DA Defensible AI
Currently delivering on UK MOD AI programmes · Deadline 02 Aug 2026 · File № 001 — Implementation

Your lawyer writes the policy.
We make it real.

The EU AI Act demands operational evidence — running risk systems, human-oversight workflows, automated logging, and months of audit-ready records. A legal opinion alone will not pass conformity assessment. We build the governance your AI product actually needs to sell into European markets.

Conformity countdown · 02 Aug 2026 (live countdown in days, hours, minutes and seconds)

Counting down until the Annex III high-risk obligations take effect. Enterprise procurement teams are already demanding evidence.

89% of UK AI firms not fully ready for conformity assessment
54% have minimal or no operational governance in place
€35M or 7% of global turnover: the Act's maximum penalty (Article 99, for prohibited-practice breaches; breaches of the high-risk obligations carry up to €15M or 3%)
Currently delivering UK MOD AI programmes · 20 years · Royal Navy · GDS · Google · You speak to James, not a BDR
§ 00 · First question

"We have lawyers.
Why do we need you?"

Because regulators and enterprise procurement teams audit running systems, not policy documents. Your lawyer produces the opinion. We produce the evidence.

                     Legal counsel                     Defensible AI
Output               Legal opinion, drafted policies   Running risk system, logs, audit evidence
Art. 9 risk mgmt     Interprets requirement            Designs & implements the process
Art. 12 logging      Flags obligation                  Builds the logging architecture
Art. 14 oversight    Explains the clause               Designs the human-in-loop UX
Procurement Qs       Reviews vendor contracts          Answers them with operational evidence

We work alongside your lawyer, not instead of them. If you don't have one, we'll introduce you to specialists we trust.

§ 01 / Problem

Paper compliance won't protect you.

Regulators have learned from GDPR. The Act is designed to catch firms that have the documents but haven't done the work. Here's what enforcement actually targets.

01

Regulators audit systems, not folders

"Inadequate technical and organisational measures" is GDPR's third-largest fine category — 18.6% of violations. Companies had the policies. They hadn't implemented them. The AI Act is structured the same way.

02

Conformity demands operational evidence

Article 9 requires a continuous, iterative risk management system. Article 12 requires automated logging. Article 14 requires designed-in human oversight. These aren't documents — they're running systems producing months of auditable records.

03

Your enterprise clients audit you first

Before any regulator arrives, enterprise customers will demand compliance evidence in vendor assessments. No operational governance = lost contract. That revenue doesn't come back.

§ 02 / Approach

Governance that produces evidence, not just documents.

Your legal counsel interprets the regulation. We design and implement the operational systems — risk processes, oversight interfaces, logging architecture, team workflows — that generate the continuous evidence conformity assessment actually requires.

I
Step 1 · Weeks 1–2

Map systems & exposure

Every AI system inventoried, decision flows traced, risk classified under Annex III (or under Annex I where the system is a product, or a safety component of a product, covered by EU harmonisation law such as the MDR). Working sessions with your product and engineering teams — not a questionnaire.

II
Step 2 · Weeks 3–5

Design the systems

Human-oversight interfaces (Art. 14), risk management workflows (Art. 9), and logging architecture (Art. 12), co-designed so governance fits your dev cycle.

III
Step 3 · Weeks 6–10

Build & generate evidence

Implementation begins. Risk registers, oversight records, incident logs, training, audit trails — the months of operational evidence you'll need before any assessment.

IV
Step 4 · Handover

Stand behind it

We train your teams to run governance independently, hand over the evidence package, and stay on as retained advisers when enterprise clients or regulators ask for proof.

Alternative

Legal advice alone

  • Interprets the regulation
  • Drafts policies and risk assessments
  • Produces a compliance opinion
  • Leaves you to build the systems
Defensible AI

Legal + implementation

  • Builds the risk management system
  • Designs human-oversight interfaces
  • Implements logging and monitoring
  • Generates months of audit-ready evidence
§ 03 / Sectors

UK AI companies in regulated European markets.

If your AI makes decisions about people — healthcare, finance, recruitment, critical infrastructure — it's likely classified high-risk under Annex III. These are the sectors where conformity assessment is mandatory. For most Annex III systems that assessment is the provider's own internal-control procedure (Annex VI) rather than a notified-body review, but it still has to be backed by technical documentation, an EU declaration of conformity, CE marking and registration in the EU database, and a regulator or customer can ask to see all of it.

№ 01

Healthcare AI

Annex I (via EU MDR/IVDR) · CE marking; emergency triage under Annex III point 5(d)

Clinical decision support, diagnostic AI, patient triage. Diagnostic and decision-support software that is a medical device requiring third-party conformity assessment under the MDR or IVDR is high-risk via Article 6(1) and Annex I, so AI Act conformity runs through the medical-device notified-body route and those obligations apply from 2 August 2027 rather than 2026; emergency patient-triage systems are listed directly in Annex III, point 5(d). We've worked in clinical environments where oversight design is life-critical.
№ 02

Insurance & FinTech

Annex III · Point 5 — access to essential private and public services

Underwriting automation and credit scoring. Creditworthiness evaluation and credit scoring of natural persons (point 5(b)) and risk assessment and pricing for life and health insurance (point 5(c)) are listed high-risk uses; point 5(b) expressly carves out AI used to detect financial fraud, so a fraud model is not high-risk on that ground alone. Enterprise clients like Allianz and HDI already demand operational compliance evidence in vendor onboarding.

№ 03

Recruitment & HR

Annex III · Point 4 — employment, workers management and access to self-employment

AI-powered hiring, skills assessment, workforce analytics. One of the most scrutinised categories, with explicit human-oversight requirements built into the Act.

№ 04

Defence & Infrastructure

Annex III · Point 2 — critical infrastructure (law-enforcement uses fall under point 6)

Infrastructure monitoring, threat detection, security AI. Safety components in the management and operation of critical digital infrastructure, road traffic, and water, gas, heating and electricity supply are listed in point 2. One caveat: AI placed on the market exclusively for military, defence or national-security purposes is outside the Act altogether (Article 2(3)); dual-use and commercial deployments are not. We bring direct UK MOD delivery experience to commercial defence AI governance — the same rigour, commercial context.

Not sure if you're in scope? Take the 60-second risk check — instant indicative classification.

Check your risk
Seen enough?

Book 30 minutes with James. No pitch.

We'll tell you honestly whether we're a fit — and if not, point you to someone who is.

§ 04 / Services

Three ways to begin.

Engagements scale to where you are. Most clients start with a Gap Analysis and only commit to a Build once they've seen the findings.

01 / Scope · Good first step
"We need to know our exposure."
Conformity Gap Analysis · 2–3 weeks

You build AI products serving EU markets but aren't sure what conformity actually requires. We map systems against Annex III (and Annex I where product law applies), identify which need assessment, and show you exactly what evidence is missing.

  • Inventory every AI system and classify risk under Annex III
  • Separate legal gaps from operational gaps
  • Benchmark against AESIA and CNIL guidance
  • Prioritised roadmap with evidence timelines

Initial conversation: We learn about your AI systems and EU exposure. No forms.
System mapping: Document every AI system, trace decision flows, understand who's affected.
Gap analysis: Written assessment vs AI Act obligations, RAG-rated findings.
Walkthrough: Findings presented face-to-face, priority actions agreed together.
02 / Build
"We need to pass assessment."
Implementation Build · 8–12 weeks

You know your AI is high-risk and need operational systems to prove it. We build the risk management system, design oversight workflows, implement logging, and start generating audit-ready evidence.

  • Risk management system — design & implementation (Art. 9)
  • Human-oversight interfaces built into product UX (Art. 14)
  • Logging architecture and monitoring (Art. 12)
  • Months of operational evidence before assessment

Deep assessment: Governance plus technical review of your AI architecture and pipelines.
Fundamental rights impact: FRIA per high-risk system where Article 27 applies (it binds deployers that are public bodies or provide public services, and deployers of credit-scoring and life/health-insurance systems under Annex III 5(b) and 5(c)); your enterprise customers in those categories will expect you to supply the inputs.
Co-design workshops: Oversight mechanisms designed to fit how your teams actually work.
Build & document: Tech docs, risk records, conformity evidence — tested against real workflows.
Handover & training: Governance playbook + hands-on training. Run it without us.
03 / Stay ready
"We need someone in our corner."
Retained Advisory · Ongoing

AI regulation moves fast. You've done the initial work but need a trusted adviser who knows your systems, tracks enforcement, and is there when your board or clients ask questions.

  • Monthly governance review — advice specific to your systems
  • Regulatory monitoring — enforcement, guidance, national rules
  • Board-ready quarterly reporting
  • Direct access for urgent client and procurement queries

Monthly review: Posture check, new deployments, regulatory shifts.
Regulatory radar: Proactive alerts on enforcement and national implementations.
Board reporting: Governance reports written for board and investors.
On-call support: Direct line. We already know your context.
§ 05 / Tool

60-second risk check.

The EU AI Act classifies systems into four risk tiers — prohibited, high-risk, limited-risk, minimal-risk. Your obligations depend entirely on which applies. Five questions, indicative classification.

Is your AI high-risk? Five questions:

01 · Does your AI make or influence decisions about individual people?
     For example: hiring, credit scoring, medical diagnosis, student assessment, insurance pricing, or benefit eligibility.

02 · Does your AI process data about people located in the EU?
     Including EU customers, EU employees of your clients, or EU end-users — even if your company is UK-based.

03 · Which sector does your AI operate in?
     Certain sectors trigger automatic high-risk classification under Annex III.

04 · Does your AI use biometric data, real-time monitoring, or emotion recognition?
     Some capabilities are prohibited or subject to the highest level of scrutiny.

05 · Do you have documented AI governance processes?
     Risk assessments, technical documentation, oversight procedures, or AI system inventory.

Talk about next steps
§ 06 / Why us

The implementation partner your lawyer needs.

Article 14 isn't a legal clause. It's a UX challenge — human-in-the-loop design that teams actually use.

James Nicholls · Founder

  • I · Government-grade methodology

    Currently delivering on UK MOD AI programmes. The same rigour applied to commercial governance — tested where getting it wrong has real consequences.

  • II · Human oversight is a design problem

    20+ years designing human-in-the-loop systems for MOD, Royal Navy, GDS, and Google. Oversight interfaces your teams actually use — not forms they work around.

  • III · Legal + technical network

    We work alongside specialist AI regulation lawyers, data scientists, and security professionals. One team, assembled for your engagement — without Big Four overhead.

  • IV · Built for AI companies, not enterprises

    We work at your pace, inside your development cycle. No 18-month transformation programmes. No 200-page decks. Governance that ships alongside your product.

§ 08 / Questions

Common questions, answered.

Straight answers. No jargon.

"We already have lawyers. Why do we need you?"

Your lawyer handles legal interpretation — risk classification, regulatory opinion, policy drafting. But the Act also requires operational systems: a running risk management process, human oversight built into your product UX, automated logging, and months of evidence that these systems work. That's implementation work, not legal work. We handle the part your lawyer can't.

"We're a UK company. Does the EU AI Act apply to us?"

Yes — if your AI system's output is used within the EU (by customers, employees, or users), you're in scope regardless of where your company is based. Similar extraterritorial reach to GDPR.

"What counts as high-risk?"

Annex III defines specific use cases: recruitment, credit scoring, education assessment, emergency healthcare triage, critical infrastructure, and more; AI that is a regulated product or safety component (medical devices, for instance) is high-risk via Annex I instead. If your AI makes or influences significant decisions about people, it's likely high-risk, unless it only performs a narrow procedural or preparatory task and does not profile people (the Article 6(3) derogation, which you must document if you rely on it).

"When do the obligations take effect?"

Annex III high-risk AI system obligations take effect on 2 August 2026; Annex I product-embedded systems follow on 2 August 2027. Prohibited AI practices are already banned as of February 2025. General-purpose AI model rules apply from August 2025.

"How is this different from GDPR?"

GDPR governs personal data. The AI Act governs AI systems specifically — design, testing, documentation, deployment. They overlap but the AI Act adds risk assessment, human oversight, and transparency requirements that go beyond data protection.

"What are the penalties?"

Fines up to €35M or 7% of global annual turnover for prohibited practices, and up to €15M or 3% for breaches of the high-risk obligations. Beyond fines, market surveillance authorities can order non-compliant AI withdrawn from the EU market entirely — losing access to 450 million potential users.

The clock is running

Conformity evidence takes months to accumulate.
Enterprise clients won't wait.

Book a free 30-minute scoping call to identify your evidence gaps. Honest conversation, no pitch — if we're not a fit, we'll tell you.

30 minutes No sales pitch Speak to James directly
Book a free scoping call