Ready to see the process in action?
Book a free 20-minute discovery call. We will walk you through exactly what the assessment would cover for your organisation.
How It Works
Simple, structured, and finished in five days.
Here is exactly what happens from the moment you contact us to the moment you receive your report.
-
Duration: 20 minutes
What happens
We have a brief conversation to understand your organisation, what AI tools you use, and what concerns or questions you have. We confirm whether an assessment is the right fit. You ask us anything. If we proceed, we agree on scope and confirm the start date.
What we need from you
Nothing in advance. Just a 20-minute slot in your calendar.
-
Duration: 60-minute call
What happens
We conduct a structured scoping call with the relevant people in your organisation — typically IT, legal, and one business lead. We define the systems in scope, agree on a point of contact, and collect any available documents such as existing policies, vendor contracts, and tool lists.
What we need from you
A list of AI tools in use if one exists, any existing AI or data governance policies, and availability of 2–3 stakeholders for short interviews.
-
Duration: 3 working days
What happens
We conduct the full assessment independently. This includes document review, short stakeholder interviews (30 minutes each, conducted remotely), regulatory mapping, and — for the Security Deep-Dive tier — technical review of AI systems and APIs. We do not require extended access to your team during this phase.
What we need from you
Availability for short interviews (scheduled in advance). Access to relevant documents via secure file sharing. For the Security Deep-Dive: read-only access to API configurations where applicable.
-
Duration: Report delivered by end of day + 30-minute call
What happens
You receive the full written report in PDF format. We then hold a 30-minute briefing call with your leadership or compliance team to walk through findings, answer questions, and confirm ownership of each action item.
What we need from you
A 30-minute slot for key stakeholders. The report is yours to keep, share internally, and act on.
The deliverable
What the report looks like
A professional, confidential PDF — typically 20–35 pages depending on scope. Six structured sections, every finding tied to a specific action and risk rating.
-
Executive Summary
Overall AI readiness rating with key findings at a glance.
-
AI System Inventory
Complete register of AI tools with EU AI Act risk classification for each.
-
Regulatory Gap Analysis
Obligations identified, articles cited, gaps mapped.
-
Risk Assessment
Findings by domain — legal, data governance, vendor, policy.
-
Security Findings
Deep-Dive tier only: vulnerabilities, attack surface, technical recommendations.
-
Prioritised Action Plan
Immediate, 30-day, and 90-day actions — each with an owner and risk rating.
Common questions
Before you reach out
- Do we need to give you access to our systems?
- For the standard assessment, no. We work from documents, interviews, and publicly available information about your AI tools. For the Security Deep-Dive, we may request read-only access to specific API configurations — agreed in advance and nothing is accessed without explicit written permission.
- How much of our team's time does this require?
- Minimal. Beyond the two calls (scoping and briefing), we typically need 30 minutes each from 2–3 people for structured interviews. Total time commitment from your side is approximately 3–4 hours across the full engagement.
- What if we only use common tools like ChatGPT or Microsoft Copilot?
- Those tools are precisely what we assess. Many organisations assume that using widely-adopted AI tools means no compliance risk. The EU AI Act creates obligations based on how you use AI, not just which tools you use. We assess your use case, the data involved, and the controls around it.
- Is this a one-time engagement or ongoing?
- The assessment itself is a one-time, fixed-scope engagement. We do offer optional follow-on services including quarterly governance reviews and policy drafting, but there is no obligation to continue after the initial report.
- Do you work with companies outside Romania?
- Yes. All engagements are conducted remotely. We work with organisations across the European Union and the assessment covers EU regulatory requirements regardless of where in the EU the client is based.