AI Risk Assessment

A guided questionnaire that surfaces the compliance risks no website scanner can find: internal AI tools your team uses, AI-powered HR or recruitment systems, third-party AI vendors, and governance gaps. Included in every paid plan.

Why Automated Scanning Is Not Enough

Website scanners check what is publicly visible. They cannot see the AI tools your team uses internally — the ChatGPT subscription your marketing team uses to write content, the AI-powered ATS screening job applicants, or the third-party analytics platform profiling user behavior. Each of these can create EU AI Act or GDPR exposure that no external scan will ever detect.

The EU AI Act classifies AI systems into risk tiers. High-risk AI, which under Annex III includes systems used in hiring, credit scoring, and monitoring or evaluating employees, triggers provider obligations such as a formal risk management system, data governance documentation, and human oversight design, and deployer obligations under Article 26 (using the system per its instructions, assigning trained humans to oversee it, keeping logs, and informing affected workers before it is put into service). If your organization uses any high-risk AI, the documentation burden is significant, and the obligations for Annex III systems apply from 2 August 2026. Fines for breaching high-risk obligations reach €15 million or 3% of global annual turnover; the Act's top tier of €35 million or 7% is reserved for prohibited AI practices.

The AI Risk Assessment is a structured questionnaire included in every paid SiteProof AI plan. It asks targeted questions about your internal AI use, your vendor relationships, your governance documentation, and your DPIA status — and surfaces the specific obligations that apply to your organization beyond what the website scanner finds.

What We Detect

  • Internal AI tools and systems not visible from outside your website — often the largest hidden compliance risk
  • AI in HR, recruitment, or employee monitoring — high-risk category under the EU AI Act requiring specific documentation
  • Third-party AI vendor relationships — shared compliance obligations your contracts may not address
  • Missing DPIA — GDPR Article 35 requires a Data Protection Impact Assessment for high-risk AI processing
  • AI governance gaps — missing policies, oversight structures, and documentation that regulators increasingly expect

How the AI Risk Assessment Works

1. Answer questions about your AI use

The assessment asks about chatbots, internal tools, HR systems, AI vendors, automated decisions, and governance documents. Questions are plain-language, so no legal expertise is required.

2. Get your risk classification

Based on your answers, the assessment classifies your AI use cases as minimal, limited, or high risk under the EU AI Act and explains what each classification means for your obligations. (The Act's fourth tier, unacceptable risk, covers practices that are banned outright rather than regulated.)

3. See your hidden compliance gaps

Findings that the website scanner cannot detect are surfaced here: missing DPIAs, undocumented AI vendor contracts, and high-risk AI without the required oversight procedures.

4. Receive a combined compliance report

The assessment findings are merged with your website scan results into a single compliance report, giving you a complete picture of your AI compliance posture.

High-Risk AI Enforcement Cases

Company               | Regulator        | Action                                                                    | Year
Uber                  | Dutch DPA        | €10 million fine for opaque automated decision-making affecting drivers   | 2023
Clearview AI          | Multiple EU DPAs | €75 million+ in combined fines for unlawful AI-based biometric processing | 2022–2024
LinkedIn              | Irish DPC        | €310 million fine for unlawful behavioral profiling                       | 2024
Multiple EU employers | Various DPAs     | Fines for AI-based employee monitoring without DPIA or disclosure         | 2023–2025

Legal Basis

  • EU AI Act (Regulation 2024/1689) — Articles 9 & 10: Risk management system and data governance requirements
  • EU AI Act — Article 26: Obligations of deployers of high-risk AI systems
  • GDPR (Regulation 2016/679) — Article 35: Data Protection Impact Assessment requirements
  • GDPR — Article 25: Data protection by design and by default
  • ISO/IEC 42001:2023 — AI Management System standard for organizational AI governance

Potential Consequences

Organizations deploying high-risk AI systems without the required risk management, oversight, and documentation may face EU AI Act fines of up to €15 million or 3% of global annual turnover, whichever is higher; the Act's maximum of €35 million or 7% applies to prohibited AI practices. Failure to conduct a required DPIA under GDPR can result in fines of up to €10 million or 2% of global annual turnover (GDPR Article 83(4)). Beyond fines, inadequate AI governance can lead to operational disruptions, reputational damage, and loss of customer trust. See our website AI compliance audit guide for the full process.

Frequently Asked Questions

What counts as high-risk AI under the EU AI Act?

High-risk AI systems are listed in Annex III of the Act and include those used in hiring and HR decisions, credit scoring, educational assessment, biometric identification, law enforcement, and the management of critical infrastructure. If your organization uses AI in any of these areas, the EU AI Act imposes significant documentation and oversight requirements.

Do I need a DPIA for every AI system?

No. GDPR Article 35 requires a DPIA for processing that is 'likely to result in a high risk' to individuals, which for AI typically means systematic profiling, large-scale processing of sensitive data, systematic monitoring of public areas, or automated decisions with legal or similarly significant effects. The DPIA trigger comes from GDPR, not from the AI Act's tiers: a tool classified as limited risk under the AI Act still needs a DPIA if its processing meets the Article 35 criteria. For limited-risk tools that do not, a DPIA is recommended but not mandatory.

What is an AI governance gap?

An AI governance gap is any missing policy, procedure, or oversight structure that regulators expect organizations using AI to have in place. Common gaps include: no AI usage policy, no process for reviewing AI vendor contracts for compliance obligations, no human oversight procedure for automated decisions, and no record of processing activities for AI systems.

Is the Risk Assessment available on the free plan?

No. The AI Risk Assessment is included in every paid plan — Single Report ($9.99 one-time), Starter ($14.99/mo), and Pro ($38.99/mo). It is not available on the free scan.

Uncover the risks you can't see from outside

Get your compliance report in 60 seconds. No signup required.

SiteProof AI is an automated analysis tool. Results are informational and do NOT constitute legal advice. Consult a qualified legal professional for compliance decisions.