Vai al contenuto principale
Compliance overlay

Compliance inside the workflow, not after.

Every AI Workflow Design we graft carries a compliance overlay: four controls that accompany every use case, so from day one you know what you can do, what must be reported and what must be documented. This is what they contain, in full — no scaremongering and no gates.

In most cases you use AI, you don't build it: you're a deployer. The obligations are real but lighter than those of the companies that sell the systems — and we map them for you.

01 · EU AI Act

The risk level

The EU AI Act ranks uses of AI by risk level. We place every use case at the right level, so you know in advance which obligations really kick in — and which don't.

  • Minimal and limited

    Where most SME workflows fall: internal copilots, content generation, support bots. Light obligations — mainly transparency, like declaring that the user is talking to an AI.

  • High risk — we flag it separately

    Recruitment, credit scoring, biometrics: here the heavy deployer obligations kick in — assigned human oversight, relevant input data, log retention, monitoring and incident reporting. If a use case lands here, we flag it distinctly in the catalogue, we don't hide it among the others.

SMEs get dedicated simplifications (reduced technical documentation, consultation channels, regulatory sandboxes). The AI Act deadlines are a moving target: we re-read them at every engagement rather than print a date that might no longer hold tomorrow.

02 · GDPR

The impact assessment (DPIA)

The GDPR requires a data protection impact assessment (DPIA) when the processing is "likely to be high risk". We check whether your case triggers one before we start.

Automated decisions with legal or significant effects on people

Special-category data processed at scale

Systematic monitoring of publicly accessible spaces

The piece standard templates skip

A generic DPIA covers the GDPR part but ignores AI-specific risks: model opacity, memorisation of training data, drift over time, the right to erasure clashing with an already-trained model. Our assessment carries a section dedicated to these, not just the boilerplate.

03 · Tassonomia

Risk labels, not prose

Every use case gets a structured label modelled on the MIT AI Risk Repository, instead of a discursive paragraph. Two axes that combine, so risk becomes traceable and comparable from one workflow to the next.

How the risk arises

Who originates it (a person, the AI, something else), whether it's intentional or not, and whether it emerges before or after going into production.

What kind of risk it is

Discrimination, privacy and security, misinformation, misuse, human-machine interaction, socioeconomic impacts, system failures.

A concrete example

A sales copilot's hallucinations get labelled as a misinformation risk, originated by the AI, unintentional, emerging after going into production — with its mitigation written alongside. A citable label instead of a sentence.

04 · Italia

Italian regulatory oversight

On top of the European layer comes the national one: the Garante Privacy and Italy's principles on artificial intelligence. This is fast-moving territory and enforcement is real, not theoretical — so we re-read it at every engagement rather than take it for granted.

Human oversight stays part of the design

The thread that holds the four controls together: no workflow we graft makes decisions in people's place without a human checkpoint. That's how the overlay stops being a separate chapter and becomes part of the way the workflow is designed.

The overlay is part of the design. Not an add-on.

See how it plays out on a real department in the open AI Workflow Design examples, or start from the free assessment to find out where it makes sense to begin.

This page is for guidance only: it does not constitute legal advice or a specific compliance assessment, which we carry out together on your concrete case.

We use cookies

We use cookies and similar technologies to improve your experience, analyse traffic and personalise content. You can accept all cookies or customise your preferences.

Cookie preferences

Necessary cookies Always on

Essential for the site to work. They cannot be disabled.

Analytics cookies

They help us understand how you use the site so we can improve your experience.

Marketing cookies

Used to show you relevant ads and measure campaigns.

Personalisation cookies

They let us personalise content and features.