The NADOVO Compliance Cycle
The NADOVO Compliance Cycle
Many AI compliance frameworks show a linear process: step one, then two, then three. That sounds tidy, but it does not reflect reality. Not every AI process needs the same effort. Not every phase is relevant for every risk class. With the NADOVO Compliance Cycle I developed a representation that shows this flexibility. The diamond shape is not a design gimmick, but reflects the actual process logic of the EU AI Act.
Why not a circle?
Classic compliance cycles suggest that every process goes through all phases. That is true for high-risk systems. But the EU AI Act differentiates by risk class, and that has to be reflected in the process. An AI system with minimal risk needs no full risk assessment. Why should it take the same route as a high-risk system in HR?
The new representation is a diamond with four inner phases and a surrounding frame. This shape allows different paths depending on the situation.
The five phases at a glance
DISCOVER forms the top. This is where the AI asset register is created: which AI systems exist in the company? Who is a provider, who a deployer? Which shadow AI do employees use without IT approval? Without this transparency, the basis for everything else is missing.
DEFINE and ASSESS sit on the middle level, side by side. DEFINE links asset and use case into the AI process and determines the risk class. ASSESS carries out the systematic risk assessment, creates mitigation measures and documents human oversight.
IMPLEMENT sits below. This is where measures are put in place, training is carried out and standard operating procedures are created.
MONITOR surrounds everything as a continuous frame. This phase does not run once, but permanently. It monitors the running processes and, when needed, triggers a return to earlier phases.
The paths through the cycle
The main flow leads from DISCOVER through DEFINE to ASSESS and on to IMPLEMENT. That is the full path for high-risk processes under Annex III of the EU AI Act. Here you need the complete documentation, risk assessment and implementation of measures.
But not every process is high-risk. For AI systems with limited or minimal risk, there is a direct path from DEFINE to IMPLEMENT. If the risk classification shows that only transparency obligations or voluntary measures apply, ASSESS can be skipped. That saves effort without endangering compliance.
MONITOR is not an end point, but a starting point for new runs. When an existing system gets a new purpose of use, the process jumps back to DEFINE. The risk class has to be reassessed. The same applies when regulatory requirements change.
For annual reassessments or after incidents, MONITOR jumps directly to ASSESS. The existing system is reassessed without repeating the recording and definition.
Why this representation?
The diamond communicates three things at once. First: there is a structure with clear phases. Second: not all paths are equally long. Third: compliance is not a one-off project, but a continuous process.
For SMEs this is crucial. The fear of the EU AI Act is often fed by the idea that every AI tool means the same huge effort. The NADOVO Compliance Cycle shows: the effort scales with the risk. Whoever mainly uses minimal-risk systems has a lean path. Whoever operates high-risk systems invests more, but in a targeted and predictable way.
A further developed representation
The previous visualization of the NADOVO framework showed a classic cycle with arrows running clockwise. The five phases and their content remain unchanged. What changes is the way I represent the relationships. The new diamond with MONITOR as a frame reflects the flexible process logic better. It shows that MONITOR is not a phase after IMPLEMENT, but a permanent function that accompanies the entire NADOVO cycle and triggers new runs when needed. And it makes visible that not every process takes the same path.
Your next step
Check your existing AI systems: which risk class do they have? Which path through the cycle do they really need? Often it turns out that the majority of systems can take the lean path. That makes AI compliance manageable, even without an enterprise budget. Start with recording your AI systems and work through the NADOVO Compliance Cycle, step by step, at your own pace.
About the author
Jochen Stier is co-founder of NADOVO with over 20 years of experience in process management and IT service management. He helps German SMEs implement the requirements of the EU AI Act systematically and pragmatically. His 5-phase framework NADOVO combines regulatory requirements with practical feasibility, without enterprise budgets or complex tools.
More articles
AI Technology Website Migration and SEO Ranking
Many fear a website migration destroys the Google ranking. That is true - if you do it wrong. What really happens and what matters.
read more ...
AI Technology Maintaining a Website Without an Agency
If you have a business website, you should be able to maintain it yourself. Why that does not work for most people - and how it can be done differently.
read more ...
AI Compliance Why I Built NADOVO
Why a process consultant with 20 years of experience builds his own AI compliance framework and his own platform - and what that has to do with the EU AI Act.
read more ...