# EU AI Act High Risk Diagnostic Report

## 1. Overview

- **Sector:** Education and vocational training
- **Overall Score:** 38/100
- **Overall Rating:** weak
- **Action Priority:** act soon
- **Generated at:** 2026-05-22T17:32:22.083193+00:00

## 2. Management Summary

The organization operates in the education sector in Austria, has 2 to 10 employees, and develops AI systems involving personal data. It receives a weak overall rating of 38/100. Missing technical documentation and insufficient demonstrable transparency are rated critical and put the fulfilment of provider obligations at significant risk. Governance, human oversight, data protection readiness and Shadow AI controls are weak, while sector-specific risk reduction and operational resilience are solid but potentially fragile without a governance foundation. The action priority is: act soon.

**KPI Dashboard:**
- Documentation and conformity index: 22/100 (critical)
- Transparency and explainability index: 22/100 (critical)
- Shadow AI control index: 26/100 (weak)
- Human oversight index: 34/100 (weak)
- Governance clarity index: 39/100 (weak)
- Data protection readiness index: 40/100 (weak)
- Operational resilience index: 61/100 (solid)
- Sector sensitivity control index: 63/100 (solid)

**Most critical gap:** Complete absence of technical documentation and demonstrable transparency, which prevents reliable conformity preparation and supervisory review.

The full diagnostic report is available as a Markdown file.

## 3. Organizational Profile

- **Country:** Austria
- **Organization size:** 2 to 10 employees
- **EU AI Act role:** We develop or provide AI systems for others.
- **AI deployment status:** Trial use or informal testing
- **AI purpose:** Administration
- **Data type:** Personal data
- **Tool control:** Informal recommendations
- **Governance:** Responsible person, but unclear scope
- **Human oversight:** Informal review
- **Documentation:** Not documented

## 4. Sector Profile

- **Sector:** Education and vocational training
- **Sector key:** `education`

### Sector-specific answers

- **How close is the AI use to assessments or educational decisions?** Learning support without assessment impact
- **What learner data is processed with AI?** Only data of adult learners
- **How are AI outputs checked before they affect learners?** Informal review

## 5. KPI Dashboard

- **Overall Score:** 38/100
- **Overall Rating:** weak
- **Action Priority:** act soon

> Score logic: A high value is always good. A low value is always bad.

### Governance Clarity Index

- **Score:** 39/100
- **Rating:** weak
- **Priority:** act soon
- **Meaning:** Measures how clearly responsibility, roles, steering and internal AI governance are already established.

**Drivers:**
- Starting point: We have initial rules or discussions.
- Governance: Responsible person, but unclear scope
- Documentation: Not documented

### Human Oversight Index

- **Score:** 34/100
- **Rating:** weak
- **Priority:** act soon
- **Meaning:** Measures how well human review, approval and control are secured before relevant AI use.

**Drivers:**
- Oversight: Informal review
- Sector review: Informal review
- Governance: Responsible person, but unclear scope

### Data Protection Readiness Index

- **Score:** 40/100
- **Rating:** weak
- **Priority:** act soon
- **Meaning:** Measures how well data exposure, tool control and documentation are jointly protected.

**Drivers:**
- General data type: Personal data
- Sector data: Only data of adult learners
- Tool control: Informal recommendations

### Sector Sensitivity Control Index

- **Score:** 63/100
- **Rating:** solid
- **Priority:** stabilize
- **Meaning:** Measures how well the specific sensitivity of the selected high-risk sector is controlled.

**Drivers:**
- Sector proximity: Learning support without assessment impact
- Sector data: Only data of adult learners
- Sector review: Informal review

### Documentation and Conformity Index

- **Score:** 22/100
- **Rating:** critical
- **Priority:** act immediately
- **Meaning:** Measures how well documentation, traceability and conformity preparation already exist.

**Drivers:**
- Documentation: Not documented
- Governance: Responsible person, but unclear scope
- Tool control: Informal recommendations

### Transparency and Explainability Index

- **Score:** 22/100
- **Rating:** critical
- **Priority:** act immediately
- **Meaning:** Measures how well AI use, outputs and relevant effects can be explained, reviewed and traced.

**Drivers:**
- Documentation: Not documented
- Oversight: Informal review
- Sector review: Informal review

### Shadow AI Control Index

- **Score:** 26/100
- **Rating:** weak
- **Priority:** act soon
- **Meaning:** Measures how well unauthorized, private or uncontrolled AI use is limited.

**Drivers:**
- Tool control: Informal recommendations
- Governance: Responsible person, but unclear scope
- Documentation: Not documented

### Operational Resilience Index

- **Score:** 61/100
- **Rating:** solid
- **Priority:** stabilize
- **Meaning:** Measures how stable the organization is against incorrect AI outputs, dependency and missing fallbacks.

**Drivers:**
- AI use: Trial use or informal testing
- AI purpose: Administration
- Oversight: Informal review

## 6. Diagnostic Assessment

**Organization:** Education sector · Austria · 2 to 10 employees · AI provider  
**Overall assessment:** 38/100 · weak · Action priority: act soon

---

### 1. Executive Diagnostic

The organization develops or provides AI systems for others in the education sector, with personal data, in a regulatorily sensitive environment. The EU AI Act classifies AI systems in education as high-risk under certain conditions (Annex III). The provider role significantly increases the burden of compliance: providers carry the primary conformity responsibility, regardless of whether the system is used internally or externally.

The overall score of 38/100 indicates an organization in an early, informal state. Initial discussions and rules exist, but there is no robust structure yet. Two KPIs are in the critical range. The combination of provider role, personal data and missing documentation creates a concrete regulatory risk.

---

### 2. Key Findings

**Critical state:**

- Documentation does not exist. For an AI provider, this is not a minor gap but a conformity failure. The EU AI Act requires technical documentation before placing a system on the market.
- Transparency and explainability are not operationalized. Users and affected persons receive no structured information about the AI system.

**Weak state:**

- Governance depends on a person, but without a defined scope. A responsible person without clear mandates is not a governance system.
- Human oversight is informal. Informal review does not meet the requirements for demonstrable human oversight under the EU AI Act.
- Shadow AI is weakly controlled. In a small team with informal testing, there is an increased risk of uncontrolled AI use outside any framework.
- Data protection readiness is insufficient. Personal data is processed without a robust data protection framework being visible.

**Need for stabilization:**

- The sector sensitivity control index (63/100) is the strongest individual value. The limitation to learning support without assessment impact and to adult learners noticeably reduces sector risk. However, this advantage is only effective if it is documented and demonstrable.
- Operational resilience (61/100) is solid, but structurally fragile without a governance foundation.

---

### 3. KPI Interpretation

| KPI | Score | Rating | Meaning |
|---|---:|---|---|
| Documentation and conformity index | 22/100 | critical | No technical documentation exists; provider conformity cannot be established without this building block |
| Transparency and explainability index | 22/100 | critical | No structured information for users or affected persons; transparency obligations are not fulfilled |
| Shadow AI control index | 26/100 | weak | Informal test environment without a control framework; uncontrolled AI use is likely |
| Human oversight index | 34/100 | weak | Informal review does not satisfy requirements for demonstrable human oversight |
| Governance clarity index | 39/100 | weak | Responsibility is person-bound, scope unclear, no structural safeguards |
| Data protection readiness index | 40/100 | weak | Personal data is processed without a robust data protection framework |
| Operational resilience index | 61/100 | solid | Functional capability exists, but without governance foundation it is not sustainable |
| Sector sensitivity control index | 63/100 | solid | Risk reduction through focus on learning support and adult learners; advantage only works if documented |

---

### 4. Sector-related Risk Situation

The education sector is explicitly listed as a high-risk area in Annex III of the EU AI Act. The concrete classification depends on the actual intended purpose and use.

**Risk-reducing factors in this case:**

- AI use is limited to learning support without assessment impact. Systems that influence assessments, exam outcomes or educational access decisions carry the highest risk profile. This area is not affected here.
- Only data of adult learners is processed. Minors, as a particularly vulnerable group, are not affected.

**Remaining risk factors:**

- The provider role remains. Even if the system is not classified as high-risk under Annex III, general provider obligations apply: transparency, documentation, declaration of conformity and market monitoring.
- The administrative purpose combined with personal data creates data protection obligations independently of the AI Act classification. GDPR requirements must be reviewed in parallel.
- Informal tests without documentation mean that the actual system function is not demonstrable. In a dispute or supervisory review, there is no evidence base.
- The boundary between learning support and assessment impact is fluid. Without a clear definition and documentation of this boundary, the risk classification cannot be kept stable.

---

### 5. Evidence Boundaries

This analysis is based exclusively on the information provided by the organization. The following points cannot be externally validated:

- The actual technical functionality of the AI system is unknown. The classification as learning support without assessment impact is based on self-reporting.
- The scope of processed personal data is not specified. Type, volume and sensitivity of the data remain unclear.
- The quality of informal review processes cannot be assessed. An informal review may range from rudimentary to effectively working.
- The reach of the system is unknown. How many people are affected, in which contexts and with what decision relevance?
- The legal classification as a high-risk or non-high-risk system requires a full system analysis by qualified legal and technical reviewers. This diagnostic report does not replace such a review.

---

### 6. Three Next Directions

**Direction 1: Establish documentation capability**  
The most critical individual gap is the complete absence of documentation. Without documentation, conformity cannot be demonstrated, supervisory review cannot be passed, and liability positions cannot be defended. The first direction is to clarify what the system does, how it decides, which data it processes and who is responsible for it, in a written and reproducible form.

**Direction 2: Define governance scope**  
A responsible person without a defined scope is not a governance system. The second direction is to clarify which decisions this person is authorized to make, which escalation paths exist and how AI-related decisions become traceable. This is not a question of company size, but of clarity.

**Direction 3: Clarify legal classification**  
The provider role in the education sector with personal data requires a sound assessment of whether the system falls under Annex III or not. This assessment must be based on the actual system functionality, not merely the intended use. The third direction is to obtain a qualified initial assessment from a specialized AI law expert as the basis for all further steps.

---

*Diagnostic report · EU AI Act High Risk Check · M13 Reasoning · Austria · Education sector*  
*Overall score 38/100 · Two critical KPIs · Provider role active · Action priority: act soon*

## 7. Quality Assurance

The diagnosis was internally checked for consistency, evidence boundaries, exaggeration risks and missing assumptions.

The internal review is not part of the customer report. It was used to limit and sharpen the final assessment.

## 8. Scope Limitation of this Report

This report is a diagnostic assessment.

It does not replace individual legal review or a full technical system assessment.

It does not contain a full AI use policy, a responsibility matrix, a technical documentation template or a complete implementation package.

These artefacts belong in the subsequent Action Builder.
