How it works

This page walks through the AI Governance Review workflow. For SBOM upload, CVE mapping, and compliance views, use the SBOM Analyzer or demo.

Five phases, one session

Each phase builds on the last. By the end of phase five, you have a complete accountability package — five stakeholder-specific reports ready to share.

Phase 1: Define System

You start by naming the AI system and describing what it does. The tool then walks you through EU AI Act risk tier classification — Unacceptable, High, Limited, or Minimal. Each field comes with a plain-language explanation of why it matters and which regulatory obligation it fulfills.

What you get: A formal system record with a unique identifier, risk classification, and an accountable owner on record.

Phase 2: Component Inventory

You answer 32 guided questions across six governance domains: Models, Data, Vendors, Infrastructure, Controls, and Monitoring. Every question shows you why it matters and which regulation it corresponds to — EU AI Act, GDPR, NIST AI RMF 1.0, or SBOM-for-AI minimum elements. You don't need to know the regulations; the tool surfaces the context for you.

What you get: A complete, structured evidence record across all six governance domains — the factual foundation for everything that follows.

Phase 3: Gap Analysis

The gap register is generated automatically from your inventory answers — no manual analysis required. Every gap includes a severity rating (Critical, Major, or Minor), the specific regulatory article or standard it maps to, a plain-language explanation of the risk if it remains unaddressed, and a precise description of what evidence would close it.

What you get: A regulatory-cited gap register organized by severity — ready to share with auditors, counsel, or the board.

Phase 4: Assess & Assign

For each gap, you assign an owner (by name or role), select a remediation approach, and set a target date. This is where a list of findings becomes an action plan. The ownership data flows directly into every report — so when the board sees a gap, they also see who is responsible for closing it and by when.

What you get: A working action plan with named owners and target dates embedded into every stakeholder report.

Phase 5: Evidence Package

With one action, you generate five stakeholder-specific HTML reports from the record you've built. Each report is written for its intended audience: the board report uses narrative and summary; the technical record includes every question and answer; the legal package focuses on GDPR and EU AI Act obligations; the CISO report covers controls and monitoring; the procurement review surfaces vendor obligations. All five download as self-contained files you can share immediately. Because the technical record reproduces every inventory answer, including infrastructure and control details, treat it as an internal document and share the audience-specific reports with outside parties.

What you get: Board report · Technical audit record · Legal/DPO package · CISO assessment · Procurement review — all from one session.

Who runs the review

Designed for cross-functional teams — not just technical users.

Governance & Compliance

  • AI governance officers and DPOs
  • EU AI Act and GDPR readiness
  • Audit and regulator evidence packages

Legal, Security & Procurement

  • Legal counsel and privacy teams
  • CISOs and risk officers
  • Procurement teams evaluating AI vendors
  • Each gets a report written for their role

Technical Teams

  • ML engineers and system architects
  • Infrastructure and DevOps leads
  • Technical audit record produced automatically

Ready to start?

Both products run in your browser. No account required for the free tier. Your SBOM files and governance answers stay on your device.