Unless they start with your actual situation.
- If you are a medium-sized company and just starting out:
  → Start with an AI inventory. What you don't know, you can't control.
- If you are already using AI but have no documentation:
  → Start by classifying the application. High-risk or not – that changes everything.
- If you are certified to ISO 42001 but ignore the AI Regulation:
  → Start by mapping roles. Your AI system Owner ≠ Provider or Operator.
- If you are a software provider and are embedding AI:
  → Start with supply chain clarity. Are you a provider or an operator? Wrong answer = wrong obligations.
- If you work in HR, Finance, or customer-facing roles:
  → Start with prohibited practices. Some AI applications are now simply illegal.
- If you are already compliant but scaling AI usage:
  → Start planning your conformity assessment. High-risk systems require auditable documentation.
The inconvenient truth:
There is no universal starting point.
Generic compliance checklists are a waste of time.
Your entry point depends on where you stand – not on where consultants want you to be.
I've seen organisations build governance frameworks for low-risk systems while ignoring prohibited practices. I've seen others chasing ISO certifications while completely missing out on AI regulation classification.
Different situations, different priorities, different consequences.
The question is not: "What should we do first?"
The question is: "Where are we exposed first?"
Author: Achim Korten, February 2026