
EU AI Act — your AI Governance Partner for Microsoft Copilot & Foundry.

As an AI governance partner for Microsoft Copilot and Foundry, we bring your AI use cases into a solid governance framework — without paralyzing daily operations. The EU AI Act is no longer a distant warning: training duty under Article 4 since February 2025, full penalty framework up to €35 million or 7% of annual turnover in force since August 2026.

Training duty · since February 2025
Penalty phase · since August 2026
Up to €35 million or 7% of annual turnover
Fixed price after risk inventory

What the EU requires

Four risk classes and three key dates every management team should know.

EU Regulation 2024/1689 — known as the EU AI Act — places every use of artificial intelligence into one of four risk classes. From this, concrete duties follow. We help classify each of your AI use cases correctly.

Class 1

Prohibited (Art. 5)

Certain practices are inadmissible — for example, social scoring by public authorities, manipulative systems, untargeted mass biometric collection. Anyone using such systems risks the highest penalties. We don't take on such use cases at all.

Class 2

High-risk (Annex III)

HR pre-selection, credit scoring, biometric identification, critical infrastructure, education assessment. Strict requirements: conformity assessment, risk management, technical documentation, continuous monitoring. Specialized legal support is needed here — we refer from our partner network.

Class 3

Limited-risk

Chatbots, deepfakes, emotion recognition, generative AI with external impact. Duty: transparency toward users. Typically a large share of Copilot Studio agents falls here. The duty is achievable — but it must be practiced and documented.

Class 4

Minimal risk

Spam filters, recommendation algorithms with low impact, simple classifiers. No specific duties apply from the AI Act here — but the general duties (GDPR, training Art. 4) still apply.

Our AI Governance program

Four building blocks to make you EU AI Act–compliant.

We don't take the AI Act as a brake but as a structural aid. Four building blocks we build with you in 8 to 12 weeks — pragmatic, without bureaucratic overkill.

01

Risk inventory

We map all AI use cases running in your company today — visible and invisible. Microsoft Copilot, custom agents, the ChatGPT browser plugin used by marketing teams, the recruiting application filter. Shadow AI is real and must become visible first.

02

Training concept

Training duty per Art. 4 EU AI Act. We build a role-based concept: management is trained differently from sales, sales differently from IT, IT differently from data protection. With documented training records that stand up to a regulator — not just a checkbox.

03

Use-case classification

Every identified use case is classified as prohibited, high-risk, limited-risk, or minimal. Concrete duties follow from each class, and from those duties the measures — from the transparency notice in the chatbot to the conformity assessment for a high-risk use case.

04

Audit trail

We build an audit trail on top of Microsoft Purview and Microsoft Entra ID: who used which agent, when, with which question, which answer, and which data source. This isn't only an EU AI Act duty — in a damage event it's the only way to investigate a hallucination after the fact.

Concrete compliance checks

What we examine in the risk inventory.

This list is not exhaustive, but it shows the depth of our first review. Each topic is documented with status (red, yellow, green), reasoning, and concrete action.

Training duty (Art. 4)

Are all staff who work with AI systems demonstrably trained? Is a role-specific concept in place? Are trainings refreshed annually? Are new staff included at onboarding? Frequent gap: an Excel list with checkboxes and no content depth.

Transparency duty

When a person interacts with an AI system, they must know it. For chatbots, service agents, generative AI with external impact. We check whether the notices are unambiguous, persistent, and not hidden. Frequent gap: notice only in the terms, not in the interface.

EU Data Boundary for Copilot

Microsoft 365 Copilot can be configured for EU data residency. We check the tenant setup, region assignment, and data-flow logic. Frequent gap: tenant configured "worldwide", US data flow not excluded.

Permissions and data hygiene

We check whether Copilot or custom agents can access data they shouldn't see. Frequent weakness: SharePoint sites with "everyone in the company can read" permissions that grew historically and today contain HR records.

Custom-agent classification

Per custom agent we check the use case against the EU AI Act risk class. An internal FAQ bot is usually "limited risk". An applicant pre-selection agent is high-risk. From the classification follow the measures — up to recommending not to build the agent this way.

Logging and audit trail

We check whether all relevant AI interactions are logged. Microsoft Purview provides a good standard but must be configured correctly. Frequent gap: logs enabled but never reviewed — and a retention of 30 days instead of 12 months.

Honest carve-out

What we are not.

We are not a law firm. We are Microsoft consultants with deep knowledge of the EU AI Act and its technical implementation. For formal legal assessments, for conformity assessments with notified-body support for high-risk systems, and for on-site audits by a regulator, we refer to specialized law firms in our DACH partner network.

What we do deliver: a pragmatic, technically grounded AI governance that fits the Microsoft stack — Copilot, Copilot Studio, Microsoft Purview, Microsoft Entra ID. We advise, document, train. The legal stamp at the end is provided by a law firm we sit at the table with.

FAQ

What management wants to know before the initial conversation.

What does the EU AI Act specifically require?

EU Regulation 2024/1689 distinguishes four risk classes: prohibited practices (Art. 5), high-risk systems (Annex III), limited-risk systems with transparency duty, and minimal risk. Since February 2025, the AI training duty under Art. 4 applies to all companies that use or provide AI systems. From August 2026 the full penalty framework applies to high-risk systems.

Does the training duty also apply if we only use Microsoft Copilot?

Yes. The training duty from Art. 4 EU AI Act applies to every organization that uses AI systems — regardless of whether they develop them themselves or buy them as a service. Anyone using Microsoft 365 Copilot, ChatGPT Enterprise, or custom agents must demonstrably train their staff. The depth depends on role and risk class of the system.

How high are the penalties?

The EU AI Act provides for penalties of up to €35 million or 7% of global annual turnover — depending on the violation and company type. Violations of provisions for high-risk systems attract the highest range. Violations of transparency or training duties are lower but still significant.

Which use cases are high-risk?

Annex III of the EU AI Act lists the high-risk areas — including HR pre-selection, credit scoring, biometric identification, critical infrastructure, and education assessment. Anyone using a Copilot Studio agent in one of these areas must meet strict compliance requirements.

What does an AI governance program cost?

For mid-sized companies we work in a fixed-price frame — depending on the number of AI use cases, organization size, and depth of training-concept design. Larger organizations with their own model development are quoted individually.

How long does an AI governance project take?

A typical program run takes 8 to 12 weeks — risk inventory in the first two weeks, classification and training-concept development in parallel, then rollout of the training and audit-trail buildout. The result is a documented AI governance framework reviewed annually.

Are you lawyers?

No — and we say so explicitly. We are Microsoft consultants with deep knowledge of the EU AI Act and its technical implementation. For formal legal assessments, conformity assessments with notified-body support, and on-site audits we recommend specialized law firms — we work with three permanent partners in DACH.

30 min · confidential · no obligation

Where does your AI governance stand today?

We listen to your situation, make a first risk assessment of your active AI use cases, and tell you honestly where the biggest need for action lies — before the regulator asks.

Accompanying services

What typically runs alongside this engineering work.

Engineering projects rarely stand alone — license logic, architecture clarification, quality gates, knowledge transfer, and follow-on operations usually run in parallel. Here are the most common accompanying services we add to Discovery Spikes, sprint fixed-price engagements, or Application Care contracts.

Up front · architecture

Advisory & Architecture

Before implementation: tenant structure, data model, security concept, integration mapping. The result is an architecture document any engineering team can pick up — including one other than us.


Up front · CSP

License Advisory & CSP

Which license bundles for which users, which add-on SKUs are needed, where you are over- or under-licensed. Procured via a Microsoft Licensing Partner — with the option to use CSP purely as a control mechanism without margin maximization.


During · quality gate

Project Assurance

Independent second opinion during a running implementation project — whether we are delivering it or another partner. CMMI-based quality gates, risk reviews, fixed price per gate.

During · adoption

Training & learning program

Not the classic two-day workshop that's forgotten after a week — but a dynamic learning program over 4–6 weeks with kickoff training, application phases, and advanced sessions. Training matrix for roles and topics.


After · operations

Application Care

After go-live: a predictable Application Care contract with monthly flat rate, SLA-based. Includes releases, hotfixes, extensions, tenant hardening — and continuous support instead of merely reacting to tickets.


After · knowledge

Knowledge Recovery

When the original developers are gone, the previous partner is no longer reachable, or the documentation is outdated — reverse engineering of the existing solution with a documented result: code map, data model, customization inventory.
