ISMS Copilot for AI startup compliance
Classify your own AI system, stand up an AI Management System, and answer the automated-decision question before customers ask it.
What AI startups actually have to do
- Classify your AI system under the EU AI Act risk tiers — prohibited, high-risk, limited-risk transparency, or minimal
- Work through conformity-assessment and technical-documentation duties if the system is high-risk
- Stand up an ISO 42001 AI Management System (AIMS) with AI risk assessment and treatment
- Draft GDPR Article 22 safeguards where decisions are made solely by automated processing with legal or similarly significant effects
- Produce AI impact assessments and human-oversight procedures
- Cross-map ISO 42001 controls to the EU AI Act so you write each requirement once
Built for the AI startup compliance lead
- EU AI Act risk-classification assessment and transparency-obligation guidance
- ISO 42001 AIMS implementation and control library
- GDPR Article 22 automated-decision and profiling safeguards
- AI impact assessment and human-oversight templates
- ISO 42001 ↔ EU AI Act cross-mapping
- Customer security-questionnaire responder for AI-specific due diligence
Classifying your own AI product before customers ask
Every enterprise buyer now asks an AI vendor the same first question: what is your system under the EU AI Act, and what governance sits behind it? Get this wrong and the deal stalls in security review. The Act is risk-tiered — a prohibited use is off the table, a high-risk system (the Annex III categories) triggers conformity assessment, technical documentation, logging, and human oversight, while a limited-risk system needs transparency disclosure. ISO 42001 is the management-system answer: it specifies an AI Management System for establishing, implementing, and improving responsible AI governance, and it maps cleanly onto the Act's governance expectations. On top, GDPR Article 22 restricts decisions based solely on automated processing that produce legal or similarly significant effects — directly relevant if your model scores, ranks, or gates people. ISMS Copilot runs the classification and drafts the governance behind it.
ISO 42001 framework details →
Free EU AI Act risk-tier checker for the founding team
Before you scope the AI governance work, classify each system. The free EU AI Act Risk-Tier Checker gives a structured first-pass prohibited/high-risk/limited/minimal classification (with the GPAI axis) against Regulation 2024/1689 — a starting point that anchors the early-stage governance choices above. Annex III borderline cases still need legal review.
Open the free EU AI Act Risk-Tier Checker →
Frequently Asked Questions
How do I know if my AI system is high-risk?
The EU AI Act defines high-risk systems through Annex III use-case categories and product-safety rules. ISMS Copilot walks you through the classification questions so you can determine whether you are prohibited, high-risk, limited-risk (transparency only), or minimal, and what each tier requires.
Is ISO 42001 worth it for an early-stage startup?
Increasingly yes. ISO 42001 gives you a recognised AI Management System that answers enterprise due diligence and supports EU AI Act governance duties at the same time. ISMS Copilot helps you implement a proportionate AIMS rather than an over-engineered one.
Does GDPR Article 22 apply to our model?
If your system makes a decision based solely on automated processing that has a legal or similarly significant effect on a person — credit, employment, access — then Article 22 applies and you need specific safeguards including human review rights. ISMS Copilot helps you assess this and draft the safeguards.
Ready to streamline your compliance work?
Built for speed, accuracy, and audit-ready output.
