VDF AI Compliance

EU AI Act Readiness — From Inventory to Impact Assessment

Ten compliance use cases mapped to real enterprise gaps, regulatory obligations, and deliverable outcomes — so your team knows exactly what to build first.

Section 3

10 Use Cases: Detailed Roadmap

Each use case reflects a gap seen in enterprise AI compliance hiring — with severity, prevalence, the business problem, regulatory drivers, a practical demo scenario, and concrete deliverables.

01

AI Inventory & Shadow AI Discovery

Severity: Critical
Prevalence: 16% explicit / ~100% implicit

The Enterprise Problem

Only 16% of job postings explicitly mention AI inventory, yet it is the prerequisite for every other compliance obligation. You cannot classify risk you do not know exists. Lenovo (2026) found 70% of employees using AI weekly with 33% beyond IT oversight; BlackFog found 49% using unauthorized tools. EU AI Act compliance is mathematically impossible without a baseline inventory — yet most companies have not internalized this dependency.

Regulatory Obligation

  • EU AI Act: Art. 49 — AI Register
  • EU AI Act: Art. 4 — AI Literacy Prerequisite
  • ISO 42001: Clause 6.1 — Risk Inventory
  • NIST AI RMF: GOVERN 1.1

VDF AI Compliance Demo

Demo Scenario

A European bank deploys VDF AI Compliance on-premises. The platform connects to the systems where AI work already lives — code repositories, document stores, project tools, and collaboration platforms. An automated discovery sweep finds machine-learning usage in code, model files in shared drives, third-party AI services in use, and employee-declared tools. Each discovered system is classified against EU AI Act high-risk criteria. The result is a live AI System Register showing system name, owner, use case, data processed, user count, vendor or internal status, and risk tier — available to compliance teams through a central dashboard.

Deliverables

  • Automated AI System Register (live, queryable, audit-backed)
  • Shadow AI Discovery Report (systems found beyond IT oversight)
  • Annex III Risk Pre-Classification for each discovered system
  • Gap Report: systems lacking required documentation or oversight

02

AI Risk Assessment & Classification

Severity: Critical
Prevalence: 68% of postings

The Enterprise Problem

Companies do not know which of their AI systems are 'high-risk' under the EU AI Act. An appliedAI study of 106 enterprise AI systems found 40% had unclear risk classification. The stakes are existential: misclassification means the wrong compliance pathway, potentially missing the August 2026 high-risk system deadline, and exposure to fines of up to €35M or 7% of global annual revenue. The ambiguity is genuine — a hiring chatbot could be 'limited risk' (transparency obligations only) or 'high risk' (employment decision support under Annex III Article 6).

Regulatory Obligation

  • EU AI Act: Annex III — High-Risk Categories
  • EU AI Act: Art. 6 — Classification Rules
  • EU AI Act: Art. 9 — Risk Management System
  • NIST AI RMF: MAP 1.1

VDF AI Compliance Demo

Demo Scenario

A manufacturing company with critical-infrastructure exposure uses the VDF AI Compliance Risk Assessment Wizard. A structured interview captures use case, data inputs, affected populations, and decision impact from the system owner. The platform applies the EU AI Act Article 6 two-step test — Annex III category plus significant safety or rights impact — grounded in the regulation text. It produces an official classification decision with a written rationale. High-risk systems are automatically restricted to approved models only, ensuring regulated workloads never run on unvetted AI.

Deliverables

  • Risk Classification Certificate per AI system (EU AI Act Article 6 compliant)
  • AI Risk Register with tier breakdown (High / Limited / Minimal / Unacceptable)
  • Policy templates per risk tier (ready to deploy)
  • Escalation workflow for systems with ambiguous classification

03

AI Literacy Training Platform

Severity: High
Prevalence: 79% of postings (highest frequency)

The Enterprise Problem

EU AI Act Article 4 has been in force since 2 February 2025. It mandates a 'sufficient level of AI literacy' for all providers and deployers — and non-compliance is an aggravating factor in enforcement. 79% of job postings cite AI literacy as a requirement because companies have no baseline training programs, no role-specific content, no completion records, and no mechanism to update training as regulations evolve. Generic e-learning does not satisfy Article 4: it requires role-specific depth, documented evidence, and biannual updates.

Regulatory Obligation

  • EU AI Act: Art. 4 — AI Literacy (in force Feb 2025)
  • EU AI Act: Art. 26(6) — Staff Training
  • ISO 42001: Clause 7.2 — Competence
  • GDPR: Staff Awareness

VDF AI Compliance Demo

Demo Scenario

VDF AI Compliance deploys a role-adaptive AI literacy program. Training draws on the EU AI Act, the company's own AI system register, and role-specific obligations for deployers, providers, and general staff. Employees work through scenario questions — for example, "Your team wants to use a GenAI tool for CV screening — what are the compliance steps?" — and receive regulation-grounded feedback. Completion timestamps, role, score, and training version are logged as documentary evidence for Article 4 compliance. Managers see team completion dashboards in the compliance portal.

Deliverables

  • Role-specific training modules (General Staff / AI Deployer / AI Developer / Leadership)
  • Article 4 Compliance Certificate per employee (timestamped, audit-backed)
  • Organisation-wide Literacy Compliance Dashboard
  • Automated re-training trigger when regulations change

04

Bias Detection & Fairness Auditing

Severity: High
Prevalence: 63% of postings

The Enterprise Problem

AI bias is the compliance obligation that companies understand the least and fear the most. Unlike financial model validation (a mature discipline with established methodologies), AI bias testing lacks standardized playbooks. The technical-legal gap is real: data scientists understand statistical bias; lawyers understand discrimination law; almost nobody bridges both. Sectors with the highest exposure — banking (credit scoring), insurance (underwriting), HR tech (hiring) — are also the most regulated. EU AI Act Article 10(5) prohibits training on data leading to prohibited biases; Annex III classifies employment and credit AI as high-risk.

Regulatory Obligation

  • EU AI Act: Art. 10(5) — Training Data Bias
  • EU AI Act: Art. 10 — Data Governance for High-Risk
  • GDPR: Art. 22 — Automated Decision Making
  • NIST AI RMF: MEASURE 2.5

VDF AI Compliance Demo

Demo Scenario

An insurance company connects their model training dataset to VDF AI Compliance. The platform profiles demographic features across the training data, evaluates model decisions across demographic groups, and applies the EU AI Act Article 10 prohibited-bias checklist. It produces a Fairness Audit Report with a bias severity score, affected protected characteristics, recommended mitigations, and a remediation plan. Baseline fairness metrics are recorded so ongoing monitoring can alert the team if fairness degrades after deployment.

Deliverables

  • Fairness Audit Report (EU AI Act Article 10 aligned, per protected characteristic)
  • Bias Severity Score and Traffic-Light Dashboard
  • Remediation Plan with technical mitigations (re-sampling, re-weighting, post-processing)
  • Baseline Fairness Metrics Record (seed for ongoing monitoring)

05

Data Governance Integration

Severity: High
Prevalence: 58% of postings

The Enterprise Problem

AI inherits every data governance failure at scale. EU AI Act Article 10 mandates that training datasets be 'relevant, sufficiently representative, and to the best extent possible, free of errors.' GDPR Article 17's right to erasure collides directly with model weights — personal data baked into model parameters cannot be simply deleted. 58% of postings require data governance integration because most companies have data governance on paper but not in practice: no Critical Data Element (CDE) definitions, no data lineage, no quality baselines. AI initiatives routinely fail at the data layer before they reach the model layer.

Regulatory Obligation

  • EU AI Act: Art. 10 — Data Governance for High-Risk AI
  • GDPR: Art. 17 — Right to Erasure
  • EU Data Act — Data Sharing Obligations
  • ISO 42001: Clause 8.4 — Data Management

VDF AI Compliance Demo

Demo Scenario

An energy utility uses the VDF AI Compliance Data Governance module. The platform connects to the utility's enterprise data sources and discovers all datasets used by registered AI systems. It profiles data quality (completeness, consistency, duplication), maps data lineage from source to model training, identifies Critical Data Element candidates, and flags GDPR Article 17 risk — datasets containing personal data used in model training with no erasure mechanism. Output includes a Data Governance Gap Report and a remediation roadmap prioritized by AI system risk tier.

Deliverables

  • Data Lineage Map per registered AI system (source to model)
  • Data Quality Scorecard (EU AI Act Article 10 aligned)
  • GDPR Article 17 Risk Register for AI training datasets
  • Critical Data Element (CDE) Definitions and Ownership Matrix

06

AI Governance Framework Builder

Severity: Critical
Prevalence: 53% of postings

The Enterprise Problem

McKinsey (2024) found only 18% of organisations have an enterprise-wide AI governance council with real decision authority. Only 28% place AI governance under CEO ownership; only 17% have board-level oversight. The core failure is not a lack of policy documents; it is the lack of a governance operating model: no RACI, no approval workflows, no AI risk appetite statement, no cross-functional coordination mechanism. Job postings reveal companies trying to build all of this from zero while already running AI in production.

Regulatory Obligation

  • EU AI Act: Art. 26 — Deployer Obligations
  • EU AI Act: Art. 27(4) — Fundamental Rights Officer
  • ISO 42001: Clause 5 — Leadership
  • NIST AI RMF: GOVERN 1.2

VDF AI Compliance Demo

Demo Scenario

A consultancy uses VDF AI Compliance to build their own governance framework in three days. The platform generates an AI Governance Council charter, AI Risk Appetite Statement, RACI matrix, and AI system approval lifecycle — from intake through risk classification, impact assessment, council approval, deployment, and monitoring. All documents are versioned, stored with full approval audit trails, and aligned to ISO 42001 leadership requirements and EU AI Act Article 26 deployer obligations.

Deliverables

  • AI Governance Council Charter (roles, decision rights, cadence)
  • RACI Matrix for all AI governance activities
  • AI Risk Appetite Statement (board-ready)
  • AI System Approval Lifecycle (intake to deployment to monitoring)
  • ISO 42001 Clause 5 Gap Assessment

07

Policy & Technical Documentation Generator

Severity: High
Prevalence: 37% of postings

The Enterprise Problem

EU AI Act Articles 11 and 13 mandate extensive technical documentation for high-risk systems: risk management system records, dataset documentation, testing results, human oversight specifications, transparency disclosures, and technical accuracy specifications. ISO 42001 Clause 7.5 requires documented information for 38 controls. Developers universally resist documentation; model cards and dataset sheets are seen as bureaucratic overhead. The result: most companies have AI systems in production with zero compliant documentation.

Regulatory Obligation

  • EU AI Act: Art. 11 — Technical Documentation
  • EU AI Act: Art. 12 — Record Keeping
  • EU AI Act: Art. 13 — Transparency
  • ISO 42001: Clause 7.5 — Documented Information

VDF AI Compliance Demo

Demo Scenario

A financial services firm needs Article 11 technical documentation for their credit scoring AI system before the August 2026 deadline. VDF AI Compliance interviews the system owner through a structured questionnaire covering use case, training data, testing methodology, performance metrics, human oversight design, and update procedures. The platform generates EU AI Act Annex IV technical documentation, Article 13 user-facing transparency disclosures, and Article 12 logging specifications. All documents are versioned, tamper-evident, and accessible for regulatory inspection.

Deliverables

  • EU AI Act Annex IV Technical Documentation per high-risk system
  • Article 13 Transparency Disclosure (user-facing)
  • Article 12 Record-Keeping Specification (logging architecture)
  • Decision Log (audit-backed, all governance decisions with rationale)

08

Vendor AI Risk Assessment

Severity: High
Prevalence: 21% of postings

The Enterprise Problem

EU AI Act Article 28 places compliance obligations on deployers of high-risk AI systems — even when the underlying model is provided by OpenAI, Anthropic, Google, Salesforce, or any other third party. Standard SaaS contracts do not cover EU AI Act obligations. Companies using Microsoft Copilot, ChatGPT, HireVue, or any AI-enabled SaaS are deployers under the law. Most have no vendor AI risk program, no contractual protections, and no method for assessing whether their AI vendors are compliant.

Regulatory Obligation

  • EU AI Act: Art. 28 — Deployer Obligations
  • EU AI Act: Art. 55 — GPAI Transparency
  • DORA: Art. 30 — Third-Party ICT Risk
  • ISO 42001: Clause 8.6 — External Provision

VDF AI Compliance Demo

Demo Scenario

An insurance company needs to assess their AI vendors before the August 2026 deadline. VDF AI Compliance collects publicly available information about each vendor — model documentation, transparency reports, certification status, and EU AI Act compliance statements. It delivers a structured vendor questionnaire covering risk classification, bias testing, data governance, human oversight, logging, and incident notification. Results are scored against an EU AI Act Article 28 compliance rubric and stored in a Vendor Risk Register. Approved vendor lists feed directly into deployment policies for regulated workflows.

Deliverables

  • Vendor AI Risk Register (all AI vendors scored against EU AI Act Art. 28)
  • Approved Vendor List (feeds into deployment policies automatically)
  • Vendor Questionnaire Template (contractual gap analysis)
  • DORA–AI Act Combined Vendor Assessment (for financial services)

09

Model Monitoring & Drift Detection

Severity: Medium
Prevalence: 11% of postings

The Enterprise Problem

EU AI Act Article 61 requires providers of high-risk systems to establish post-market monitoring systems that actively collect and analyze data on system performance throughout its operational lifetime. Model decay is real: models trained on 2023 data degrade on 2026 data as real-world distributions shift. Only 11% of postings mention this explicitly — yet it is an Article 61 mandatory requirement for all high-risk systems. The low posting rate suggests companies have not yet internalized that compliance does not end at deployment: it is a continuous obligation.

Regulatory Obligation

  • EU AI Act: Art. 61 — Post-Market Monitoring
  • EU AI Act: Art. 72 — Serious Incident Reporting
  • ISO 42001: Clause 9 — Performance Evaluation
  • NIST AI RMF: MANAGE 4.1

VDF AI Compliance Demo

Demo Scenario

A manufacturing company runs their quality control AI system under continuous monitoring by VDF AI Compliance. Baseline fairness and performance metrics established at deployment are stored as the reference point. After each production batch, the platform re-evaluates recent model outputs against the same fairness criteria. If the fairness score degrades beyond a configured threshold (for example, demographic disparity grows more than 5%), the system routes queries to a fallback approved model, generates an EU AI Act Article 72 serious incident draft report, and notifies the designated compliance officer.

Deliverables

  • Continuous Monitoring Dashboard (per AI system, per metric)
  • Drift Alert Configuration (per system, per regulatory threshold)
  • Automated Article 72 Serious Incident Report Draft on breach
  • Post-Market Monitoring Plan per high-risk system (Article 61 compliant)

10

DPIA / FRIA Integrated Impact Assessment

Severity: High
Prevalence: 5% explicit / 100% implied

The Enterprise Problem

GDPR Article 35 requires a Data Protection Impact Assessment (DPIA) before high-risk automated processing. EU AI Act Article 27 requires a Fundamental Rights Impact Assessment (FRIA) before deploying high-risk AI systems. These two assessments share substantial scope but sit under different legal frameworks, require different legal expertise, and are owned by different teams (Privacy vs. Compliance). Only 1 of 19 job postings explicitly mentions impact assessments, yet every company with high-risk AI systems faces both obligations. Running them as separate processes is duplicative and inconsistent. Running an integrated process is best practice, but a playbook for it is not yet widely available.

Regulatory Obligation

  • EU AI Act: Art. 27 — FRIA Obligation
  • GDPR: Art. 35 — DPIA Requirement
  • EU AI Act: Art. 26 — Deployer Responsibility
  • NIST AI RMF: MAP 5.1

VDF AI Compliance Demo

Demo Scenario

A bank is preparing to deploy a credit scoring AI system before the August 2026 deadline. VDF AI Compliance runs an integrated DPIA/FRIA workflow in a single session. One structured interview collects system description, affected populations, data processed, and automated decision scope. The platform produces a GDPR Article 35 assessment (data minimization, proportionality, safeguards, residual risks) and an EU AI Act Article 27 assessment (impacts on fundamental rights: non-discrimination, dignity, freedom of expression, access to justice, privacy). A cross-reference step identifies overlaps and inconsistencies between the two assessments. Both documents are versioned, approved through the governance workflow, and stored as pre-deployment evidence required by both frameworks.

Deliverables

  • Integrated DPIA + FRIA in single workflow (single interview, two compliant outputs)
  • Cross-Reference Report (overlaps and inconsistencies between DPIA and FRIA)
  • Pre-Deployment Gate: deployment blocked until FRIA is approved
  • Assessment Template Library (reusable for all Annex III system categories)
