Your AI, by the book

Answer the AI questions on every security review — without a compliance team.

Annex turns how your company uses AI into an ISO 42001-aligned policy, an AI use register, and ready-to-send questionnaire answers. So enterprise deals stop stalling on the AI section.

Built for AI-using SaaS teams selling into the enterprise

📋 Vendor Security Assessment · AI & Model Governance · 0 / 5 answered
  • Is your AI management system aligned with ISO/IEC 42001? · Unanswered
  • Describe model provenance and third-party AI APIs in use. · Unanswered
  • What controls mitigate prompt injection and data leakage? · Unanswered
  • How do you document and approve internal AI tool use? · Unanswered
  • Do you disclose AI to end users (EU AI Act Art. 50)? · Unanswered
ISO/IEC 42001 aligned · EU AI Act transparency & literacy · CAIQ & SIG AI sections · Generated in an afternoon
The bottleneck

A security review used to ask about encryption. Now it asks about your AI — and you don't have the answers.

01 · New questions, no playbook. Enterprise questionnaires now ask about model provenance, training data, prompt-injection defenses, and ISO 42001 alignment — questions that didn't exist three years ago.

02 · The deal stalls. A senior engineer disappears for days doing copy-paste archaeology while the prospect waits, and the close slips by weeks.

03 · Auto-fill makes it worse. Generic answer tools pull from a knowledge base you haven't built — so they fill in claims a reviewer catches on sight. You need the governance to be real first.
What you get

Three artifacts that make your AI posture defensible.

Answer a short intake about how you build with and use AI. Annex generates the documentation a buyer's security team — and a regulator — actually want to see.

Policy

AI governance policy

An ISO/IEC 42001-aligned AI management policy, written for your stack and the way your team actually works.

AIMS_policy_v1.pdf
└ Annex A controls mapped ✓
Register

AI use register

Every model, provider, and internal AI tool inventoried — with purpose, data flow, and risk tier in one place.

ai_register.csv
└ 3 models · 2 providers ✓
Answers

Questionnaire answers

Copy-paste responses for the AI sections of CAIQ, SIG, and bespoke DDQs — grounded in the policy and register above.

ai_responses.md
└ Ready to send ✓
How it works

From "we'll get back to you" to sent — same day.

STEP 01

Describe your AI

A guided intake: what you build, which model APIs you call, what your team uses internally, and whether EU users touch it.

STEP 02

Classify

Annex maps your usage to the AI Act risk tiers and flags anything that needs a closer look before you ship answers.

STEP 03

Generate

Your policy, register, and questionnaire answers are drafted from your real answers — not boilerplate.

STEP 04

Share

Export the docs, or send a hosted AI-trust summary so prospects can self-serve before the review even starts.

Where you land

The AI Act sorts systems by risk. Most SaaS isn't high-risk — but it still has duties.

Knowing your tier is the first thing a buyer asks and the first thing Annex settles. We place each of your AI uses, explain why, and generate only the obligations that actually apply to you.

Unacceptable · Prohibited
Banned outright — social scoring, manipulative systems.

High-risk · Flagged for review
Hiring, credit, biometrics. Heavy obligations — deadline now Dec 2027.

Limited risk · You're likely here
Chatbots & AI features — transparency & disclosure duties. Where most SaaS lands.

Minimal risk · Unregulated
Spam filters, basic tooling — no specific obligations.
Why now

The deadlines are real — and closer than the headlines suggest.

The dramatic "high-risk" deadline moved to 2027, but the duties that touch ordinary AI-using SaaS are already landing. And your buyers aren't waiting for any of them.

Feb 2025 · In force
AI literacy duties apply to providers and deployers.

Aug 2026 · Landing now
Transparency obligations — disclose AI interaction (Art. 50).

Dec 2026 · Upcoming
AI-generated content labeling for existing systems.

Dec 2027 · Upcoming
High-risk (Annex III) obligations, deferred by the Digital Omnibus.
Founding access

Lock in the founding rate before launch.

$299 (instead of $499) · One-time readiness package · founding price for the first 50 teams
  • AI governance policy, use register, and questionnaire answers
  • Risk-tier classification with reviewer notes
  • Direct line to the founder while we build with you
  • Optional $39/mo to keep docs current as rules evolve
Reserve your spot

No charge today. We'll email you the founding link before launch. Not legal advice.

Straight answers

Questions you're already asking.

Is this legal advice?

No. Annex produces governance documentation and questionnaire answers for your team and your counsel to review. It's scaffolding that gets you audit- and buyer-ready — not a legal opinion or a certification.

I'm a US company. Does the EU AI Act apply to me?

Often, yes. The Act reaches non-EU companies whose AI output is used in the EU. If you have EU users or customers, you're likely in scope for at least the transparency duties.

Which frameworks do you cover?

ISO/IEC 42001 as the backbone, the EU AI Act's transparency and literacy obligations, and the AI sections of CAIQ and SIG-style questionnaires. More on the roadmap.

What if my AI actually is high-risk?

Annex flags it rather than papering over it. High-risk systems need work Annex doesn't pretend to replace — but you'll know exactly where you stand before a buyer or regulator does.