Classify every agent by risk before it reaches production
The EU AI Act demands risk classification. Your board demands accountability. But you can't classify what you can't see. Roval maps every agent to a risk tier across four dimensions, automatically.
You can't govern what you haven't classified
Over half of organizations lack systematic inventories of AI systems, making risk classification impossible
EU AI Act compliance analyses, 2025
For CTOs, CIOs, and AI teams, the challenge is no longer 'Can we build AI?' but 'Can we govern AI well enough to deploy it safely, sustainably, and defensibly?'
AI system boundaries are not obvious. Sorting out what is in scope and what is out takes analytical work that simply did not exist with ISMS implementations.
Agents are non-deterministic, context-dependent, and operate across fluid boundaries. The semantic gap between what our detection tools expect and what agents actually do is significant.
Risk classification is the foundation of Roval's AI governance platform. Every policy, certification, and audit report builds on the risk tier assigned here.
From unknown exposure to defensible governance
Four dimensions, one risk score
Classify across data sensitivity, decision authority, blast radius, and regulatory exposure. Configurable dimension weights. The composite tier determines which compliance frameworks apply and which gates the agent must pass.
See the agent registry
EU AI Act risk levels, mapped automatically
Map every agent to the EU AI Act risk pyramid. High-risk systems get mandatory documentation, human oversight requirements, and conformity assessment tracking. Penalties reach EUR 35 million or 7% of global revenue.
See compliance integration
Production gates that enforce policy
High-risk agents cannot reach production without completed risk classification and required certifications. The gate is enforced by the platform, not by process.
See lifecycle management
Auto-classification with human review
The auto-classifier analyzes agent metadata and suggests a risk tier with reasoning you can review. Accept or override with one click. Every classification decision is logged.
See it in action
- Agent handles PII (email, SSN) in request payloads
- Makes autonomous decisions without human review loop
- Serves 50,000+ users, blast radius is high
- Touches payment data, PCI DSS scope applies
Frameworks that mandate risk classification
Risk tiering is a legal requirement under these frameworks, not a nice-to-have.
Four-tier risk classification: unacceptable, high, limited, minimal. High-risk obligations enforceable August 2026.
MAP function requires categorizing AI risks by likelihood and severity across trustworthiness dimensions.
Clause 6.1.2 requires AI risk assessments covering impact, likelihood, and risk treatment decisions.
Article 35 mandates Data Protection Impact Assessments for AI processing that poses high risks to individuals.
Risk classification is built into the platform
Every risk tier flows directly from the agent registry into compliance tracking and audit evidence. No manual hand-off. No spreadsheet exports.
Agent Registry
Register agents, assign owners, classify risk, and enforce lifecycle gates from a single registry that stays current automatically.
Explore the registry
Compliance & Certification
Risk tiers drive which frameworks apply. EU AI Act, SOC 2, HIPAA, ISO 42001. Continuous drift detection and one-click audit evidence export.
Explore compliance
Start classifying your agents
Most teams complete their first full classification sweep in under a day.