From Asset to Use Case
From asset to use case
An AI register lists systems. That is necessary, but not sufficient. For compliance work, what counts is not the tool, but what it is used for. The same AI can be minimally risky or high-risk depending on its use. Establishing the link between system and purpose is the central task of the DEFINE phase in the NADOVO framework.
Why the asset list is not enough
The DISCOVER phase records all AI systems in the company: purchased software, cloud services, embedded features, shadow AI. The result is a complete AI register. But this inventory does not yet answer the decisive question: which regulatory requirements apply?
The EU AI Act classifies not by technology, but by purpose of use. A large language model is not a high-risk system just because it is technically complex. It becomes a high-risk system when it is used for applicant selection, performance evaluation or creditworthiness checks. The technology stays the same; the purpose makes the difference.
The equation: asset plus area of application equals AI process
In the DEFINE phase, each asset is linked to its specific use cases. An AI system can have several use cases, and each forms its own AI process. ChatGPT for marketing texts is one process. ChatGPT for customer complaints is another. ChatGPT for HR screening a third. All use the same asset, but each process has its own risk class.
This distinction is not bureaucracy for its own sake. It reflects the logic of the regulation. Article 6 defines the risk class via the intended purpose, not via technical properties. Whoever understands this logic can steer compliance deliberately instead of treating everything as high-risk across the board.
What an AI process documents
Every AI process needs a clear description. Which asset is used? In which business area? For what specific purpose? Which people are affected? Which decisions are influenced? Which data flows in?
The purpose definition must be precise. Not just which area, but which specific task. Not recruiting, but pre-selection of applications based on CVs. Not customer service, but automatic answering of standard enquiries. The precision pays off in the risk classification.
Identifying affected people is crucial. The EU AI Act primarily protects natural persons whose fundamental rights are affected by AI decisions. Employees with HR systems, customers with scoring, applicants with recruiting. Who is affected co-determines which protective provisions apply.
From process definition to risk class
With the complete process description, the risk class can be determined. The check follows a clear scheme. Does the use case fall under Annex III of the EU AI Act? Then the system is, in principle, high-risk. Does an exception apply because the system has no significant influence on decisions? Then it remains at Limited or Minimal Risk.
The classification is done per process, not per asset. A company can operate the same AI system in different risk classes at the same time. That increases complexity, but also the possibilities for control. A high-risk HR process requires the full compliance effort. The same chatbot for general FAQ answering remains unaffected.
The compliance path branches
The risk class determines the further path through the NADOVO framework. High-risk processes go through the ASSESS phase with systematic risk assessment, mitigation planning and a fundamental rights review. Limited Risk primarily requires transparency measures. Minimal Risk can move directly into the IMPLEMENT phase.
This branching is intentional. The EU AI Act follows a risk-based approach. Effort should arise where risks exist. Whoever classifies their processes cleanly avoids both under-compliance with critical systems and over-compliance with non-critical ones.
Involve stakeholders early
The DEFINE phase is the right moment to identify affected stakeholders. Who uses the system? Who is affected by decisions? Who bears responsibility? These questions clarify not only regulatory requirements but also organizational responsibilities.
For high-risk systems in the workplace, there is an explicit obligation to inform employee representatives. For certain deployers, a fundamental rights impact assessment is required. These obligations presuppose that the affected people and groups were already identified in the DEFINE phase.
The result: a classified process register
At the end of the DEFINE phase stands a complete process register. Each asset is linked to its use cases. Each process has a documented risk class. Stakeholders are identified. The further compliance path is clear.
This register is the working basis for everything that follows. The ASSESS phase works only with the high-risk processes. The IMPLEMENT phase knows which measures to put in place for which risk class. The MONITOR phase monitors by priority. Without a clean DEFINE phase, all further work remains inefficient.
About the author
Jochen Stier is co-founder of NADOVO with over 20 years of experience in process management and IT service management. He helps German SMEs implement the requirements of the EU AI Act systematically and pragmatically. His 5-phase framework NADOVO combines regulatory requirements with practical feasibility, without enterprise budgets or complex tools.
Further reading:
More articles
AI Technology Website Migration and SEO Ranking
Many fear a website migration destroys the Google ranking. That is true - if you do it wrong. What really happens and what matters.
read more ...
AI Technology Maintaining a Website Without an Agency
If you have a business website, you should be able to maintain it yourself. Why that does not work for most people - and how it can be done differently.
read more ...
AI Compliance Why I Built NADOVO
Why a process consultant with 20 years of experience builds his own AI compliance framework and his own platform - and what that has to do with the EU AI Act.
read more ...