HAVOOP

01 PRODUCTION

2 weeks to make your AI operable at scale.

Production Sprint — secure, document, industrialize

Audit trail, human-in-the-loop, vendor selection, AI Act and GDPR compliance. Everything your AI needs to hold up in production — and survive an audit.

02 WHY

What happens when AI gets deployed without guardrails.

Why a Production Sprint?

When an AI agent gets deployed in an SMB without preparation, two scenarios await. First: an employee pastes client data into ChatGPT, unintended leak, GDPR exposure. Second: France's CNIL or Bpifrance audits you, you have no usage inventory, no audit trail, no internal policy — you end up improvising under pressure.

The EU AI Act came into force in phases between 2025 and 2027. Maximum penalties: €35M or 7% of worldwide turnover for prohibited practices, €15M or 3% for non-compliance. The vast majority of European SMBs have no visibility on their exposure.

The Production Sprint fixes that in two weeks. Not a theoretical audit. An operational hardening pass: what you have, what's risky, what we document, how we design what comes next so it actually holds up.

03 DELIVERABLES

What you hold in hand after 2 weeks.

What you receive

  • Complete inventory of AI usage in the company (declared + shadow IT).
  • AI Act classification: each use case mapped to the 4 risk levels.
  • GDPR review of AI-related data processing (DPIA where needed).
  • Human-in-the-loop architecture for sensitive decisions.
  • Logging and audit trail design (legal-grade traceability).
  • Vendor selection report: OpenAI, Anthropic, Mistral, open-source — what to pick when, with EU hosting.
  • Internal AI policy (3-5 pages, signable by employees).
  • Operational usage charter (10-15 pages).
  • Training pack: slides + 30 min recorded session.

Every deliverable is board-ready: presentable to the executive committee, the DPO, or a Bpifrance / CNIL auditor.

04 PROCESS

Four phases, two weeks.

The 4-phase process

01 DAYS 1–2

Audit & inventory

Workshop with key users. We map everything AI-related today — tools, data, flows, automated decisions.

02 DAYS 3–5

Risk analysis

AI Act + GDPR + data security. For each case, we identify exposure zones and priority corrective actions.

03 DAYS 6–8

Technical design

Human-in-the-loop architecture, logging, audit trail, vendor and model selection. We design what AI should look like in 6 months.

04 DAYS 9–10

Final documentation

Policy, charter, training pack. 90-minute board readout. You leave with everything you need to face an audit.

05 INVESTMENT

Fixed-price sprint.

Investment

The Sprint is fixed-price. No day-rate creep. Calibrated to your organization's size and complexity.

SMB UNDER 30 PEOPLE

2-week sprint, tight scope on 5 to 10 AI use cases.

From €5,000

SMB 30 TO 100 PEOPLE

2-week sprint, broader multi-department coverage.

From €8,000

OVER 100 PEOPLE

Multi-site or multi-country organizations.

Custom quote

Optional quarterly follow-up: €1,500 ex. VAT / quarter — 1 audit day + document refresh to stay compliant over time.

06 QUESTIONS

What people often ask us.

Frequently asked questions

Does the AI Act apply to my SMB even if I haven't built any AI model?
Yes. The AI Act covers any AI usage in business, not just model builders. If you use ChatGPT to support HR decisions, or an agent to process client data, it applies to you. Obligations depend on the risk level of the use case.
If we only use ChatGPT internally, are we still affected?
Yes. Minimum: internal usage policy, employee training, and a rule for data shared with the AI. If ChatGPT is used for decisions affecting people (hiring, client scoring, moderation), obligations are heavier.
What's the penalty if we do nothing?
For prohibited practices (social scoring, manipulation, etc.): up to €35M or 7% of worldwide turnover. For governance non-compliance: €15M or 3%. For SMBs, exposure is more often indirect (client lawsuit, CNIL inspection, reputational impact) than direct fines.
What happens after the sprint?
You leave with all documents up to date and presentable. If your AI usage evolves (new use case, new vendor, new regulation), an optional quarterly follow-up keeps things compliant. Without follow-up, we recommend at least an annual refresh.
Can you be our AI DPO?
No. The DPO is an internal function (or outsourced to a certified firm). What we do: prepare the ground for your existing DPO — they receive the inventory, risk classification and documentation, and can lean on it for their GDPR obligations.

07 BOOK A CALL

30 minutes to scope your exposure.

Get ahead of the AI Act before it gets ahead of you.