Skip to content Skip to footer

AI Act: The 5 Steps to Map Your Sensitive AI Flows

ART-03 · Neo Coeur Intelligence · Published: May 2026 · Updated: EC Guidelines May 19, 2026

📋 TABLE OF CONTENTS

00.Introduction
I.General Overview, the AI Act and its stakes
1.1Definition and regulatory foundations
1.2Importance and stakes
II.Detailed Analysis, classification and scope
2.1Current situation and regulatory calendar
2.2Issues encountered
2.3Concrete cases and sector examples
III.Solutions, the 5 mapping steps
3.1Step 1, Build the team and define the scope
3.2Step 2, Conduct the exhaustive inventory
3.3Step 3, Classify against the AI Act risk grid
3.4Step 4, Assess exposure and prioritize
3.5Step 5, Document and maintain over time
3.6AI Act mapping checklist
IV.Conclusion
V.Bibliographic references

Introduction

In a context where artificial intelligence systems are massively integrated into the decision-making processes of public and private organizations, the question of their regulatory compliance has become a strategic issue of the first order. The entry into force of Regulation (EU) 2024/1689, known as the AI Act, on August 1, 2024 marks the most structuring regulatory turning point of the decade for any organization deploying AI systems in Europe.

The central question this article addresses is the following: how can an organization, in a rigorous and defensible manner, identify which AI systems it deploys, assess their risk level under the Regulation, and prioritize its compliance actions before the critical deadline of August 2, 2026?

The objective of this article is to propose a five-step structured methodology to conduct this mapping, from the initial inventory of systems to the establishment of continuous governance. Each step is based on the specific provisions of the official text of Regulation (EU) 2024/1689, enriched by the guidelines published by the European Commission on May 19, 2026.

⚡ REGULATORY UPDATE, MAY 19, 2026

The European Commission has published its highly anticipated guidelines on the classification of high-risk AI systems under Article 6 of Regulation (EU) 2024/1689. Open for public consultation until June 23, 2026, these guidelines clarify that high-risk qualification depends on the concrete use case and not solely on membership in an Annex III category, reinforcing the urgency of a documented and methodical mapping.

I. General Overview: The AI Act and Its Stakes

1. Definition and Regulatory Foundations

Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 constitutes the first comprehensive global legal framework dedicated to the regulation of artificial intelligence systems. Published in the Official Journal of the European Union on 12 July 2024, it establishes harmonized rules applicable across all Member States, creating a unified framework for the development, placing on the market and use of AI systems.

The Regulation adopts a risk-based approach that distinguishes four risk levels (unacceptable, high, limited and minimal) determining the regulatory regime applicable to each system. This pyramidal architecture is the cornerstone of any mapping exercise.

FIGURE 01 · AI ACT RISK PYRAMID — REGULATION (EU) 2024/1689ART. 5 · 6 · 50
⊘ PROHIBITED
Article 5
Social scoring · Manipulation
⚠ HIGH RISK
Article 6 + Annex III
Credit scoring · HR · Biometrics · Infrastructure
⚡ LIMITED RISK
Article 50
Chatbots · Generative AI · Recommendations
✓ MINIMAL RISK
No specific obligation
Spam filters · Video games · Productivity tools
Source: Regulation (EU) 2024/1689, Articles 5, 6 and 50 — risk classification structure

2. Importance and Stakes

Economic and financial stakes

The penalties provided by Article 99 of the Regulation are commensurate with the stakes. Non-compliance with provisions relating to prohibited AI practices exposes organizations to fines of up to 35 million euros or 7% of global annual turnover. Non-compliance with obligations applicable to high-risk systems can lead to penalties of up to 15 million euros or 3% of turnover.

FIGURE 02 · STRUCTURE OF SANCTIONS — ARTICLE 99, REGULATION (EU) 2024/1689ART. 99
ARTICLE 5 INFRINGEMENT
35 M€
or 7% global turnover
Prohibited AI practices
ARTICLES 9-15 INFRINGEMENT
15 M€
or 3% global turnover
High-risk system obligations
INCORRECT INFORMATION
7.5 M€
or 1% global turnover
False declarations to authorities
The higher amount between the fixed amount and the percentage of turnover applies — Article 99(5)

Regulatory stakes

The AI Act sits within a context of regulatory convergence with the GDPR (Regulation (EU) 2016/679) and, for financial organizations, with the DORA Regulation (Regulation (EU) 2022/2554). AI flow mapping is the junction point of these three regulatory frameworks: a single well-conducted exercise can simultaneously serve all three compliance regimes.

Technological stakes

The shadow AI phenomenon, the undeclared use of AI systems by business teams without centralized supervision, makes declarative inventory alone insufficient. According to recent studies by the Gartner firm, more than 40% of enterprise AI usage in 2025 escapes centralized IT supervision.

II. Detailed Analysis: Classification and Scope

1. Current Situation and Regulatory Calendar

Regulation (EU) 2024/1689 follows a progressive application calendar, each stage of which generates specific obligations and compliance actions to anticipate.

FIGURE 03 · APPLICATION CALENDAR — REGULATION (EU) 2024/1689TIMELINE
AUG 1, 2024
Regulation enters into force EFFECTIVE
Publication in the OJEU — start of the progressive application cycle
FEB 2, 2025
Prohibited practices + AI literacy EFFECTIVE
Article 5 (prohibitions) + AI training obligations for organizations
AUG 2, 2025
GPAI obligations, general-purpose AI models EFFECTIVE
Chapter V, Articles 51-56 — LLM providers, foundation models
AUG 2, 2026
⚡ MAIN DEADLINE, Annex III high-risk systems URGENT
Articles 9 to 15 + Article 26 — full obligations for providers AND deployers
AUG 2, 2027
Annex I regulated products 2027
AI in medical devices, machines, aircraft — full Annex I directive
Source: Regulation (EU) 2024/1689, Article 113 — entry into force and application

2. Issues Encountered

The dual classification pathway (Article 6)

Article 6 defines two distinct pathways through which an AI system can be qualified as high-risk. Mastering these two pathways is essential to any exhaustive mapping.

Pathway 1, Article 6(1): An AI system constituting a safety component of a product covered by Annex I (medical devices, machines, lifts, vehicles, aircraft) is automatically high-risk if the product is subject to third-party conformity assessment.

Pathway 2, Article 6(2): A system belonging to one of the eight Annex III categories is presumed high-risk, unless the Article 6(3) exclusion clause applies.

FIGURE 04 · 8 ANNEX III CATEGORIES — HIGH-RISK AI SYSTEMSANNEX III
01
🔍
Biometrics
Identification · Verification · Categorization
02
Critical Infrastructure
Energy · Water · Transport · Networks
03
🎓
Education & Training
Assessment · Orientation · Exams
04
👥
Employment & HR
ATS · Evaluation · Workplace monitoring
05
💼
Essential Services
Credit scoring · Social benefits · Insurance
06
Law Enforcement
Polygraph · Evidence · Profiling
07
🌍
Migration & Borders
Security risk · Asylum · Control
08
🏛
Justice & Democracy
Judicial assistance · Election influence
Source: Regulation (EU) 2024/1689, Annex III — list of high-risk AI systems referred to in Article 6(2)

⊘ ABSOLUTE LIMIT: PROFILING

Regardless of the configuration of use, an AI system listed in Annex III that performs profiling of natural persons can never benefit from the Article 6(3) exclusion clause. This limit is explicitly set by the Regulation.

3. Concrete Cases and Examples

💼 CASE 1, The HR paradox: the ATS presumed high-risk

An ATS (Applicant Tracking System) integrating scoring and automatic candidate triage functionalities falls under Annex III category 4. Even if the tool is presented as a simple "decision aid", as soon as it structures the presentation of candidates and orients the recruiter's choice, it generally cannot benefit from the Article 6(3) exclusion. Result: Articles 9 to 15 obligations fully applicable.

🏦 CASE 2, Automated credit scoring

A credit scoring model used by a financial institution falls under Annex III category 5 (essential services). Its direct impact on natural persons' access to credit automatically qualifies it as high-risk, with the corresponding obligations of explainability (Article 13), effective human oversight (Article 14) and FRIA assessment for the deployer (Article 27).

✓ CASE 3, Successful declassification

A predictive analysis system for a building's energy consumption (Annex III category 2) can benefit from the Article 6(3) exclusion if it limits itself to generating threshold-exceedance alerts without directly influencing decisions affecting natural persons, provided this exclusion is formally documented (Article 6(4)).

III. Solutions and Recommendations: The 5 Mapping Steps

FIGURE 05 · OVERVIEW — 5-STEP METHODOLOGYPROCESS
1
Governance & Scope
Team · RACI · Scope
2
Exhaustive Inventory
Register · Shadow AI · Sheets
3
Classification
Art. 6 · Annex III · Tree
4
Exposure & Priorities
Gap · FRIA · Action plan
5
Documentation & Governance
Annex IV · EU register · Maintenance
Neo Coeur Intelligence methodology — each step produces auditable deliverables

Step 1, Build the Team and Define the Scope

1
STEP

Governance and scope definition

Identify stakeholders, define the boundaries of the mapping and establish project governance, an indispensable condition for inventory exhaustiveness.

AI flow mapping goes well beyond the boundaries of IT alone. Systems likely to be high-risk are found in HR (recruitment, evaluation), Finance/Risk (scoring, actuarial), Operations (infrastructure supervision) and Legal. Building a multidisciplinary team from the start is a sine qua non condition.

  • Sponsor: CISO or DPO depending on the organization
  • Business representatives: HR, Finance/Risk, Operations, Marketing, Legal
  • CIO / Enterprise Architect: technical inventory
  • Specialized AI lawyer: interpretation of Articles 6, Annex III
  • Executive committee: classification validation and budget arbitration

The scope must cover the organization both as provider (Article 3(3), develops or has developed) AND as deployer (Article 3(4), uses under its responsibility), the obligations differing substantially according to this role.

Step 2, Conduct the Exhaustive Inventory

2
STEP

Inventory of all AI systems

Inventory all AI systems deployed, in development or in acquisition, including shadow AI, across all business units.

Four complementary methods must be combined to ensure exhaustiveness:

  1. Declarative questionnaire to business units, a structured form identifying AI tools (automation, NLP, vision, recommendation).
  2. Analysis of purchases and contracts, review of SaaS licenses (Microsoft 365 Copilot, Salesforce Einstein, Workday, SAP SuccessFactors).
  3. Technical review of the application portfolio, AI frameworks (TensorFlow, PyTorch, OpenAI API, Anthropic, Google).
  4. Interviews with data science teams, internally developed models, automated pipelines.

Step 3, Classify Against the AI Act Risk Grid

3
STEP

Applying the classification grid

Apply Articles 5, 6 and Annexes I, II, III to each inventoried system to determine its risk level and corresponding obligations.

Classification follows a sequential decision tree of eight questions:

  1. Does the system execute a practice prohibited by Article 5? → Absolute prohibition
  2. Is it a safety component in an Annex I product subject to third-party assessment? → High risk Art. 6(1)
  3. Does it belong to one of the 8 Annex III categories? → Potentially high risk Art. 6(2)
  4. If Annex III: does it perform profiling? → High risk without possible derogation
  5. If Annex III and no profiling: does it meet one of the Article 6(3) exclusion conditions?
  6. If yes to 6(3): mandatory documentation Art. 6(4)
  7. Is it a GPAI model (Chapter V)? → Articles 53 and 55 obligations
  8. Does the system generate content without transparency? → Art. 50

Step 4, Assess Exposure and Prioritize Actions

4
STEP

Gap analysis and prioritized action plan

Identify the obligations applicable according to the role (provider/deployer), assess current maturity and prioritize compliance actions.

FIGURE 06 · PROVIDER OBLIGATIONS — ARTICLES 9 TO 15 (HIGH-RISK SYSTEMS)ART. 9-15
ARTICLE 9
Risk Management
Iterative process covering the entire lifecycle, identification, evaluation and verification testing
ARTICLE 10
Data Governance
Documentation of origin, preparation and representativeness of training data, anti-bias measures
ARTICLE 11
Technical Documentation
14 minimum headings defined in Annex IV, kept up to date at every substantial modification
ARTICLE 12
Automatic Logging
Keeping logs allowing traceability and production monitoring over a defined period
ARTICLE 13
Transparency
Clear information on operation, capabilities and limits, complete instructions for use
ARTICLE 14
Human Oversight
Effective ability of the operator to understand, monitor, correct and stop the system
ARTICLE 15
Accuracy, Robustness and Cybersecurity
Defined and documented performance levels, resistance to errors and adversarial attacks, protection against manipulation
Source: Regulation (EU) 2024/1689, Chapter III, Section 2 — Obligations of providers of high-risk AI systems

Step 5, Document, Register and Maintain Over Time

5
STEP

Formal documentation and continuous governance

Produce Annex IV documentation, register in the European database (Article 49) and establish processes to maintain the mapping.

Article 49 requires the registration of high-risk AI systems in the public European database before placing on the market (providers) or putting into service (certain deployers). Annex VIII of the Regulation defines the information to be submitted.

Technical documentation (Annex IV) must cover 14 minimum headings: architecture, training data, performance metrics, risk management, robustness, cybersecurity, instructions for use, planned human oversight, post-market monitoring plan. This documentation must be updated at every substantial modification of the system.

Continuous governance

Three organizational mechanisms are essential to maintain the mapping over time:

  • Pre-approval AI process, any new AI initiative goes through a classification review before development or purchase.
  • Annual mapping review, complete audit of the inventory, update of classifications, alignment with NIS2 reporting cycles.
  • Continuous regulatory watch, monitoring of publications from the European Commission (AI Office), the European Parliament and competent national authorities.

📋 AI ACT MAPPING CHECKLIST

Step 1, Governance

  • Multidisciplinary team established (CISO/DPO + Business + IT + Legal + Executive)
  • Organizational and geographic scope documented
  • Roles and responsibilities formalized in RACI
  • Project calendar with milestones approved

Step 2, Inventory

  • Declarative questionnaire sent to all business units
  • Vendor contracts and SaaS licenses analyzed
  • Application portfolio reviewed with IT
  • AI Inventory register built
  • Descriptive sheets produced for each system

Step 3, Classification

  • AI Act decision tree applied to each system
  • Prohibited systems (Article 5) identified, withdrawal plan in place
  • High-risk systems classified with documented legal basis
  • Article 6(3) declassification notes drafted and retained
  • GPAI models (Chapter V) identified

Step 4, Exposure and prioritization

  • Provider vs deployer obligations identified per system
  • Maturity assessment carried out per system
  • FRIA conducted for concerned deployers (Article 26(9))
  • Prioritized and budgeted action plan validated by management

Step 5, Documentation and continuous governance

  • Annex IV documentation drafted for each high-risk system
  • Registration in the European database (Article 49) completed
  • Pre-approval AI process in place
  • Regulatory watch organized and planned

IV. Conclusion

Mapping sensitive AI flows under Regulation (EU) 2024/1689 goes beyond a simple regulatory obligation. It constitutes the foundation of responsible AI governance, the starting point of any credible compliance strategy, and the opportunity for every organization to take full measure of its algorithmic estate: its strengths, its vulnerabilities and its responsibilities.

The five steps presented in this article (build the team, conduct the inventory, classify against the AI Act grid, assess exposure, document for the long run) form a coherent and progressive process. They apply to any organization, regardless of initial maturity. The checklist provided is an immediately operational steering tool for CISO, DPO and compliance teams.

Yes, it is possible to rigorously map sensitive AI flows before August 2, 2026. The condition is simple: start now, adopt a multidisciplinary approach and treat this exercise as a strategic investment in the organization's resilience and competitiveness.

Organizations that engage in this approach today do not endure AI Act compliance. They use it to outpace competitors, reassure customers and secure contracts in an increasingly regulated digital environment. In a market where algorithmic trust is becoming a decisive differentiating factor, a well-conducted AI Act mapping is not a cost, it is an intelligence.

Assess your AI Act exposure

First 30-minute call offered

Neo Coeur Intelligence helps organizations conduct their AI Act mapping end to end, with deliverables directly usable before competent national authorities.

📧 contact@neocoeurintelligence.com · 🌐 neocoeurintelligence.com · 📍 London · Paris

→ Assess my AI risks → Book a call

V. Bibliographic References

Official legislative texts

Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 (AI Act). OJEU L, 12 July 2024. eur-lex.europa.eu

Regulation (EU) 2016/679 of 27 April 2016 (GDPR). OJEU L 119, 4 May 2016. eur-lex.europa.eu

Regulation (EU) 2022/2554 of 14 December 2022 (DORA). OJEU L 333, 27 December 2022. eur-lex.europa.eu

Directive (EU) 2022/2555 of 14 December 2022 (NIS2). OJEU L 333, 27 December 2022.

Official publications of the European Commission and the AI Office

European Commission. Draft guidelines on the classification of high-risk AI systems under Article 6. May 19, 2026, public consultation until June 23, 2026. leto.legal

AI Act Service Desk, European Commission. AI Act Explorer. ai-act-service-desk.ec.europa.eu

AI Office. Guidelines on the scope of obligations for providers of General-Purpose AI (GPAI) models. July 18, 2025.

Future of Life Institute. AI Act Explorer. artificialintelligenceact.eu

Doctrinal analyses and compliance guides

Abilene Academy. EU AI Act, the complete compliance guide for the August 2, 2026 deadline. May 2026.

Marine de la Clergerie. AI Act Article 6: Rules on the classification of AI systems as high-risk systems. MDC Avocat, May 19, 2026.

Cloix Mendès-Gil. AI systems: the 4 risk levels of the European regulation. June 17, 2025.

Aumans Avocats. AI Act: High-Risk AI Systems, What Are the Challenges and Obligations? March 28, 2025.

Steptoe. EU AI Act Obligations for GPAI Models Now Applicable. August 5, 2025.

Modulos. EU AI Act, General-Purpose AI Models (Chapter V, Articles 51-56). May 2026.

Gartner Research. Shadow AI in Enterprise Organizations, 2025 Survey Data.

© 2026 Neo Coeur Intelligence, all rights reserved.
This article is provided for informational purposes only and does not constitute legal advice.
www.neocoeurintelligence.com

Leave a comment