This article provides the governance-professional-level implementation guide, explaining the methodology, week-by-week activities, COMPEL stage alignment, milestone gates, and practical guidance for programme management. It is designed to be used alongside the detailed 100-day plan data structure available in the COMPEL platform.
Programme Design Principles
The 100-day programme is built on five design principles:
Principle 1: Workstream Parallelism
Seven workstreams operate in parallel rather than sequentially. Compliance cannot be achieved by completing inventory, then classification, then documentation, then assessment — each in isolation. The workstreams are designed to operate concurrently, with coordination points at milestone gates.
The seven workstreams are:
- AI Inventory — Cataloguing all AI systems across the organisation
- Risk Classification — Applying the Article 5/6 classification framework
- Documentation — Producing technical documentation and instructions for use
- Conformity — Conducting conformity assessment and establishing QMS
- GPAI Assessment — Addressing general-purpose AI model obligations
- Governance Bodies — Establishing governance structures and processes
- Training — Building AI literacy and compliance competency
Principle 2: COMPEL Stage Alignment
Each programme phase maps to one or two primary COMPEL stages. This alignment ensures that governance professionals can leverage their COMPEL training and organisational COMPEL infrastructure. The mapping is:
- Phase 1 (Weeks 1-2): Primarily Calibrate and Organize
- Phase 2 (Weeks 3-4): Primarily Calibrate and Model
- Phase 3 (Weeks 5-7): Primarily Model and Produce
- Phase 4 (Weeks 8-10): Primarily Produce and Evaluate
- Phase 5 (Weeks 11-12): Primarily Evaluate
- Phase 6 (Weeks 13-14): Primarily Learn and Organize (transition to standing operations)
Principle 3: Evidence-First Approach
Every activity in the programme is designed to produce tangible, auditable evidence. The programme does not aim for conceptual compliance (“we have a process”) but for evidenced compliance (“here is the documented process, here are the records of its execution, here are the results”).
Principle 4: Milestone Gates
The programme includes six milestone gates at approximately two-week intervals. Gates serve three purposes: forcing accountability (are we on track?), enabling course correction (do we need to adjust?), and providing governance committee checkpoints (does leadership agree with our approach?).
Principle 5: Transition to Operations
The programme is explicitly designed to transition from a time-boxed project to ongoing compliance operations. Phase 6 (Weeks 13-14) is dedicated to this transition, ensuring that compliance does not decay after the programme ends.
Programme Governance
Programme Sponsor
The programme requires an executive sponsor at C-suite or equivalent level. The sponsor’s role is to:
- Provide authority and visibility for the programme across the organisation
- Remove organisational blockers (competing priorities, resource constraints)
- Approve programme scope and resource allocation
- Represent the programme to the board
- Approve milestone gate outcomes
Programme Manager
A dedicated programme manager should be assigned to coordinate across all seven workstreams. This person should have:
- Project management competence
- Understanding of the EU AI Act (at minimum, the content covered in Module 1.5, Articles 13-14)
- Organisational authority to coordinate across business units
- Access to the governance committee and executive sponsor
Workstream Leads
Each of the seven workstreams requires a named lead. Workstream leads are responsible for:
- Executing workstream tasks within the programme timeline
- Producing workstream evidence outputs
- Reporting workstream status to the programme manager
- Escalating blockers and risks
Workstream leads need not be full-time on the programme, but they must have sufficient time allocated to meet the programme’s pace.
Governance Committee
The existing AI governance committee (or a newly established one) provides oversight. The committee should meet at each milestone gate to review progress, approve outputs, and make decisions on classification, conformity pathway, and risk tolerance.
Phase-by-Phase Implementation Guide
Phase 1: Discovery and Inventory (Weeks 1-2)
Primary COMPEL stages: Calibrate + Organize
This phase establishes the programme foundation. The three priority activities are: knowing what AI systems exist, establishing governance structures, and building awareness.
Week 1 focuses on:
The AI Inventory workstream launches with broad organisational outreach. The governance professional should prepare a structured questionnaire that captures: system name, business owner, intended purpose, affected population, deployment geography, data inputs and outputs, vendor/developer, and deployment status. Distribute to all department heads and IT application owners.
Simultaneously, the Governance Bodies workstream appoints the programme sponsor, identifies or establishes the governance committee, and defines the programme governance structure. The committee charter should be drafted and circulated for review.
The Training workstream develops and delivers an executive briefing covering: what the EU AI Act is, why it matters to this organisation, the compliance timeline, and the potential financial exposure. This briefing is essential for securing executive commitment and resource allocation.
Week 2 focuses on:
Consolidating inventory responses into a unified register. The governance professional should not wait for 100% response rate — aim for 90% coverage of known AI systems and continue expanding throughout the programme.
The Risk Classification workstream begins with Article 5 prohibited practices screening. Every system in the register must be screened against each prohibited practice. Systems that are clearly not prohibited can be quickly cleared; systems that may be prohibited require immediate detailed assessment.
The milestone gate at the end of Week 2 validates inventory completeness and programme governance readiness.
Common Week 1-2 challenges:
- Low survey response rates: Mitigate with executive sponsor communication, department head accountability, and IT system scanning to identify AI tools in use
- Shadow AI discovery: Expect to discover AI systems that no one formally approved — procurement records, cloud service logs, and browser extension audits can reveal undocumented AI usage
- Scope ambiguity: Teams will ask whether tools like smart email filtering, predictive text, or business intelligence dashboards count as AI systems. Err on the side of inclusion at this stage — it is easier to reclassify a system as minimal risk than to discover an unregistered high-risk system during an inspection
Phase 2: Classification and Gap Analysis (Weeks 3-4)
Primary COMPEL stages: Calibrate + Model
This phase moves from inventory to assessment. Every registered system gets a risk classification, and every high-risk system gets a gap analysis.
Week 3 focuses on:
Detailed Article 6 classification for each system flagged in the preliminary screening. The governance professional should use the classification decision tree, documenting the rationale for each classification decision. Edge cases should be escalated to legal counsel.
The Documentation workstream conducts a gap analysis comparing existing documentation against Annex IV requirements. For many organisations, this analysis will reveal significant gaps — the typical engineering team’s documentation covers system architecture and API specifications but not risk management, bias assessment, or human oversight design.
The GPAI Assessment workstream determines whether GPAI models are in use, whether the organisation is a provider or deployer relative to those models, and what documentation has been received from GPAI model providers.
Week 4 focuses on:
Establishing the documentation architecture (templates, standards, version control) and determining the conformity assessment pathway for each high-risk system. The governance professional should decide early whether to pursue internal assessment or engage a notified body — the latter requires lead time.
The Training workstream delivers role-specific training to AI system owners, data engineers, and ML engineers on their specific compliance obligations.
The milestone gate at the end of Week 4 validates that all classifications are finalised, gaps are identified, and the compliance programme has approved budget and resources.
Phase 3: Foundation Building (Weeks 5-7)
Primary COMPEL stages: Model + Produce
This phase builds the compliance infrastructure. Documentation production begins in earnest, the QMS is enhanced, and operational processes are designed.
Weeks 5-6 focus on:
The Documentation workstream produces technical documentation for the highest-priority high-risk systems. Start with the systems that are most business-critical, face the nearest compliance deadline, or carry the highest risk exposure. The governance professional should aim to complete three systems in this period.
The Conformity workstream enhances the QMS to meet Article 17 requirements. For organisations with existing ISO certifications, this is an extension exercise. For organisations without, it is a more substantial effort — consider engaging QMS consultants.
The Governance Bodies workstream establishes the fundamental rights impact assessment process, incident reporting procedures, and change control process. These operational processes must be designed, documented, and tested before the conformity assessment phase.
Week 7 focuses on:
Completing the first batch of technical documentation and beginning peer review. Documentation quality is critical — a poorly drafted technical documentation package will not withstand conformity assessment or regulatory inspection. Build review into the schedule.
The Training workstream launches the Article 4 AI literacy programme. This is a broad-based training effort targeting all staff who interact with AI systems.
The milestone gate at the end of Week 7 validates that foundation systems are operational: inventory process integrated, classification methodology documented, first documentation packages complete, QMS enhancement underway, and AI literacy training launched.
Phase 4: Implementation (Weeks 8-10)
Primary COMPEL stages: Produce + Evaluate
This phase executes the core compliance work: completing documentation, conducting conformity assessments, and fulfilling GPAI obligations.
Weeks 8-9 focus on:
The Conformity workstream conducts internal conformity assessments for the first batch of high-risk systems. Each assessment should follow the structured protocol designed in Phase 3, examining QMS compliance, technical documentation, data governance, human oversight, accuracy and robustness, and logging.
The GPAI Assessment workstream finalises and publishes training data summaries and energy consumption data. These publications are regulatory obligations — they must be publicly accessible.
The Governance Bodies workstream conducts fundamental rights impact assessments for public-facing high-risk systems and prepares the board compliance status report.
Week 10 focuses on:
Completing documentation for all remaining high-risk systems and conducting the incident response drill. The drill simulates a serious incident and tests the reporting procedure end-to-end.
The milestone gate at the end of Week 10 validates that conformity assessments are complete, documentation is finished, GPAI obligations are met, and the training programme has achieved target completion rates.
Phase 5: Validation and Hardening (Weeks 11-12)
Primary COMPEL stage: Evaluate
This phase stress-tests the compliance programme through mock inspection, independent review, and gap remediation.
Week 11 focuses on:
The mock regulatory inspection is the centrepiece of this phase. Simulate a competent authority visit by:
- Requesting all documentation packages with limited advance notice
- Interviewing AI system owners about their compliance responsibilities
- Requesting demonstration of human oversight mechanisms
- Testing incident reporting procedures
- Examining logging and record-keeping
- Reviewing the AI system register for completeness
The mock inspection should be conducted by personnel who were not directly involved in producing the compliance outputs — internal audit, external consultants, or colleagues from a different business unit.
The Classification workstream secures an independent legal review of all risk classifications. This provides an external validation layer and identifies any classification decisions that may not withstand regulatory challenge.
Week 12 focuses on:
Addressing all findings from the mock inspection and classification review. Remediation should be prioritised by severity: critical findings (systems that would be found non-compliant) first, then significant findings (documentation gaps or process weaknesses), then observations (improvement opportunities).
The milestone gate at the end of Week 12 validates that all critical findings are resolved, documentation is finalised, and the programme is ready for operationalisation.
Phase 6: Operationalization (Weeks 13-14)
Primary COMPEL stages: Learn + Organize
This phase transitions from programme mode to standing operations.
Week 13 focuses on:
Executing the formal regulatory acts: submitting EU database registrations, affixing CE markings, signing and archiving EU declarations of conformity, and activating post-market monitoring. These are not administrative formalities — they are legal requirements that must be completed before the system is placed on the market or put into service.
The governance transition is equally important: the programme governance structure (programme manager, workstream leads, programme steering) transitions to a standing compliance governance structure (compliance owner per system, standing governance committee, regular review cadence).
Week 14 focuses on:
Finalising the operational AI System Register, establishing automated inventory health checks, documenting lessons learned, and transitioning the training programme to ongoing delivery. The programme completion report summarises what was achieved, what remains to be done, and what ongoing activities are required.
The final milestone gate validates full operational readiness: systems registered, declarations signed, monitoring active, governance standing, training established, and the programme formally closed.
Resource Planning
Typical Resource Requirements
The 100-day programme resource requirements vary significantly by organisation size and AI portfolio complexity. The following provides indicative ranges:
| Role | Small Portfolio (1-5 high-risk systems) | Medium Portfolio (6-20 high-risk systems) | Large Portfolio (20+ high-risk systems) |
|---|---|---|---|
| Programme Manager | 0.5 FTE | 1.0 FTE | 1.0 FTE |
| Workstream Leads | 0.2 FTE each | 0.3 FTE each | 0.5 FTE each |
| Technical Writers | 0.5 FTE | 1-2 FTE | 3-5 FTE |
| Legal Counsel | Advisory basis | 0.3 FTE | 0.5-1.0 FTE |
| External Expertise | Spot consultancy | Programme support | Embedded advisory |
Budget Considerations
Key budget items beyond personnel:
- External legal review of classifications
- Notified body engagement (if applicable)
- QMS enhancement or certification (if not already certified)
- Training programme development and delivery
- Documentation management system (if not already in place)
- Post-market monitoring tooling
Success Metrics
Track programme progress with quantitative metrics:
| Metric | Target at Day 50 | Target at Day 100 |
|---|---|---|
| Inventory completeness | 90% of AI systems registered | 98%+ |
| Classification coverage | 100% preliminary, 80% finalised | 100% finalised |
| Documentation completion (high-risk) | 50% of systems documented | 100% |
| Conformity assessment completion | 0% (in progress) | 100% (internal) or engaged (notified body) |
| Training completion (AI literacy) | 40% of target population | 80%+ |
| Outstanding critical findings | N/A | 0 |
Post-Programme: Sustaining Compliance
The 100-day programme creates the compliance foundation. Sustaining compliance requires ongoing activities:
- Quarterly: Inventory reconciliation, classification review, documentation update cycle
- Annually: Comprehensive compliance audit, training refresher, governance effectiveness review
- Continuously: Post-market monitoring, incident tracking, regulatory horizon scanning
The COMPEL framework’s Learn stage provides the natural home for these activities. The governance committee reviews compliance status at regular intervals, identifies emerging gaps or risks, and commissions remediation. Compliance is not a destination — it is a continuous governance discipline.
The 100-day programme gets you to the starting line. Sustained compliance is the race itself.