AI GOVERNANCE

AI governance that stands up to scrutiny

We help you classify your AI systems by risk, map the right controls, and build the documentation, aligned with the EU AI Act, ISO/IEC 42001, NIST AI RMF, FINMA Guidance 08/2024 and the revised Swiss FADP.

EU AI Act risk tiers

Unacceptable risk (prohibited): social scoring, manipulative AI, real-time public biometric ID
High-risk (strict requirements): credit scoring, employment screening, medical devices
Limited risk (transparency duties): chatbots, deepfakes, AI-generated content
Minimal risk (no restrictions): spam filters, most current AI applications
Quick Answer

Why does AI governance matter now?

The EU AI Act is phasing in between 2025 and 2027: prohibited practices have been banned since February 2025, and the obligations for high-risk AI systems become mandatory on 2 August 2026. Crucially, an AI system's risk tier depends on its use case and deployment context, not on the model itself, so the same tool can be unregulated in one workflow and high-risk in another. Governance is how you tell the difference, document it, and stay ready.

The regulatory landscape we work across

We align your AI to the standards and regulations that actually apply to you: named, current, and mapped to concrete controls.

Binding (EU)

EU AI Act

The EU regulation classifying AI by risk tier, phasing in from 2025 to 2027. Its reach is extraterritorial: it can apply to you if your AI system's output is used within the EU.

Voluntary, certifiable

ISO/IEC 42001:2023

The international standard for an AI Management System (AIMS). Certifiable through accredited third-party audit, on a three-year cycle.

Voluntary

NIST AI RMF 1.0

The US risk framework, published January 2023, built on four functions: Govern, Map, Measure, Manage. Voluntary and non-certifiable.

Binding (Swiss FS)

FINMA Guidance 08/2024

Swiss financial-regulator guidance, published 18 December 2024, on governance and risk management when using AI, for banks, insurers and fund managers.

Binding (Swiss)

Revised Swiss FADP

The Federal Act on Data Protection, in force since 1 September 2023, covering automated decision-making, profiling and high-risk profiling.

Non-binding

OECD AI Principles

The international principles for trustworthy AI: inclusive growth, human-centred values, transparency, robustness and accountability.

AI is classified by use case, not by model

The EU AI Act sorts every AI use case into one of four tiers. The same model can sit in different tiers depending on how you use it.

Unacceptable risk (prohibited): social scoring, manipulative AI, real-time public biometric ID

High-risk (strict requirements): credit scoring, employment screening, medical devices

Limited risk (transparency duties): chatbots, deepfakes, AI-generated content

Minimal risk (no restrictions): spam filters, most current AI applications

Example: a general-purpose model is minimal-risk when it drafts marketing copy, and high-risk when it scores credit applications. We classify each use case on its own merits.

FREE TOOL

Try the AI Risk Classifier

Classify an AI use case against the EU AI Act, with FINMA Guidance 08/2024 and Swiss FADP overlays. Deterministic and traceable: every result shows the rule that produced it.

What it does

Describe an AI use case, pick its domain and decision authority, and the classifier returns its EU AI Act risk tier, your provider or deployer status, the control set and documentation tier, plus FINMA and FADP overlays.

Deterministic and traceable

It is rule-based, not AI-powered. The same input always produces the same result, with a numbered rationale citing the exact articles and annexes behind each decision.

Where it fits

The classifier sizes up one use case in minutes, free and in your browser. A governance engagement then covers your full AI inventory, builds the controls and documentation, and prepares you for audit.

AI Risk Classifier
EU AI Act + FINMA + FADP

ILLUSTRATIVE OUTPUT

Use case: Automated credit decisioning
Risk tier: High-risk
Role: Deployer
Control set: H
Doc tier: 3
Overlays: FINMA 08/2024, Swiss FADP
Why:
  1. Annex III: credit scoring
  2. Decision authority: decides
  3. FINMA + FADP overlays apply

Decision-support, not legal advice.
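As an added illustration of the rule-based, traceable classification described above (a constructed example, not the Agenticsis classifier's code): the tier keywords, the provider/deployer switch and the Swiss overlays are simplified assumptions distilled from this page, and every control-set letter and documentation tier other than High-risk (H, 3) is assumed.

```python
from dataclasses import dataclass, field

# Ordered most to least severe; the first tier whose keyword appears in the domain
# wins. Keywords come from this page's tier table. High-risk's control set and doc
# tier (H, 3) are shown on the page; the other letters and tiers are assumed.
TIER_RULES = [
    ("Unacceptable risk", ("social scoring", "manipulative", "biometric"),
     "Prohibited practice", "P", 4),
    ("High-risk", ("credit scoring", "employment screening", "medical device"),
     "Annex III", "H", 3),
    ("Limited risk", ("chatbot", "deepfake", "ai-generated content"),
     "Transparency duty", "L", 2),
]

@dataclass
class Result:
    tier: str = "Minimal risk"
    role: str = "Deployer"
    control_set: str = "M"
    doc_tier: int = 1
    overlays: list = field(default_factory=list)
    rationale: list = field(default_factory=list)  # one entry per rule that fired

def classify(domain, decides, swiss, financial_institution, built_or_modified=False):
    """Deterministic: identical inputs always yield an identical Result."""
    r, key = Result(), domain.lower()
    for tier, keywords, basis, control, doc in TIER_RULES:
        hit = next((k for k in keywords if k in key), None)
        if hit:
            r.tier, r.control_set, r.doc_tier = tier, control, doc
            r.rationale.append(f"{basis}: {hit}")
            break
    else:
        r.rationale.append("No listed tier matched: minimal risk, no restrictions")
    # Substantially modifying or building the system moves you into provider obligations (page FAQ).
    if built_or_modified:
        r.role = "Provider"
    r.rationale.append("Decision authority: " + ("decides" if decides else "assists"))
    # Swiss overlays: FINMA 08/2024 for supervised financial institutions; revised FADP for automated decisions about individuals.
    if swiss and financial_institution:
        r.overlays.append("FINMA")
    if swiss and decides:
        r.overlays.append("FADP")
    if r.overlays:
        r.rationale.append(" + ".join(r.overlays) + " overlays apply")
    return r

def numbered(result):
    return [f"{i}. {why}" for i, why in enumerate(result.rationale, 1)]
```

Re-running the same inputs yields a field-for-field identical result, which is what makes the rationale trail auditable.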

How a governance engagement works

A structured programme from board mandate to live monitoring. We scale the timeline to your size.

Foundation

Weeks 1-4

Name an accountable owner, stand up a cross-functional governance committee, secure the board mandate, approve an AI policy, and map which regimes apply to you.

Inventory

Weeks 5-8

Build a complete inventory of your AI systems, including shadow-AI discovery, and assign a business owner to every use case.

Risk assessment

Weeks 9-14

Classify every use case by EU AI Act tier, determine your provider or deployer status, and complete impact assessments for high-risk systems.

Controls & documentation

Weeks 15-20

Implement the control set for each tier, build the technical documentation, set up human oversight and logging, and test the incident response playbook.

Operate & audit

Weeks 21-24+

Activate monitoring for drift and fairness, run independent and management reviews, and optionally prepare for ISO/IEC 42001 certification.

Indicative timeline for a mid-sized organisation. It compresses to around 12 weeks for an SME and extends to 36+ weeks for a large enterprise pursuing certification.

What you receive

Six concrete artifacts your team owns and can show to auditors, regulators and customers.

AI Governance Readiness Diagnostic

An eight-dimension maturity scorecard with your baseline and target, from governance structure to incident response.

AI System Risk Classification Matrix

Your full AI inventory classified by EU AI Act tier, with control set, documentation tier and provider or deployer status per use case.

AI Control Framework Map

A per-use-case control catalogue mapped across ISO/IEC 42001, NIST AI RMF, the EU AI Act and the OWASP Top 10 for LLMs.

Documentation & Audit Trail Checklist

An EU AI Act Annex IV technical-documentation checklist, logging design, impact-assessment template and an audit-readiness self-test.

AI Incident Response Playbook

Pre-assigned roles, incident classifiers, severity levels and a regulator-notification matrix for AI-specific incidents.

AI Governance Implementation Roadmap

A sequenced, phase-gated programme with milestones, owners and deliverables, scaled to your organisation.

Why Agenticsis

Governance that is practical, defensible, and built for how you actually operate.

Multiple frameworks, mapped once

We map your controls across ISO/IEC 42001, NIST AI RMF, the EU AI Act and OWASP in one coherent framework, not four disconnected projects.

Classified per use case

We assess risk by use case and deployment context, the way the regulation actually works, so nothing is over- or under-controlled.

Governance and the build, together

We deliver governance alongside the AI implementation under one engagement, so controls are designed in, not bolted on.

Swiss and EU coverage

EU AI Act, FINMA Guidance 08/2024 and the revised Swiss FADP, delivered in English, German and Spanish.

Founder-led delivery

Sofía leads every engagement personally. You work with the methodology designer, not a junior team.

Advisory that complements your counsel

We structure the evidence and the controls; your legal counsel and accredited auditors provide the formal sign-off.

Frequently asked questions

Is this legal advice?

No. Agenticsis provides AI governance advisory and implementation support, not legal advice, and we are not a law firm. Our work is designed to complement, and not replace, qualified legal counsel and accredited audit bodies.

Does the EU AI Act apply to us if we are based in Switzerland?

It can. The EU AI Act has extraterritorial reach: it can apply where an AI system's output is used within the EU, even if your organisation sits outside it. Swiss organisations also fall under the revised FADP, and financial institutions under FINMA Guidance 08/2024. We map which regimes apply to you in the foundation phase.

We only use tools like ChatGPT or Claude, not our own models. Do we still need governance?

Yes. Obligations attach to how you deploy AI, not only to who built the model. As a deployer you still carry responsibilities, and risk is classified per use case. Substantially modifying a system can also move you into provider obligations.

When do the high-risk obligations apply?

Under the EU AI Act, prohibited practices have been banned since 2 February 2025, and the requirements for high-risk AI systems become mandatory on 2 August 2026. Models already on the market before August 2025 must comply by 2 August 2027.

Do you certify our compliance?

No. ISO/IEC 42001 certification is issued by accredited third-party auditors, and FINMA supervises financial institutions directly. We prepare you for those processes by building the controls, documentation and evidence; we do not issue certifications ourselves.

What do we actually walk away with?

Six artifacts your team owns: a readiness diagnostic, a risk classification matrix, a control framework map, a documentation and audit-trail checklist, an incident response playbook, and an implementation roadmap.

Ready to put your AI on solid ground?

Book a readiness diagnostic

A structured first look at where your AI governance stands today and what the applicable regimes require of you.

Book a diagnostic

Talk it through first

Not sure which regimes apply to you? Book a call and we will map your situation before you commit to anything.

Book a call

Agenticsis provides AI governance advisory and implementation support. We are not a law firm and this page is not legal advice. Framework names, dates and obligations are summarised for general information and may change; our work complements, and does not replace, qualified legal counsel and accredited audit bodies.