Profiling Wizard — the 11 questions that hide irrelevant obligations
For: all
Tier: starter+
Time: ~6 min
Why you'd do this
EU AI Act decomposes into 247 obligations across 44 articles. Most projects only touch ~30-40% of them. The Profiling Wizard asks 11 yes/no questions about your role(s), data sources, and value-chain responsibilities, then auto-marks irrelevant obligations Not Applicable so the dashboard only shows what you can act on. Average reduction across our test fixtures is ~64% of obligations filtered out without false negatives.
Before you start
- Starter+ tier (free tier sees the entry but the wizard renders an upgrade prompt)
- OWNER role on the repo (members see the wizard read-only)
- Clarity on your role: are you placing the system on the EU market (Provider), using it operationally (Deployer), reselling it (Distributor), bringing it across the EU border (Importer), or acting as the EU contact for a non-EU provider (Authorised Rep)?
Step 1
Two ways to enter:
- Dashboard banner — emerald "Run Wizard →" CTA appears when no owned repo has wizard answers yet (it disappears as soon as ANY repo gets profiled)
- Compliance Profile page — at the bottom of the per-repo section, a "Configure repo applicability" link
Both lead to /dashboard/repos/<id>/profiling-wizard. The wizard is per-repo, not account-wide — different repos can have different role configurations (e.g. one repo where you're a Provider, another where you're a Deployer).
What you'll see: Step 1 of 11 — "Are you established in the EU?" with three options: Yes / No / Not sure / skip. The header shows current step + estimated obligations that will auto-mark NA based on answers so far.
Step 2
Q1: Are you established in the EU? — Drives Art. 22 (Authorised Representative requirement). Non-EU providers MUST designate an EU rep before placing high-risk systems on the market.
Q2: Is the AI a product covered by Annex I (medical device, machinery, etc.)? — Annex I products are high-risk by default and route through sectoral conformity assessment (Art. 6(1)).
Q3: Does the AI fall under any Annex III category? — Eight high-risk use cases: biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, justice. Selecting one classifies the system as high-risk under Art. 6(2). Selecting none means limited / minimal risk paths only.
Step 3
Q4: Does the system use training data? — Routes Art. 10 (data governance). "No" hides the entire data-quality obligation set (relevance, representativity, error rate, bias examination). Most ML systems answer Yes; rule-based or expert-system AI without statistical training answers No.
Q5: Does the system generate synthetic content? — Triggers Art. 50 transparency obligations (label generated outputs as AI-produced). Generative AI = Yes; classifiers / detectors = No.
Q6: Is this a General-Purpose AI model (GPAI)? — Adds Art. 53-55 obligations (model documentation, downstream provider info, systemic-risk assessment). Foundation models = Yes; narrow-task models = No.
Q7: Has the GPAI been deemed to pose systemic risk? (visible only if Q6 = Yes) — Art. 51 designation based on compute (≥ 10²⁵ FLOPS) or Commission decision. Adds the heavy Art. 55 systemic-risk obligations.
Step 4
Q8: Are you a DEPLOYER of this system? — Routes Art. 26 (deployer obligations: human oversight, instruction adherence, input monitoring). Many in-house systems answer Yes here even when they answered Provider above (single legal entity wearing multiple roles).
Q9: Are you an IMPORTER? — Bringing a non-EU system to the EU market (Art. 23). Triggers verification + record-keeping obligations.
Q10: Are you a DISTRIBUTOR? — Reselling without modification (Art. 24). Lighter than Provider/Importer but still has CE marking + record-keeping duties.
Q11: Do you have Art. 25 substantial-modification responsibilities? — Re-purposing or significantly modifying a system shifts you into the Provider role for that modified system. Most users answer No; relevant for systems integrators and downstream developers.
Each question can be answered "Not sure / skip" — the related obligations stay visible (default to safe inclusion).
Step 5
After the last question, click Save. The dashboard returns you to the repo overview with a confirmation banner showing "NN obligations auto-marked Not Applicable based on your answers".
These changes apply to the LATEST scan immediately (no re-scan needed) — applicability is derived at read time from your answers + the current finding set. Re-running cl_scan later respects the same answers; you only re-open the wizard if your role or data sources change.
To revisit: the wizard is always available from the same entry — it pre-fills with your last answers. Changing one answer recalculates the NA set; nothing else moves.
What you'll see: Repo overview after wizard completion: KPI counts now reflect the trimmed obligation set (e.g. "0 of 87 NC" instead of "0 of 247"), and the profiling-nudge banner is gone.
What can go wrong
- Wizard shows "upgrade required" even though I'm on the Pro plan — The wizard checks
tierLimits.applicabilityCustomizationfrom your account's CURRENT plan. If you just downgraded then re-upgraded, the cached tier may be stale — sign out and back in to force a tier-cache refresh. If still blocked, your account may have been put into asubscription_status: past_duestate (open Settings → Billing to verify). - After running the wizard, a finding I expected to see disappeared — That's the wizard working — your answers indicated the obligation doesn't apply. To verify: open the repo's Compliance Profile, scroll to the per-question summary, and find the obligation in the "Auto-marked NA based on answers" list. If you disagree, change the corresponding answer to "Not sure / skip" — the obligation will reappear in the next read.
- The 11 questions don't seem to cover my situation — The wizard covers EU AI Act applicability — it doesn't model GDPR, NIS2, ISO 42001, or other adjacent regimes. If your compliance need is broader than EU AI Act, the wizard scopes ComplianceLint's surface but doesn't suppress your need to address those other regimes elsewhere. "Not sure / skip" leaves obligations visible if you'd prefer to make the call case-by-case.
Related
Last updated: 2026-04-30