Governance & Compliance

EU AI Act & ISO 42001 Compliance. Prove your AI is governed.

The EU AI Act is enforceable, and high-risk obligations apply from August 2026. We classify every AI system you run, close the gaps against the Act and ISO 42001, and build the evidence trail your regulators and your Board expect.

Why now

AI rolled out faster than the governance around it. The EU AI Act is now enforceable, high-risk obligations apply from August 2026, and penalties reach 35 million euros or 7 percent of global turnover.

A compliance program gives you a clear inventory of every model and Agent in use, a defensible risk classification for each one, and the documentation that proves control. ISO 42001 provides the management system that holds it together, so the work becomes a repeatable operation your auditors and your Board can follow.

The risk tiers

The Act classifies every AI system by risk

Obligations follow the tier. The first step in any program is an honest classification of each system you run, because that decides what you owe.

Unacceptable risk: Prohibited

Banned outright. Social scoring, manipulative or exploitative systems, and most untargeted biometric surveillance.

High risk: Strict obligations

Allowed with conditions. Hiring, credit, education, critical infrastructure, and biometric identification. Requires risk management, data governance, documentation, human oversight, and conformity assessment.

Limited risk: Transparency

Allowed with disclosure. Chatbots and generative content. Users must be told they are interacting with AI, and AI-generated media must be labeled.

Minimal risk: Voluntary

Allowed freely. Spam filters, recommendations, and most everyday AI. No mandatory obligations, with voluntary codes of conduct encouraged.

Summary of the EU AI Act risk categories for orientation. Exact classification of your systems is confirmed during the engagement.

The clock

The obligations arrive in stages

The Act phases in over several years. The milestone in front of most teams now is the high-risk obligation date in August 2026.

Feb 2025: Prohibited AI practices banned
Aug 2025: General-purpose AI model obligations apply
Aug 2026: High-risk AI obligations apply
Aug 2027: High-risk AI in regulated products follows

How the pieces fit

The law, the management system, the control framework

Three things work together. The Act sets the obligations, ISO 42001 gives you the operating system to meet them, and NIST AI RMF supplies the practical controls.

The law

EU AI Act

Risk-based obligations with hard deadlines and penalties reaching 35 million euros or 7 percent of global turnover. It defines what you must do and by when.

The management system

ISO/IEC 42001

A certifiable AI management system that turns responsible AI into a repeatable operation and produces the evidence auditors accept.

The control framework

NIST AI RMF

A practical structure for mapping, measuring, and managing AI risk across the lifecycle, used to ground the day-to-day controls.

What we deliver

From inventory to audit-ready evidence

Saint Fox runs the program end to end, with Principal Engineers owning the technical work and status reported to your Board.

AI system inventory

A complete register of every model, Agent, and prompt in use, including the shadow AI that never went through review.

Risk classification

A defensible tier for each system under the Act, with the reasoning documented so it holds up to a regulator's question.

Gap assessment

Your current state mapped against the Act and ISO 42001, with a prioritized plan to close each gap that matters.

Human oversight design

Oversight and intervention controls built into each high-risk system, so a person can review and step in where the Act requires it.

Conformity and evidence

Technical documentation, records, and the evidence pack that supports conformity assessment and ISO 42001 certification.

Ongoing monitoring

Continuous oversight of new and changed systems, with re-classification and refreshed evidence as your AI estate grows.

How it works

A defined path to a defensible position

A structured program that takes you from an unknown AI estate to a classified, documented, and monitored one.

01 Inventory

Discover every model, Agent, and prompt in use across the business, including shadow AI.

02 Classify

Place each system in its risk tier under the Act, with documented reasoning.

03 Close gaps

Implement the controls each tier requires, mapped to ISO 42001 and NIST AI RMF.

04 Evidence

Assemble the documentation and records that prove conformity and support certification.

05 Monitor

Keep the register current and re-attest as systems change and new ones ship.

Part of the loop

Where this sits in VIGILE

Governed AI

Identify the estate, Validate it against the Act

This program runs through the Identify and Validate motions of VIGILE, discovering every AI system and proving it meets the Act. It pairs with the AI Governance solution, which governs models, Agents, and prompts as they run.


FAQ

Top 10 frequently asked questions

It can. The Act reaches providers and deployers whose AI output is used in the EU, regardless of where the company sits. If you serve EU customers or your systems touch the EU market, you should assume it applies and classify accordingly. We confirm scope at the start of the engagement.

ISO 42001 is a recognized AI management system standard that demonstrates responsible AI in a structured, auditable way. The Act is the legal obligation, and ISO 42001 is the operating system most teams use to meet and evidence it. Running them together gives you both the compliance position and a certification you can show.

High-risk uses include AI in hiring and worker management, credit and essential services, education, critical infrastructure, law enforcement, and biometric identification. These carry obligations for risk management, data governance, technical documentation, human oversight, accuracy, and conformity assessment. The classification is the first thing we establish for each system.

Responsibility is shared along the chain. Model providers carry their own obligations, and you remain the deployer of the systems you put into use. We map who owns what for each system, so the duties that fall to you are clear and covered from the start.

It depends on the size of your AI estate and how much governance exists today. Inventory and classification produce an early, usable picture, then gap closure and evidence follow. If you have an August 2026 obligation in view, we work back from it and prioritize the high-risk systems first. Timelines are confirmed at scoping.

Compliance is the regulatory layer of AI Governance. The inventory and classification feed the governance program, and the runtime guardrails from AI Governance generate evidence the compliance program uses. We run them as one operation so the same work serves the regulator, the auditor, and the security team.

The Act provides for fines up to a percentage of global annual turnover, tiered by the severity of the violation, with prohibited-practice violations at the top. The readiness program is designed so you never test those tiers.

Inventory your AI systems, classify each against the risk tiers, and put governance around the high-risk ones. Obligations phase in on a published timeline, and discovery is the step that everything else waits on.

Mostly no. Compliance is primarily inventory, classification, documentation, and controls. Where you run AI Governance with us, the same living inventory produces the Act's documentation as a byproduct.

Identify builds the system inventory, Guard implements the required controls, Implement keeps the documentation current, and Enhance turns it into Board and regulator evidence.

EU AI Act & ISO 42001 datasheet

The four risk tiers with their obligations, the enforcement timeline, the classification method, the law-system-framework architecture, and the evidence pack that conformity rests on.

Get ahead of the August 2026 deadline

Book a session with a Principal Engineer. We inventory your AI estate, classify the high-risk systems, and map the fastest path to a defensible position.