For AI product & HR-tech teams

Hiring tools are high-risk under the EU AI Act. Get ahead of it.

If your product touches recruitment, HR, credit, or biometrics, it's an Annex III high-risk system. Thalus turns the project docs you already have into the documented risk evidence buyers and insurers ask for.

  • Get your EU AI Act tier and a documented risk assessment from a one-pager, PRD, or architecture doc.
  • Confirmed timeline, not speculation: Annex III high-risk obligations apply December 2, 2027 (postponed from August 2026 under the EU's Digital Omnibus).
  • The deadline that bites first is commercial — enterprise procurement and insurers want AI risk evidence before they sign.

From your project doc to a tier and controls list in about 20 minutes.

Built on: MIT AI Risk Repository, NIST AI RMF, EU AI Act, ISO 42001

The problem

AI risk assessment is slow, manual, and out of date the moment it's written.

6.5 hrs

By hand, every time

A skilled analyst stitches Word, Excel, ChatGPT and framework PDFs into one assessment — per use case.

Inconsistent

Hard to defend

Every assessment looks a little different, and the reasoning lives in one person's head instead of a repeatable method.

Quarterly

Regulation keeps moving

NIST, ISO 42001 and the EU AI Act shift faster than a hand-built template can keep up.

How it works

Three steps from intake doc to defensible report.

  1. Drop in the documents

    Upload the artifacts you already have — a charter, a one-pager, a PRD, an architecture doc. No new questionnaire.

  2. The engine assesses

    Thalus analyzes against a proprietary taxonomy synthesized from the MIT AI Risk Repository and NIST AI RMF — each risk with its evidence and required controls, the EU AI Act tier, and a flag on anything it couldn't determine.

  3. Export the report

    Toggle NIST, EU AI Act and ISO 42001 lenses in one click. Export a branded PDF you can hand to a buyer or insurer.

Why Thalus

What makes the output defensible.

Built on real risk research

The MIT AI Risk Repository plus the NIST AI RMF — not a checklist someone wrote last quarter.

Tri-framework lens-switching

Show the same assessment through NIST AI RMF, the EU AI Act, or ISO 42001 — whichever your buyer's security team asked for.

Evidence on every risk

Each identified risk carries the signal it was found from, so the report stands up to a procurement review.

Branded PDF export

A clean, shareable document — the artifact buyers, insurers and your own board keep asking for.

6.5 hours of manual assessment → about 20 minutes.

And the result is more defensible, not less — every risk carries its evidence and maps to the framework your buyer asked for.

What you get

Risks, controls, and your EU AI Act tier.

The report opens with two numbers — risks identified and controls required — then lets you drill into the evidence behind each.

Risks identified

Every risk in your product traced to the document excerpts behind it and marked as a contributor, mitigator, or missing-evidence signal — with severity and confidence under a named theme.

Controls required

The controls each risk needs, with present / operating / relevant status and every treatment gap flagged for procurement.

EU AI Act tier

Your system gets an overall tier with plain-English reasoning — plus an honest list of what it couldn't determine and what to upload to be sure.

Prohibited

Banned practices — social scoring, certain biometric uses.

High-risk

Hiring, credit, biometrics, critical infrastructure. Likely you.

Limited

Transparency duties — chatbots, generated-content disclosure.

Minimal

Most AI. Few or no obligations under the Act.

Pricing

Start free. Pay when it's saving you hours.

  • Free: $0 · 1 assessment
  • Subscription: $500/mo · ongoing
  • 5-assessment bundle: $500 · never expire
  • Enterprise: Book a demo

See your EU AI Act tier in about 20 minutes.

Bring a real project doc. Run it free — no card, no sales call.