Converxys Blog

The EU AI Act has been in force since 2024 and is taking effect in stages. For many mid-sized companies the question is no longer whether, but how quickly they need to respond – especially where AI sits inside regulated or risk-sensitive processes such as lending, hiring, or safety-relevant industry. If you use or are introducing AI, you should know your status now rather than scrambling under deadline pressure.

The four risk classes – briefly explained:

• Unacceptable risk: prohibited (e.g. social scoring). These systems must not be operated.
• High risk: permitted, but with strict obligations – risk management, documentation, data quality, and human oversight. This is where most of the effort sits, e.g. AI in lending.
• Limited risk: transparency obligations, such as labelling chatbots or AI-generated content.
• Minimal risk: no special obligations – the majority of operational AI.

For many high-risk applications the central deadlines are approaching. In concrete terms, this means four steps for mid-sized companies:

• Inventory: Which AI systems are in use – including purchased SaaS features that use AI "under the hood"?
• Risk classification: Assigning each system to the AI Act categories.
• Gap analysis: Comparing the current state against the obligations of each class.
• Action roadmap: prioritised to-dos with effort estimates and ownership.

And what comes after: Compliance is not a one-off date but an ongoing state. The more sustainable task begins after the first deadline – meeting obligations continuously, setting up new systems to be compliant from the start, and keeping documentation current. Structure this well once, and every further AI project gets easier.

Note: Converxys delivers the technical and organisational implementation of compliance, not legal advice. For detailed legal questions we work with specialised lawyers.

More about Converxys →

An AI agent is more than a chatbot. Where a chatbot answers, an agent acts: it breaks a task into steps, reaches into tools and systems – email, ERP, databases, internal APIs – and works semi-autonomously toward a goal. That is exactly where the appeal lies, and also the risk.

Where agents deliver real value today:

• Research & preparation: gathering information from many sources, summarising it, and handing it over structured.
• Service desk triage: classifying requests, enriching them with context, and preparing or resolving routine cases.
• Document processing: extracting data from invoices, contracts, or forms and feeding it into downstream processes.
• Preparing decisions: laying out options with reasoning – the sign-off stays with a human.

And where the limits are:

• Reliability: agents can sound plausible and still be wrong. Without a verification step, that is dangerous in critical processes.
• Determinism: the same input does not always produce the same output – which complicates testing and traceability.
• Accountability: the company is liable for decisions, not the model. Responsibilities must be clear.
• Cost: long tool chains can become slow and expensive if you do not constrain them.

What makes an agent production-grade is therefore less the model than the frame around it: tight tool permissions, a human in the loop for critical actions, a traceable audit trail, and clear stop conditions. The pragmatic entry point: deploy agents where mistakes are cheap to correct and a human keeps the final sign-off – and raise the level of autonomy only as reliability is proven.

In most companies, knowledge is scattered: across PDFs, wikis, emails, tickets, and people's heads. Employees spend a significant share of their time searching rather than working. This is exactly where retrieval-augmented generation (RAG) comes in.

Put simply: instead of answering from "memory", the AI is handed the relevant passages from your documents for each question and formulates its answer based on them. The model does not need expensive retraining – the knowledge base stays current and in your hands.

What this delivers in practice:

• Fast answers to questions about internal knowledge – instead of long searches.
• Source references: answers can be traced back to the original document – essential for trust and auditability.
• No fine-tuning needed; new documents become available quickly.
• Access rights and tenant separation can be enforced.

What RAG does not solve:

• Poor data quality stays poor: outdated or contradictory documents lead to outdated or contradictory answers.
• No guarantee against errors: without source display and spot checks, even a RAG system can be wrong.
• Sensitive data needs masking and clear rules before it is processed.

Success depends less on the model than on the groundwork: clean data preparation, consistent rights and tenant separation, visible sources, and monitoring that makes quality measurable. Done right, the result is an auditable knowledge bot that reliably answers from your own content.

An impressive AI prototype can be built in days today. Surprisingly few of them ever reach production. The "demo effect" is deceptive: a convincing demonstration on hand-picked examples is something entirely different from a system that runs daily, reliably, and securely within your existing landscape.

The typical stumbling blocks:

• Integration: the prototype lives in isolation; in production it must connect to ERP, CRM, and data sources.
• Data quality: what shines on a curated demo dataset often fails on the reality of legacy data.
• Operations & monitoring: without oversight of quality, cost, and errors, running it is flying blind.
• Security & compliance: data protection, access rights, and – increasingly – AI Act obligations must be designed in from the start.
• Ownership: without a clear owner, even a good prototype fizzles out.

What production-grade solutions have in common: a clear business case rather than technology for its own sake, integration instead of an island solution, guardrails and monitoring from day one, documentation (which the AI Act requires anyway), and an iterative rollout in small, manageable steps.

This is exactly where agentic and low-code approaches help: they shorten the path from idea to a viable solution – without neglecting operations, security, and traceability. The goal is not the most impressive demo, but the solution that is still running six months from now.