AI Compliance Framework Overview
My AI compliance framework NADOVO: why I classify AI risks at the PROCESS level
Most companies ask the wrong question.
“Is ChatGPT HIGH-RISK or not?”
I hear this question constantly. And my answer surprises many: it depends on what you use it for. The EU AI Act does not classify tools, it classifies applications. That is exactly why I developed a framework that works at the process level.
The problem with the asset perspective
Many companies try to classify their AI systems wholesale. They create a list of all tools and then ask: which of these is HIGH-RISK under the AI regulation?
That does not work. For one simple reason:
Article 6 makes the risk class depend on the “intended purpose”. Not on the system itself, but on what you use it for. A correct risk assessment therefore always requires looking at the application context.
An example: ChatGPT
Take ChatGPT, the same tool, three completely different risk classes:
Creating marketing texts: MINIMAL RISK, no impact on fundamental rights. Supporting applicant screening: HIGH-RISK, Annex III, category 4 (employment). Carrying out code review: LIMITED RISK, transparency obligations, but not HIGH-RISK.
Same tool. Three different requirements.
If you classify ChatGPT wholesale as “MINIMAL RISK” because it is “just a chatbot”, you may overlook a HIGH-RISK application in your HR department.
My approach: the process layer
That is why I work with a different model in my AI compliance framework:
Asset + area of application = AI process, which leads to a risk class
Asset: the AI system itself (e.g. ChatGPT, Microsoft Copilot, your own ML model). Area of application: the specific purpose of use in your company. AI process: the combination of both, which is the unit that gets classified. Risk class: MINIMAL, LIMITED, HIGH-RISK or UNACCEPTABLE.
This process layer is the core of my AI compliance framework, which I am developing further under the name NADOVO, and it forms the basis for the entire AI continuous lifecycle.
The 5-phase framework
My approach is based on five phases that map an AI continuous lifecycle. This cycle ensures that compliance does not remain a one-off project but becomes an ongoing process.
Phase 1: DISCOVER, what do we have? Record all AI systems in your company. Determine your role: are you a provider (developer) or a deployer (user)? Most SMEs are deployers.
Phase 2: DEFINE, what do we use it for? This is where the actual work happens: link each asset to its areas of application. An asset can have several processes. Each process is classified individually.
Phase 3: ASSESS, which risks? For HIGH-RISK processes: a systematic risk assessment under Article 9. Bias risks, data protection, security, fundamental rights.
Phase 4: IMPLEMENT, how do we put it into practice? Implement measures: technical controls, training under Article 26(5), documentation. All audit-ready.
Phase 5: MONITOR, how do we stay compliant? The lifecycle never ends. Ongoing monitoring, incident management, annual reassessment. AI compliance is not a project, but a continuous process.
Why this matters for SMEs
With this approach you do not have to assess each AI tool individually. You assess HOW you use it.
That reduces complexity considerably:
5 AI tools with 3 applications each = 15 processes to assess. Of those, maybe 2 to 3 are HIGH-RISK, and that is where you focus. The rest: MINIMAL or LIMITED RISK with manageable obligations.
The deadline
Speaking of focus: the HIGH-RISK requirements of the EU AI Act apply from 2 August 2026. The Digital Omnibus proposal could push this to December 2027, but that has not been decided yet.
My recommendation: start now. Whoever begins today is safe in either scenario.
Conclusion
The question “Is this tool HIGH-RISK?” is the wrong question.
The right question is: “For which applications do we use this tool, and which of them are HIGH-RISK?”
The process layer in my AI compliance framework makes the AI regulation manageable. Not by simplifying the law, but through a structure that matches the EU AI Act.
In the coming weeks I will present each phase in detail. Next week: phase 1 DISCOVER, how to build your AI asset register.
With NADOVO I am working to make this framework accessible as a platform for SMEs.
About the author
Jochen Stier is co-founder of NADOVO with over 20 years of experience in process management and IT service management. He helps German SMEs implement the requirements of the EU AI Act systematically and pragmatically. His 5-phase framework NADOVO combines regulatory requirements with practical feasibility, without enterprise budgets or complex tools.
More articles
AI Technology Website Migration and SEO Ranking
Many fear a website migration destroys the Google ranking. That is true - if you do it wrong. What really happens and what matters.
read more ...
AI Technology Maintaining a Website Without an Agency
If you have a business website, you should be able to maintain it yourself. Why that does not work for most people - and how it can be done differently.
read more ...
AI Compliance Why I Built NADOVO
Why a process consultant with 20 years of experience builds his own AI compliance framework and his own platform - and what that has to do with the EU AI Act.
read more ...