designed to support This methodology uses the calibration register per REV-5: claims describe intent and risk-reduction, not guaranteed compliance outcomes.

AI-Act-in-a-Box

A structured regulator workshop that maps your AI portfolio against EU AI Act risk tiers and produces a traceable compliance posture register.

Evaluation & Verification → ← Library

Regulatory complexity is not a friction to manage. It is a competitive posture to engineer.

What it is

AI-Act-in-a-Box is a structured workshop product — typically delivered over two to three days — that maps an enterprise AI portfolio against the EU AI Act risk-tier framework and produces a traceable compliance posture register. It is designed for organisations that need to establish their AI Act position before the relevant prohibitions and obligations take effect, and for regulated-sector clients (financial services, healthcare, critical infrastructure) where the Act’s high-risk classification may apply to systems already in production.

The workshop runs in three phases: portfolio enumeration (every AI system catalogued with its decision type, the population it affects, and the data it processes); risk-tier classification (each system assessed against the Act’s classification criteria — prohibited practices, Annexes II and III high-risk categories, general-purpose AI provisions, limited-risk transparency obligations); and gap-to-obligation mapping (for every high-risk system, specific Article 9–17 obligations mapped to current posture, prioritised by regulatory timeline and remediation effort).

All positions are written in the calibration register: “designed to support compliance”, “aligned to EU AI Act Article 9 requirements”, “engineered for conformity assessment readiness”, “materially reduces audit risk.” Not as absolute compliance guarantees. The calibration register is the appropriate posture before a notified body has completed a conformity assessment.

The output is a compliance posture register — a structured document mapping every system to its risk tier, every identified gap to a priority and a remediation path, providing the evidence base for a Data Protection Officer, Legal, or a notified body to review.

When you reach for it

AI-Act-in-a-Box applies when an organisation needs to move from “we are aware of the EU AI Act” to “we have a documented posture and a prioritised remediation plan” — and when the gap between those two states needs to close within a defined regulatory timeline rather than a vague strategic horizon.

It is the right methodology for regulated-sector clients whose AI systems may fall into the high-risk categories (biometrics, critical infrastructure, employment, credit, education, law enforcement, administration of justice); for organisations with general-purpose AI models that may trigger the GPAI provisions; and for any client facing an imminent audit, investor due diligence, or board governance review that requires a documented AI posture.

What you ship

  • A risk-tier classification register — every AI system in scope, classified against the EU AI Act’s prohibited, high-risk, limited-risk, and minimal-risk tiers, with the classification rationale stated and the specific Annex provision cited.
  • A gap-to-obligation register — for every high-risk system, each Article 9–17 obligation mapped to the organisation’s current posture, with a traffic-light status and a remediation priority. Designed to support a notified body’s conformity assessment when that stage is reached.
  • A board-ready posture summary — a one-page executive summary of the organisation’s AI Act position, written for a board audience rather than a legal or technical one, with three prioritised actions and their associated timelines.

Linked methodologies

AI-Act-in-a-Box is the entry point for the Regulated Encoder methodology in AI Act contexts: once a system is classified as high-risk, the Regulated Encoder provides the deterministic, auditable rule-enforcement architecture that the Act’s Article 9 (risk management system) and Article 10 (data governance) requirements are designed to support.

The Karpathy-6 Adversarial Verification gate applies to the gap-to-obligation register before it is delivered — specifically checking for FM-3 Inference Leakage (regulatory knowledge from LLM training imported as sourced compliance positions) and FM-4 Severity Inflation (gaps rated higher than the evidence supports).

Start here

AI-Act-in-a-Box is available as a standalone two-to-three-day engagement, or as the regulatory module within a broader Stream A transformation programme. Book a discovery conversation.

Continue reading

← Back to the library Implementation Verification → Evaluation & Verification →

Apply this methodology to your outputs.

The Stream D Evaluation Audit runs a structured verification pipeline against any analytical document you already have. Bring the output and the source evidence. You receive a faithfulness score, a structured findings report, and corrected text for every Category A finding.

Book an evaluation audit →