AI Act Compliance

EU AI Act compliance audit, dedicated training and platform, everything in one place.

We audit your systems, train your employees to regulatory standards and migrate your compliance into the AI & Shine platform. Total security and audit readiness, delivered through one streamlined process.

  • 20 years in digital & e-commerce
  • AI operators, not theorists
  • AI, risk and AI Act compliance: audited and implemented
Book a free diagnostic
AI & Shine · Compliance panel

  • AI Act readiness: 76/100
  • AI system register: 14 systems
  • Risk classification: complete
  • ! Training (Art. 4): 82% of team
  • Transparency notices (Art. 50): deployed
  • Audit evidence: ready
  • ⏱ Next deadline: 2 Aug 2026 · Art. 4 enforcement

Three pillars of compliance

Audit, training and platform. The full cycle, one team.

A

AI Compliance Audit

Complete tool inventory, risk classification under the AI Act, gap analysis and a precise remediation roadmap. From total chaos to a clear strategy in just 2–3 weeks.

B

AI Literacy Training

Certified, role-based programs. We fulfil Article 4 requirements, generate irrefutable proof for regulators and tangibly boost your team's AI competencies.

C

AI & Shine Platform

Your compliance command center: system registers, policies, transparency notices and audit evidence in one place. Compliance as a continuous process, not a static PDF.

Shadow AI

How many AI systems are actually running in your company? Likely more than you think.

You cannot ensure legal compliance for AI systems you don't know exist, and in most companies employees adopt AI far faster than the IT department can track it.

🔍

What Shadow AI is

Unauthorized, unmonitored use of AI inside your organization: ChatGPT on a personal account, an assistant built into your CRM, browser extensions, image generators in marketing. Today this is the operational standard, not a rare exception.

⚠️

Why it's a critical risk

Every hidden system can trigger strict AI Act obligations (content labeling, risk classification) and create data-leak vulnerabilities. “We didn't know our employees were using AI” is not a legal defense. That is why our audit starts with a rigorous discovery of what is actually running.

The scale of the problem · 2026 data

Four numbers that change the board's priorities

  • 67% of employees use AI at work, yet only 18% of companies have a formal AI policy (Salesforce, 2026)
  • 14 AI tools the average company actively uses; IT is aware of only 4–5 (Productiv, 2026)
  • 25% of organizations have full visibility into how teams use AI (Optro, 2026)
  • 47% of users bypass corporate security by using personal accounts (Netskope, 2026)

AI literacy · Art. 4

AI training is not an option. It's a legal obligation that already applies to you.

The obligation to ensure AI literacy has been in effect since 2 February 2025, and strict enforcement begins in August 2026. It is the deploying company's responsibility and cannot be outsourced to software vendors. Article 4 applies to anyone using Copilot, ChatGPT or AI features embedded in CRM and ERP systems.

⚖️

The liability is yours

Not OpenAI's, not Microsoft's. You cannot check this box by sending your team a link to a user manual.

🎯

Tailored to the role

The scope of knowledge must match responsibilities. A marketing assistant needs different guidelines than a manager overseeing a scoring model.

📋

Hard evidence for auditors

Regulators (in Poland: KRiBSI) will demand completion logs, competency assessments and change records. Without systematic documentation you cannot prove compliance.

Enforcement is imminent

Full oversight begins on 2 August 2026. A lack of documented training is an aggravating factor in any audit or data-breach incident.

Our dedicated AI training

Practice and evidence, not another slide deck

01

Role-based tracks

Distinct modules for the C-suite, HR, marketing, operations and IT, proportional to real responsibility.

02

Full Article 4 compliance

Curriculum, personalized completion logs, certificates and audit trails, all prepared for regulatory review.

03

Practice, not theory

We teach teams to verify outputs, spot bias and hallucinations, and safely manage proprietary company data.

04

Managed via AI & Shine

A centralized database of competencies and evidence, kept up to date in one place.

Full scope

The AI Act is more than watermarks. Our audit covers the entire spectrum.

Reducing the AI Act to labeling generated text or images is a dangerous oversimplification. Our audit surgically maps the whole regulation to your organization's operational reality.

Updated: June 2026.

| AI Act area | Specific focus | Status & penalties |
|---|---|---|
| Prohibited practices (Art. 5) | Subliminal manipulation, social scoring, emotion recognition at work/school, mass facial scraping. | Active since 2 Feb 2025. Fines: up to €35M / 7% of global turnover. |
| AI literacy (Art. 4) | Mandatory training for employees at the deploying organization. | Active since 2 Feb 2025. Enforcement from 2 Aug 2026. |
| High-risk systems (Annex III) | HR, credit scoring, critical infrastructure. Requires Fundamental Rights Impact Assessments (FRIA) and human oversight. | Shifted to 2 Dec 2027 (audits required now). Fines: up to €15M / 3% of turnover. |
| Transparency (Art. 50) | Chatbot disclosures, labeling of synthetic content and deepfakes. | Active from 2 Aug 2026. Fines: up to €15M / 3% of turnover. |
| General-purpose models (Art. 53) | Strict obligations imposed directly on creators and providers of AI models. | Active from 2 Aug 2025. |
| Misinformation to authorities | Supplying incomplete or misleading data during a regulatory audit. | Fines: up to €7.5M / 1.5% of turnover. |

Operational takeaway: before you label content or publish notices, you must know exactly which legal thresholds your company crosses. That is the fundamental clarity our audit provides.

Service: AI compliance audit

From risk and chaos to a precise roadmap in 2–3 weeks.

Our audit is an operational roadmap: it shows what systems you run, where your legal vulnerabilities are and what to deploy, step by step, for total security. You get a business map built by operators who have managed multimillion-euro e-commerce budgets, not a law firm billing for empty hours.

  1. Discovery (Shadow AI)

    We relentlessly inventory the AI tools your team actually uses, including those flying under IT's radar.

  2. Risk classification

    We map every system against the AI Act: prohibited, high-risk, transparency-required or minimal risk.

  3. Gap analysis

    We pinpoint exactly what is missing (assessments, policies, training, labels) to reach a compliant status.

  4. Task prioritization

    An action plan synced to the AI Act rollout calendar, to neutralize immediate business risk first.

  5. Audit evidence

    We build a rigid framework for your evidentiary documentation, ready to show a regulator.

  6. Platform migration

    We transfer all findings to AI & Shine. Your compliance becomes a living process, not a one-off file.

Final deliverables

Concrete documents, not generalities

The honest boundary: the audit is an operational foundation, not a substitute for formal legal counsel. Where systems border on complex interpretation we collaborate directly with your legal department. We implement solutions, not just opinions.

  • A complete AI system register with legal classifications.
  • An audit covering the entire scope of the AI Act.
  • A prioritized vulnerability list with assigned owners and deadlines.
  • A library of ready-to-use policies, notices and templates.
  • A customized training roadmap (Article 4).
AI & Shine platform

All your AI Act documentation under total control

Compliance is not a project with a fixed end date. Regulations evolve, software changes, employees rotate. The audit is the gateway; true operational compliance lives on the platform.

📋

Active AI register

A living inventory of all systems and their risk levels.

📜

Corporate AI policies

Always-updated usage rules for your team.

🛡️

Risk management (FRIA)

Built-in templates for Fundamental Rights Impact Assessments.

🏷️

Transparency notices

Ready-to-deploy disclaimers for your site (chatbots, deepfakes).

🎓

Education hub (Art. 4)

A definitive log of completed training, scores and regulatory certificates.

🗄️

Evidence vault + timeline

One secure repository for evidence plus automated alerts for upcoming deadlines.

Content labeling · Art. 50

How to legally label AI content? Copy-and-paste templates.

Proper labeling works on two layers at once: visible (a clear label for humans) and machine-readable (C2PA / Content Credentials metadata embedded in the file). The patterns below follow the Article 50 Code of Practice (June 2026 standards).

Fully AI-generated content
Visible text

This content was generated by artificial intelligence.

Graphics

Image generated by AI. (Requires an “AI” badge + C2PA data.)

Machine-readable

IPTC metadata “Digital Source Type: trained algorithmic media”.

AI-assisted / edited content
General

This text was prepared by our team using AI tools.

Editorial

This material was written by a human and edited with AI assistance.

Exception

Standard spelling/grammar checks with built-in tools do not require labeling.

Chatbot disclosure — Art. 50(1)
Pattern

You are interacting with an AI assistant. You may request to speak with a human at any time.

Deepfakes and synthetic content — Art. 50(4)
Pattern

This material (image/audio/video) was artificially generated or altered using AI.

Public-interest content — Art. 50(4)
Pattern

This text, published to inform the public, was generated by AI and verified by our editorial team.

Disclosures must be clear, easily accessible and shown at the point of first contact. We weave them naturally into your site architecture so they never harm UX or conversion.

Industry implementations

What does it look like in practice? Four business scenarios.

An AI audit is not an out-of-the-box product. Risk scales and procedures look drastically different for an e-commerce giant, a media publisher, a software house and a B2B services firm.

🛒

E-commerce / Retail

  • Starting point: thousands of mass-generated descriptions, unsupervised sales chatbots, Cloudflare blocking AI crawlers, a team unaware of the legal risk.
  • Implementation: uncover the full spectrum of shadow AI → deploy Art. 50 labels and safe prompt policies → unblock AI crawler traffic → launch team certification.
  • Result: full legal compliance, higher visibility in AI Overviews and a confident team running safe prompts.
📰

Media & Publishers

  • Starting point: high volume of AI-assisted content, reputational deepfake risk, zero labeling taxonomy.
  • Implementation: “fully AI vs. assisted” taxonomy at the CMS level → a strict AI editorial policy → mandatory journalist training.
  • Result: a fast, modern newsroom that stays impeccably compliant under media-oversight audits.
🧩

SaaS / Software

  • Starting point: new AI features every sprint, unsure whether they are a “provider” or “deployer”, enterprise clients demanding compliance proof.
  • Implementation: hard role classification → impact assessments (FRIA) on AI & Shine → human-in-the-loop production controls.
  • Result: a certified compliance posture used as a weapon to close large B2B contracts.
💼

Professional services (B2B)

  • Starting point: the dangerous belief that “this doesn't apply to us”, while leadership and bid teams routinely run confidential financial data through LLMs.
  • Implementation: an eye-opening audit revealing widespread shadow AI → strict AI privacy policies → literacy training to halt data leaks immediately.
  • Result: the risk of multimillion-euro fines for data breaches and leaks is eliminated.
How we work

Four steps: from total uncertainty to certified compliance.

  1. Diagnostic (30 min, free)

    Rapid landscape mapping. We reveal exactly which parts of the AI Act apply to you and where your exposure to fines is highest.

  2. The audit

    Operational shadow-AI inventory, legal classification, vulnerability identification and a concrete deployment plan.

  3. Implementation (AI & Shine)

    Policies, correct Art. 50 labels, unlocked GEO visibility and certified Art. 4 training.

  4. Continuous protection

    Unbroken oversight on AI & Shine: we monitor deadlines, update team knowledge and archive your defense evidence.

FAQ

Frequently asked questions

Exactly what is an AI compliance audit?

It is a precise inventory of all AI systems used within your company, a risk assessment based on the EU AI Act, and an operational roadmap to eliminate legal vulnerabilities. We cover the entirety of the regulation, from prohibited practices to mandatory training, not just superficial content labeling.

Does the AI Act apply to my company if we only use off-the-shelf tools like ChatGPT?

Almost certainly, yes. As a deployer of AI you are already subject to Article 4 (mandatory staff training), and if you generate market-facing content you fall under Article 50. Being unaware of your employees' AI usage does not protect you from large fines.

Is AI competency training absolutely mandatory?

Yes. This is explicitly mandated by Article 4. The obligation to adequately educate personnel has been active since 2 February 2025, and strict enforcement by national oversight bodies begins in August 2026.

What is Shadow AI?

Shadow AI is employees using AI solutions without the formal approval or monitoring of the company. It is currently the single largest, unrecognized legal vulnerability for modern organizations.

What are the penalties for violating the EU AI Act?

There are three tiers of financial penalties: up to €35M (or 7% of global turnover) for prohibited practices; up to €15M (or 3%) for breaching core high-risk and transparency obligations; and up to €7.5M (or 1.5%) for providing incorrect data during a government audit.

What is the national oversight authority?

In Poland this is KRiBSI (the Commission for the Development and Security of Artificial Intelligence), established in June 2026. Similar authorities exist across the EU. They can levy fines, process breach reports and rapidly block unsafe AI systems.

What is the AI & Shine platform used for?

It is a digital environment where all documentation required by the AI Act (system registers, risk analyses, staff training logs) is generated and secured in real time. The platform ensures you always have audit-ready evidence at your fingertips.

Does every piece of AI-generated content require a label?

No. If AI served a purely auxiliary function (such as grammar correction on a human-written text) that did not significantly alter the final message, the content is exempt from strict labeling requirements.

Does your audit replace a formal opinion from a law firm?

No. Our work is deeply operational and technical: we provide business execution. Where a system sits on the borderline of hard legal interpretation, we work closely with your legal counsel, giving them the exact data they need rather than replacing them.

Were the AI Act deadlines ultimately delayed?

Only partially. The deadline for high-risk systems (Annex III) was shifted via the Digital Omnibus to 2 December 2027. However, AI training (Article 4) and transparency rules (Article 50) have not changed. The requirements impacting 90% of companies are legally binding right now.

Start with 30 minutes. Gain full control and lasting peace of mind.

Knowledge is the cheapest form of compliance. The sooner you map the hidden AI systems in your company, the cheaper it is to remove the risk and turn legal compliance into a market advantage. The first 30-minute diagnostic with an expert is free and fully non-binding.
