PLAYBOOK · COMPLIANCE & GOVERNANCE

Generate an EU AI Act compliance report by scanning your repositories.

The EU AI Act asks every deployer to maintain an inventory of AI systems, classify their risk, and document the controls in place. Scanning code by hand is unreasonable at enterprise scale. VDF AI turns it into a tractable engineering problem — a repo scan, an AI System Register, and a prioritized gap report.

The EU AI Act is now law, and the operational burden is real. Every deployer needs an AI System Register, Annex III risk classification, and documented controls. Doing that by hand at enterprise scale is a non-starter. VDF AI turns the problem into a repo-scan-plus-classification job — engineers can ship the work as if it were any other backlog item.

Repo Scan · AI System Register · Annex III Risk · Gap Analysis
[Image: VDF AI System Register surfacing compliance gaps under the EU AI Act]
The problem

Nobody knows where AI is actually running

ML models leak into microservices, prompts hide in Helm charts, third-party APIs get called from random scripts. Privacy and legal teams ask "give us the inventory" — and engineering has no clean way to answer.

The VDF AI approach

A discovery network that reads your stack

VDF AI scans repositories, infrastructure, and document stores; classifies each AI usage against EU AI Act Annex III; and produces the AI System Register, technical documentation links, and a list of compliance gaps with severity.

WHY THIS MATTERS NOW

Compliance is operational, not aspirational

Regulators will not be patient with "we are still building our inventory" once the implementation deadlines hit. Most enterprises do not have a complete inventory because no system can produce one from current code, configs, and prompts. VDF AI fills that gap.

A Scanner Agent uses built-in MCP tools — github, api_surface_extractor, detect_tech_stack — to identify AI usage signatures across repositories. A Risk Classifier maps each candidate against Annex III. A Gap Reporter ranks remediation by severity. The output is the AI System Register every internal stakeholder asks for, plus a backlog engineering can work.

The right way to ship EU AI Act compliance is the same as how you ship anything else: small, evidenced, and continuous.
Weeks to first complete AI System Register.
100% of candidate systems carry classification, owner, and evidence links.
Vault-backed audit ledger of every scan, classification, and remediation step.
WHAT YOU NEED TO START

Prerequisites for a pilot

Sources to scan
  • Source repositories (GitHub, GitLab)
  • Infrastructure-as-code (Terraform, Helm)
  • Configuration stores
  • Document repositories (Confluence, Drive)
Policy
  • Internal AI-risk policy mapped to Annex III
  • High-risk use-case definitions
  • Documentation and oversight standards
  • Post-market monitoring expectations
People
  • One privacy / legal lead
  • One AI governance lead
  • One head of engineering
  • Optional: external auditor liaison
REFERENCE ARCHITECTURE

From repo scan to AI System Register

Inputs
  • Repositories: github · gitlab · monorepos
  • Infra & configs: Helm · Terraform · K8s
  • Doc & ticket stores: Confluence · Jira
EU AI Act Network (Intent: build-ai-register)
  • Scanner Agent: uses github · api_surface_extractor · detect_tech_stack
  • Risk Classifier: Annex III mapping
  • Gap Reporter
Outputs
  • AI System Register
  • Gap report + Vault audit trail
PLAYBOOK · STEP BY STEP

From scan to regulator-ready evidence

1. Connect repos and config sources

VDF AI's built-in github, repo_map, and api_surface_extractor MCP tools inspect every repository. Add Confluence and Jira for human context.

2. Run the Scanner Agent

It identifies AI usage signatures — model SDKs, prompt strings, embedding calls, scoring services — and produces a candidate list of AI systems.

3. Classify each system

The Risk Classifier maps each candidate to Annex III categories (unacceptable, high, limited, minimal) using your internal policies as RAG context.

4. Generate the AI System Register

Output a structured register: system, use case, classification, owner, evidence links, and current control coverage — backed by a Vault audit ledger.

5. Report and remediate

The gap report ranks each system: missing technical documentation, missing human oversight, missing post-market monitoring. Privacy and engineering work the same backlog.
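The five steps above (and the Scanner Agent / Risk Classifier / Gap Reporter pipeline described under "Why this matters now") reduce to a small, testable loop: walk files, match AI-usage signatures, map each hit to a risk category via policy rules, emit a register with owners and evidence links, then rank the missing controls. The following is an added illustration in Python, not VDF AI's code and not its MCP tools. The repository contents, signature patterns, owner map, control evidence and the Annex III policy rules are all constructed for the example; an organisation's real policy and evidence store would replace them.

```python
"""Added example (not VDF AI's code): a minimal repo scanner that finds AI-usage
signatures, classifies each hit against constructed Annex III policy rules,
emits an AI System Register, and ranks compliance gaps. All inputs are constructed."""
import hashlib
import json
import re

# Constructed stand-in for a checked-out repo: path -> file content.
REPO = {
    "services/credit/scorer.py": (
        "import openai\n"
        "client = openai.OpenAI()\n"
        "def score(applicant):\n"
        "    emb = client.embeddings.create(model='text-embedding-3-small', input=applicant)\n"
        "    return rank_credit_applicant(emb)\n"
    ),
    "charts/support-bot/values.yaml": (
        "image: support-bot:1.4\n"
        "system_prompt: 'You are a helpful customer support chatbot.'\n"
    ),
    "scripts/nightly.sh": "curl -s https://vendor.example/v1/predict -d @batch.json\n",
    "services/billing/invoice.py": "def total(items):\n    return sum(items)\n",
}

# Constructed ownership map and control evidence (what the register in step 4 needs).
OWNERS = {"services/credit": "team-risk", "charts/support-bot": "team-cx", "scripts": "team-data"}
CONTROLS = {  # which controls currently have documented evidence
    "services/credit/scorer.py": {"technical_documentation": True, "human_oversight": False,
                                  "post_market_monitoring": False},
    "charts/support-bot/values.yaml": {"technical_documentation": False, "human_oversight": True,
                                       "post_market_monitoring": True},
}

# Constructed signature patterns: model SDKs, embedding calls, prompt strings, scoring endpoints.
SIGNATURES = {
    "model_sdk": re.compile(r"^\s*(import|from)\s+(openai|anthropic|transformers|vertexai)\b", re.M),
    "embedding_call": re.compile(r"\.embeddings\.create\(|\bembed\(", re.M),
    "prompt_string": re.compile(r"(system_prompt|prompt)\s*[:=]", re.M | re.I),
    "scoring_service": re.compile(r"https?://\S+/(predict|score|infer)\b", re.M),
}

# Constructed internal policy mapped to risk categories; a real policy replaces these rules.
POLICY_RULES = [
    ("high", re.compile(r"credit|loan|hiring|recruit|applicant", re.I)),  # Annex III areas
    ("limited", re.compile(r"chatbot|assistant", re.I)),                  # transparency duties
]
SEVERITY = {"unacceptable": 4, "high": 3, "limited": 2, "minimal": 1}


def scan(repo):
    """Step 2: candidate AI systems, each with one evidence link per signature hit."""
    candidates = []
    for path, text in repo.items():
        hits = []
        for name, pattern in SIGNATURES.items():
            for m in pattern.finditer(text):
                line_no = text.count("\n", 0, m.start()) + 1
                hits.append({"signature": name, "evidence": f"{path}#L{line_no}"})
        if hits:
            candidates.append({"system": path, "hits": hits})
    return candidates


def classify(candidate, repo):
    """Step 3: first matching policy rule wins; anything unmatched is minimal risk."""
    haystack = candidate["system"] + "\n" + repo[candidate["system"]]
    for category, rule in POLICY_RULES:
        if rule.search(haystack):
            return category
    return "minimal"


def build_register(repo):
    """Step 4: structured register with classification, owner, evidence and control coverage."""
    register = []
    for cand in scan(repo):
        path = cand["system"]
        owner = next((o for prefix, o in OWNERS.items() if path.startswith(prefix)), "UNASSIGNED")
        controls = CONTROLS.get(path, dict.fromkeys(
            ["technical_documentation", "human_oversight", "post_market_monitoring"], False))
        register.append({"system": path, "classification": classify(cand, repo), "owner": owner,
                         "evidence": [h["evidence"] for h in cand["hits"]], "controls": controls})
    return register


def gap_report(register):
    """Step 5: one finding per missing control, highest-risk systems first."""
    findings = [{"system": e["system"], "missing": ctrl, "severity": SEVERITY[e["classification"]]}
                for e in register for ctrl, present in e["controls"].items() if not present]
    return sorted(findings, key=lambda f: (-f["severity"], f["system"], f["missing"]))


def audit_ledger(register):
    """Hash-chained, append-only record of each classification; a simplified stand-in
    for the Vault-backed ledger the page describes, not an integration with it."""
    ledger, prev = [], "0" * 64
    for entry in register:
        digest = hashlib.sha256((prev + json.dumps(entry, sort_keys=True)).encode()).hexdigest()
        ledger.append({"prev": prev, "entry": entry["system"], "hash": digest})
        prev = digest
    return ledger


if __name__ == "__main__":
    reg = build_register(REPO)
    print(json.dumps(reg, indent=2))
    for f in gap_report(reg):
        print(f"[{f['severity']}] {f['system']}: missing {f['missing']}")
```

Two design points carry over to a production scanner: every register entry links back to a file and line, so an auditor can verify the claim rather than trust a spreadsheet, and the register is a pure function of the repository, so regenerating it on each push (as the FAQ describes) makes drift between code and register detectable.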

[Image: AI System Register surfacing compliance gaps]
OUTCOMES

An EU AI Act program that engineers can ship

Weeks to first complete AI System Register — not multi-quarter audits.

100% of candidate systems carry classification, owner, and evidence links.

Vault-backed audit ledger of every scan, classification, and remediation step.

SEEMR REFERENCE

Compliance that learns with the regulation

Annex III is a moving target. SEEMR's Knowledge Graph mode ingests guidance updates and re-classifies systems automatically — the program stays current without re-engagement cycles.

FREQUENTLY ASKED QUESTIONS

What teams ask before shipping this playbook

How is this different from a manual privacy audit?

A manual audit asks engineers to fill in spreadsheets. The Scanner Agent extracts evidence directly from code and config. The auditor still owns the call — but with better evidence.

What happens to the AI System Register after generation?

It lives as a versioned artifact, regenerable on every push. Drift between code and register is itself a finding.

Can we tailor risk classification to other regimes?

Yes. The Risk Classifier can be configured for the EU AI Act, NIST AI RMF, U.S. state laws, or your internal taxonomy.

Will this find AI usage we did not know about?

Usually yes. Most enterprises find shadow AI usage on the first scan — prompts hidden in scripts, models called by third-party integrations, embedded smarts in vendor SaaS.

How is sensitive code protected during scanning?

All scanning happens on-prem. No source leaves your network.

How long to first report?

Two to four weeks for a mid-size estate. Larger enterprises scan progressively by business unit.

GET IN TOUCH

You Have Questions

Tell us what you’re trying to achieve—governed AI Networks, enterprise RAG, deep integrations, or on-premise deployment. We’ll help you map the right architecture, security posture, and rollout path. If you’re moving beyond AI pilots and need scalable, auditable execution, reach out—our team is ready to help.