Workshop: Gap analysis
Assess Meridian against the EU AI Act and NIST AI RMF: classify each system's regulatory tier, list the obligations, and produce a prioritized compliance gap analysis.
A gap analysis is what a company commissions when it realizes AI regulation applies to it and asks 'where do we stand?' You'll produce Meridian's: for each AI system, its regulatory classification, its obligations, what it currently does, and the gap between them — the document that turns 'we should comply' into a work plan.
Step 1 — Classify each system
- 1Take your risk map's systems. For each, determine Meridian's role first: build or buy? Bought from a vendor and used as instructed → deployer; built in-house, or a bought model fine-tuned or substantially modified → provider. Record it as the first column — the role decides which obligation set everything downstream checks. Meridian is a deployer for the bought HR tool; it would be a provider for anything it fine-tunes itself.
- 2Then determine the EU AI Act tier: unacceptable / high / limited / minimal. The HR screening tool → high (employment). The support agent → limited (chatbot disclosure) under the Act — though your internal map tiers it elevated: the Act's tiers and your internal low/moderate/elevated/critical scale answer different questions, and the internal one still drives your own controls. Analytics assistant → minimal.
- 3Note any that touch multiple regimes (the HR tool also triggers NYC LL144-style bias-audit rules if used for NYC hiring). Governance lives in these overlaps.
Step 2 — List obligations per system
- 1For the high-risk HR tool, write out both sides: Meridian's deployer obligations (use per the vendor's instructions, assign trained human oversight, retain the logs, notify candidates) and the provider obligations Meridian must verify its vendor holds (risk management, data governance, technical documentation, conformity assessment) — this is the bulk of the work.
- 2For the limited-risk support agent, the transparency obligation (disclose AI; label generated content).
- 3For minimal-risk, note 'voluntary best practice' — but still governed under your internal program.
Step 3 — Find the gaps
- 1For each obligation, mark Meridian's current state: Met / Partial / Missing, with a one-line reason. ('Human oversight — Partial: the support agent has approval gates for refunds, but the HR tool auto-rejects candidates with no human review — a critical gap.')
- 2Cross-reference the NIST functions: which Govern/Map/Measure/Manage activities are absent? A missing model inventory is a Map gap; no bias testing is a Measure gap.
- 3The HR tool's gaps should dominate — that's the point. High-risk systems generate the most obligations and usually the biggest gaps.
Step 4 — Prioritize
Rank the gaps by legal exposure × effort-to-close. A high-risk system auto-deciding without human oversight and without a bias audit is a top-priority legal-and-ethical gap; a missing content label is quick and cheap. Give every remediation item issue-management fields: a named owner, a due date tied to the relevant phase-in deadline, and validation-before-closure (someone other than the owner confirms the fix before the item closes). And one explicit rule: statutory obligations cannot be risk-accepted past their deadline — by the date the law bites, the gap is remediated or the system is turned off; 'we accepted the risk' is not a legal state. Produce GAP-ANALYSIS.md: the role-and-classification table, the obligations, the met/partial/missing assessment, and the ranked remediation list. This feeds directly into the controls (Module 4) and the roadmap (capstone).
In the workbook: a company's four AI systems and a claim from its legal team that 'we're a US company, the EU AI Act doesn't apply'. Assess whether the claim holds for each system (extraterritorial reach!), classify the tiers, and identify the one system whose non-compliance carries the greatest penalty exposure.