
EU AI Act Article 4 hits Aug 2. Vanta wants $50K. I shipped a free 30-second risk classifier.

I built an EU AI Act compliance pack because I was watching SMBs walk into a regulatory wall they didn't know existed.

Here's the wall:

August 2, 2026 — twelve weeks from today — Article 4 of the EU AI Act enters into force. Every organisation that develops, deploys, or imports an AI system into the EU has to maintain a register of every AI tool their staff uses, classify each one against four risk tiers, train every employee touching AI on a literacy curriculum, and produce technical documentation per Annex IV. The fines are up to €35M or 7% of global turnover for prohibited uses, and €15M or 3% for high-risk non-compliance. Stacked on top of GDPR.

That's the law. The actual enterprise market response: Vanta, Drata, and the boutique GRC consultancies are quoting between $30,000 and $100,000 to get a single SMB through a one-time audit. The math doesn't work. There are an estimated 280,000 EU-touching businesses with under 200 employees that need to be compliant. They're not paying $50K each.

I figured there had to be a SaaS-priced version of this.

What I built

AIComply is a four-piece compliance pack:

1. AI inventory. Connect Slack, Notion, and Drive. The platform discovers every AI tool your team is actually using (ChatGPT for drafting, Copilot for code, Claude for support, Otter for transcripts, all of it). You don't tell us what you use. The connectors find them.

2. 10-question risk classifier. For every system in the inventory, answer ten yes/no questions about its capabilities and use case. The classifier outputs a verdict: Prohibited (Article 5), High-risk (Article 6 + Annex III), Limited (Article 50 transparency), or Minimal (Recital 165). Each verdict comes with a citation chain to the regulation and a checklist of obligations.

3. Article 4 literacy register. Eight-minute training modules per role (developer, deployer, business user, executive). Each completion is signed and timestamped into an append-only log. Required August 2.

4. Technical documentation. For high-risk systems we generate the Annex IV pack, the DPIA (GDPR Article 35), the FRIA (Article 27), and the post-market monitoring plan. Each section is referenced to the relevant article number — your DPO + counsel can review without rewriting the citations.

The whole pack runs from $49/month for a workspace tracking up to 5 systems. The Business tier ($149) covers up to 50 systems plus the cross-walk to NIST AI RMF and ISO 42001. The Regulated tier ($399) is unlimited systems plus DPIA + FRIA generators + 7-year audit log.

Free tier: a 30-second risk classifier, no signup, against a single AI system.

aicomply.piposlab.com/free/risk-checker — answer 10 questions, get the verdict.

What I learned that changed the build

I'm shipping today, so these are design and interview learnings, not customer-cohort data. Three findings from talking to DPOs and reading the regulation that pushed the build in a direction I didn't expect.

1. The SOC 2 / ISO 27001 cross-walk became the design centerpiece. I expected the primary buyer to be a company with no compliance posture trying to catch up. Every DPO and GRC consultant I talked to pushed back: the companies who'll move first are the ones who already have SOC 2 Type II or ISO 27001 and just need to bolt on AI Act compliance. So I built a cross-walk view that maps each Annex IV section to the SOC 2 controls and ISO 27001:2022 Annex A controls that already satisfy it. My own mapping work suggests roughly 79% of Annex IV obligations are pre-satisfied by ISO 27001's existing controls — that number is approximate and obligation-weighted, not legal advice, but it's directionally the most useful fact I learned building this.

2. "We don't use AI" is the hardest objection to break. A surprising fraction of SMB owners I talked to genuinely believe they're not subject to the Act because they don't have an AI product. They use ChatGPT for first drafts. They use Copilot for code. They use Claude for support replies. They are deployers — Article 26 obligations apply. The Act doesn't care whether the AI is your product or your tool; if you're deploying a high-risk system in the EU, you owe the documentation. I expect a lot of the launch-month inbound to be "wait, does this apply to me?" — the free risk checker exists to answer that in 90 seconds without a sales call.

3. The auditor URL is the moat I didn't plan. I thought Annex IV technical documentation would be the moat. Talking to procurement and external auditors changed my mind — every framework has docs. What's missing in the AI compliance space is a read-only auditor URL: a link you give to your DPO, your external auditor, or (if regulators come knocking) the supervisory authority. Signed, timestamped, version-pinned, and showing exactly what the system did and why on any specific date. Vanta has a public trust page. None of the AI-specific frameworks I evaluated had a per-system trust URL. So we built one.

Where this goes wrong

Two things worth flagging:

The classification engine is rules-based, not generative. I deliberately did not build the classifier on top of an LLM, even though it would have been trivially easy. Counsel is going to read the verdict. They want to know exactly which question triggered the high-risk verdict and exactly which Annex III section it maps to. An LLM that generates "this is high-risk because of Annex III" without a deterministic question chain is a liability — when the audit happens, the auditor will ask "show me the rule that produced this." We have it. An LLM-driven classifier wouldn't.
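To make the "show me the rule" point concrete, here is an added example of the shape a deterministic, rules-based classifier takes; it is illustrative code, not AIComply's own classifier. Each yes/no question is a rule carrying its own regulation citation, the verdict is the most severe tier among the rules that fired, and the returned record names the triggering question(s), keeps every "yes" in the chain, and hashes the whole record so the same answers under the same ruleset version always produce the same output. The question wording, tier assignments and citations are constructed for illustration and should be checked against the regulation text; they are not the product's ten questions and not legal advice.

```python
"""Deterministic, rules-based risk classifier with a citation chain (added example).

Each yes/no question is a rule tied to a regulation reference. The verdict is the
most severe tier among the rules answered "yes", and the record names exactly
which question(s) produced it, so the answer to "show me the rule that produced
this verdict" is a concrete tuple rather than an LLM's prose. The question set,
tiers and citations are constructed for illustration (check them against the
regulation text); they are not the product's question set and not legal advice.
"""
import hashlib
import json
from dataclasses import dataclass

# Tiers from most to least severe; the first tier with a firing rule wins.
TIER_ORDER = ["Prohibited", "High-risk", "Limited", "Minimal"]
MINIMAL_CITATION = "Recital 165"     # cited when no obligation-triggering rule fired
RULESET_VERSION = "example-2026.05"  # pinned so a verdict names the rules it ran under


@dataclass(frozen=True)
class Rule:
    question_id: str
    question: str
    tier: str       # tier assigned when the answer is "yes"
    citation: str   # illustrative regulation reference for that tier


# Constructed rule set (illustrative mappings, not the product's own questions).
RULES = (
    Rule("q01", "Does it infer emotions of people in a workplace or school?",
         "Prohibited", "Article 5(1)(f)"),
    Rule("q02", "Does it score people on social behaviour for unrelated treatment?",
         "Prohibited", "Article 5(1)(c)"),
    Rule("q03", "Does it screen, rank or filter job applicants?",
         "High-risk", "Annex III, point 4(a)"),
    Rule("q04", "Does it assess the creditworthiness of natural persons?",
         "High-risk", "Annex III, point 5(b)"),
    Rule("q05", "Does it interact with people directly, e.g. as a chatbot?",
         "Limited", "Article 50(1)"),
    Rule("q06", "Does it generate synthetic image, audio or video content?",
         "Limited", "Article 50(2)"),
)


def classify(answers: dict) -> dict:
    """Return the verdict plus the full chain of rules that fired.

    `answers` maps question_id -> bool. Every question must be answered: a
    missing answer raises instead of silently counting as "no", so the chain
    handed to an auditor is always complete.
    """
    missing = [r.question_id for r in RULES if r.question_id not in answers]
    if missing:
        raise ValueError(f"unanswered questions: {missing}")
    fired = [r for r in RULES if answers[r.question_id]]
    verdict = next((t for t in TIER_ORDER if any(r.tier == t for r in fired)), "Minimal")
    triggering = [r for r in fired if r.tier == verdict]
    record = {
        "ruleset_version": RULESET_VERSION,
        "answers": {q: bool(answers[q]) for q in sorted(answers)},
        "verdict": verdict,
        "triggered_by": [r.question_id for r in triggering],
        "citations": sorted({r.citation for r in triggering}) or [MINIMAL_CITATION],
        # Every "yes" stays in the chain, including rules below the verdict tier,
        # because lower-tier obligations (e.g. transparency) still apply.
        "chain": [{"question_id": r.question_id, "answer": True,
                   "tier": r.tier, "citation": r.citation} for r in fired],
    }
    # Content hash over canonical JSON: same answers + same ruleset => same hash.
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    record["content_hash"] = hashlib.sha256(canonical.encode()).hexdigest()
    return record


def demo_verdicts() -> dict:
    """Constructed answer sets spanning all four tiers, one system per tier."""
    none = {r.question_id: False for r in RULES}
    scenarios = {
        "hiring-screener": {**none, "q03": True, "q05": True},
        "support-chatbot": {**none, "q05": True},
        "grammar-assistant": dict(none),
        "workplace-emotion-monitor": {**none, "q01": True},
    }
    return {name: classify(a)["verdict"] for name, a in scenarios.items()}


if __name__ == "__main__":
    for name, verdict in demo_verdicts().items():
        print(f"{name:28s} {verdict}")
```

The design choice worth noting is that the verdict tier is a pure function of the answers and the pinned ruleset version: an auditor can re-run `classify` on the stored answers at any later date and must get the same `content_hash`, which is exactly what an LLM-produced verdict cannot offer.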

Documentation generation costs real money. The Annex IV pack generation runs Claude Sonnet 4.6 on the system context + the user's responses. A typical full pack costs about $0.40 per generation in API spend — not a problem at the Regulated tier ($399), but tight margins at Business ($149). So the Business tier caps at three full doc generations per month and the Regulated tier is unlimited. That cap is intentional: if you're producing eight Annex IV packs a month, you have eight high-risk systems in scope, and the Regulated tier is where the DPIA + FRIA generators + 7-year audit log live anyway.

Where this gets interesting

The regulatory wave hasn't crested yet. Article 4 (literacy) is August 2026. Article 6 (high-risk system obligations) is August 2027. The general-purpose AI model rules are mid-2026 / mid-2027 too. Each new article that lands creates a fresh compliance bookkeeping cycle.

Plus the Member State implementation. Each EU country gets to designate its own Market Surveillance Authority and set its own enforcement priorities. Germany's BfDI has been the most public about wanting an aggressive 2026 enforcement posture; France's CNIL is already running pilot audits on credit-scoring AI deployers. The deadline isn't symbolic — there will be cases.

Try the free tool

Drop your AI system through ten yes/no questions and get the EU AI Act verdict in 90 seconds:

aicomply.piposlab.com/free/risk-checker

No signup, no email, no card. The verdict you get is the same one a paid user gets — the difference at the paid tier is the inventory + DPIA + FRIA + Annex IV documentation pack on top.

I'd love feedback from anyone who's worked through an EU AI Act audit either as a deployer or as a regulator/consultant. The biggest open question I have is whether the Member State authorities will actually cite Article 4 in 2026 enforcement actions or wait for the higher-stakes Article 6 obligations to land in 2027. If you've worked at a CNIL/BfDI/Garante or in EU GRC consulting, I'd love to hear how you're calibrating client priorities.

Eight weeks of work, $49/mo, August 2 deadline.

— Alex (Pipo Labs)

posted to Marketing on May 14, 2026
  1. 1

    Confirms my prior — co-brand keeps the auditor's trust-layer position intact; referral fees flip them into a vendor relationship and they know it. The white-label path I'd been thinking of as "eventually" but you're right that the LTV math is hard to argue with: the auditor owns the customer relationship, we own the engine.

    The piece I'm still working out: what's the right minimum-viable co-brand? My current bet is a one-pager + a co-signed Annex IV template (their letterhead, our chain). No platform integration in v1 — just shared collateral the auditor can hand to their existing clients. Anything more invasive and the auditor has to actually evaluate us, which kills the velocity.

    Curious which of the three you've seen actually work in adjacent compliance categories (SOC 2 add-ons, ISO Annex SL packs, etc.). The pattern recognition is more useful than the abstract ranking.

  2. 1

    That hierarchy is sharper than how I phrased it in the post — going to steal it for the docs.

    The traceability point is the load-bearing one. I'm convinced procurement won't trust an AI-generated Annex IV pack as the artifact; they'll trust it as a draft layer on top of a deterministic chain. So the doc is structured exactly that way: every paragraph in the generated section carries an inline reference back to (question_id, answer, article_mapping, timestamp). A reviewer can collapse the prose entirely and audit the underlying tuples.

    The real test is whether a counsel-of-record will sign off on it. Have you seen any procurement teams accept AI-drafted compliance docs in 2026, even with traceability? My read is it's still draft-only until at least one large case sets the precedent, but I'd love to be wrong.

  3. 1

    Apologies for the late reply — was heads-down on the next ship.

    Right, and that's the part most SMB tools collapse. The classifier is the cheap signal; the chain that produces it is what survives a regulator asking "show me the Article 9 conformity record for this system on March 14."

    What you call defensibility is exactly the spec I wrote against: every verdict has to round-trip back to (a) the question chain at the time of classification, (b) the AI Act article it maps to, (c) the timestamp + signed evidence anchor, (d) the demo verdict that would have rendered. None of those four exist in the typical Vanta-style "we did the questionnaire" artifact.

    The interesting design question I'm still working through: the chain itself needs to be portable to the auditor without depending on AIComply being alive. That's a hard constraint — I think we get there with periodic signed export packs + a standalone verifier, but I'd rather make that auditor-facing call than guess.

  4. 1

    @Hire_Hivemind — thanks for the read, and you're right that the cross-walk was the part I'm proudest of (the BSI 2025 mapping is the unsung research that made it possible).

    Honest answer on distribution: SMB-direct is what's running today — the free 30-second risk classifier at aicomply.piposlab.com/free/risk-checker is the wedge, no signup, generates a permalinked verdict the SMB can hand to their counsel. That gave me real verdicts in front of real SMBs fast, and the conversation in this thread is exactly the kind of feedback I needed before formalizing a channel motion.

    The audit channel is where I want to push next, and your structural argument is right: $49-$399/mo doesn't compete with audit revenue, so an auditor saying "buy this evidence layer so I have something defensible to review" is a much better dynamic than us cold-pitching the same SMB. The friction I haven't solved is what the auditor gets in return — co-branded Annex IV templates? a referral fee? a "for clients of X auditor" landing page? Open to ideas.

    Curious what brought you to the post — are you evaluating compliance tooling for your own team, sitting in a consulting role, or somewhere with auditor relationships? Whatever it is, I'd love to hear what would actually make AIComply useful to you (or your clients).

    — Alex

    1. 1

      Three auditor incentive structures, ranked by sustainability:

      Co-branded package ("AIComply for [Auditor] clients") — auditor gets a defensible recommendation that doesn't compete with audit fees, you get pre-qualified buyers. No money changes hands.

      Referral fee (15-20% recurring) is easiest but triggers conflict-of-interest disclosure in most jurisdictions. Most auditors hate it.

      White-label inside the auditor's service stack. Hardest to set up, highest LTV.

      The thing most founders miss: for auditors, the right incentive is reputational, not financial. Co-branding positions them as the smart firm. Referral fee positions them as middlemen taking a cut. Same revenue, different signal.

      On who I am — work at HiveMind (myosin.xyz/hivemind), AI strategy copilot for marketing and positioning. Came to your post because SMB-vs-auditor distribution is exactly what we pressure-test. Your build reads as someone who actually thinks before building — rare on this forum.

  5. 1

    Genuinely impressive ship. The cross-walk angle (ISO 27001/SOC 2 → Annex IV, 79% pre-satisfied) is the smartest insight in this whole post. Most compliance tools miss that entirely.

    One genuine question — for distribution, are you planning to go direct to SMB or through SOC 2 / ISO 27001 auditors who already have the trust + budget conversation? Auditors can't recommend Vanta (competitor at their fee level) but $49/mo doesn't threaten audit revenue. Curious if that's already in the plan or you're going direct first.

  6. 1

    Aryan — that traceability point is exactly the line I had to redraw twice during build. The first version generated free-form Annex IV prose; procurement-track reviewers (we tested on 3) flagged it instantly as "can't tell which claim came from which source." Useless.

    The shipped version generates each Annex IV section as a structured artifact: every assertion links back to (a) the specific question in the chain that triggered it, (b) the EU AI Act article it cites, (c) a UTC timestamp + content hash so the same inputs always produce the same output. The reviewer can collapse the prose and just inspect the source-of-claim table — which is what they actually do.

    So the AI is doing prose synthesis on top of a deterministic claim graph. Not "AI generates the doc" — "AI formats a doc whose claims are pre-computed." Different security posture entirely.

    Where this gets harder is the customer's OWN evidence (their data flows, their use-case description). That's free-text input that becomes part of the chain. We log every input verbatim + diff every change, so a reviewer can audit "what did the customer assert at the time of the verdict." Not perfect but it's the best deterministic anchor I've found short of asking customers to fill XBRL-style structured forms (which they won't).

    Curious how you'd extend the determinism guarantee to the customer-input layer — that's the part where I keep hitting tradeoffs.
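The deterministic anchor described in this comment (verbatim inputs plus a content hash), the signed, append-only literacy register from the post, and the constraint in the earlier reply that the chain must stay verifiable without AIComply being alive all point at the same structure. Here is an added example of it, not the product's own code: an append-only, hash-chained evidence log whose signed export an auditor checks offline with a standalone verifier. Assumptions of this example: HMAC-SHA256 stands in for the asymmetric signature a real deployment would use (with Ed25519 the auditor would hold only the public key), and the key, timestamps and entries are constructed.

```python
"""Append-only, hash-chained evidence log with a standalone verifier (added example).

Every event (a classifier verdict, a literacy-module completion, a revision of
the customer's free-text input) becomes an entry carrying its UTC timestamp,
the content hash of its payload and the hash of the previous entry. An export
is the entry list plus a signature over the head hash. `verify_export` needs
only the export and the verification key, never the service, which is what
makes the chain portable to an auditor. HMAC-SHA256 stands in for an
asymmetric signature here (assumption); not the product's own code.
"""
import copy
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # prev_hash of the first entry


def _canonical(obj) -> bytes:
    # Deterministic serialisation: the same content always hashes the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class EvidenceLog:
    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self.entries = []

    def append(self, kind: str, payload: dict, at: Optional[datetime] = None) -> dict:
        """Add an entry; nothing already in the log can be edited or removed."""
        ts = (at or datetime.now(timezone.utc)).isoformat()
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "kind": kind,
            "timestamp": ts,
            "payload": payload,                        # stored verbatim
            "payload_hash": _sha256(_canonical(payload)),
            "prev_hash": prev,                         # link to the previous entry
        }
        entry["entry_hash"] = _sha256(_canonical(entry))
        self.entries.append(entry)
        return entry

    def export(self) -> dict:
        """Signed snapshot an auditor can verify offline."""
        head = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        signature = hmac.new(self._key, head.encode(), "sha256").hexdigest()
        return {"entries": copy.deepcopy(self.entries),
                "head_hash": head, "signature": signature}


def verify_export(export: dict, verification_key: bytes):
    """Standalone check: returns (ok, reason) after recomputing every hash link."""
    prev = GENESIS
    for i, entry in enumerate(export["entries"]):
        if entry["seq"] != i:
            return False, f"sequence gap at position {i}"
        if entry["prev_hash"] != prev:
            return False, f"chain broken at seq {i}"
        if entry["payload_hash"] != _sha256(_canonical(entry["payload"])):
            return False, f"payload altered at seq {i}"
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["entry_hash"] != _sha256(_canonical(body)):
            return False, f"entry hash mismatch at seq {i}"
        prev = entry["entry_hash"]
    if export["head_hash"] != prev:
        return False, "head hash does not match last entry (truncated export?)"
    expected = hmac.new(verification_key, prev.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, export["signature"]):
        return False, "signature invalid"
    return True, "ok"


def demo() -> dict:
    """Constructed log: one verdict, one literacy completion, one input revision."""
    key = b"constructed-demo-key"  # placeholder, not a real secret
    log = EvidenceLog(key)
    t0 = datetime(2026, 3, 14, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    log.append("verdict", {"system": "hiring-screener", "verdict": "High-risk",
                           "ruleset_version": "example-2026.05"}, at=t0)
    log.append("literacy", {"user": "u-001", "role": "deployer", "module": "v1"}, at=t0)
    log.append("input_revision", {"system": "hiring-screener",
                                  "use_case": "rank applicants for interview"}, at=t0)
    export = log.export()
    tampered = copy.deepcopy(export)
    tampered["entries"][0]["payload"]["verdict"] = "Minimal"  # rewrite a past verdict
    truncated = copy.deepcopy(export)
    truncated["entries"].pop()                                # drop the last entry
    return {
        "intact": verify_export(export, key),
        "tampered": verify_export(tampered, key),
        "truncated": verify_export(truncated, key),
        "wrong_key": verify_export(export, b"not-the-key"),
    }
```

Because each entry's hash covers the previous entry's hash, editing a past verdict, dropping an entry, or replaying an export under the wrong key each fails verification with a specific reason, and the auditor reaches that conclusion from the export file alone.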

  7. 1

    @aryan_sinh — you sharpened my thinking again. You're right that the label isn't the product — but I'd push it one step further: the trust layer has THREE different audiences and each reads a different part of the same artifact.

    The DPO is asking "did we exercise reasonable diligence?" They look at the question chain — did the classifier ask the right questions in the right sequence, and did we answer them honestly? That's an evidence-of-process artifact.

    The external auditor is asking "show me the rule." They look at the article mapping — every yes-answer cites Annex III §X or Article 5(1)(b) etc. That's evidence-of-reasoning.

    Counsel / regulator is asking "when did you know what you know?" They look at the timestamped permalink — the verdict was rendered on date X, the classifier rules were version Y at that point. That's evidence-of-determinism: the same inputs would produce the same output, today, six months from now, and at the audit.

    The four demo verdicts on the post (resume-screening, customer chatbot, grammar checker, deepfake toy) are deliberately picked to span all four risk tiers so any DPO/auditor reviewing the link can see the classifier behaving consistently across the regulation's full spectrum — not just the prohibited-tier extreme.

    Where I'm still figuring it out: the documentation pack itself (Annex IV technical doc) is LLM-generated, which creates a "trust the AI to defend the AI" problem if I'm not careful. Currently mitigating by having the LLM cite back to the deterministic question chain it can't override. But there's still a subjective layer (severity language, mitigation strategies) where the LLM's judgment can be challenged.

    Curious if you've seen how procurement teams in regulated industries audit AI-generated compliance documentation specifically — what's the reasonable inspection pattern there?

    1. 1

      This is the right breakdown.

      The three-audience framing is stronger than a generic “trust layer” because each buyer is looking for a different kind of proof.

      DPO wants evidence-of-process.
      Auditor wants evidence-of-reasoning.
      Counsel/regulator wants evidence-of-determinism.

      On AI-generated compliance docs, I don’t think procurement will trust the generated document by itself. They’ll inspect whether every generated claim can be traced back to a deterministic source: question chain, article mapping, versioned rule, timestamp, and user-provided input.

      So the LLM-generated Annex IV pack probably needs to be treated as a draft layer sitting on top of the evidence system, not the source of truth.

      The source of truth is the audit trail.

      That’s also why I still think AIComply may become too narrow as the long-term brand. The product is not just helping people “comply with AI rules.” It is building defensible AI governance evidence.

      If this becomes the audit infrastructure layer for AI systems, a harder trust-grade name like Davoq.com fits the category better because it sounds more like infrastructure than a compliance checklist.

      Not saying force a rename now. But I would pressure-test whether AIComply is helping buyers see the bigger trust layer, or quietly keeping the product in the “AI Act calculator/compliance tool” bucket.

  8. 1

    Quick context for anyone wondering "is this just another EU AI Act calculator":

    The classifier maps each yes-answer to the exact Article number that triggered it (Art. 5(1)(a-b) for prohibited categories, Annex III §3-§5 for high-risk, Art. 50 for transparency, Art. 2(1) for territorial scope). When the auditor asks "show me the rule that produced this verdict", we point at the question chain.

    Four pre-staged demo verdicts you can poke at:

    Curious how others are calibrating Article 4 enforcement timing — anyone hearing rumors from CNIL/BfDI?

    1. 1

      This is exactly the trust layer I’d lean into.

      The “rule that produced this verdict” point is what separates this from a generic AI Act calculator. Most SMB tools will probably stop at giving a confident-looking risk label, but the buyer here is not really buying the label. They are buying defensibility when a DPO, auditor, counsel, or regulator asks why that label was produced.

      That makes the question chain, article mapping, timestamped evidence, and demo verdicts more valuable than the classifier UI itself. The product feels less like a compliance checklist and more like an AI governance evidence layer.

      That is also why I’d be careful with AIComply as the long-term brand. It explains the starting wedge, but if this becomes broader audit infrastructure for AI systems, a harder trust-grade name like Davoq.com would fit the direction better than a descriptive compliance name.
