Skip to main content
Book a Call
EU AI Act deadline: 2 August 2026

Your AI needs a governance case. We build it.

The EU AI Act applies to UK businesses selling into European markets — and most haven't started preparing. We help organisations build practical AI governance that meets regulatory requirements and survives audit, without the overhead of a Big Four consultancy.

Book a Free Scoping Call How We Work
Compliance Countdown
111
days until EU AI Act high-risk obligations take effect. Fines up to €35M or 7% of global turnover.
89%
not fully ready
54%
minimal or no governance

The EU AI Act is not optional for UK businesses

If your AI system affects anyone in the EU — customers, employees, users — you're in scope. Brexit doesn't exempt you. Here's what most businesses are getting wrong.

01

Extraterritorial reach

The Act applies to any AI system whose output is "used" in the EU — regardless of where the provider is based. If your product serves European customers, you need to comply.

02

High-risk classification

AI used in recruitment, credit scoring, education, healthcare, and critical infrastructure is classified "high-risk" under Annex III — requiring conformity assessments, documentation, and human oversight.

03

No one owns it yet

Most organisations have no designated AI governance owner. The Act requires documented accountability — "the IT team handles it" is not a compliance position.

How we work

Governance designed around your people, not just your risk register

Most compliance programmes fail because they're designed for auditors, not for the teams who have to live with them. We use user-centred design methodology to build governance that your people actually follow — because it was built with them, not imposed on them.

Understand your context

We start by mapping how AI decisions actually flow through your organisation — who touches them, who's affected, where the pressure points are. Not a questionnaire. A conversation.

Design with your teams

Governance only works if the people using it helped shape it. We co-design oversight processes with your product, engineering, and leadership teams — so what we build fits how you actually work.

Build for reality

We produce documentation, risk frameworks, and oversight mechanisms that are usable — not 80-page PDFs that sit in SharePoint. Every deliverable is tested against your actual workflows before handover.

Make it defensible

The end result isn't just compliant — it's defensible. If a regulator, client, or board member asks "how do you govern AI?", you have a clear, evidenced answer that holds up under scrutiny.

Typical consultancy

  • Sends a questionnaire
  • Produces a risk matrix
  • Hands over a 60-page PDF
  • Leaves you to implement

How we work

  • Maps your actual decision flows
  • Co-designs with the people involved
  • Builds governance into your workflows
  • Tests it works before handover
Starting points

Three ways to begin

Every engagement starts with a conversation about your specific situation. These are typical starting points — not rigid packages. We scope to your needs.

Good first step

“We need to know where we stand”

Governance Assessment · 2–3 weeks

You suspect your AI systems are in scope for the EU AI Act, but you're not sure what that means in practice. We map your exposure, classify your risk, and give you a clear picture — so your next move is informed, not reactive.

  • Walk through your AI systems together — how they work, who they affect
  • Classify each system under the Act's risk framework
  • Identify the gaps between where you are and what's required
  • Hand you a prioritised action plan you can act on immediately
1
Initial conversation — We learn about your organisation, your AI systems, and your EU market exposure. No forms. A proper discussion.
2
System mapping — We work with your teams to document every AI system, trace decision flows, and understand who's affected by each one.
3
Gap analysis — A written assessment comparing your current state against EU AI Act obligations, with clear RAG-rated findings.
4
Walkthrough — We present findings face-to-face and agree the priority actions together. You leave with a plan, not a PDF to interpret alone.
Delivered remotely · Priced on scope, not day rates
Let's Talk

“We need to get compliant”

Compliance Programme · 6–10 weeks

You know you're in scope and you need governance that actually works — not a framework document that sits in a drawer. We co-design your compliance programme with the people who'll use it, then build the documentation and processes to back it up.

  • Co-design oversight processes with your product and engineering teams
  • Fundamental Rights Impact Assessments for each high-risk system
  • Documentation and evidence packages built for audit, not for show
  • Team training so governance is embedded, not consultant-dependent
1
Deep assessment — Full governance assessment plus technical review of your AI architecture and data pipelines.
2
Impact assessment — Fundamental Rights Impact Assessment for each high-risk system, as required by Article 27.
3
Co-design workshops — We sit with your teams to design human oversight mechanisms that fit how they actually work. Not templates imposed from outside.
4
Build & document — Technical documentation, risk management records, and conformity evidence — tested against your real workflows before sign-off.
5
Handover & training — Governance playbook and hands-on team training. You should be able to run this without us.
Delivered remotely with on-site workshops · Priced on scope
Let's Talk

“We need someone in our corner”

Retained Advisory · Ongoing

AI regulation is moving fast. You've done the initial work, but you need a trusted adviser who understands your systems, tracks the regulatory landscape, and is there when your board or clients have questions.

  • Monthly governance review — we know your systems, so advice is specific
  • Regulatory monitoring — enforcement actions, guidance changes, national rules
  • Board-ready reporting so leadership has a clear AI governance narrative
  • Direct access when something urgent comes up — client queries, incidents, procurement
Monthly review — We review your governance posture, discuss new AI deployments, and flag emerging regulatory changes.
Regulatory radar — Proactive alerts on EU AI Act enforcement, guidance updates, and how national implementations differ.
Board reporting — Quarterly governance status reports written for board and investor audiences.
On-call support — Direct line for urgent questions. We already know your context, so we can respond fast.
Minimum 3-month commitment · 30 days notice to cancel
Let's Talk
Free Resources

See the thinking behind our approach

Download these resources to understand what the EU AI Act means for your business — no email gate, no sales pitch.

PDF Briefing

EU AI Act: What UK Businesses Need to Do Before August 2026

One-page briefing covering the deadline, who's in scope, what high-risk means, and the 5 steps to start now. Cited sources throughout.

Read the briefing →
Interactive Tool

AI Risk Classifier

Answer 5 questions about your AI system and find out whether it's likely classified as prohibited, high-risk, limited-risk, or minimal-risk under the Act.

Try the classifier →
Checklist

EU AI Act Compliance Checklist

The 12-point checklist we use with our own clients. Covers system inventory, risk classification, documentation, human oversight, and registration requirements.

Get the checklist →
Interactive Tool

Find out where your AI system sits

The EU AI Act classifies AI systems into four risk tiers: prohibited, high-risk, limited-risk, and minimal-risk. Your obligations — and the deadline pressure — depend entirely on which tier applies to you. This 60-second assessment gives you an indicative classification based on five questions about what your system does and where it operates.

Is your AI system high-risk?

Answer these questions to get an indicative risk classification under the EU AI Act.

Question 1 of 5

Does your AI system make or influence decisions about individual people?

For example: hiring decisions, credit scoring, medical diagnosis, student assessment, insurance pricing, or benefit eligibility.

Why Defensible AI

Not another generic consultancy

AI governance is a design problem — it requires processes that real people can actually follow. That's where 20 years of user-centred design meets regulatory compliance.

  • Active government delivery

    Currently delivering on UK government AI programmes — we see how governance is interpreted in practice, not just in policy documents.

  • Human-centred methodology

    20+ years designing processes people actually use. Your governance framework won't gather dust — it'll be embedded in how your teams work.

  • Cross-sector experience

    Defence, professional services, and public sector. AI governance challenges are sector-specific — we bring patterns from across industries.

  • SME-friendly pricing

    Big Four firms charge £200k+ for AI governance programmes. We deliver the same rigour at a fraction of the cost, because SMEs deserve expert guidance too.

Sector Expertise

AI governance tailored to your industry

Every sector has its own regulatory landscape, procurement requirements, and operational realities. We build governance frameworks that speak your industry's language.

Healthcare & HealthTech

MHRA, EU AI Act Annex III, and NHS procurement governance for clinical AI systems. Patient safety governance that satisfies all three frameworks.

Healthcare services →
Frequently Asked Questions

Common questions about AI governance

Straight answers, no jargon.

Yes, if your AI system's output is used within the EU — by customers, employees, or users — you're in scope regardless of where your company is based. This is similar to how GDPR applies extraterritorially.

The Act's Annex III defines specific use cases: recruitment and HR decisions, credit scoring, education assessment, healthcare diagnosis, critical infrastructure management, and others. If your AI makes or influences significant decisions about people, it's likely high-risk.

High-risk AI system obligations take effect on 2 August 2026. Prohibited AI practices (social scoring, certain biometric uses) are already banned as of February 2025. General-purpose AI model rules apply from August 2025.

GDPR governs personal data. The EU AI Act governs AI systems specifically — including their design, testing, documentation, and deployment. They overlap (AI often processes personal data) but the AI Act adds requirements around risk assessment, human oversight, and transparency that go beyond data protection.

Size doesn't determine scope — use case does. A 10-person startup selling an AI hiring tool into France has the same obligations as a multinational. The difference is that SMEs can build lean governance frameworks; they don't need the same infrastructure as HSBC.

Fines up to €35 million or 7% of global annual turnover, whichever is higher. Beyond fines, non-compliance can mean your AI system is banned from the EU market entirely — which means losing access to 450 million potential users.

AI governance readiness takes months, not weeks.
Start now — regardless of deadline shifts.

Procurement teams, investors, and auditors will ask for evidence of AI governance readiness — whether the deadline is August 2026 or later. Book a free 30-minute scoping call to assess your position.

Book a Free Scoping Call