AI Act Compliance Audit — Northwind E-commerce LLC

Audit period: April 2026 · Engagement #PL-2026-0042 · Delivered May 8, 2026

Executive summary

Northwind E-commerce (a 75-person Shopify store doing $14M GMV, US-based with shipping to EU customers) uses 23 distinct AI-powered tools across operations, marketing, and customer support. Of these:

3 high-risk per EU AI Act Article 6 (employment/screening + algorithmic pricing for EU customers)
9 limited-risk requiring transparency disclosures (consumer chatbot, AI-generated content)
11 minimal-risk with documentation/monitoring obligations only

Critical action required by Aug 2, 2026: 3 high-risk systems need full DPIA + human-oversight documentation. Estimated 28 hours of in-house work, or we can complete the documentation as a follow-on engagement.

Section 1 — AI Tool Inventory

This inventory was built from (a) workspace scans of Google Workspace and Slack integrations, (b) 4 async team interviews, and (c) cross-reference against the AICPA-AI Tool Registry.

Category	Tool	Used by	Purpose	EU risk
Marketing	Klaviyo AI	Mktg (3)	Email subject-line generation, send-time prediction	Min
Marketing	Jasper	Mktg (2)	Blog drafts, product descriptions	Lim
Operations	Notion AI	All (52)	Doc summaries, meeting notes	Min
Operations	Otter.ai	Ops (8)	Meeting transcription	Min
Operations	Loom AI	Eng (12)	Video transcript + summary	Min
Pricing	Prisync	Mktg (1)	Algorithmic price-matching for EU + US customers	High
Support	Gorgias AI	Support (6)	Customer-facing chatbot, ticket triage	Lim
Support	Ada	Support (4)	Pre-purchase chatbot on EU site	Lim
People	HireVue	HR (2)	Video-interview scoring for warehouse hires (EU + US)	High
People	Lattice AI	HR (2)	Performance review summaries	High
People	Calendly AI	All (38)	Meeting scheduling	Min
Engineering	GitHub Copilot	Eng (12)	Code completion	Min
Engineering	Cursor	Eng (5)	Code editing	Min
Engineering	Vercel v0	Eng (3)	UI component generation	Min
Finance	Brex AI	Finance (2)	Expense categorization	Min
Finance	Vena	Finance (1)	Financial forecasting	Lim
Legal	Spellbook	Legal (1)	Contract review	Lim
Data	Mixpanel AI	Data (3)	Insight generation on customer behavior	Lim
Data	Anthropic Claude API	Eng (4)	Custom internal tooling (research assistant, dashboards)	Lim
Data	OpenAI ChatGPT Team	All (60)	General-purpose assistance	Lim
Sales	Apollo AI	Sales (3)	Lead enrichment, outreach drafting	Min
Sales	Gong	Sales (3)	Call recording + analysis	Lim
Sales	Clay	Sales (1)	Multi-source lead enrichment	Min

Section 2 — Jurisdiction Risk Classification

EU AI Act (effective Aug 2, 2026)

Three Northwind systems trigger high-risk obligations under EU AI Act Annex III:

HireVue (employment screening) — Annex III, point 4(a). Requires DPIA, human oversight documentation, bias testing, and registration in the EU AI System Registry.
Lattice AI (performance review) — Annex III, point 4(b). Same obligations as above.
Prisync (algorithmic pricing to consumers) — Annex III, point 5(d). Requires transparency documentation and consumer-facing disclosure.

Nine systems are limited-risk requiring consumer-facing transparency notices (chatbots, AI-generated content).

Colorado SB 205 (effective Feb 1, 2026)

Same three high-risk systems trigger Colorado SB 205 obligations because Northwind makes consequential decisions about Colorado residents (4.2% of customer base). Requires:

Risk management policy documenting the high-risk AI use
Annual impact assessment
Consumer-facing notice + appeal process for AI-influenced decisions

NYC Local Law 144 (AEDT, in effect)

HireVue use for hiring of NYC-resident candidates triggers a bias audit obligation within 12 months prior to use. Northwind's last bias audit was Sept 2024 — out of window. Action: schedule fresh audit before next hiring cycle.

Section 3 — Recommended Actions (priority order)

By Jun 15, 2026: Schedule NYC AEDT bias audit for HireVue (vendor-provided or 3rd-party).
By Jul 1, 2026: Publish consumer-facing AI transparency notice on northwind.com and northwind.eu (template provided in Appendix A).
By Jul 15, 2026: Complete DPIA for HireVue, Lattice AI, and Prisync (template provided in Appendix B).
By Aug 1, 2026: Register the 3 high-risk systems in EU AI System Registry once operational (registry opens Aug 2026).
By Aug 1, 2026: Implement human-oversight protocol for HireVue and Lattice AI hiring/perf decisions (template provided in Appendix C).
Ongoing: Add AI use disclosure to Gorgias and Ada chatbot opening messages.
Ongoing: Adopt the governance policy (Appendix D) and assign an internal AI compliance owner.

Section 4 — Vendor Compliance Verification

Of the 23 tools, 14 vendors have published AI Act compliance statements. The remaining 9 require direct outreach; templates for that outreach are included in Appendix E.

Appendices (in full report)

Appendix A: Consumer AI transparency notice templates (US + EU versions, 4 variants)
Appendix B: DPIA template tailored to the 3 high-risk systems
Appendix C: Human-oversight protocol templates
Appendix D: Internal AI governance policy (10-page document)
Appendix E: Vendor compliance verification outreach templates
Appendix F: 30-day implementation checklist with owner assignments

Plumbline AI Act Compliance Audit — Sample Report
Audit methodology: 5-minute async interviews × 4 team members; workspace scan via Google Workspace + Slack API; cross-reference against EU AI Act (Reg. 2024/1689), Colorado SB 205, NYC Local Law 144, and AICPA AI Tool Registry. Audit completed within 10 business days of engagement start.

This is a fictional sample for illustration. Real engagements deliver this report PLUS a Notion compliance workspace, a 30-min walkthrough call, and 30 days of follow-up support — all for $1,500 flat.