Become a partner
DE EN
NADOVO

AI Compliance in Four Weeks

Someone in your company is feeding an AI data that should never leave the building. AI compliance doesn't start with the lawyer, it starts with visibility - four weeks to your own AI register.

Best Practices

AI Compliance in Four Weeks AI-generated

Someone in your company is feeding an AI data that should never leave the building. Right now.

Not in theory. Now.

A quote in ChatGPT, customer names and prices included. An employment contract in the translation tool, salary included. Code in the AI assistant, business logic included. Nobody ordered it. Nobody knows about it.

This isn’t a question for the future. This is your Tuesday morning.

You don’t have a compliance problem. You have a visibility problem.

The reflex with AI compliance is to call the lawyers. Wrong. At least not first.

You can’t assess a risk you can’t see. You can’t meet an obligation for a system nobody knows is running. Compliance doesn’t begin with the legal text. It begins with an inventory.

And that inventory almost always turns out sobering. Companies drastically underestimate their own AI landscape. Standard software gains AI features through an update, without notice. Microsoft 365 with Copilot. The CRM with lead scoring. Accounting with automatic receipt capture. Anyone using these is, in the sense of the EU AI Act, the deployer of an AI system. Even without knowing it.

What the law says, and what already applies

The EU AI Act has been in force since 1 August 2024. The world’s first comprehensive AI regulation. It applies to every company that uses AI in the EU, even if the provider is based in the US.

Much of it phases in gradually. Some of it applies today.

Since February 2025, certain AI practices have been completely banned, such as social scoring or emotion recognition in the workplace. Since the same day, Article 4 requires AI literacy: anyone who operates or supervises AI must understand what they are doing. Not a thing of the future. Applicable law.

The heavy weight follows on 2 December 2027. That’s when the full obligations for high-risk systems take effect: risk management, documentation, human oversight, reporting duties. The EU’s Digital Omnibus package pushed this deadline back from the original August 2026. More time, not less obligation.

The penalties carry weight. Up to 35 million euros or 7 percent of global annual turnover for prohibited practices. Up to 15 million or 3 percent for other violations. Sums that hit mid-sized companies too.

For most SMEs the rule is: you buy AI in rather than build it. That makes you a deployer. The obligations are manageable, but they exist.

Four risk classes, and the use case decides

The AI Act doesn’t treat every AI the same. It sorts by risk, in four tiers.

Unacceptable means banned. Social scoring. Systems that manipulate people unnoticed. Emotion recognition in the workplace. Anyone deploying something like this is already acting unlawfully today.

High means strictly regulated, and this is where it gets concrete for mid-sized companies. An AI that pre-sorts job applications falls under Annex III, the employment area. An AI that helps decide creditworthiness does too, the essential services area. Such systems require human oversight, documentation and traceable processes.

Limited means a transparency obligation. A chatbot must disclose that it is not human. AI-generated content must be identifiable.

Minimal means free. Spam filters, spell check, a draft text for marketing. No special obligations, apart from AI literacy.

The decisive point is between the lines. It’s not the tool that determines the class, but the use. The same language model is minimal in marketing and high-risk in candidate selection. One tool, two worlds.

Shadow AI isn’t on any software list

The official AI is the smaller problem. The bigger one sits at the desks.

Employees use AI tools the IT department knows nothing about. Personal data and trade secrets leave the company. No legal basis. No contract. No documentation. This isn’t only a breach of the EU AI Act, but first and foremost a solid GDPR problem.

We know shadow IT from the 2010s. Shadow AI follows the same pattern, with one difference: these tools generate content, prepare decisions and send data to external models. A different order of magnitude.

Waiting is the most expensive strategy

The most common reaction is to do nothing. The big deadlines only hit in 2027, so there’s time. A fallacy. Two obligations already apply today, and anyone who doesn’t know what’s running in the building may already be in breach. Without suspecting it.

The other escape routes are no better. Solving everything at once leads to gridlock. Loading the topic onto the data protection officer on the side underestimates it. Buying a tool before it’s clear what it should manage is just activism.

It doesn’t take a major project. It takes a stocktake. Four weeks are enough.

Four weeks to your own AI register

Nobody is fully compliant after four weeks. That’s not the goal. The goal is visibility, the basis for everything else. Four to eight hours per week are enough.

Week 1: the inventory. Go through the IT landscape, survey the departments, check cloud services. A table with system, provider, area of use, personal data. Eighty percent covered beats a hundred percent planned.

Week 2: the role. One question per system. Built in-house or bought in? In nine out of ten cases the answer is “bought in”. That makes you a deployer. Good news, because the deployer obligations are manageable.

Week 3: the risk. Here the principle from above applies, the use determines the class, not the tool. The NADOVO core formula makes it operational: asset plus area of application gives the AI process, and that determines the risk class. Every use case is assessed individually, against prohibitions, high-risk areas and transparency obligations.

Week 4: consolidate. The inventory becomes the AI register. High-risk systems first. Implement the first quick wins, such as a chatbot notice or an AI usage policy. Appoint a responsible person.

After four weeks you know what you deploy, in which role, with which risk. More than most companies have ever documented.

First aid right at this beginning

Sounds simple. Still fails in practice. An Excel table is outdated the moment the next tool is introduced.

This is where the NADOVO platform comes in. It makes the DISCOVER phase manageable: capture AI systems and shadow AI, map them to the use case, transfer them into a living AI register. One that grows with you instead of going stale.

If you need support with assessment and implementation, you’ll find it in our AI compliance consulting. Structured into three to eight weeks, from the stocktake to the implemented measure. For ongoing governance, an external AI compliance officer takes on the role.

Obligation becomes advantage

AI compliance isn’t only a burden. Customers, partners and public-sector clients ask how you handle AI. Those who answer credibly win in tenders and audits. Demonstrable AI governance becomes a quality mark, just as GDPR compliance has long been.

The hurdle is lower than many believe. Anyone who has mastered the GDPR also has the maturity for the EU AI Act. Use the existing infrastructure as a springboard instead of starting from scratch in parallel.

One question remains. It’s uncomfortable. Could you, in the next hour, list every AI system in your company? If not, your AI compliance starts right there. Our quick check gives you a first impression of where you stand.

We provide the full practical guide with all the steps and the detailed roadmap as a download. The fundamentals are covered in more depth in our article on what companies need to know now.


About the author

Jochen Stier is a co-founder of NADOVO with over 20 years of experience in process management and IT service management. He helps German SMEs implement the requirements of the EU AI Act systematically and pragmatically. His 5-phase NADOVO framework combines regulatory requirements with practical feasibility, without enterprise budgets or complex tools.

Further reading:


← Back to blog

© 2026 CONTORO SOLUTIONS OÜ. All rights reserved.
NADOVO - nadovo.ai