Your board, your clients, or a regulator will ask to see your AI governance.
What will you show them?

Most organisations using AI have no written policy, no oversight rules, and no documented answer. Valorial builds yours — from first AI policy to full EU AI Act compliance.
Start here

The AI Governance Status Check

One fixed-scope engagement, whatever your starting point. You receive a written status report covering three layers:

  • Governance in practice — whether your AI policy and oversight rules hold up in day-to-day use, or exist only on paper
  • EU AI Act position — where your organisation stands against the obligations that apply to it, including whether any system is high-risk
  • Gaps, ranked by severity — with a sequenced action plan your management can execute

No prerequisites. Works whether you have a full compliance team or no written policy at all. Scope and timeline are confirmed in writing before work begins.

Path A

Governance Foundations

For organisations building responsible AI use from the ground up. Most clients start here.

  • AI use policies and employee guidelines, written for your actual use cases
  • Vendor and procurement AI rules
  • Human oversight and escalation design
  • Team training, in-house or remote
  • Grievance and feedback channels for people affected by your AI

See what you get: AI policies · Training · Grievance channels

Path B

EU AI Act Compliance Track

For deployers of high-risk systems under Annex III: credit scoring, candidate screening, insurance underwriting, education assessment, public services, biometrics.

  • Risk classification and compliance audit
  • Fundamental Rights Impact Assessment (FRIA) built on scored, weighted methodology
  • Third-party AI due diligence
  • Documentation and post-market monitoring readiness

See what you get: Compliance audit · FRIA methodology · Due diligence

If a FRIA we deliver fails Article 27 content requirements, we revise it at no charge.

Not sure which path fits? That is what the status call answers.

Where it goes wrong

The three gaps behind most AI governance failures

01

Shadow AI

Staff use AI tools nobody approved, feeding company and client data into systems nobody assessed. The organisation cannot list which AI systems it actually runs.

02

No written rules

AI use is governed by habit, not policy. When a client questionnaire, board, or regulator asks for the rules, there is nothing to show — and a verbal position is not governance.

03

No named accountability

No one can say who is responsible for a given AI system’s decisions — who approves deployment, who oversees outputs, who answers when something goes wrong.

The Status Check tells you which of these you have — and in what order to close them.

Enterprise procurement questionnaires, board risk committees, and insurance underwriters ask for AI governance evidence now — independent of any Brussels timeline. The dates below define when regulators act. Your market decides much earlier.

February 2, 2025 — In force

Prohibited AI practices banned

Social scoring, real-time biometric surveillance in public spaces, subliminal manipulation, exploitation of vulnerabilities. No grace period — these were banned from day one of application.

August 2, 2025 — In force

General-purpose AI model obligations (GPAI)

Providers of foundation models and large language models must publish technical documentation and meet copyright transparency requirements. Systemic-risk models face additional obligations: adversarial testing, incident reporting, cybersecurity measures.

August 2, 2026 — Binding

Transparency obligations (Article 50)

AI systems that interact with people must identify themselves as AI. AI-generated content must carry machine-readable disclosure. Deepfakes must be labeled. Emotion recognition and biometric categorisation systems must notify the people they process. Exception under the Omnibus: digital watermarking of AI-generated content (Article 50(2)) is extended to December 2, 2026.

December 2, 2027 — European Parliament voted June 16, 2026

High-risk AI deployer obligations — Annex III

Applies to: credit scoring · CV screening · insurance underwriting · education assessment · public services · biometric identification · law enforcement · migration · justice administration.

Deployer obligations (Article 26) include: operating the system according to the provider’s instructions, assigning trained human oversight, controlling input data, ongoing monitoring, log retention, and informing affected workers. Deployers that are public bodies, private entities providing public services, or providers of credit-scoring and life or health insurance risk-assessment systems must additionally complete a Fundamental Rights Impact Assessment (Article 27).

December 2, 2027 is the date for finished compliance — assessment, oversight design, documentation, and monitoring in place and operating — not the date to start.

(The European Parliament voted June 16, 2026 to shift this deadline to December 2, 2027 (423 for, 57 against). Council formal adoption and Official Journal publication are expected before August 2, 2026. Until OJ publication the amendment is not yet in force.)

About

The EU AI Act requires systematic AI systems analysis to meet all requirements. For this, you need more than checkbox audits that collapse under regulatory investigation.

We deliver scored severity, weighted likelihood, cumulative impact, and documented mitigation adequacy.

Dorothee Georg — LinkedIn
Not sure where you stand?
Get started

Book a status call.

One hour. You leave with your governance maturity picture, your three most critical gaps, and a clear first step. No sales pitch.

We practice what we advise.

This website sets no cookies and runs no trackers. We collect your data only when you hand it to us, and we tell you exactly what happens to it. If we treat your data this way before you are a client, you know how we will treat your compliance file when you are one.

Read our privacy notice →