Governance
Owners, roles, and records
Track who owns each AI system, what role your organisation plays, and which review records still need a human decision.
When a client, auditor, or regulator asks which AI you use, what data it touches, and who's in control — answer with a reviewable evidence trail. Built for the 99% of EU companies that need EU AI Act readiness but can't afford Big Four consulting.
Readiness support only. AICVS is not legal advice, not legal certification, and not a substitute for qualified review.
Sample readiness score. Each system connects to controls, evidence, owners, and the reports it can support.
Start with one system. AICVS shows the missing owner, evidence, controls, and report outputs attached to that record.
AICVS keeps the product simple by showing the same records through governance, risk, evidence, and reporting views. Teams can start manually, import an app list, or add technical scans when useful.
Track who owns each AI system, what role your organisation plays, and which review records still need a human decision.
Surface likely high-risk systems, personal-data flags, GPAI dependencies, and missing oversight evidence before reports are generated.
Policies, DPIA notes, scans, vendor files, monitoring logs, and literacy records can support more than one report.
Generate a focused pack for EU AI Act, SOC 2, ISO 42001, or ISO 27001 without forcing every framework into one review.
For SMEs and consultants, discovery should not require weeks of IT procurement. Start with exports and uploads; connect live integrations later when the organisation is ready.
This is the operating rhythm of AICVS: surface likely AI use, turn it into owned system records, then keep evidence attached as the system changes.
Upload a SaaS export to surface likely AI tools, or add systems directly. Each record can become an owned AI system in the inventory.
Record intended purpose, sector, data flags, vendor context, and likely risk tier for qualified review.
Link controls, policies, Annex IV draft inputs, DPIA/FRIA readiness, explainability, monitoring, incidents, and audit-pack outputs.
Most tools stop at a checklist. AICVS reads your actual code, watches your AI usage continuously, and turns readiness into something you can prove to a customer in one link.
Upload code or a ZIP — AICVS maps each finding to specific EU AI Act articles (Art.9–15) and SOC 2/ISO controls, with a signed certificate. Checklist-only GRC tools can't do this.
See the frameworks →Connect Okta, Google, GitHub, or a signed webhook. AICVS backs up to 10 controls across SOC 2, ISO 27001/42001, and the EU AI Act with always-on evidence of operating effectiveness over time — what auditors weigh most for SOC 2 Type II, not a one-time attestation.
How monitoring works →Share a live, read-only readiness page with a prospect or auditor — no login for them. Shows your score and frameworks; never your system names or gaps. Turns compliance into a sales asset.
About trust →One click produces a full ZIP — compliance PDF, Annex IV, evidence manifest, policies — or a framework-scored document pack for EU AI Act, SOC 2, ISO 27001, and ISO 42001.
Platform views →Assign built-in AI-governance training, have staff pass an end-of-module assessment to mark completion, and keep the records — meeting the EU AI Act's staff-literacy obligation without leaving AICVS.
How training works →Run readiness across many client organisations from one login, each isolated. Universities use the same engine to check student submissions for AI-written code, per assignment.
Plans →The point is not to create more documents. The point is to connect each system, control, and evidence item so reviewers can see what is covered and what is still missing.
AICVS links requirements to controls and stored evidence, then uses that trail when generating readiness reports and framework-scoped document packs.
The dashboard highlights which systems need attention, what records are missing, and which outputs can be generated from available evidence.
AICVS is EU AI Act-first, but teams often need a narrow view for SOC 2, ISO 42001, ISO 27001, or related EU operational requirements. Each view should explain the records, not bury users in acronyms.
System roles, risk classification, Annex IV inputs, DPIA/FRIA readiness, monitoring, incidents, and audit-pack records.
Read framework viewAI management system records: governance, objectives, risk treatment, operating controls, review cadence, and evidence reuse.
Read framework viewSecurity, availability, confidentiality, AI change management, access control, and evidence gaps for technical review.
Read framework viewInformation security evidence that can support AI governance: access, logging, vulnerability, supplier, and lifecycle records.
Read framework viewOperational resilience signals for ICT providers, incident routes, vendor context, and continuity records where applicable.
Read framework viewCybersecurity, personal data, lawful basis, privacy impact, and incident hand-off records that may interact with AI systems.
Read framework viewThe product helps you structure, maintain, and export records. Legal classification, conformity assessment, and regulator-facing decisions still require qualified human judgment.
A quick preview. The full pricing page carries the detailed comparison.
For learning the workflow and testing a small number of systems.
For SMEs and SaaS teams maintaining EU AI Act readiness records.
For verified university, teaching, and research teams using AICVS in a focused setting.
For procurement, SSO, high-volume review, managed onboarding, or custom terms.
Register the system, classify likely risk, attach evidence, and generate a readiness output based on available records.