EU AI Act readiness

Gamut helps you work towards EU AI Act readiness: mapping AI systems, classifying them by risk class, working through the relevant obligations, and building a practical readiness evidence pack you can show to boards, buyers and reviewers.

Not legal advice

Gamut provides product-safe operational summaries of public legal obligations, with article and risk-category references for traceability. This is not legal advice and does not replace a licensed copy of the regulation or qualified legal counsel. Verify obligations and their current status with appropriate advisers before relying on them.

The six risk classes

The EU AI Act is a risk-tiered regime. Gamut routes each system into one of six risk classes, which determine the obligations that apply:

Risk class	What it means
Scope / role	Establishing whether and how the Act applies, and your role (provider, deployer and so on).
Prohibited / unacceptable risk	Practices banned outright under Article 5.
High-risk	Systems subject to the full Article 8 to 15 requirements.
Transparency / limited risk	Systems with behaviour-based transparency duties under Article 50.
GPAI model route	General-purpose AI models and their supply-chain obligations.
N/A evidence trail	Documented evidence that an obligation does not apply.

The eleven assessment categories

Gamut structures EU AI Act readiness into eleven categories, each anchored to specific articles for traceability:

Category	Articles
Scope, role and timing	Arts 2, 3, 4, 113
Prohibited practices (hard gate)	Art 5
High-risk classification	Art 6
High-risk system requirements	Arts 8 to 15
Provider, deployer and conformity duties	Arts 16 to 20, 26, 43, 47 to 49
Fundamental Rights Impact Assessment (FRIA)	Art 27
Behaviour-based transparency	Art 50
High-risk post-market monitoring and serious incidents	Arts 72 to 73
GPAI systemic-risk monitoring	Art 55
GPAI and model supply chain	Chapter V
Non-applicability evidence trail	Arts 2, 6, 27, 50, Chapter V

The prohibited practices category is a hard gate: a system that falls under Article 5 cannot proceed regardless of other controls. The non-applicability category is deliberately included so that “this does not apply to us” is itself an evidenced, defensible decision rather than a silent assumption.

How readiness maps to the lifecycle

1. Inventory, register the AI systems in scope in the Registry.
2. Classify, use intake and risk tiering to place each system into its risk class.
3. Assess, work through the categories relevant to that class, with article references for traceability.
4. Evidence, capture evidence of governance, oversight, documentation and risk management. The FRIA category draws on the same impact-assessment work as ISO/IEC 42005.
5. Report, produce a readiness pack that demonstrates where you stand and what remains.

Crosswalk

Evidence gathered for the EU AI Act crosswalks to GTSAF (every GTSAF control carries EU AI Act article anchors), NIST AI RMF and ISO/IEC 42001. See Frameworks overview and the GTSAF crosswalk table.

Next

• Intake & risk tiering, the basis for risk classification.
• ISO/IEC 42005, the impact-assessment companion for FRIA work.
• Reporting & exports, producing the readiness pack.