Rate

Classify risk, decompose obligations, conduct gap analysis, and establish governance maturity. The Rate phase transforms the regulatory landscape mapped during Triage into a quantified governance posture — providing the decision framework for resource allocation across all remaining TRACE phases.

Core Activities

From landscape to quantified posture

Five structured activities that produce risk classifications, an obligation register, gap analysis, maturity scoring, and a prioritised remediation roadmap.

Multi-Framework Risk Classification

EU AI Act Art. 5-6GDPR Art. 35NIS2MDR

Classify each AI system under every applicable framework's risk taxonomy, then synthesise into a composite risk level. The EU AI Act establishes four tiers: unacceptable, high-risk, limited risk, and minimal risk. GDPR assesses risk contextually through DPIA triggers. NIS2 classifies entities, not individual systems. Sector-specific classifications add further layers.

EU AI Act: Annex I product safety, Annex III use-case categories, Article 6(3) exception analysis, GPAI systemic risk threshold (10^25 FLOPs)
GDPR: large-scale processing, special category data, systematic monitoring, automated decision-making with legal effects
Composite risk synthesis: Critical, High, Moderate, or Low — set by the highest individual classification across all frameworks
Critical and High systems receive full TRACE treatment; Moderate receives proportionate treatment; Low receives streamlined governance with periodic review

Obligation Decomposition

EU AI Act Art. 9Cross-framework mapping

Framework-level requirements are broad provisions containing numerous discrete obligations. EU AI Act Article 9 alone decomposes into more than 30 distinct obligations relating to risk management system design, implementation, documentation, and review. Each obligation is atomic: a single compliance criterion, independently assessable, evidenced by a specific artefact.

Extract individual requirements from each applicable provision — a single article may contain 10+ atomic obligations
Cross-map overlapping requirements: EU AI Act Art. 10 (data quality), GDPR Art. 5(1)(d) (accuracy), ISO 42001 data quality requirements can be satisfied through a single programme
Each obligation entry captures: source instrument, obligation text, simplified criterion, TRACE phase addressed, evidence artefacts, cross-references, and compliance status
A high-risk system under EU AI Act + GDPR + NIS2 + ISO 42001 may generate 500+ individual requirements

Gap Analysis

5-point scaleSeverity weighting

Assess the organisation's current compliance status against each obligation using a structured five-point compliance scale: Not Started (0), Initiated (1), Partially Addressed (2), Substantially Compliant (3), and Fully Compliant (4). Each gap is assigned a severity weight based on enforcement timeline proximity, penalty exposure, reputational risk, and operational dependency.

Assessment combines document review, stakeholder interviews, technical inspection, and automated compliance scanning
Severity weighting: EU AI Act fines up to 7% of global turnover, GDPR fines up to 4% — penalty exposure drives prioritisation
Operational dependency scoring: foundational obligations (e.g., Art. 9 risk management system) cascade across the compliance programme
Cross-framework gap consolidation identifies remediation actions that close gaps across multiple frameworks simultaneously

Governance Maturity Assessment

8 dimensions5 levels

Gap analysis measures compliance against specific obligations. Maturity assessment measures the overall capability of the organisation's AI governance programme. An organisation may be compliant with many obligations through ad hoc effort while lacking the systemic capability to sustain that compliance over time.

Eight dimensions: governance structure, risk management, technical controls, documentation, monitoring, stakeholder engagement, supply chain governance, continuous improvement
Five levels: Ad Hoc, Repeatable, Defined, Managed, Optimising — each scored independently per dimension
Weighted composite score provides overall maturity rating with benchmark comparisons against industry peers
Assessment conducted at programme inception and repeated at least annually to track trajectory

Remediation Roadmap Construction

PrioritisationDependency mapping

Translate the gap analysis and maturity assessment into a sequenced, resourced, and tracked plan for closing gaps and advancing maturity. Prioritisation uses a composite score from regulatory deadline urgency, gap severity, effort estimate, and cross-framework leverage.

High-leverage items deliver disproportionate compliance value per unit of effort — a single data quality programme may address obligations under 4+ frameworks
Dependency mapping prevents scheduling work that cannot proceed until prerequisites are complete
Resource allocation accounts for specialist expertise gaps, external advisory requirements, and tooling investment
Executive dashboard reporting: percentage of obligations at full compliance, critical gaps remaining, maturity score trend, time to next deadline

Maturity Model

Five levels of governance capability

Maturity measures the overall capability of the governance programme. An organisation may be compliant with many obligations through ad hoc effort while lacking the systemic capability to sustain compliance over time.

Ad Hoc

AI governance activities are reactive and unstructured. Compliance is addressed on a case-by-case basis. No formal governance framework exists.

Repeatable

Basic governance processes exist and are followed for some AI systems. Processes are dependent on individuals rather than institutionalised. Documentation is inconsistent.

Defined

Governance processes are formally defined, documented, and applied consistently across all in-scope AI systems. Roles and responsibilities are clear. Documentation is systematic.

Managed

Governance processes are monitored through metrics. Performance is measured and tracked. Continuous improvement mechanisms exist. Governance decisions are data-driven.

Optimising

Governance processes are continuously improved based on quantitative feedback, regulatory change, and industry best practice. The organisation contributes to standards development. Governance is a competitive differentiator.

Artefacts

Rate phase outputs

Six structured deliverables that drive resource allocation and remediation planning across all remaining TRACE phases.

Risk Classification Records

One per AI system, documenting the formal risk classification under each applicable framework, the supporting analysis, and the composite risk level.

Obligation Register

Unified database of all decomposed obligations across all applicable frameworks, with cross-mapping, compliance criteria, evidence requirements, and current status.

Compliance Gap Register

All identified gaps with severity weights, remediation priorities, cross-framework consolidation opportunities, and assigned owners.

Maturity Assessment Scorecards

Dimension-level and composite maturity scores with supporting evidence, commentary, and benchmark comparisons.

Remediation Roadmap

Prioritised, sequenced, resourced, and dependency-mapped plan for gap closure and maturity advancement, with executive reporting dashboards.

Composite Risk Synthesis

Cross-framework risk view that drives governance effort allocation — Critical, High, Moderate, or Low based on the highest individual classification.

Quantify Your Governance Posture

From regulatory landscape to prioritised remediation — risk classification, gap analysis, and maturity scoring in one unified framework.

Request Access Talk to Us