This document outlines how ISMS Copilot complies with the EU Artificial Intelligence Act (Regulation (EU) 2024/1689). It confirms the system’s classification as a non-high-risk AI system, ensures it avoids prohibited practices, and details transparency and governance measures. Our aim is to foster trust, protect health, safety, and fundamental rights, and align with the Act’s principles for a trustworthy AI ecosystem.
ISMS Copilot is an AI system under Article 3(1) AI Act. It uses machine learning and algorithmic techniques, powered by third-party general-purpose AI (GPAI) models (e.g., Claude 3.7, GPT-4), to process user queries and generate advisory outputs, such as ISO 27001 compliance guidance, policy drafts, and gap analyses. Its automated reasoning subjects it to the Act’s provisions for AI systems.
ISMS Copilot is available to users across the European Union, constituting placement on the EU market per Article 3(9) AI Act. As the provider, we ensure deployment, documentation, and updates comply with EU law and are prepared to demonstrate adherence to authorities upon request.
ISMS Copilot is a civilian tool for compliance support, not used for military, defense, or national security purposes (Article 2(3) AI Act). It is fully subject to the Act’s requirements with no exemptions.
Unlike general-purpose AI (GPAI) systems adaptable across domains (Article 3(63) AI Act), ISMS Copilot is specialized for compliance tasks, primarily assisting consulting firms with ISO 27001 certification and related infosec, AI governance, and data protection frameworks (e.g., SOC 2, GDPR, DORA, NIS2). This focused scope simplifies risk assessment and compliance, as outlined in the Commission’s GPAI guidelines (Section 3.1.1).
As the provider, we ensure ISMS Copilot meets AI Act requirements before market placement (Article 3(3)). As a deployer, when using the system to serve clients, we ensure responsible use, transparency, and alignment with its advisory purpose (Article 26). This includes:
ISMS Copilot avoids prohibited practices under Article 5 AI Act, including: