We put the use of AI tools in your company in order: who, for what and under what rules, so that the benefit does not turn into a risk of a leak or a fine.
Scope of AI governance
Documents and mechanisms that turn chaotic AI use into a controlled process.
-
AI usage policy
One clear document for the whole company: what is allowed, what is not and what data may be entered into AI tools. No legal jargon.
-
Risk-based classification of use cases
We assign specific use cases to the risk levels from the AI Act. It is clear what is allowed straight away, what needs oversight and what is prohibited.
-
Compliance with the AI Act and GDPR
We review tools and processes against the AI Act and the processing of personal data. We document the grounds so the company is ready for questions from an inspection.
-
Oversight and roles
We establish who in the company is responsible for AI, how new tools are reported and how reviews look. Responsibility has a name.
-
Register of AI systems
A list of AI tools and use cases used in the company together with a risk assessment. A starting point for audits and purchasing decisions.
AI is already in your company, you just do not know it
Banning AI does not work, because employees paste data into free tools from private accounts anyway, to finish a task faster. The problem is that along with the text, client data, offers and fragments of contracts go there too, over which the company loses control. This is exactly the grey area that is not visible in any system.
An AI policy is created not to forbid, but to set clear boundaries: which tools we use, what data may be entered into them and where the line is that we do not cross. When the rules are simple and known, people follow them, and management knows what is happening to company data.
What a risk-based approach is
The AI Act does not treat all use cases the same. An assistant that summarises meeting notes is a completely different category than a system that rates employees or clients. That is why we do not write one general rule, but classify specific use cases and match the requirements to them.
As a result the company does not needlessly block simple tools, while at the same time catching those use cases that truly require oversight, assessment or complete exclusion. That is the difference between paper compliance and real control.
How we run the project
From finding out what is already happening in the company, to finished documents and implemented rules.
- 2-3 weekstypical time to prepare the policy
- workshopstart from real use cases
- finished documentspolicy, register and risk classification
- GDPR + AI Actcompliance in a single project
- We establish the actual state. We check which AI tools the company already uses and for what. Without that, the policy would be detached from reality.
- We classify and write the rules. We assign use cases to risk levels and write the policy in plain language. The rules should be understandable to every employee, not only to a lawyer.
- We implement and train the team. We hand over the documents, establish roles and explain to the team why the rules make sense. A policy in a drawer protects no one.
- We keep it up to date. The AI Act comes into force in stages, and the tools change. We can come back for a review so the documents keep up with the regulations and practice.
How we bill
We quote this service individually after a short scope analysis.
Let us talk about your project
Answer 2 questions about your company. You will see a simple estimate right away, and we will prepare a full proposal within 24 business hours.
- 2 minutes, no commitment
- You talk to an engineer, not a salesperson
- No spam, one contact about your quote