7-day fixed-price audit. Single AI system. Triple-framework methodology (EU AI Act + ISO 42001 + NIST AI RMF). €3,999 founding rate for the first 10 customers. No Big4 €15-50K bill. No SaaS-platform-without-human-audit shortcut. Builder-grade evidence of enforcement, not documentation theater.
5 founding spots remaining · Launching Fri 30.05.2026 · 7-day delivery commitment
Across scoping conversations the pattern recurs: founders self-categorize Annex III high-risk when Article 6(2) actually places them out-of-scope or limited-risk. The cost: over-investing in compliance theater instead of shipping evidence of enforcement. The fix: precise risk classification first, then Article 26 deployer cluster readiness against actual scope — not assumed high-risk theater.
EU AI Act enforcement applies to deployers — not just providers. Article 26 imposes seven concrete obligations on the company using a high-risk AI system. Audit-in-a-Box™ maps each one to your actual scope, surfaces gaps, and gives you the evidence trail before market surveillance authorities come asking under Article 74.
Deployers shall take appropriate technical and organisational measures to ensure they use such systems in accordance with the instructions for use. Most mid-market deployers can't produce the instructions trail. We audit the gap + draft remediation language.
Deployers shall assign human oversight to natural persons who have the necessary competence, training and authority, as well as the necessary support. We audit whether the named person actually exists, has training records, and has authority to override — not just a nominal title on the org chart.
To the extent the deployer exercises control over input data, that deployer shall ensure input data is relevant and sufficiently representative in view of the intended purpose. Most SaaS deployers using vendor LLMs miss the input-control distinction. We surface where the obligation lands — provider vs. deployer.
Deployers shall monitor the operation of the high-risk AI system on the basis of the instructions for use and, where relevant, inform providers in accordance with Article 72. Monitoring without a provider-feedback loop = audit gap. We map the runtime instrumentation needed.
Deployers shall keep logs automatically generated by the high-risk AI system, to the extent such logs are under their control, for a period appropriate to the intended purpose, of at least six months. Tool-level granularity covers deployer scope — API-call retention is provider territory (Article 18, ten-year).
Deployers of high-risk AI systems referred to in Annex III that make decisions or assist in making decisions related to natural persons shall inform the natural persons that they are subject to the use of the high-risk AI system. Cross-references with Article 50 transparency obligations effective August 2, 2026.
Deployers shall cooperate with the relevant competent authorities in any action those authorities take in relation to the high-risk AI system. When Article 74 market surveillance authorities request reconstructable execution traces, this is the trigger clause. Logs (26(6)) + monitoring (26(5)) + cooperation (26(12)) form the deployer enforcement triangle.
Documentation of intent ≠ evidence of enforcement. Without deterministic replay, retention discipline, and operational evidence at runtime, the deployer's compliance program is observational — not authoritative — and inadmissible when the surveillance authority comes asking. Audit-in-a-Box™ ships the evidence layer.
EU AI Act articles → ISO 42001 clauses → NIST AI RMF functions, mapped in a single decision framework. AI-assisted document review accelerates mechanical work; expert judgment drives interpretation. Aligned with Article 50 transparency principles — every audit report discloses the AI-assisted workflow in the footer.
AI system deep dive. Article 6 + Annex III classification verification. Deployer vs. provider role lock.
Document review (0-5 maturity scoring). Triple-framework crosswalk. Niche framework addenda. Remediation drafting.
Self-audit findings accuracy. Methodology language consistency. Article 50 disclosure footer. Peer network insights woven in.
PDF generation. Executive summary separate. Client pre-read materials sent 24 hours in advance.
Executive summary walkthrough. Deep dive findings. Remediation roadmap. 30-day email Q&A access begins.
Every Audit-in-a-Box™ engagement ships the same ten artifacts. Add-ons available for multi-system audits, niche frameworks (Colorado SB + FRIA + GPAI Article 56), and on-site presentation.
Risk-class determination with reasoning trail. Includes over-classification check against scoping interview data.
All four sub-paragraphs audited — provider disclosure (50(1)), AI-generated content marking (50(2)), emotion / biometric (50(3)), deepfake disclosure (50(4)).
Sub-paragraph specific: 14(4)(a-e) audit. Override decision (14(4)(d)) vs. automation bias awareness (14(4)(b)) vs. stop button (14(4)(e)) — three distinct layers.
Canonical log envelope check. Precursor to Article 26(6) deployer log retention obligation.
(1)(2)(4)(5)(6)(11)(12) — operating instructions, named oversight, input data control, monitoring, log retention, natural-person notification, cooperation duty.
Post-market monitoring readiness. Serious incident reporting trigger map.
Article 10 data governance / Article 15 accuracy + robustness — surfaces dual provider / deployer roles for SaaS with embedded ML.
EU AI Act articles → ISO 42001 clauses → NIST AI RMF functions, mapped to your scope.
Prioritized actions, ownership assignment, budget estimates. Linked to your Article 26 readiness assessment.
CFO / CEO 1-page version + CTO / Legal / DPO 15-25 page deep version + Article 50 disclosure footer template + 30-day email Q&A.
Founding rate locked at €3,999 for the first 10 customers ever. Standard rate €4,999 activates after customer #10. One-time payment. Founding cohort opens May 30, 2026.
Stripe checkout activates on launch day, Fri 30.05.2026. Reserve your founding spot now via a free 15-min discovery call · Cal.com booking · 4h SLA reply. EU B2C 21% IVA inclusive · EU B2B 0% reverse charge · Non-EU 0% export.
Specialization compounds. Six months exclusively on EU AI Act, ISO 42001, and NIST AI RMF — Big4 auditors split time across 50+ frameworks. AI-augmented workflow handles mechanical document review and crosswalking; expert judgment focuses on interpretation, remediation strategy, and peer-level conversation with your team. Result: 80-90% Big4 quality at 25% price, delivered in 7 days vs. 4-8 weeks, with personal delivery — not junior associate handoff.
Audit-in-a-Box™ covers dual provider / deployer roles. If your SaaS embeds ML scoring you built yourself, Article 10 (data governance) and Article 15 (accuracy + robustness) apply. If you're a vendor LLM wrapper, deployer obligations under Article 26 dominate. The audit surfaces both layers and maps each to its appropriate cluster. Some companies are both — Day 1 scoping locks the role split.
Two reasons. First, capacity discipline: 10 customers × 7 days = focused delivery quality, no batching or junior offshoring. Second, peer-builder economics: founding cohort gets locked-in pricing, lifetime priority on future product launches, and direct founder access — not a retainer treadmill. Standard pricing (€4,999) activates automatically after customer #10.
The Omnibus delay applies to Annex III standalone high-risk classification enforcement. Article 50 transparency obligations (deepfake disclosure, AI-generated content marking, emotion / biometric notification) and GPAI Article 53 obligations enter into force August 2, 2026 — not postponed. Most mid-market SaaS deployers face the Article 50 layer before Annex III. Audit-in-a-Box™ addresses both timelines.
Same way modern professional services use Excel for financial modeling — AI tools are analytical infrastructure. They don't make audit decisions. They accelerate the mechanical work (document review, regulatory crosswalking, redundancy detection) so 70% of my time goes to expert judgment: interpretation, remediation strategy, peer-level conversation with your team. We disclose this in every audit report footer, aligned with Article 50 transparency principles.
Yes — additional AI systems for the same company are €1,997 per system add-on (declared pre-audit during Day 1 scoping). For enterprises with 5+ AI systems or full Tier 3 comprehensive audit needs (multi-system, 3-4 weeks), see /pricing for the full ladder including Tier 3 (€15,997) and Tier 4 Custom (€47,997+).