AI Governance · EU AI Act foundation

The foundation under every agent.

Done-for-you agents are the front line. Governance is the foundation that keeps them working, even when the auditor drops by, a vendor swaps out its model or the EU AI Act takes effect.

AI register · live · 27 systems
System | Risk | Owner | Status
Quote agent | Medium | @Sales | in use
Client screening | High | @Compliance | review →
Mail triage | Low | @Service | in use
Reporting bot | Low | @Finance | classified
Last change: Anthropic Claude · model bumped · 18 May 2026
Compliant with: EU AI Act · GDPR · ISO 27001-aligned
Governance discipline of an AI Portfolio Lead at a top-3 bank
EU AI Act · urgency

The law is coming. No need to panic.

Three deadlines that matter. One is already active in 2025, one becomes binding in a few months. No draconian slowdown, just a timely approach, with an owner for each obligation.

EU AI Act · the clock is ticking
Feb 2025 · active · Prohibited practices
Aug 2025 · active · Penalties & GPAI
Aug 2026 · deadline · Full compliance
Aug 2027 · follows · High-risk Annex II
We handle risk classification and documentation within 12 weeks, inside the time left until full compliance.
Feb 2025 — active
Prohibited AI practices
Social scoring, real-time biometrics, manipulation, all punishable. Check your use cases.
Aug 2025 — active
Penalty rules & GPAI
Fines of up to 7% of global turnover. General-purpose AI models gain obligations.
Aug 2026 — act now
Full compliance required
High-risk systems: register, documentation, human oversight, monitoring.
Aug 2027 — follows
High-risk Annex II
Sector-specific products (medical, vehicles, machinery) face extra requirements.

Not intended as legal advice, but as an honest route through the timeline.

The register · living

One living AI register. No Excel on a shared drive.

Which system, which purpose, which data type, which vendor, which risk, which owner, mapped out in two weeks. Not as a snapshot, but as a source that refreshes the moment something changes.

What goes in, and what comes out.

An AI register that passes the audit needs three things at once: coverage (no system is missing), discipline (one definition per field) and refresh (reality is not static).

  • Name & purpose — what does it do, what is the intended use?
  • Risk class — unacceptable / high / limited / minimal, with a rationale.
  • Data type & legal basis — personal data? Which category, which GDPR basis?
  • Vendor & model version — who, which model, which version, which contract.
  • Owner & review cadence — one name per system, reviewed every quarter.
  • Status & measurements — in use, in review, paused; with the KPIs that matter.
System | Risk | Data type | Owner | Status
Quote agent (generates quotes from the CRM) | Medium | Customer data · name & address | M. de Vries · Sales | In use
Client screening (risk indication for onboarding) | High | Personal data · special category | L. Bakker · Compliance | Review needed
Mail triage (sorts & routes the inbox) | Low | Email metadata | J. Visser · Service | In use
Reporting bot (summarises monthly figures) | Low | Aggregated data | A. Smit · Finance | Classified
Traceability · model → data flow

When an audit question comes up, you prove it in days. Not weeks.

"Which model touches which customer data?" is, when things go wrong, an uncomfortable question. With a linked record of models, integrations and data flows it becomes a query instead of a project.

What we link

Not a single Excel file, but three living maps that reference each other. Change one and you see the others adjust.

  • Model register — which models run, at which vendor, in which version.
  • Data map per agent — which data types go in, where they come from, which legal basis.
  • Integrations / interfaces — which systems talk to which agent, with which authorisations.

When the auditor asks, "does model X touch customer data Y?", you click the path open instead of racking your brain.

Example · client-screening agent
Model: Anthropic Claude 4.7 · v2026-05
Model: OpenAI GPT-4.x · fallback
Data in: Name, address & CoC · CRM
Data in: Risk signals · Compliance DB
Data out: Decision & rationale · audit log
Path on demand. Every model links to its data flows; every data flow to its legal basis & retention period.
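As an added example, not FlowBaas's own tooling: a small Python sketch of the register fields described earlier and of the three linked maps above, with the two checks they enable, a field-discipline check over the register and the "does model X touch data category Y?" query that returns the legal basis and retention period on each hit. The record shapes, the risk-class vocabulary check and all sample values (owners, legal bases, retention periods) are assumptions constructed for illustration, loosely mirroring the page's examples.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DataFlow:
    category: str     # data type, as written in the register
    source: str       # integration the data comes from
    legal_basis: str  # GDPR basis, one definition per field
    retention: str

@dataclass
class Agent:
    name: str
    risk: str         # EU AI Act class: unacceptable / high / limited / minimal
    owner: str
    models: list      # (vendor, model, version); primary first, fallbacks after
    flows: list       # DataFlow records

RISK_CLASSES = {"unacceptable", "high", "limited", "minimal"}

def register_issues(agents):
    """Discipline checks: one risk vocabulary, a named owner and a recorded model per system."""
    issues = []
    for a in agents:
        if a.risk not in RISK_CLASSES:
            issues.append(f"{a.name}: risk class '{a.risk}' is outside the register vocabulary")
        if not a.owner.strip():
            issues.append(f"{a.name}: no owner")
        if not a.models:
            issues.append(f"{a.name}: no model version recorded")
    return issues

def paths(agents, model_name, category):
    """'Does model X touch data category Y?' -> (agent, model, source, legal basis, retention) per hit."""
    hits = []
    for a in agents:
        for vendor, model, version in a.models:
            if model == model_name:
                for f in a.flows:
                    if category.lower() in f.category.lower():
                        hits.append((a.name, f"{vendor} {model} {version}", f.source, f.legal_basis, f.retention))
    return hits

# Constructed sample register mirroring the page's examples; legal bases and retention periods are fictitious.
CLAUDE, GPT = ("Anthropic", "Claude", "4.7"), ("OpenAI", "GPT-4.x", "fallback")
REGISTER = [
    Agent("Quote agent", "medium", "M. de Vries", [CLAUDE],
          [DataFlow("customer data · name & address", "CRM", "contract, GDPR Art. 6(1)(b)", "7 years")]),
    Agent("Client screening", "high", "L. Bakker", [CLAUDE, GPT],
          [DataFlow("personal data · special category", "CRM", "legal obligation, GDPR Art. 6(1)(c)", "5 years"),
           DataFlow("risk signals", "Compliance DB", "legal obligation, GDPR Art. 6(1)(c)", "5 years")]),
]
```

Running `register_issues(REGISTER)` flags the quote agent's "medium" as outside the four-class vocabulary, which is exactly the one-definition-per-field discipline the register needs; `paths(REGISTER, "Claude", "personal data")` answers the audit question with the full agent, model, source, basis and retention chain.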
Versions & change

A vendor changes its model? You know before your customer notices.

AI vendors push silent upgrades, deprecate endpoints and recalibrate models. Without change tracking you only find out when the reporting drifts. We make that change measurable, and tie it to an owner.

What we track

Three kinds of change, all with the same discipline: what, when, who checks and what is the effect.

  • Model versions — vendor bumps, your own prompt or agent revisions.
  • Vendor policy — changes to data retention, sub-processors, jurisdictions.
  • Policy & classifications — recalibration of a risk class after an incident or audit.

With every change: a short note, an impact indication and a re-test of the KPIs. No surprises in the management report.

Changelog · last 30 days · live

18 May 2026 · Model · Anthropic Claude · model bump
Claude 4.6 → 4.7. KPIs recalibrated; no significant drift on the quote agent.

07 May 2026 · Vendor · OpenAI · DPA update
Sub-processor added (US). Retention period unchanged, customer informed.

29 Apr 2026 · Policy · Client screening · risk class
Limited → High after reclassification. Human review mandatory; logging expanded.

14 Apr 2026 · Model · n8n · workflow revision
Quote flow simplified; turnaround time −18%, no data impact.
The EU AI Act without panic

Four anchors. One owner per obligation.

The law is big, the practice is small. Get four things in order: risk class, documentation, owner, audit readiness. Then you get calm instead of adrenaline.

01 — Risk classification

Per use case, with a rationale

For every AI system: a classification (unacceptable / high / limited / minimal) and a rationale that meets the law. No copy-paste from a generic template.

02 — Documentation

That meets the law, no more, no less

Purpose, data requirements, human oversight, monitoring, limitations. In one readable dossier per high-risk system; ready for inspection.

03 — Owner per obligation

No orphaned rules

Every article of the Act that applies to you gets a name next to it. Not "compliance will handle it", but: this person, this obligation, this deadline.

04 — Audit readiness

Not "ready for the audit", ready for inspection

Everything a regulator might ask for is on hand, in the same structure as your register. An audit becomes a query, not a sprint.

The 12-week roadmap

From AI chaos to proof, in 12 weeks.

Five phases, each with a checkpoint and a deliverable. No annual contract without proof; every phase ends with something you can show your board or a regulator.

01–02 · Week 1–2 · foundation

Foundation — go decision, team, scope

Who is the owner, which disciplines are at the table (IT, Legal, Business, HR), which AI systems fall within scope, and what is the intended outcome?

  • Go/No-go and governance team assembled
  • Scope document with use-case longlist
  • Stakeholder interviews completed
→ go decision + scope
03–04 · Week 3–4 · registration

Registration — visibility on everything

Set up the living AI register. Every system in view, classified, with an owner. First KPIs defined.

  • AI register live with all known systems
  • Risk classification high / medium / low
  • Draft governance policy v1
→ living register
05–08 · Week 5–8 · deepening

Deepening — policy, vendors, oversight

Build the structure: roles, escalation, vendor assessment, a privacy impact assessment where needed, technical monitoring and human oversight.

  • Policy v2 with roles & escalation
  • Vendor assessment framework
  • Monitoring and logging operational
→ control & oversight
09–10 · Week 9–10 · embedding

Embedding — documentation, dashboard, round table

Lock in what works. KPI dashboard live, escalation procedures tested, governance steering group cadence in place.

  • Dashboard with first real measurements
  • Documentation complete per high-risk system
  • Steering group cadence (monthly) live
→ measurable governance
11–12 · Week 11–12 · readiness

Readiness — self-assessment & first report

How do things really stand? An improvement plan for gaps, a first compliance report to the board or regulator, preparation for an external audit.

  • Self-assessment against the EU AI Act
  • Compliance report v1 to the board
  • Audit-readiness playbook
→ audit-ready

No background work required: all templates, checklists and dashboards are ready. Your team supplies the facts; we supply the structure.

A guide, not a guru

Built by someone who has run this at enterprise scale.

Founder · Nisse Klaaijsen

AI Portfolio Lead at a top-3 bank, now translated to SMEs.

As AI Portfolio Lead in an organisation with 5,000+ engineers, Nisse steered AI roadmaps, governance frameworks and adoption programmes at enterprise scale, within regulatory frameworks that leave no room for demo magic. The same discipline, translated to the SME reality: smaller in scope, identical in seriousness.

20+ years of IT transformation
8 FS institutions advised
5,000+ engineers in the portfolio
2 pilots in regulated sectors (2026)
Start

Start with a conversation, not a contract.

30 minutes. We look at where you stand, which deadlines are heading your way and whether a governance programme, or a smaller piece of it, fits you. If it is not a fit, we will say so honestly and point you onwards.

Usually responds within 1 business day. No obligation, no sales funnel.