DE | EN

AI Compliance Framework Overview

My AI compliance framework NADOVO: why I classify AI risks at the PROCESS level

Most companies ask the wrong question.

“Is ChatGPT HIGH-RISK or not?”

I hear this question constantly. And my answer surprises many: it depends on what you use it for. The EU AI Act does not classify tools, it classifies applications. That is exactly why I developed a framework that works at the process level.

The problem with the asset perspective

Many companies try to classify their AI systems wholesale. They create a list of all tools and then ask: which of these is HIGH-RISK under the AI regulation?

That does not work. For one simple reason:

Article 6 makes the risk class depend on the “intended purpose”. Not on the system itself, but on what you use it for. A correct risk assessment therefore always requires looking at the application context.

An example: ChatGPT

Take ChatGPT, the same tool, three completely different risk classes:

Creating marketing texts: MINIMAL RISK, no impact on fundamental rights. Supporting applicant screening: HIGH-RISK, Annex III, category 4 (employment). Carrying out code review: LIMITED RISK, transparency obligations, but not HIGH-RISK.

Same tool. Three different requirements.

If you classify ChatGPT wholesale as “MINIMAL RISK” because it is “just a chatbot”, you may overlook a HIGH-RISK application in your HR department.

My approach: the process layer

That is why I work with a different model in my AI compliance framework:

Asset + area of application = AI process, which leads to a risk class

Asset: the AI system itself (e.g. ChatGPT, Microsoft Copilot, your own ML model). Area of application: the specific purpose of use in your company. AI process: the combination of both, which is the unit that gets classified. Risk class: MINIMAL, LIMITED, HIGH-RISK or UNACCEPTABLE.

This process layer is the core of my AI compliance framework, which I am developing further under the name NADOVO, and it forms the basis for the entire AI continuous lifecycle.

The 5-phase framework

My approach is based on five phases that map an AI continuous lifecycle. This cycle ensures that compliance does not remain a one-off project but becomes an ongoing process.

Phase 1: DISCOVER, what do we have? Record all AI systems in your company. Determine your role: are you a provider (developer) or a deployer (user)? Most SMEs are deployers.

Phase 2: DEFINE, what do we use it for? This is where the actual work happens: link each asset to its areas of application. An asset can have several processes. Each process is classified individually.

Phase 3: ASSESS, which risks? For HIGH-RISK processes: a systematic risk assessment under Article 9. Bias risks, data protection, security, fundamental rights.

Phase 4: IMPLEMENT, how do we put it into practice? Implement measures: technical controls, training under Article 26(5), documentation. All audit-ready.

Phase 5: MONITOR, how do we stay compliant? The lifecycle never ends. Ongoing monitoring, incident management, annual reassessment. AI compliance is not a project, but a continuous process.

Why this matters for SMEs

With this approach you do not have to assess each AI tool individually. You assess HOW you use it.

That reduces complexity considerably:

5 AI tools with 3 applications each = 15 processes to assess. Of those, maybe 2 to 3 are HIGH-RISK, and that is where you focus. The rest: MINIMAL or LIMITED RISK with manageable obligations.

The deadline

Speaking of focus: the HIGH-RISK requirements of the EU AI Act apply from 2 August 2026. The Digital Omnibus proposal could push this to December 2027, but that has not been decided yet.

My recommendation: start now. Whoever begins today is safe in either scenario.

Conclusion

The question “Is this tool HIGH-RISK?” is the wrong question.

The right question is: “For which applications do we use this tool, and which of them are HIGH-RISK?”

The process layer in my AI compliance framework makes the AI regulation manageable. Not by simplifying the law, but through a structure that matches the EU AI Act.

In the coming weeks I will present each phase in detail. Next week: phase 1 DISCOVER, how to build your AI asset register.

With NADOVO I am working to make this framework accessible as a platform for SMEs.


About the author

Jochen Stier is co-founder of NADOVO with over 20 years of experience in process management and IT service management. He helps German SMEs implement the requirements of the EU AI Act systematically and pragmatically. His 5-phase framework NADOVO combines regulatory requirements with practical feasibility, without enterprise budgets or complex tools.

© 2026 Jochen Stier / contoro.solutions