Riseplan from Roast & Rise
AI Governance and Regulation Readiness: Your Move Before the EU AI Act Deadline
Navigate new AI rules and protect your business before the deadline lands.
Most small and mid-size companies believe the EU AI Act targets only large enterprises. That is a myth. This RisePlan cuts through confusion: map your company’s AI risk, close your compliance gaps, and build a routine that fits small teams and tight timelines—without a legal department.

Course thesis
The EU AI Act’s 2 August 2026 deadline is a hard stop, not a distant worry. Most small and mid-sized companies risk major penalties because they wrongly think regulatory pressure only applies to big tech. This plan dismantles that assumption and delivers concrete, workable steps for SMBs to diagnose, simplify, and act—while avoiding legal paralysis and generic one-size-fits-all templates.
What you leave with
By the end, you will know if your company falls under the EU AI Act, classify your AI systems by risk, spot missing documentation, and use a clear 30-day plan to start building your compliance foundation—no legal team required.
For
Founders, operations or legal leads, and board members at small to mid-sized companies using or developing AI systems, inside or for the EU, who need to get AI Act-ready without hiring a legal department.
Workflow
Company-wide review, assessment, and early implementation of EU AI Act compliance—starting from scope and risk mapping, to documentation gap analysis, to a first compliance sprint, tailored for small and mid-sized teams.
Change
Delivers a shift from ignoring or deferring AI regulation to proactive, confident action—mapping risk, closing the real compliance gaps, and building a lightweight ongoing routine.
What you can do
Use these as checks while you move through the plan.
Identify whether your company is in scope for the EU AI Act and which requirements apply.
Classify each company AI system by the correct EU AI Act risk tier.
Spot missing or incomplete documentation, especially for high-risk or transparency-attributable systems.
Draft a company-specific compliance map and 30-day action plan that works with existing resources.
Avoid major mistakes (like assuming immunity due to size or waiting for regulators to act first).
Chapters
01
Wake-Up Call: Does the EU AI Act Apply to You?
Stop relying on hearsay or hope: use real criteria to determine if—and how—the EU AI Act applies to your company, with a not-fake, fill-in worksheet you can defend to your board or your team.

Why this matters in the workflow
The EU AI Act looks like a distant, enterprise-only issue. But its scope is broad, and penalties are calibrated to scare companies of any size—up to 7% of global turnover. Even if you’re just deploying AI from vendors, publishing basic transparency notices, or building tools with small teams, you are likely in scope.
Failing to check—before product launches or new hires—means betting on luck. Every delay increases the risk that a single regulator’s email or a customer asking tough questions will catch you exposed, incoherent, and scrambling. The goal is simple: close the guesswork gap. Get your company’s answer in writing.
The working model
Quality checklist
All AI uses, vendor tools, and internal deployments listed—not just flagship products.
EU market connection clearly marked.
SME/SMC criteria checked against real company data.
Gaps flagged with an assigned owner for any unclear field.
Status summary gives a clear, plain-language view of what action is needed next.
File is dated and shareable for audit or board review.
Common mistakes
Leaving out internal or experimental AI tools.
Assuming 'we’re just a user of X' means out of scope.
Not updating SME/SMC status with real, current data.
Letting ambiguous fields linger without flagging or ownership assigned.
Treating the worksheet as a legal memo instead of a decision map for operations.
Checkpoint
Are you confident you can defend your company's in-scope or out-of-scope status, point to documentary proof, and assign ownership for any open gaps—without waiting for a lawyer?
Exercise
Pin Down Your Scope: Complete Your EU AI Act Company Status Worksheet
Goal: Fill a real, defensible worksheet for your company’s EU AI Act status.
Steps:
- Download or copy the worksheet template below.
- Answer each question using public information, internal product docs, sales records, and org charts.
- If any field is unclear, flag it and name the responsible team member to resolve.
- Summarise your company’s current status (in/out of scope, SME/SMC status, documentation health) in one paragraph.
- Save the output with a filename and date—share with your exec or board contact. This is your audit trail starter.
Output: A filled status worksheet plus status summary; ready to defend when asked.
Template and checklist follow.
Use this at work tomorrow
Take 15 minutes: Fill the worksheet for a single product or your whole company, share with one other decision-maker, and book a follow-up on any flagged gaps.
02
Risk Mapping: Classify Every AI Use in Your Stack
Pin down—now, not later—every AI system or use in your company and give it a real risk class under the EU AI Act, using the law’s own definitions as of the 2026 ‘AI omnibus’ agreement. This isn’t a theory drill: the output will defend you under real audit, even if you have no legal department.

Why this matters in the workflow
Most SMBs sleepwalk into AI Act risk. Many founders assume risk mapping is an enterprise headache, or only needed for commercially sold products. Wrong. The law is explicit: if your company puts an AI system to use in the EU, you’re in the scope game. Fail to classify and—when the audit or complaint lands—you’ll scramble with guesses, not facts. Classify now, with your live stack and roadmap.
The working model
- The EU AI Act defines four buckets:
- Prohibited: No-go uses—remote biometric mass surveillance, or manipulative AI for social scoring, for example.
- High-risk: Uses defined in the Act or added by the ‘AI omnibus’: e.g., HR screening, credit scoring, access to education, employee monitoring, and AI-controlled critical infrastructure. High risk = strictest documentation and controls.
- Limited/Transparency: Chatbots, content generators, deepfakes. If people may think AI is human, you must flag it clearly (enforced from 2 December 2026, per AI omnibus).
- Minimal/no risk (Out of Scope): Internal analytics, spell-check, non-AI automation. Few obligations—but document why you ruled them out.
Quality checklist
Every material AI system/use is listed. No hidden in-house, vendor, or pilot projects skipped.
Risk class uses up-to-date Act definitions. No wishful thinking or handwaves.
Rationale applies Act language—or names the nearest legal category.
Unclear cases are flagged, with owners for follow-up.
Map is reviewed by someone who can defend it to board or regulator.
Common mistakes
Missing internal uses or vendor-powered AI tools.
Assigning ‘minimal risk’ without evidence or Act reference.
No one checks or challenges the map—leaving gaps.
Rationale is vague or uses only generic descriptions (e.g., 'low risk because it’s internal').
Failure to update after new AI uses roll out.
Checkpoint
Can you show a clean, classified list of every major AI use in your company—and explain each risk class in plain language under the AI Act?
Exercise
Build Your Company AI Use Risk Classification Map
Goal: In 15 minutes, draft a real risk map for every active or planned AI use in your company. Assign an EU AI Act risk tier and write the logic clearly enough that a board member or regulator could follow it—with no legalese.
Steps
- Inventory: List every AI system, tool, or use (internal and external) currently active or planned in the next 12 months. Include pilots, core products, support tools, and AI-powered vendor services.
- Classify: For each, select the risk class:
- Prohibited
- High-risk
- Transparency-triggered (requires inform/disclosure)
- Minimal/Out of Scope
- Rationale: Write a sentence or two on why you assigned this risk tier. Use the Act’s language where you can (e.g., “Credit scoring is a named high-risk use under the Act, Article X”).
- Flag ambiguities: Where risk class is unclear, note what additional info or review is needed and assign an owner.
- Save this map and share with at least one company lead for review. This is your defendable evidence base.
Use this at work tomorrow
Run a 15-minute mapping session: get every team to list their AI-powered tools and uses, draft your first company-wide risk map (even if rough), and schedule a cross-check this week.
03
Gap Check: What Documentation Are You Missing?
Find your actual compliance gaps—no padding, no paralysis. Inventory what your company already documents, what the EU AI Act really expects at your size and risk level, and what you still need to close the loop. Build a prioritized, company-owned checklist, not a vague intention.

Why this matters in the workflow Strict deadlines loom: the EU AI Act becomes fully applicable on 2 August 2026. Most companies guess—or hope—they’re covered. Regulators won’t care. Non-compliance isn’t theoretical: penalties climb to 7% of global revenue. Small and mid-size companies avoid overload with a focused gap check, not a legal memo. This is the bridge: from guesses and half-steps to a minimal, practical, actionable list of what you actually need to document.
The working model
- The EU AI Act expects technical documentation, risk controls, and policies—for every AI use, tailored to its risk class. High-risk uses bring big obligations (risk management system, data governance, logs, human oversight, accuracy/cybersecurity controls). SME and small mid-cap rules grant simplification, but only if you use them and document them clearly.
- Checklist, not prose: For each system, note what's already documented, what is missing, and, by law, what's not required at your size and risk.
- Work backward: start from legal requirements for each risk tier (and SME simplification), not blanket policies.
How to apply it
- Pull your AI Use Risk Classification Map (last chapter): every system/use-case, each with an assigned risk class.
- For each AI use:
- Check the Act’s documentation/control requirements for your system risk level.
- For SMEs/small mid-caps: use the simplified requirements (fewer details, clear technical explanations, minimum viable policy).
- List, for each requirement: Is it covered? Where? Or missing? Or not required for this system?
- Build a live checklist: single doc or sheet, naming gaps, who owns each, and a fast deadline.
Example on live work Scenario: You run a 45-person SaaS. Three AI uses: (1) internal helpdesk automation (not high-risk); (2) AI-powered loan decision module (high-risk); (3) content-generation for marketing (triggers transparency post-2-Dec-2026, low compliance load now). Gap check, high-risk system (loan decisions):
- Risk management procedure: Partial—policy exists, but no evidence it’s applied to new AI module. Gap: real process, not just written policy.
- Data governance: Missing—no stated data source checks or data retention plan. Gap: document data profiling and retention.
- Technical doc: Partial—dev notes, but no structured record of training/testing data, or audit trail. Gap: pull SME template, document as per Act’s minimums.
- Automatic logging: Missing—logs exist but not stored or reviewed with intent. Gap: implement retention and periodic review.
- Human oversight: Weak—single manual check, not a routine. Gap: write, schedule oversight step, document in process.
Quality checklist
Checklist matches each system/use from risk map (none missing).
Requirements are tied to risk levels and SME rules (no over- or under-documenting).
Missing/partial items identified, not glossed over.
Owners and deadlines clear for each gap.
The checklist is kept live (edit-ready), not static or hidden.
Uncertainties or assumptions flagged for follow-up.
Common mistakes
Leaving out internal or vendor AI, only tracking customer-facing products.
Treating generic IT policies/documents as enough for technical documentation.
Not marking items as 'not required' when justified by SME rule.
Failing to assign a real, accountable owner and deadline to each gap.
Letting checklist languish in someone's folder with no update date.
Checkpoint
Can you show (and defend) a gap checklist that specifies, for each AI system: required documentation, what exists, what’s missing, and who owns closing every gap?
Exercise
Draft Your Documentation Gap Checklist (SMB, Actual Use-Cases, Real Gaps)
- Gather your AI Use Risk Classification Map from the previous step.
- For each system or use, look up the act's minimum documentation required for its risk class (use the EU AI Act and SME rules as reference; if unsure, flag the assumption).
- In the checklist template:
- List all requirements per system (risk management, data governance, technical doc, logging, oversight, etc.)
- Mark each as: Exists (source/link), Missing, or Not Required (state why; cite SME rule if used).
- Assign a person responsible for each missing item and a target deadline (max 30 days).
- Set one immediate next-review date—block 15 minutes next week for an update.
Output:
- Drafted, company-specific checklist covering all systems, current documentation, all current gaps, and named owners/deadlines. Invite check/edit from a founder/lead.
Use this at work tomorrow
Run your company's first AI documentation gap check—name owners, give every gap a date, and skip the legalese.
04
The 30-Day Plan: Your First Lightweight Compliance Sprint
Turn your intention into a real, finished sprint—assign owners, set the clock, and check off the first wave of compliance steps. Your plan must be visible, doable, and not disappear in the next busy week.

Why this matters in the workflow
You’ve mapped your risk. You know what’s missing. None of that helps if it isn’t acted on. The EU AI Act takes effect in August 2026. Delaying now is gambling: on luck, on invisibility, on someone else cleaning up. A sprint is a clock—short, is visible, and forces progress. It works for tiny teams and companies with no legal budget. A compliance sprint turns shelfware into momentum.
The working model
The 30-day compliance sprint is project management, stripped back. Take the gap list. Assign real owners for each missing item—documentation, controls, oversight. Lock these into a timeline, with simple check-ins: halfway and at the finish. No hiding. Progress is public—at least to leadership or the board. At the end, you have progress in hand, and a routine ready to repeat (with fewer headaches).
Quality checklist
Clear, real tasks—no vague or generic points
Owner named for each item—no ambiguity
All dates inside a real 30-day window
Both midpoint and end reviews scheduled
Plan shared outside your personal inbox—visible to team or leadership
All known blockers or risks surfaced in comments section
Common mistakes
Assigning tasks to functions or teams—not names
Letting 30 days slip by without a check-in
Leaving unfinished tasks out of the next plan
Not sharing the sprint plan, keeping it private
Writing unclear or wishful tasks ("sort out docs")
Checkpoint
Can you show your completed 30-day sprint plan with three named owners, two review dates, and proof it’s been shared beyond your own inbox?
Exercise
Build, Assign, and Launch Your 30-Day Compliance Sprint
Your goal: a single-page, visible 30-day compliance sprint plan with owners, due dates, and check-ins. Use the template—real names, not roles. Minimum three items. Schedule your first review before closing this exercise.
Steps:
- List at least three real documentation/control gaps from your last checklist.
- For each, estimate work needed and name the real owner (with backup if out).
- Pick start date, midpoint check-in, and end-of-sprint review date (within 30 days).
- Share the plan with your company lead, founder, or board contact.
- Write the plan in the structure below. The plan isn't finished until it's visible and a review is scheduled.
Plan Submission Template
- Sprint title & dates
- Assigned items (gap, owner, estimate)
- Midpoint check-in date
- End-of-sprint review date
- Share-out method (where, who)
- Comments/next steps (space for blockers)
Action: Post/schedule this output to your wider team before moving on.
Use this at work tomorrow
Fill in your sprint plan, assign each gap, and schedule your first review by end of day—no delay, no hiding.
05
Keep It Up: Building an Ongoing, Low-Burden Compliance Routine
Sustain EU AI Act readiness by embedding a lightweight compliance routine, mapped to your business’s reality. Build in calendar check-ins, real owners, and alert systems for regulatory change—so you never drift back into exposure.

Why this matters in the workflow
Compliance is not an audit stunt. It’s a living process—especially under the EU AI Act, where AI systems shift, staff change, and laws keep moving. A one-time compliance push fades fast. This chapter is your next fail-safe: building an embedded, lightweight routine that keeps your business ready, not scrambling for another fix when the heat returns.
The working model
A compliance routine must be:
- Simple: No bureaucracy. Just the essentials, in writing.
- Rhythmic: Anchored to calendar events—quarterly or annual reviews, plus check-ins after big product or vendor changes.
- Owned: Each action must have a named human (not just a department) responsible.
- Alert: Includes a mechanism for monitoring EU AI Act updates and internal AI use expansions.
Quality checklist
Every field in the template is filled with specific, real assignments—not placeholder names or vague dates.
Check-in cadence is feasible (at least annual), with next dates set on a live calendar.
At least one reliable regulatory monitoring channel is named, with a real person assigned.
Documentation review list covers all key compliance docs and new AI uses.
Steps are concise, numbered or bulleted, clear enough for a new joiner to understand and execute without confusion.
Plan is sent/shared with all relevant owners/leaders, not filed away.
Common mistakes
Only writing the routine—never setting the calendar event.
Leaving the owner unassigned or vague; using just 'Ops' or 'Legal'.
No regulatory update source picked; nobody tracking changes.
Routine is overly complex—impossible to run without a compliance desk.
Failing to include review of new AI systems or process shifts since last check-in.
Checkpoint
Can you name your routine owner, next review date, and update channel without checking your notes? If not, finalize and commit your plan before moving on.
Exercise
Build Your Company's Compliance Routine & Checkpoint Calendar
Your Task (15 Minutes)
Set up a live, low-burden compliance routine that fits your company size and AI risk. Complete the below steps and ready it for action.
Steps:
- Decide your check-in schedule: Annual (minimum), biannual, or quarterly? Mark the next two on your company calendar.
- Assign an owner: Name the main person responsible (plus a backup/secondary for absence/turnover).
- List documentation to review/update: Include your gap checklist, risk map, and any new AI uses.
- Choose a regulatory update channel: Identify a news source or tool (newsletter, alert, or RSS) and assign who monitors it.
- Set the update routine: Write short steps for what happens at each check-in (document update, owner report, board memo/minute, new risks logged).
- Finalize calendar invites: Create recurring events; link to this routine; copy the owner and backup.
Fill out the template. Save and circulate to all relevant owners and leadership.
Use this at work tomorrow
Set your first compliance checkpoint date, assign a real owner, and subscribe to an AI regulatory update channel—before today ends.
30-day path
Day 1-3: Complete company scope worksheet and risk classification map.
Day 4-6: Run documentation gap check and assign owners for missing items.
Day 7: Hold a kickoff review with founders/board; agree on the 30-day sprint.
Weeks 2-4: Execute sprint: fill documentation gaps, implement priority controls, run first check-ins.
Day 30: Hold a close-out review, update compliance routine template, and calendar next periodic review.
Success signals
Company has a completed risk classification map, reviewed by at least one C-level or board member.
AI Act documentation gap checklist is filled, prioritized, and assigned to responsible owners.
30-day compliance sprint is planned, scheduled, and tracked—in writing.
First sprint results in documented controls, policies, and traceable progress.
Compliance routine and next review date are scheduled; board/leadership sign-off recorded.
Reflection prompts
Where does this topic show up in real work?
What behavior should change first?
What evidence would prove this Riseplan worked?
Manager checklist
Choose one owner for the behavior change.
Use the exercise on live work.
Review the output before scaling the habit.
Decide what changes after 30 days.
Want this shaped around your company?
Risey can research your company foundation first, then build a version of this path around your real workflows, customers, and culture.
Start with your company