EU AI Act: understanding your AI landscape is now the priority

Organizations that use AI often lack a clear overview of exactly what is in use. For example, AI applications may be built in-house, purchased through SaaS contracts, or left unmanaged. At the same time, transparency around AI is extremely important—both for your customers and for preparing for upcoming regulations. So the question is: how do you gain insight into what’s happening within your organization?

We’ll answer 3 questions:

  • What obligations does the EU AI Act entail?
  • What steps should you take now to ensure compliance?
  • How can you gain insight into your AI landscape?

Limited understanding of AI usage is a major risk

Many organizations lack a complete picture of their AI usage. This is not surprising, as AI is now found everywhere: in the CRM system that ranks sales opportunities, in the HR system that filters resumes, and in financial tools that assess credit risks or insurance outcomes.

It is precisely these systems that the European AI Act refers to when discussing high-risk applications. They are described in Annex III of this new law. This annex identifies specific sectors and areas of application subject to additional obligations. These high-risk applications are subject to the strictest requirements, but most of the records organizations maintain today do not provide sufficient insight into them.

Compliance, therefore, does not start with the lawyer. It starts with the IT architect who knows what is running.

The first requirements under the EU AI Act have already taken effect

The AI Act includes several deadlines. Those who are just getting started now have some catching up to do, but the law still allows for a structured approach. For example, Article 4 on AI literacy among employees has been in effect since February 2, 2025. The governance requirements for General Purpose AI will follow thereafter.

The most stringent obligations under the AI Act focus on high-risk applications and transparency requirements: Annex III and Article 50. These apply in later phases and already require insight into what is happening within your organization.

Specifically, this involves three components:

  • A comprehensive AI registry. For each system, identify the business owner, the vendor behind it, the data used, the decision-making impact, and whether logging is active. Without this registry, you lack an overview, and it becomes difficult to justify your choices during an investigation.
  • Compliance files for high-risk systems. Examples include CV screening (Annex III.4), AI-driven performance monitoring, or credit scoring (Annex III.5). For these systems, the law requires, among other things, risk management, bias testing, human oversight, and an incident workflow.
  • Transparency checks based on Article 50. Systems that communicate with customers or employees, from chatbots to AI-generated content, must be recognizable as AI. On March 5, 2026, the European Commission published a second draft of the Code of Practice, which you can now use as a basis for tooling choices.

What exactly is considered high-risk?

The strictest requirements under the AI Act apply to specific sectors, divided into 8 categories as set out in Annex III. For Dutch organizations, the most important ones are:

  • HR and recruitment: resume screening, performance monitoring, candidate selection
  • Financial services: credit scoring, risk assessment in insurance
  • Education: systems that influence admission or performance evaluation
  • Critical infrastructure: AI in energy or water management
  • Law enforcement and immigration: systems that directly influence individual decisions

AI governance in low-code applications

Low-code platforms such as Mendix and OutSystems combine user-friendly application development with robust governance, security, and enterprise-grade control. For many Dutch organizations, they have become the foundation of their digital processes. Yet it is precisely in this area where insight is lacking.

Applications on these platforms increasingly incorporate built-in AI: layered decision models, intelligent process routing, and generative features deeply embedded in the application logic. These belong in the AI registry but are not automatically included there. This matters most when they are deployed in HR, customer, or financial processes, domains that the law considers high-risk.

But there is a solution. Both platforms offer built-in audit trails, version control, deployment approval workflows, and role-based access control. These features can be used directly as proof of compliance for technical documentation and human oversight. So you don’t have to rebuild this from scratch.

Gartner predicts that global spending on AI governance platforms will rise to $5.8 billion by 2026. In 2023, that figure was less than $400 million. This growth is not driven by hype, but by a practical realization: Excel-based governance does not provide sufficient evidence when a regulator comes knocking.

How do you approach AI compliance?

The AI Act affects multiple areas of your organization simultaneously. This makes it difficult to determine where to start and how to maintain an overview.

In the projects we manage, we therefore opt for a phased approach: the 4D model. This model provides structure and translates insights into concrete steps.

Model of our 4D approach

Discover: understanding your AI landscape

Compliance starts with a complete overview. In the Discover phase, we map out the entire AI landscape: internally developed systems, purchased SaaS solutions, and embedded AI in low-code applications such as Mendix and OutSystems. We analyze which systems fall under Annex III, who the business owners are, what data flows through them, and the decision-making impact. This allows you to build a comprehensive AI registry that provides insight into risks and accountability to regulators.

Design: governance tailored to your organization

Knowing the law is one thing; turning it into a workable architecture is another. In the Design phase, we translate the requirements of the AI Act into a governance framework that aligns with your organization’s existing structures. We build on existing risk processes, security frameworks, and audit structures, so that governance becomes part of what already works. For each high-risk system, we define who is responsible, what requirements apply, and what documentation is needed.

Develop: processes that stand up to an audit

Governance that exists only on paper is not enough when a regulator asks for evidence. That is why, during the Develop phase, we build the actual processes and documentation structures: monitoring workflows, incident reporting, bias-testing procedures, and auditable training records. We work iteratively with sprints and demos, so that you can continuously validate throughout the process whether the solution meets legal requirements and practical needs.

Drive: compliance that grows with you

The AI Act is not a one-time project. Regulations change, AI systems are updated, and oversight is increasing. During the Drive phase, we keep the approach up to date through periodic reviews, dashboards for the board and management, and updates in response to changes in the law. This ensures your AI governance remains in order and that you are prepared for future audits.

We do not use a standard compliance checklist. Every project starts with the actual AI landscape, existing governance, and the systems that carry risk.

Do you already have a clear understanding of your IT landscape?

The AI Act doesn’t change what AI does. It does, however, change who is responsible for it and how you demonstrate that responsibility. Organizations that invest now in an AI registry and a governance approach that works aren’t just building compliance. They gain insight into what’s running, how systems make decisions, and where risks lie. Make this transparent to your customers with an AI statement.

Schedule a session and talk to one of our experts.