
Skill Guide

EU AI Act compliance mapping and gap analysis

The systematic process of identifying all AI systems within an organization, classifying them according to the EU AI Act's risk tiers, and meticulously mapping each system's current design, data, and deployment practices against the Act's mandatory requirements to identify specific compliance deficiencies.

This skill is critical for mitigating severe regulatory and financial risk, as non-compliance can lead to fines up to €35 million or 7% of global turnover. It directly enables strategic decision-making, allowing organizations to prioritize resources for remediation, avoid market bans, and build a defensible position of responsible AI governance.

How to Learn EU AI Act compliance mapping and gap analysis

Focus on mastering the EU AI Act's structure: the four risk categories (Unacceptable, High, Limited, Minimal), the definitions of an 'AI system' and 'provider,' and the core requirements for high-risk systems (e.g., data governance, transparency, human oversight). Study Annex I (AI definition) and Annex III (high-risk use cases) as primary references.
Apply the Act to real-world AI use cases. Practice performing a preliminary risk classification for a given AI system (e.g., a recruitment screening tool) using the Act's criteria. Key skills include interpreting ambiguous scenarios, identifying the data pipeline's compliance implications, and drafting a basic gap analysis report that links a specific requirement to a technical or procedural shortfall.
Master the integration of compliance mapping into enterprise risk management and product development lifecycles. Develop strategies for managing complex system landscapes (e.g., multiple interacting AI systems), lead cross-functional remediation teams, and interpret evolving regulatory guidance to future-proof compliance frameworks. Focus on creating scalable audit trails and governance dashboards.

Practice Projects

Beginner
Case Study/Exercise

Classifying and Mapping a Standalone AI Tool

Scenario

A mid-sized bank uses an AI-powered chatbot for initial customer service inquiries. Your task is to perform a first-pass compliance mapping.

How to Execute
1. Define the AI system: Analyze the chatbot's function, data inputs (customer queries, internal knowledge base), and outputs (responses).
2. Classify the risk: Use the Act's criteria to determine if it's Minimal/Limited risk (likely Limited due to interaction with natural persons, requiring transparency obligations).
3. Map requirements: Identify Article 52 (transparency) and the need for clear disclosure that the user is interacting with AI.
4. Gap analysis: Check the chatbot's current interface and user flows for this disclosure and document the gap.
Intermediate
Case Study/Exercise

End-to-End High-Risk System Analysis

Scenario

A company is deploying a new high-risk AI system for CV screening in its hiring process. You are tasked with a full gap analysis against the Act's high-risk requirements.

How to Execute
1. System Decomposition: Break the system into components (data collection, model training, inference, human-in-the-loop interface).
2. Requirement Mapping: For each component, map against Articles 8-15 (e.g., data governance under Article 10, technical documentation under Article 11, transparency under Article 13).
3. Conduct Deep-Dive: Analyze the training data for bias (Art. 10), test the model's explainability outputs, and interview the HR team on their oversight procedures.
4. Produce Deliverable: Create a gap register with columns for Requirement, Current State, Gap, Risk Level, and Suggested Remediation Owner.
Advanced
Project

Enterprise-Wide Compliance Mapping and Remediation Roadmap

Scenario

You are the Head of AI Governance for a multinational corporation. The board has mandated a company-wide EU AI Act compliance program. The organization has over 200 AI/ML models across R&D, marketing, and operations.

How to Execute
1. Establish Governance: Design and implement an AI Risk Committee and a standardized system inventory and risk assessment process for all business units.
2. Build a Scalable Framework: Develop a digital compliance platform (using tools like ServiceNow, Jira, or a GRC suite) that hosts the risk classification questionnaire, requirement library, and gap tracking.
3. Orchestrate Remediation: Run prioritization workshops with business leaders, using a risk-based approach to sequence remediation sprints. Oversee the creation of new technical documentation, conformity assessments, and audit trails.
4. Monitor and Report: Implement KPIs (e.g., % of high-risk systems with complete documentation) and provide quarterly compliance status reports to the board and supervisory authorities.

Tools & Frameworks

Regulatory & Reference Frameworks

EU AI Act Official Text (especially Annexes I, III)
ISO/IEC 42001:2023 (AI Management System)
NIST AI Risk Management Framework (AI RMF)

The EU AI Act is the core legal text. ISO 42001 provides a certifiable management system structure that aligns well with the Act's governance requirements. NIST AI RMF offers a robust, voluntary framework for risk management that can be used to operationalize the Act's principles.

Project Management & Governance Tools

GRC Platforms (ServiceNow, Archer)
Project & Issue Tracking (Jira, Asana)
Document Management & Wikis (Confluence, SharePoint)

GRC platforms are ideal for enterprise-scale compliance tracking. Jira/Asana manage remediation tasks and sprints. Confluence/SharePoint are essential for centralizing and versioning the massive technical documentation, impact assessments, and policies required by the Act.

Technical Assessment & Documentation

Data Catalog & Lineage Tools (Collibra, Alation)
Model Cards / System Cards
Risk Assessment Templates (Custom-built or from legal firms)

Data catalogs are critical for mapping data governance (Article 10). Model Cards provide a standardized way to document system capabilities and limitations. Structured risk templates ensure consistent classification and gap analysis across all AI systems.

Interview Questions

Answer Strategy

Test the candidate's methodical approach and their understanding of the Act's definitions. A strong answer will start by clarifying the system's exact function and impact. Strategy: 1) Define the AI system's purpose and actors. 2) Check against the 'prohibited practices' (Article 5). 3) Systematically check Annex III for high-risk categories (e.g., critical infrastructure? No. Employment? No. Access to essential services? No. Law enforcement? No.). 4) Conclude with the likely classification (Minimal/Limited risk) and mention key remaining obligations, like record-keeping for training data if it's not high-risk.

Sample Answer: 'First, I'd clarify the system's inputs (order data, traffic, vehicle capacity) and outputs (optimized routes). I'd confirm it doesn't fall under prohibited practices like subliminal manipulation. Then, I'd cross-reference its use case, optimizing logistics routes for a private courier, against each category in Annex III. This use case doesn't align with the high-risk domains listed, such as critical infrastructure management or employment. Therefore, I'd preliminarily classify it as a minimal-risk AI system under the Act, which imposes no specific obligations beyond general principles. However, I'd document this assessment and recommend we verify there are no unexpected uses that could alter its risk profile.'

Answer Strategy

Test leadership, communication, and translation of legal/technical requirements. The core competency is bridging the gap between technical implementation and regulatory obligation. Strategy: Use the STAR method (Situation, Task, Action, Result). Focus on how you translated the requirement into actionable tasks for each team.

Sample Answer: 'Situation: We were implementing Article 13 transparency requirements for a high-risk credit scoring system. Engineers focused on model explainability (SHAP values), product managers on user interface, and legal on disclosure wording. Task: My goal was to create a single, coherent implementation plan that satisfied the legal requirement while being technically feasible and user-friendly. Action: I facilitated a workshop where I presented the specific text of Article 13. I translated it into a checklist: 1) Technical: The model must provide meaningful explanations of the main factors. 2) Product: The UI must display this explanation clearly to the user. 3) Legal: Disclosures must be provided pre-interaction. I had each team draft their component, then we integrated them into a unified feature specification. Result: We delivered the feature on time, passing our internal audit. The clear documentation from this process became a template for other high-risk system projects.'
