Best Practices
Fundamentals
AI-generated In what unit do you measure your AI compliance?
Most companies answer without realising it: in systems. A tool list, a „risk” column, done. But that’s the wrong unit. Systems don’t have a risk class. Use cases do.
That’s exactly why the core of the NADOVO methodology has its own name: the AI process. One unit, one formula - AI system + area of application = AI process. This single line decides the risk class, the obligations and your role. And it’s the reason NADOVO works differently from any system list.
The wrong unit: the system
The question „Is ChatGPT high-risk?” can’t be answered. Not because it’s difficult, but because it’s the wrong question.
The EU AI Act doesn’t classify technologies, but use cases. A language model that drafts marketing copy: minimal risk. The same model as a customer service chatbot: transparency obligation. The same model pre-screening job applications: high-risk under Annex III, the employment area. The technology is identical. What changes is the purpose, and with it the entire set of obligations.
That’s not a NADOVO invention. It’s in the law, in Article 6 and Annex III. And yet compliance practice looks different almost everywhere: Excel lists of system names. Tool inventories with a single „risk” column holding one value per system. As if a tool had a risk class.
It doesn’t. And this is exactly where system inventories break down: a company that uses the same tool in three departments for three purposes doesn’t have one risk, but three.
The core formula
That’s why at the centre of the NADOVO framework is a formula that runs through everything we do:
AI system + area of application = AI process. And the AI process determines the risk class.
An example, played through. The system: a language model, say ChatGPT. At a mid-sized company it gives rise to three AI processes. First „ChatGPT - Marketing”: product texts and draft posts, minimal risk, no special obligations. Second „ChatGPT - Customer service”: a chatbot on the website, limited risk, it has to identify itself as AI. Third „ChatGPT - Recruiting”: pre-screening applications, high-risk, with human oversight, documentation and the full deployer obligations.
One asset. Three processes. Three risk classes. Whoever records only the system sees one line and no risk. Whoever thinks in processes sees three entries and knows exactly what to do for each.
Everything hangs on the process
The formula is more than a mnemonic. At NADOVO, the AI process is the unit on which the entire compliance hangs.
The risk class belongs to the process, not the system. The assessment evaluates the process. The measures, from human oversight to training, apply per process. Even your role in the sense of the law can differ per process: for the bought-in tool in marketing you’re a deployer, for the repurposed use in recruiting possibly already a provider.
And here an underrated side effect shows: the process view is your early warning system for the role change. In this logic, a change of purpose isn’t an invisible drift, but a new AI process that has to be defined and assessed. Exactly the moment when a deployer can become a provider becomes visible before it happens.
How the formula runs through the framework
Our framework has five phases, and the formula is their common thread.
In DISCOVER you capture the AI systems, including the embedded and the unofficial AI. That’s the inventory, doable in four weeks. In DEFINE the decisive step happens that most skip: each system is assigned to its concrete use cases, assets become AI processes. In ASSESS each process gets its risk class, checked against prohibitions, high-risk areas and transparency obligations. IMPLEMENT puts the measures into practice per process. And MONITOR keeps the picture current, because a new purpose means: a new process, a new assessment.
The NADOVO platform is built exactly this way. AI systems and AI processes are separate, linked objects there, and the risk classification runs rule-based on the process, not the system. That’s why it can answer questions that system lists fail at: which of our use cases are high-risk? Where has a purpose changed? Which process needs which measure?
Why this is our standard
Honestly: that the use case is what counts, everyone could know, it’s in the law. The difference lies in drawing the consequences from it.
Most tools and templates track systems, because systems are easy to count. We built the framework and the platform around the AI process from the start, because only it answers the question the law asks. That’s more uncomfortable to record and invaluable in compliance: every assessment, every measure, every piece of evidence has a unique address.
Governance as an enabler means exactly that to us. Not more bureaucracy, but the right unit, so that every obligation lands where it belongs.
The question that sorts everything
One question to close. Take your most important AI tool and count not what it is, but what it’s all used for. Do you get more than one purpose? Then you’ve just defined your first AI processes, and probably more risk classes than your system list shows.
How to get from the system to the use case is also described by our co-founder Jochen Stier on Contoro: From asset to use case. Where you stand overall is shown by the quick check, and if you want to set up the process view in your company, we accompany you in our AI compliance consulting.
About the author
Jochen Stier is a co-founder of NADOVO with over 20 years of experience in process management and IT service management. He helps German SMEs implement the requirements of the EU AI Act systematically and pragmatically. His 5-phase NADOVO framework combines regulatory requirements with practical feasibility, without enterprise budgets or complex tools.
Further reading: