Triage

Which regulatory instruments apply to this AI system, and in what capacity? The question is deceptively simple because the answer is rarely straightforward. Applicability depends on technical characteristics, intended purpose, sector, jurisdictions, supply chain roles, and the nature of the data processed. An error in Triage propagates through every subsequent TRACE phase.

Core Activities

Regulatory landscape scoping

Four structured activities that produce a comprehensive, defensible picture of the regulatory obligations applicable to each AI system.

AI System Inventory and Registration

EU AI Act Art. 3(1)Shadow AI

Build a complete inventory of AI systems with metadata sufficient for applicability analysis: system description, AI technique, intended purpose, domain, deployment geography, data categories, supply chain position, and lifecycle stage. Shadow AI — teams adopting AI-powered tools without central governance approval — is pervasive and must be discovered through procurement review, vendor questionnaires, and technical architecture analysis.

Classify each system against the EU AI Act Article 3(1) definition — machine-based systems with varying levels of autonomy that infer from inputs to generate outputs
Document classification rationale for borderline systems — include borderline systems in inventory and resolve during detailed analysis
Flag personal data, special category data, criminal offence data, and data relating to children
Record whether the organisation is provider, deployer, distributor, importer, or authorised representative

Jurisdictional and Territorial Scoping

EU AI Act Art. 2GDPR Art. 3NIS2

Each regulatory instrument has its own territorial scope provisions. The EU AI Act applies to providers placing systems on the EU market regardless of establishment, to EU-established deployers, and to non-EU providers whose system outputs are used in the EU. GDPR applies wherever EU data subjects' personal data is processed. NIS2 applies to essential and important entities providing services within the EU.

Map establishment, market placement, data subject location, and output usage for each system
Account for both EU and UK regulatory perimeters — UK operates its own data protection regime and sector-led AI regulation approach
Assess cross-border scenarios: a single system may engage six or more regulatory instruments across multiple jurisdictions
Document territorial scope determinations for both positive and negative applicability findings

Regulatory Instrument Mapping

EU AI Act Art. 5-6GDPR Art. 22, 35NIS2MDR

Map each AI system against the full set of potentially applicable regulatory instruments using structured decision trees. For the EU AI Act: screen for prohibited practices, classify high-risk status via Annex I and Annex III, evaluate the Article 6(3) exception, assess limited risk transparency obligations, check GPAI model obligations, and determine minimal risk status.

EU AI Act: prohibited practice screening, high-risk classification, Article 6(3) exception analysis, limited risk transparency, GPAI model obligations
GDPR: personal data involvement, controller/processor determination, Article 22 automated decision-making assessment, Article 35 DPIA trigger analysis
NIS2: essential or important entity qualification based on sector and entity size
Sector-specific: MDR/IVDR for healthcare, MiFID II/DORA for financial services, Machinery Regulation for manufacturing
Standards: ISO 42001, ISO 27001, ISO 5338, NIST AI RMF, CEN/CENELEC harmonised standards

Supply Chain and Value Chain Analysis

EU AI Act Art. 25, 28GPAI Title IIIA

AI systems are built upon foundation models, trained on third-party datasets, deployed through cloud infrastructure, and integrated into broader products. Governance obligations are distributed across this supply chain. Identify upstream actors — foundation model providers, training data suppliers, cloud infrastructure providers — and downstream deployers, then map the contractual mechanisms needed to ensure compliance.

Upstream: foundation model providers, pre-trained model suppliers, training data providers, labelling services, cloud infrastructure, component software
GPAI model providers carry Title IIIA obligations — downstream providers must obtain sufficient information to fulfil their own obligations
Downstream: supply deployers with instructions for use, enable transparency obligations, cooperate in post-market monitoring
Contractual flow-down: provider-deployer agreements must address conformity responsibilities, incident reporting, and data governance

Decision Framework

EU AI Act applicability decision tree

A structured sequence of determinations applied to every AI system during Triage.

Prohibited Practice Screening

Art. 5

Social scoring, real-time remote biometric identification in public spaces (subject to exceptions), emotion recognition in workplaces and education, biometric categorisation based on sensitive characteristics, untargeted facial recognition scraping, and manipulation or exploitation of vulnerabilities.

High-Risk Classification

Art. 6, Annex I & III

Safety component of a product covered by EU harmonisation legislation (Annex I), or a system within Annex III use cases: biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, administration of justice, democratic processes.

High-Risk Exception Analysis

Art. 6(3)

Narrow procedural task, improvement of previously completed human activity, decision pattern detection without replacing human assessment, or preparatory task — if exception applies and no significant risk of harm, provider may determine system is not high-risk.

Limited Risk and GPAI Assessment

Art. 50, Title IIIA

Transparency obligations for systems involving direct interaction, synthetic content generation, emotion recognition, or biometric categorisation. GPAI model obligations where the system incorporates a general-purpose AI model.

Artefacts

Triage phase outputs

Five structured deliverables that feed into every subsequent TRACE phase. Re-triage is a continuous scanning and assessment process — the Triage phase is never truly complete.

AI System Inventory

Complete register of AI systems with metadata as specified: identifier, description, AI technique, intended purpose, domain, geography, data categories, supply chain position, integration dependencies, and lifecycle stage. Maintained as a living database.

System Regulatory Profile

One per AI system. Captures every applicable instrument, the specific provisions triggered, the organisational role under each instrument, and the basis for each applicability determination. A living document updated whenever the system, organisation, or regulatory landscape changes.

Applicability Decision Log

Structured record of every applicability determination, including rationale for both positive and negative determinations. Negative determinations demonstrate that the assessment was comprehensive.

Supply Chain Map

Visual and tabular representation of upstream and downstream actors, their roles under applicable frameworks, and the contractual mechanisms governing each relationship.

Triage Review Schedule

Defined cadence for re-triage, including triggers for immediate re-assessment: new regulatory instruments, significant system modifications, geographic expansion, supply chain changes, or sectoral classification changes.

Map Your Regulatory Landscape

Start with a comprehensive inventory and applicability analysis — the foundation of structured AI governance.

Request Access Talk to Us