DE | EN

AI Strategy and Risk Classes

The AI strategy determines the risk class

Many companies develop their AI strategy with an eye on efficiency, innovation and competitive advantage. Very few consider which regulatory consequences their decisions have. Yet the EU AI Act states clearly: it is not the technology that defines the risk, but the specific use case. Whoever understands this can design their strategic AI planning so that compliance is considered from the start, instead of becoming a problem after the fact.

The core principle: the use case determines the risk class

One and the same AI system can be classified completely differently depending on the area of use. ChatGPT for creating marketing texts falls under minimal risk. The same system, integrated into application screening, is classified as high-risk under Annex III of the EU AI Act. The difference lies not in the technology, but in the context. For your planning this means: every planned AI rollout needs an assessment of the use case in advance. Not only at the compliance check, but already in the planning phase.

Three strategic options

Once you know that the use case determines the risk class, you have three options for action.

First: deliberately avoid high-risk. You design the use case so that it does not fall under the high-risk categories. An AI system that sorts applications is high-risk. The same system that optimizes job ads is not. Sometimes a deliberate narrowing of the purpose of use is enough to change the risk class.

Second: deliberately take on high-risk. Some use cases are business-critical and inevitably fall under high-risk. That is no problem, as long as you are prepared. High-risk means: a risk management system, technical documentation, human oversight, continuous monitoring and training records. That requires budget, staff and processes that have to be planned in the strategic planning. The difference between a planned high-risk system and one discovered after the fact is considerable: planning instead of panic.

Third: redesign the use case. Check whether the goal can also be achieved with a differently designed process. Instead of a fully automated decision, an AI-based suggestion with a final human decision might be enough. That reduces the compliance requirements considerably and keeps the use case below the high-risk threshold.

What a compliance-aware AI strategy contains

An AI strategy that considers compliance does not begin with tool selection. It begins with the question: which business problems do we want to solve with AI, and into which risk classes do these use cases fall?

Concretely, three elements belong in every AI strategy. An inventory of all existing AI systems, to know what is already in use. An assessment of planned AI rollouts by risk class, before budget is released. And a realistic estimate of the compliance costs for high-risk systems, so that no nasty surprises arise.

In the NADOVO framework, the DISCOVER phase forms exactly this basis: complete transparency over all AI systems in the company. On that builds the DEFINE phase, in which each use case is classified. Whoever connects their AI strategy to this way of thinking makes better decisions.

AI strategy is AI governance

This strategic view of risk classes is not an additional task alongside technology planning. It is part of AI governance. Governance does not only mean rules and controls, but the deliberate steering of how a company uses AI. Whoever builds governance only after the AI rollout regulates after the fact what could have been planned beforehand. An AI strategy that includes risk classes from the start makes governance an enabler instead of a blocker.

The most common mistake

I regularly see companies introduce AI systems and only afterwards realise they have landed in the high-risk category. Then frantic retrofitting begins: creating documentation, catching up on risk assessments, organizing training. That is more expensive, slower and riskier than forward-looking planning.

The EU AI Act has been partly in force since February 2025. The deadline for high-risk systems is approaching. Whoever plans their AI strategy now without a compliance perspective builds up technical debt that becomes expensive later.

Your next step

Take your current AI planning and ask one question for each planned system: into which risk class does this use case fall? If you do not know the answer, that is the first item on your agenda. If the answer is high-risk, plan the compliance costs before you decide on the rollout.

Conclusion

An AI strategy without compliance awareness is incomplete. The EU AI Act makes the use case the decisive criterion. Whoever takes this into account in their strategic planning avoids expensive retrofitting, makes more deliberate decisions and creates the basis for sustainable AI innovation.


About the author

Jochen Stier is co-founder of NADOVO with over 20 years of experience in process management and IT service management. He helps German SMEs implement the requirements of the EU AI Act systematically and pragmatically. His 5-phase framework NADOVO combines regulatory requirements with practical feasibility, without enterprise budgets or complex tools.

© 2026 Jochen Stier / contoro.solutions