Your AI systems respect your access rules, from day one

Access control is set up at several levels. At the vector-store level, each document chunk is tagged with its original ACLs. At query time, the system filters results according to the authenticated user's permissions, retrieved from your Active Directory or your IAM. No out-of-scope document is passed to the LLM in the context. This approach is detailed in our article on RAG access-control architectures.

EU Regulation 2024/1689 classifies each AI system by its risk level. High-risk systems listed in Annex III (employment, credit scoring, access to essential services, etc.) must comply with Articles 9 to 15: risk management, data governance, technical documentation, logging, transparency, human oversight, accuracy and cybersecurity. Chatbots and generative systems have a transparency obligation under Article 50. The Digital Omnibus of 7 May 2026 postponed the application of the Annex III obligations to 2 December 2027 (instead of 2 August 2026) to allow technical standards to be finalised. Penalties, set out in Article 99, run up to €35 million or 7% of worldwide turnover for breaches of Article 5 (prohibited practices), €15 million or 3% for the other obligations.

IgnitionAI estimate based on 8 engagements run in 2024-2025: once at least two AI systems are deployed in production, a steering committee is useful. It typically brings together the DPO, the CISO, a representative from risk management, a business sponsor and a technical lead. The frequency varies with the number of systems: quarterly for two to three systems, monthly beyond five. The European regulation does not explicitly require such a committee of deployers; it becomes necessary in practice to meet the Article 14 (human oversight) and Article 9 (risk management) obligations.

Yes. Article 17 of EU Regulation 2016/679 (GDPR) provides for the right to erasure of personal data, applicable even when that data is ingested into a vector store or used to train a model. The architectures we design include a targeted erasure mechanism that removes the corresponding vectors without full reindexing. For fine-tuned models, the answer depends on the type of data and whether the weights are identifying, and is analysed case by case with your DPO.

AI governance builds on the data governance already in place. The data catalog references the datasets used by the AI systems. Classification policies (public, internal, confidential, secret) determine which documents an AI system can ingest. Access validation processes extend to the new AI channels. This alignment is documented in a governance map delivered with every engagement.

IgnitionAI estimate based on 8 engagements in 2024-2025: an initial audit of an AI system in production with no compliance documentation takes two to three weeks and costs between €12,000 and €25,000 depending on complexity. The compliance work itself ranges from €15,000 for a simple documentation clean-up to €80,000 if the access architecture needs to be redesigned. These ranges can vary by ±30% depending on your precise context. A firm quote is issued after the audit phase.

The ISO/IEC 42001:2023 standard is the first certifiable international standard dedicated to AI management systems. For a mid-market company operating at least two AI systems in production, the investment pays off on three counts: it covers 80 to 85% of the AI Act's requirements and so eases upcoming regulatory compliance; it is an assurance signal for your clients and partners, particularly in regulated markets; it structures your AI governance along an independently auditable framework. IgnitionAI estimate: a complete certification process takes between 8 and 14 months for a mid-market company, with a total investment (audit, compliance work, certification by an accredited body) between €40,000 and €120,000 depending on initial maturity.

These frameworks don't conflict but reinforce one another. The AI Act brings risk classification and technical-documentation obligations. The GDPR covers the protection of personal data used by AI systems. DORA applies to the financial sector and imposes operational resilience. NIS2 targets the cybersecurity of essential and important entities. For multi-framework mid-market companies, the recommended approach is to build a unified governance layer that aggregates the common requirements (system registry, logging, monitoring, incident plan) and identifies the sector-specific ones. ISO/IEC 42001 certification often serves as the operational skeleton for this integrated approach.

IgnitionAI ranges based on our 2024-2025 engagements: scoping starts around €8,000, a prototype sprint runs between €25,000 and €60,000, and a full production rollout between €80,000 and €250,000 depending on document volume, criticality and the required compliance level — training and code transfer included. Recurring inference costs come on top and are estimated at scoping time. Possible variation of ±30%; a firm quote is issued after the first conversation.

Three workstreams to start now: inventory the AI systems in use (including SaaS tools with embedded AI), classify each system by risk level under Annex III, and document the transparency required by Article 50 for chatbots and generated content. The Digital Omnibus of 7 May 2026 postponed the Annex III obligations to 2 December 2027, but prohibited practices (Article 5) and the transparency obligations already apply. Our AI governance white paper details the full timeline and provides the templates.

The recurring causes we observe on our engagements: a POC validated on ten clean documents but never confronted with real volume, inference costs discovered after the fact, no measurable acceptance criteria, and compliance (access rights, GDPR, AI Act) handled at the end of the project when it actually shapes the architecture. That is exactly what the written go/no-go scoping eliminates: every engagement starts with two weeks that price these four risks before the budget is committed.

The right criterion isn't the daily rate but the cost of delay and the risk of learning on your critical project. Outsourcing the build to a senior consultancy and then bringing operations in-house combines both: production in a few months, and your trained teams take over a documented system whose code you fully own. That is our standard model — intellectual-property transfer is contractual.

Yes. We deploy on your infrastructure or on a French sovereign cloud, with self-hosted open-weights models or European models when the context requires it. The data perimeter is contractual: no document is sent to a third-party API outside your control, the data flows are documented for your DPO and CISO, and the architecture is audited against ANSSI's 35 recommendations for generative AI.