---
title: "AI readiness audit: EU AI Act, ISO 42001 | Impetora"
description: "Standalone gap analysis of your AI use against the EU AI Act, ISO/IEC 42001, and GDPR Article 22, with a written readiness file you can ship to audit."
url: https://impetora.com/services/ai-readiness-audit
locale: en
dateModified: 2026-04-28
author: Impetora
---

# AI readiness audit against EU AI Act, ISO 42001, GDPR

> A standalone gap analysis of your in-flight and planned AI systems against three frames: the EU AI Act (Regulation (EU) 2024/1689), ISO/IEC 42001:2023 (the AI management-system standard), and GDPR Article 22 (automated decision-making). For enterprises that need a defendable view of where they stand before a regulator, an internal auditor, or a board risk committee asks.

*Updated 2026-04-28. By Impetora. Email info@ainora.lt to discuss this service.*

## Anchor metrics

- **2-3 wk** - End-to-end duration
- **3** - Regulatory frames covered (AI Act, ISO 42001, GDPR Art 22)
- **1** - Per-use-case risk classification, written and dated
- **1** - Control-gap register with remediation owners

## What does the readiness audit deliver?

Three artefacts. First, a per-use-case classification under the EU AI Act risk tiers (prohibited, high-risk, limited-risk, minimal-risk), with the Annex III citations that justify each call. Second, a control-gap register against ISO/IEC 42001 clauses, mapped to the Annex IV technical-documentation expectations of the AI Act. Third, a GDPR Article 22 review covering legal basis, meaningful information about the logic, and the right-to-explanation pathway, including the EDPB 2024 SCHUFA guidance. Each gap has a named owner and a remediation timeline expressed against your internal change-management cadence.

## Who is this audit for?

Chief Risk Officers, Data Protection Officers, Heads of Compliance, and General Counsel in financial services, insurance, healthcare, and any organisation operating an AI system that will fall inside the EU AI Act high-risk perimeter. Also for procurement leads who need a defendable assessment of vendor AI systems before signing or renewing. The audit is system-level, not just policy-level: we look at what is actually shipped, not only at what is documented.

## What is not included?

The audit is a gap analysis, not a remediation engagement. We do not write the missing controls during the audit window; the remediation plan is the deliverable. We do not provide formal certification: ISO/IEC 42001 certification is issued by accredited bodies, and we map your posture against the standard rather than issuing a certificate. We do not provide legal advice; the audit informs your General Counsel rather than replacing them.

## How does it differ from a typical AI audit?

A typical AI audit runs from a single frame (often only the AI Act, or only GDPR), produces a long policy document, and stops short of the system level. This audit covers all three regulatory frames in a single pass, looks at the running system as well as the policy, and returns a remediation plan tied to named owners on your side. The frame is auditor-grade, the language is plain, the remediation is dated.

## How does it integrate with TRACE Discovery?

It is the Trust pillar of TRACE, scoped as a standalone deliverable. Buyers who already know which use cases they want to build, but need the regulatory read first, take the audit on its own. Buyers who want both readiness and use-case prioritisation take TRACE Discovery, which contains the same regulatory analysis embedded inside a wider scope. The audit deliverable is reusable as input to a future Build engagement.

## TRACE methodology mapping

This SKU sits inside the **Discovery** phase of the Impetora delivery model. Discovery is the diagnostic phase. The audit is the regulatory diagnostic, scoped to ship on its own.

### T - Trust

The audit is the Trust pillar in standalone form. Risk classification, control-gap register, GDPR Article 22 review, evidence pack.

### R - Readiness

We sample real system behaviour, not only the policy text. Where logs do not exist, the audit says so and treats it as a gap.

### A - Architecture

The audit evaluates whether the architecture supports the controls the regulation requires (logging, traceability, human oversight).

### C - Citations and evidence

Every finding cites the article, clause, or guideline it rests on. The control-gap register is queryable and dated.

## Engagement model, week by week

1. **Kick-off and inventory** (Days 1-3). Two-hour kick-off, then a documented AI inventory: every system in production, in pilot, or under procurement, with owners and data flows.
2. **Per-system review** (Days 4-12). Risk classification under Annex III, ISO 42001 clause-mapping, GDPR Article 22 walk-through against the running system, with logs and policies in scope.
3. **Remediation plan and walk-through** (Days 13-15). Drafted register, executive walk-through, signed-off remediation plan with named owners and dated milestones.

## Inputs we need from you

- An accurate inventory of AI systems (in production, pilot, and procurement)
- Read access to logs, evaluation results, and prompt or model versioning where available
- Existing AI policy, data-protection impact assessments, and any prior regulator correspondence
- 30 minutes from each system owner, the DPO, and General Counsel

## Outputs we ship

- Per-system EU AI Act risk classification with Annex III citations
- ISO/IEC 42001:2023 control-gap register, mapped to AI Act Annex IV documentation
- GDPR Article 22 review per system: legal basis, transparency, human-review pathway
- Remediation plan with named owners, dependencies, and dated milestones
- Executive summary suitable for a board or regulator submission

## Who this is not for

- Buyers needing only a policy template; this audit looks at the running system, not only the policy
- Organisations not yet operating or procuring any AI system
- Buyers looking for a stamp of certification; certification is issued by accredited bodies, not by us
- Cases where the General Counsel will not be available for a one-hour call during the audit window

## Frequently asked questions

### Does the audit produce ISO/IEC 42001 certification?

No. ISO/IEC 42001 certification is issued by accredited certification bodies. The audit maps your posture against the standard and produces the gap register and remediation plan you would take into a certification audit. Many buyers run the readiness audit, remediate, then engage an accredited body for the formal certification.

### How is the audit scope sized when we have many systems?

We agree a coverage cap up front (typically 5 to 10 systems for a 2 to 3 week engagement). For larger inventories we recommend a tiered approach: full audit on the high-risk-tier systems, lighter screening on limited-risk-tier systems, and a staged plan for the rest. The scoping conversation happens before kick-off.

### Do you cover the Lithuanian VDAI guidance and supervisory expectations?

Yes, for organisations with a Lithuanian establishment. The Lithuanian Data Protection Inspectorate (VDAI) has issued guidance that aligns with the EDPB 2024 GDPR Article 22 position, and we incorporate it where relevant. For other Member States we work against the local DPA and the EDPB position.

### Can the audit cover vendor AI systems we are about to procure?

Yes. We classify the candidate system, review the vendor's available documentation against AI Act Annex IV, and write a procurement-decision memo with the residual risk and the contract clauses we recommend before signature.

### What deliverable format do you ship?

A written report and a structured spreadsheet for the gap register. The walk-through is held with the steering group, and the deliverable is yours to circulate inside the organisation.

### Is this audit a substitute for a formal Annex VI or Annex VII conformity assessment?

No. The conformity assessment for high-risk systems is its own regulatory process under the AI Act. The readiness audit prepares you to run that conformity assessment with a clear inventory of gaps and remediation actions.

## Related

- [TRACE Discovery: full readiness assessment with use-case prioritisation](https://impetora.com/services/trace-discovery)
- [AI operations layer: ongoing regulator-pack maintenance](https://impetora.com/services/ai-operations-layer)
- [EU AI Act overview](https://impetora.com/eu-ai-act/overview)
- [AI for banking](https://impetora.com/industries/banking)

## About this service

**AI readiness audit** - Standalone gap analysis of in-flight and planned AI systems against the EU AI Act, ISO/IEC 42001, and GDPR Article 22. Deliverable: per-system risk classification, control-gap register, remediation plan with named owners.

Submit a project: https://impetora.com/?service=ai-readiness-audit#discovery-call
