Compliance inside the workflow,
not after.
Every AI Workflow Design we graft carries a compliance overlay: four controls that accompany every use case, so from day one you know what you can do, what must be reported and what must be documented. This is what they contain, in full — no scaremongering and no gates.
In most cases you use AI, you don't build it: you're a deployer. The obligations are real but lighter than those of the companies that sell the systems — and we map them for you.
The risk level
The EU AI Act ranks uses of AI by risk level. We place every use case at the right level, so you know in advance which obligations really kick in — and which don't.
-
Minimal and limited
Where most SME workflows fall: internal copilots, content generation, support bots. Light obligations — mainly transparency, like declaring that the user is talking to an AI.
-
High risk — we flag it separately
Recruitment, credit scoring, biometrics: here the heavy deployer obligations kick in — assigned human oversight, relevant input data, log retention, monitoring and incident reporting. If a use case lands here, we flag it distinctly in the catalogue, we don't hide it among the others.
SMEs get dedicated simplifications (reduced technical documentation, consultation channels, regulatory sandboxes). The AI Act deadlines are a moving target: we re-read them at every engagement rather than print a date that might no longer hold tomorrow.
The impact assessment (DPIA)
The GDPR requires a data protection impact assessment (DPIA) when the processing is "likely to be high risk". We check whether your case triggers one before we start.
Automated decisions with legal or significant effects on people
Special-category data processed at scale
Systematic monitoring of publicly accessible spaces
The piece standard templates skip
A generic DPIA covers the GDPR part but ignores AI-specific risks: model opacity, memorisation of training data, drift over time, the right to erasure clashing with an already-trained model. Our assessment carries a section dedicated to these, not just the boilerplate.
Risk labels, not prose
Every use case gets a structured label modelled on the MIT AI Risk Repository, instead of a discursive paragraph. Two axes that combine, so risk becomes traceable and comparable from one workflow to the next.
How the risk arises
Who originates it (a person, the AI, something else), whether it's intentional or not, and whether it emerges before or after going into production.
What kind of risk it is
Discrimination, privacy and security, misinformation, misuse, human-machine interaction, socioeconomic impacts, system failures.
A concrete example
A sales copilot's hallucinations get labelled as a misinformation risk, originated by the AI, unintentional, emerging after going into production — with its mitigation written alongside. A citable label instead of a sentence.
Italian regulatory oversight
On top of the European layer comes the national one: the Garante Privacy and Italy's principles on artificial intelligence. This is fast-moving territory and enforcement is real, not theoretical — so we re-read it at every engagement rather than take it for granted.
Human oversight stays part of the design
The thread that holds the four controls together: no workflow we graft makes decisions in people's place without a human checkpoint. That's how the overlay stops being a separate chapter and becomes part of the way the workflow is designed.
The overlay is part of the design. Not an add-on.
See how it plays out on a real department in the open AI Workflow Design examples, or start from the free assessment to find out where it makes sense to begin.
This page is for guidance only: it does not constitute legal advice or a specific compliance assessment, which we carry out together on your concrete case.