I
Impetora
Service - Discovery phase

AI readiness audit against EU AI Act, ISO 42001, GDPR

A standalone gap analysis of your in-flight and planned AI systems against three frames: the EU AI Act (Regulation (EU) 2024/1689), ISO/IEC 42001:2023 (the AI management-system standard), and GDPR Article 22 (automated decision-making). For enterprises that need a defendable view of where they stand before a regulator, an internal auditor, or a board risk committee asks.

2-3 wk
End-to-end duration
3
Regulatory frames covered (AI Act, ISO 42001, GDPR Art 22)
1
Per-use-case risk classification, written and dated
1
Control-gap register with remediation owners
Book a discovery callRead the TRACE methodology
Section 01

01.What does the readiness audit deliver?

Three artefacts. First, a per-use-case classification under the EU AI Act risk tiers (prohibited, high-risk, limited-risk, minimal-risk), with the Annex III citations that justify each call. Second, a control-gap register against ISO/IEC 42001 clauses, mapped to the Annex IV technical-documentation expectations of the AI Act. Third, a GDPR Article 22 review covering legal basis, meaningful information about the logic, and the right-to-explanation pathway, including the EDPB 2024 SCHUFA guidance. Each gap has a named owner and a remediation timeline expressed against your internal change-management cadence.
Section 02

02.Who is this audit for?

Chief Risk Officers, Data Protection Officers, Heads of Compliance, and General Counsel in financial services, insurance, healthcare, and any organisation operating an AI system that will fall inside the EU AI Act high-risk perimeter. Also for procurement leads who need a defendable assessment of vendor AI systems before signing or renewing. The audit is system-level, not just policy-level: we look at what is actually shipped, not only at what is documented.
Section 03

03.What is not included?

The audit is a gap analysis, not a remediation engagement. We do not write the missing controls during the audit window; the remediation plan is the deliverable. We do not provide formal certification: ISO/IEC 42001 certification is issued by accredited bodies, and we map your posture against the standard rather than issuing a certificate. We do not provide legal advice; the audit informs your General Counsel rather than replacing them.
Section 04

04.How does it differ from a typical AI audit?

A typical AI audit runs from a single frame (often only the AI Act, or only GDPR), produces a long policy document, and stops short of the system level. This audit covers all three regulatory frames in a single pass, looks at the running system as well as the policy, and returns a remediation plan tied to named owners on your side. The frame is auditor-grade, the language is plain, the remediation is dated.
Section 05

05.How does it integrate with TRACE Discovery?

It is the Trust pillar of TRACE, scoped as a standalone deliverable. Buyers who already know which use cases they want to build, but need the regulatory read first, take the audit on its own. Buyers who want both readiness and use-case prioritisation take TRACE Discovery, which contains the same regulatory analysis embedded inside a wider scope. The audit deliverable is reusable as input to a future Build engagement.
Methodology mapping

06.How this SKU sits inside the TRACE methodology

This engagement is the Discovery phase of the Impetora delivery model. Discovery is the diagnostic phase. The audit is the regulatory diagnostic, scoped to ship on its own.

T

Trust

The audit is the Trust pillar in standalone form. Risk classification, control-gap register, GDPR Article 22 review, evidence pack.
R

Readiness

We sample real system behaviour, not only the policy text. Where logs do not exist, the audit says so and treats it as a gap.
A

Architecture

The audit evaluates whether the architecture supports the controls the regulation requires (logging, traceability, human oversight).
C

Citations and evidence

Every finding cites the article, clause, or guideline it rests on. The control-gap register is queryable and dated.
Engagement model

07.What happens, week by week

  1. 01Days 1-3

    Kick-off and inventory

    Two-hour kick-off, then a documented AI inventory: every system in production, in pilot, or under procurement, with owners and data flows.

  2. 02Days 4-12

    Per-system review

    Risk classification under Annex III, ISO 42001 clause-mapping, GDPR Article 22 walk-through against the running system, with logs and policies in scope.

  3. 03Days 13-15

    Remediation plan and walk-through

    Drafted register, executive walk-through, signed-off remediation plan with named owners and dated milestones.

Scope of work

08.Inputs we need from you. Outputs we ship.

Inputs we need

From your team

  • An accurate inventory of AI systems (in production, pilot, and procurement)
  • Read access to logs, evaluation results, and prompt or model versioning where available
  • Existing AI policy, data-protection impact assessments, and any prior regulator correspondence
  • 30 minutes each from each system owner, the DPO, and General Counsel
Outputs we ship

Concrete deliverables

  • Per-system EU AI Act risk classification with Annex III citations
  • ISO/IEC 42001:2023 control-gap register, mapped to AI Act Annex IV documentation
  • GDPR Article 22 review per system: legal basis, transparency, human-review pathway
  • Remediation plan with named owners, dependencies, and dated milestones
  • Executive summary suitable for a board or regulator submission
Honest scoping

09.Who this is not for

We turn engagements down when the fit is wrong. If any of these match, a different SKU, or a different partner, will serve you better.

See the full list of fit signals we screen against
  • Buyers needing only a policy template; this audit looks at the running system, not only the policy
  • Organisations not yet operating or procuring any AI system
  • Buyers looking for a stamp of certification; certification is issued by accredited bodies, not by us
  • Cases where the General Counsel will not be available for a one-hour call during the audit window

Frequently asked questions

Does the audit produce ISO/IEC 42001 certification?

No. ISO/IEC 42001 certification is issued by accredited certification bodies. The audit maps your posture against the standard and produces the gap register and remediation plan you would take into a certification audit. Many buyers run the readiness audit, remediate, then engage an accredited body for the formal certification.

How is the audit scope sized when we have many systems?

We agree a coverage cap up front (typically 5 to 10 systems for a 2 to 3 week engagement). For larger inventories we recommend a tiered approach: full audit on the high-risk-tier systems, lighter screening on limited-risk-tier systems, and a staged plan for the rest. The scoping conversation happens before kick-off.

Do you cover the Lithuanian VDAI guidance and supervisory expectations?

Yes for organisations with Lithuanian establishment. The Lithuanian Data Protection Inspectorate (VDAI) has issued guidance that aligns with the EDPB 2024 GDPR Article 22 position, and we incorporate it where relevant. For other Member States we work against the local DPA and the EDPB position.

Can the audit cover vendor AI systems we are about to procure?

Yes. We classify the candidate system, review the vendor's available documentation against AI Act Annex IV, and write a procurement-decision memo with the residual risk and the contract clauses we recommend before signature.

What deliverable format do you ship?

A written report and a structured spreadsheet for the gap register. The walk-through is held with the steering group, and the deliverable is yours to circulate inside the organisation.

Is this audit a substitute for a formal Annex VI or Annex VII conformity assessment?

No. The conformity assessment for high-risk systems is its own regulatory process under the AI Act. The readiness audit prepares you to run that conformity assessment with a clear inventory of gaps and remediation actions.

Continue reading

10.Related work

Sister SKU

TRACE Discovery: full readiness assessment with use-case prioritisation

Read the page
Open
Sister SKU

AI operations layer: ongoing regulator-pack maintenance

Read the page
Open
Pillar page

EU AI Act overview

Read the page
Open
Industry hub

AI for banking

Read the page
Open

Book a discovery call for a fixed-scope plan.

One form. We reply within two working days with a written scope, a delivery plan, and the team you would work with.

Book a discovery callEmail info@ainora.lt
Discovery call

Book a discovery call

Tell us what you would like to build. We reply within one business day.

30-minute call. Free of charge. No obligation.