// Built for the calendar

Responsible by default.

EU AI Act general obligations come into force on 2 August 2026. ISO/IEC 42001 is the AI management system standard your audit committee will start asking about. NIST AI Risk Management Framework is the risk language your insurer reads. Alvio is built for that calendar. Every engagement meets these obligations by default, not by extra fee.

// EU AI Act · Article 4

AI literacy across the workforce.

Article 4 requires that anyone in your organisation involved in the operation or use of an AI system has sufficient AI literacy for their role. The standard is functional, not ceremonial: people must understand what the system does, where its limits are, and what to escalate.

How we meet it. Every Sprettur and Áfram engagement includes training at three levels — executive (one-hour briefing), manager (half-day session), frontline (role-specific working session). Training material is your-tenant-specific and your-use-case-specific, not generic. Attendance is logged. Material is handed over for re-use. The literacy obligation is closed in one motion alongside the build, not as a separate workshop.

// EU AI Act · Article 50

Transparency obligations.

Article 50 requires that interactions with AI systems are disclosed to the people affected — content generated by AI is labelled, deepfakes are marked, AI-mediated decisions are made knowable. The obligation lands on the deployer.

How we meet it. Every capability we ship is configured with the platform's own disclosure surfaces: Copilot Studio response labelling, citation footers in Microsoft 365 Copilot answers, audit logging through Microsoft Purview, and content provenance markers where applicable. The disclosure pattern is in the build configuration, not in an operating manual that nobody reads.

// Our own DPIA

Data Protection Impact Assessment.

Our own DPIA covers Alvio as a processor when we work in your tenant. It documents lawful basis, data flows, retention, recipients, transfers, security measures, and subject rights handling for the data we encounter during engagements. Published. Versioned. Available on request to legal and procurement teams.

DPIA download — coming soon. Request the current version from agust@alvio.is.

// Our AI inventory

What we use, where, and why.

Our own AI inventory lists every AI capability used inside Alvio — Microsoft 365 Copilot, Copilot Studio agents, Azure OpenAI deployments, third-party assistants. For each entry: purpose, data classification, risk classification under the EU AI Act, controls in place, and an owner.

See our AI inventory

// Our conformity statement

The standards we hold ourselves to.

Our conformity statement is a public commitment: which AI Act obligations apply to us today, how we meet them, how we measure compliance, and what we do when we find a gap. Updated quarterly.

See our conformity statement

// ISO/IEC 42001 · NIST AI RMF

The two frameworks we ship against.

ISO/IEC 42001 is the AI management system standard published in 2023. It is what your audit committee will eventually ask about. The Sprettur controls memo and the Áfram-Steer quarterly review template both map to 42001 control areas. We do not chase a 42001 certification on your behalf — that is a customer decision — but our artefacts make the certification path materially shorter.

NIST AI Risk Management Framework is the risk vocabulary your insurer, your re-insurer, and your enterprise risk team are reading. The Sprettur measurement report uses NIST AI RMF risk categories so the AI capabilities you ship plug into the risk register you already maintain.

If you need to take this to your audit committee, your data-protection officer, or your AI governance board, email agust@alvio.is and we will send you the current DPIA, the AI inventory, and the conformity statement together as one bundle.