You don't need a compliance programme yet.
You need to see where you stand.

See exactly what you have — and what's missing — before you spend on compliance. One system. 72 hours. A review-ready evidence pack you can take to your board, auditor, or advisor.

If you cannot produce this evidence today, you are not ready for review.

From USD 3,500 per defined AI system Human-reviewed release Defined scope · 72-hour delivery Article 26 logging support

Defined scope confirmed before work begins. No surprises.

engagement_ref: "ENG-XXXX-0091"
system_name: "[AI System Name]"
risk_classification: null
intended_purpose: "[Extracted from vendor documentation]"
bias_testing: "Algorithms tested for protected characteristics" DOCUMENTED
human_oversight: "[Oversight mechanism description]"
training_data: null
validation_state: "incomplete"
evidence_coverage: "4/10"
requires_action: true

reviewer_id: "[human_reviewer]"
reviewed_at: "YYYY-MM-DDTHH:MM:SSZ"
payload_hash: "a8f3e71d04b29c6f88...b4c209e7"
status: "released"

EU AI Act enforcement begins August 2, 2026, with evolving timelines under current regulatory proposals. Most organisations remain unprepared for structured evidence requirements.

The real problem

Most teams do not have a compliance gap first. They have an evidence visibility gap.

You do not need a six-figure programme to find out where the gaps are.

Before committing to consultants, governance platforms, or internal build work, most teams need one thing first: a bounded, credible answer they can review quickly.

That is what AnnexLayer delivers. One AI system. Defined inputs. Structured output. 72 hours. It is not consulting. It is not certification. It is not legal advice.

What usually forces action

Teams move when someone asks for evidence they cannot produce.

Board or leadership asks where the organisation stands

Procurement or vendor-risk review demands AI governance evidence

Internal audit asks for structured documentation

External advisor or legal team needs a bounded starting position

Timelines compress before anyone knows the size of the problem

How the workflow works

From scattered documentation to a review-ready evidence state.

01
Documentation intake
You provide source documentation for one defined AI system: vendor materials, policies, terms, DPAs, or internal references.
02
Independent extraction
Structured extraction identifies what is documented, what is missing, and where fields return no usable evidence.
03
Human-reviewed release
Flagged discrepancies are reviewed before release, with reviewer ID, timestamp, and rationale recorded for traceability.
04
Decision-ready delivery
You receive a report and JSON evidence pack showing where you stand now, before you commit to any larger spend.

This is what "where we stand" actually looks like.

A released, human-reviewed evidence state for one AI system. One report for governance review. One payload for system ingestion. One release gate before anything moves forward.

These are the gaps auditors, regulators, and governance teams will see first.

AnnexLayer · Evidence Report · ConfidentialRedacted Output
4 of 10 Annex IV fields carry documented evidence.6 fields returned no evidence from source documentation. Remediation required before formal review.
Annex IV FieldStatusExtracted ValueAction
System NameDOCUMENTED[AI System Name]
Bias TestingDOCUMENTEDAlgorithms tested for protected characteristics
Intended PurposeDOCUMENTED[Intended purpose as stated by vendor]
Human OversightDOCUMENTED[Oversight mechanism description]
Risk ClassificationNOT DOCUMENTEDNo evidence in source documentationRemediate
Training Data SourcesNOT DOCUMENTEDNo evidence in source documentationRemediate
Data Retention PeriodNOT DOCUMENTEDRemediate
This system cannot proceed to conformity assessment in its current evidence state. 6 critical gaps require remediation.
RELEASE APPROVED
Release Gate — Human Review
Reviewed by: [Human Reviewer]
Release Status: Approved
Reviewed: DD MMM YYYY · HH:MM UTC
SHA-256: a8f3e71d...b4c209e7
System Output · Structured EvidenceImmutable After Release
System Output — evidence.json
Machine-readable · Immutable after release
evidence.json
{
"engagement_ref": "ENG-XXXX-0091",
"system_name": "[AI System Name]",
"risk_classification": null,
"intended_purpose": "[Extracted purpose]",
"bias_testing": "Protected characteristics",
"human_oversight": "[Oversight mechanism]",
"training_data": null,
"annex_iii_category": null,
"data_retention": null,
"sub_processors": null,
"last_audit_date": null,
 
// validation state
"validation_state": "incomplete",
"evidence_coverage": "4/10",
"remediation_flags": 6,
"requires_action": true,
"critical_nulls": [
"risk_classification",
"training_data",
"data_retention",
"sub_processors",
"last_audit_date",
"annex_iii_category"
],
 
// release control
"status": "released",
"release_blocked": false,
"reviewer_id": "[human_reviewer]",
"reviewed_at": "YYYY-MM-DDTHH:MM:SSZ",
"corrections": N,
"immutable_after": "YYYY-MM-DDTHH:MM:SSZ",
"payload_hash":
"a8f3e71d04b29c6f8812de4a7b5
f093c21ea684db9017f4c2b4c209e7"
}

Every engagement ends here. Either the evidence is documented — or the gaps are surfaced. Both outcomes move you forward.

All identifying data anonymised. Structure reflects real engagement output.

Start with clarity

The smallest credible first step before bigger compliance spend.

Most teams delay because every option looks like a large commitment. Start with one system, see the gaps, and then decide what to do next.

Pre-Evidence Engagement

Defined-scope evidence workflow for one AI system. Shows what is documented, what is missing, and what needs remediation — before you commit to anything bigger.

From USD3,500 one-time · one defined system
One AI system, defined scope confirmed before work begins Annex IV field mapping and evidence classification Gap identification with remediation context Human-readable evidence report (PDF) Machine-readable JSON evidence pack Human-reviewed release with audit trace 72-hour delivery after confirmed input completeness
See where you stand in 72 hours

Scope is confirmed before work begins. No surprises. No open-ended commitment.

Need broader scope? Additional systems, conformity pre-checks, or ongoing evidence maintenance are scoped and quoted after initial engagement. Discuss broader scope →
What happens after your report

Once you can see the shape of the problem, you can decide what to do next.

Brief leadership

Put a bounded, reviewable answer in front of your board or governance lead.

Engage advisors

Bring structured evidence into consultant or legal conversations instead of starting from uncertainty.

Prepare for audit

Use identified gaps to prepare for internal review or external readiness work.

Decide whether to build

Determine whether internal remediation or platform spend is justified based on clear evidence.

Expand carefully

Move from one system to wider coverage only after the first evidence state is visible.

Scope and limitations

A bounded answer. Clear edges. No ambiguity.

What is included

  • Structured evidence extraction for one defined AI system
  • Annex IV-aligned field mapping
  • Evidence classification: documented, partial, or missing
  • Gap identification and remediation guidance
  • Review-ready PDF report and structured JSON evidence pack
  • Human-reviewed release with corrections log

What is not included

  • Legal advice or regulatory interpretation
  • Notified body assessments
  • Full conformity assessments
  • On-site audits or implementation work
  • Unlimited systems without defined scope

What we need from you

  • System documentation and relevant materials
  • System context and intended use case
  • Existing policies or logs where applicable
  • Defined scope for the system under review

Delivery and terms

  • Delivery within 72 hours after confirmed input completeness
  • Includes PDF report and structured JSON evidence pack
  • Payments are non-refundable once processing has started
  • Outputs support review, procurement, and audit preparation
Built for review and release

Every output is reviewable, traceable, and structured for governance workflows.

Evidence Visibility First

The purpose is to show exactly what is documented, what is missing, and where visibility ends.

Human-Reviewed Release

No output is released without human review. Reviewer actions, timestamps, and corrections are recorded before release.

Auditability & Retention

Structured traceability, release markers, and records aligned to Article 26 logging and retention workflows.

Machine + Human Use

Outputs are prepared for both governance review and downstream system ingestion.

No client data is used for AI model training. Processing is configured with explicit training opt-outs and controlled data handling.

Frequently asked questions

The questions budget approvers ask before they say yes.

Why not go straight to consultants?

Most teams don't yet know the size of the gap. This gives a bounded answer first, before larger spend is committed.

What do we receive in 72 hours?

A human-readable evidence report and a machine-readable JSON evidence pack for one defined AI system, with human-reviewed release and audit trace.

What does "where we stand" mean?

Which fields carry documented evidence, which return nothing, and where remediation is required — in a structured format you can review and share.

What counts as one AI system?

One distinct AI application, model, or workflow with a defined intended purpose. Scope is confirmed before work begins.

Is this enough before audit?

It is the first step. A defensible evidence position you can use before internal audit, advisor engagement, or wider programme decisions.

What if we have multiple systems?

Start with one. Understand the shape of the problem before deciding whether broader scope is justified.

How is this different from internal work?

Internal teams know documentation exists but can't see the evidence state clearly. AnnexLayer compresses that discovery into a bounded deliverable.

Is this legal advice or certification?

No. AnnexLayer prepares structured evidence outputs to support internal review, procurement, audit preparation, and advisory workflows.

Regulatory Notice. AnnexLayer provides structured evidence outputs derived from client-supplied documentation and publicly available information sources. Such outputs are prepared to support governance review, procurement evaluation, evidential preparation, and pre-audit decision-making workflows.

Service Limitation. AnnexLayer does not provide legal advice, regulatory interpretation, notified body services, conformity assessments, or any formal determination of compliance under the EU AI Act or any other regulatory framework.

Responsibility Allocation. Responsibility for regulatory compliance, documentation accuracy, implementation decisions, and deployment controls remains solely with the deploying organisation and its appropriately qualified advisors.