Prohibited AI practices have been enforceable since February 2025. The high-risk obligations follow in December 2027. Both assume something most companies do not have: a complete, classified inventory of every AI system in use. You cannot classify what you have not found - and an employee can adopt a tool that crosses the line in an afternoon.
The hard part is not writing another policy. It is keeping the operating picture current while teams adopt tools, vendors change terms, and auditors keep asking for evidence.
Grasp discovers every AI system in use, then classifies each one as Prohibited, High, Limited, or Minimal. Anything in the Prohibited tier is flagged and blocked the moment it appears. Everything else is assessed, documented, and evidenced, so when the high-risk obligations land, your inventory is already built and your sign-offs are already signed.
A cleaner operating rhythm: find the signal, attach the context, route the decision, and keep the evidence.
Every detected tool is mapped to Prohibited, High, Limited, or Minimal risk as it enters the inventory.
Grasp is designed to reuse the same inventory, risk, vendor, and evidence data across the frameworks your team already reports against.
The Act runs alongside GDPR. Any tool processing personal data still needs a lawful basis and a DPA.
ISO 42001 and the EU AI Act ask for the same foundations: inventory, risk assessment, and documented governance.
Your ISO 27001 system already covers inventory and supplier risk. Grasp bridges those controls to AI.
Vendor and risk-management criteria overlap with the Act's documentation duties. The same evidence supports both.
