Spekir

FROM SCATTERED INITIATIVES TO REGISTER AND CONTROL

AI Governance Starter

A two-week structured engagement that gives you an overview of AI initiatives, risk classification and a governance model proportional to your needs.

2 weeks

What is it?

Mapping your AI initiatives, risk classification and a governance model proportional to your needs.

We map your current AI initiatives, classify them by risk, define decision authorities and create an AI register in Atlas. All proportional to your actual risk profile — not a bureaucracy.

What do you get?

  • AI register in Atlas
  • Governance one-pager
  • Decision matrix for AI initiatives
  • Compliance approach proportional to risk profile

When does it make sense?

  • You have 5+ AI initiatives without central oversight
  • EU AI Act requires documentation you don't yet have
  • Leadership asks what AI costs and who decides what
  • You want to anchor AI responsibly before it scales

HIDDEN AI FEATURES IN YOUR SAAS

Shadow AI across sales, customer service, marketing and operations

AI features are being switched on in Salesforce, HubSpot, Zendesk, Intercom, Mailchimp, Adobe and Microsoft 365 without IT in the loop. Customer data, pipeline information, support conversations, email lists and internal notes are being sent to models no one has approved. For CIO and CISO it's a governance problem, not a sales, support or marketing enablement question.

Three regulatory points are typically overlooked:

  1. Chatbots must disclose they are AI

    AI Act transparency requirement. Hits Zendesk AI, Intercom Fin, Drift, HubSpot chatbot and internal GPT wrappers on customer service.

  2. AI-generated content must be identifiable

    AI Act requirement covering text, images, video and audio made with Copy.ai, Jasper, HubSpot Breeze, Adobe Sensei or internal pipelines.

  3. Automated decisions require human review

    GDPR Art. 22. Hits marketing automation and lead scoring that decides which customers get which offers without human review.

In addition, emotion recognition on employees is prohibited under AI Act Art. 5. Voice analysis on customer calls can hit GDPR and AI Act simultaneously. Using these tools isn't inherently a problem, but it is a problem if no one checked the rules before they were switched on.

HR AI AND THE EU AI ACT

HR AI is high-risk. Few have figured that out yet.

The EU AI Act classifies AI used in recruitment, screening, selection, performance evaluation and decisions on hiring, promotion and termination as high-risk. In parallel, emotion recognition on employees in workplace contexts is prohibited.

That means HR departments using HireVue, Workday Skills Cloud, LinkedIn Recruiter or internal tools for CV screening or performance evaluation carry obligations they didn't choose:

  • Conformity assessment of the system
  • Fundamental Rights Impact Assessment (FRIA)
  • Registration in the EU AI database
  • Human oversight of AI output
  • Documentation and log-keeping
  • Transparency to employees and candidates
  • GDPR Art. 22 human review of individual decisions

Most midmarket organisations already run HR AI without these obligations in place. Not because someone made a bad decision, but because AI features got switched on as part of a standard subscription. We help CIO, CHRO and DPO map which HR AI systems are in use, which fall under high-risk, and which obligations follow.

THE DATA TRACK

Where does data actually go when AI gets switched on?

AI governance starts with data governance. Most organisations that ask us about AI governance don't have a clear picture of where data sits, who owns it, or which data is OK to send to an external model. It's not necessarily a standalone data strategy project. But it's a question that must be answered before AI can be switched on responsibly.

Inside the AI Governance Starter we map the data flow for AI features already in use: which systems draw on customer data, pipeline data, employee data, finance data? Where is it sent? Is it inside the EU? Who approved it? That gives you a realistic data governance baseline to build from.

We don't do full data strategy, data mesh implementation, master data management or Collibra/Alation configuration. That's partner territory. We do what you need to activate AI responsibly.

WHAT WE DON'T PROMISE

Honesty before selling

  • We don't implement Salesforce Einstein, HubSpot Breeze, Zendesk AI, Intercom Fin, Workday, HireVue, LinkedIn Recruiter or Copy.ai. That's partner territory.
  • We don't build lead scoring, chatbots, sentiment analysis models, CV screening or marketing content generation pipelines.
  • We're not lawyers. We point to the obligations and map the exposure. Conformity assessment, FRIA and GDPR documentation are produced with your counsel and DPO.
  • We don't claim AI reduces bias in recruitment. The research is mixed and often negative. It's a red flag if a vendor claims it without evidence.

Ready to get started?

Send an email and we'll find two weeks that work for you.

Talk to us about AI governance →