EU AI Act & AI Compliance for Icon Map
Icon Map currently includes one optional AI-assisted feature. Tekantis governs it under a formal, risk-based framework aligned with the EU AI Act and the NIST AI Risk Management Framework, designed so that your data stays in your control.
This page explains where Icon Map uses AI, exactly what data is and is not sent to AI services, and how we govern these features. For our wider security architecture, see the Icon Map Pro security whitepaper (PDF).
Our approach to AI
Tekantis treats AI as something to be governed, not bolted on. Every AI feature in our products is assessed before release, recorded in an internal AI System Register, and classified against the EU AI Act's risk categories. Our current AI feature is assistive, helping a user find and rank information, and the person always remains in control of the outcome.
In short: AI in Icon Map is optional, limited in scope, and does not analyse your business data or make automated decisions about people. Customer data is never used to train AI models.
Where Icon Map uses AI
We believe in being explicit about where AI is involved. Icon Map currently uses AI in one feature:
AI-assisted catalogue search (Icon Map Catalog)
When a user types a natural-language request to find a dataset in the Icon Map catalogue, an AI model helps interpret the request and rank the most relevant datasets. Technically, the search prompt is converted into an embedding, a vector search is run against catalogue metadata, and a large language model ranks the candidate datasets by relevance. The models are hosted within Microsoft Azure AI Foundry.
The feature is limited to discovering and ranking catalogue datasets. It does not read, analyse or transmit the data inside your reports. It is optional and can be disabled.
Other Icon Map capabilities (rendering maps, layers, slicing, catalogue hosting) are not AI features and are covered by the security whitepaper.
What data is sent to AI, and what is not
This is the question customers most want answered, so we answer it plainly.
Sent to the AI service
- The text the user types into the catalogue search box
- Selected catalogue metadata (dataset titles and descriptions) for ranking
Never sent to the AI service
- Your datasets or report data
- Power BI model or visual data
- Personal, health or other regulated business data
- Anything used to identify or profile individuals
No training on your data. Tekantis does not use customer data, datasets or prompts to train AI models. The AI processing runs in Microsoft Azure AI Foundry, and Microsoft states that business customer prompts, completions and embeddings are not used to train its foundation models without the customer's permission or instruction.
Our EU AI Act position
The EU AI Act (Regulation (EU) 2024/1689) is risk-based. It places the heaviest obligations on "prohibited" and "high-risk" AI, with lighter transparency duties for AI that interacts with people. Tekantis has carried out a formal internal assessment of its AI feature against these categories.
- AI-assisted catalogue search is assessed as a minimal-risk feature with a transparency touchpoint. It is not a prohibited practice and not a high-risk system under the Act.
- It does not operate critical infrastructure, or make decisions about employment, credit, insurance, essential services, law enforcement, migration or justice.
- Icon Map already tells users when AI is being used to assist catalogue search, which is the transparency measure the EU AI Act formally requires from August 2026. We continue to monitor the EU AI Act timeline and update our controls as each obligation takes effect.
- AI features can be disabled for a customer account on request.
We describe our features as assessed against the EU AI Act rather than "certified", because the Act does not provide a product certification scheme for low-risk AI.
United States and the NIST AI Risk Management Framework
There is currently no single, comprehensive federal AI law in the United States equivalent to the EU AI Act. The recognised benchmark that US enterprise customers ask about is the NIST AI Risk Management Framework (AI RMF 1.0).
- Tekantis aligns its AI governance with the NIST AI RMF and operates in conformance with its four functions: Govern, Map, Measure and Manage.
- The same controls that satisfy the EU AI Act, such as risk classification, data-flow mapping, transparency, human oversight and review, also support US due-diligence and procurement reviews.
- We monitor evolving US federal and state AI requirements and adjust our governance where needed.
The NIST AI RMF is voluntary guidance, not a certification scheme; "conformance" means we follow its functions and practices.
Transparency and human oversight
- Users are informed that AI is used to assist catalogue search and ranking.
- AI results are presented as suggestions, so the user reviews them and decides what, if anything, to use.
- No automated decisions are made about individuals.
- Where supported, AI processing can be routed to a customer's own approved AI environment.
Governance and accountability
Behind these features sits a defined governance process, so our position is repeatable and evidenced rather than ad hoc:
- An AI System Register recording each AI feature, its data flow, risk classification and controls.
- An AI System Governance & EU AI Act Compliance Procedure that every new or changed AI feature passes through before release.
- An LLM & Generative AI Usage Policy covering both staff use of AI tools and AI in our products.
- A named owner (CTO) and a regular review cycle, with reassessment whenever a feature's purpose, data, model or hosting changes.
Supporting your compliance reviews
Icon Map is designed to slot into your existing governance. We can support:
- Vendor security and AI due-diligence questionnaires
- EU AI Act and NIST AI RMF supplier assessments
- Data Protection Impact Assessments (DPIAs) under UK/EU GDPR
- Internal security and procurement reviews
More information
More detailed governance documents are available to customers and prospective customers on request, including our:
- AI System Register
- EU AI Act feature assessment
- AI Governance & EU AI Act Compliance Procedure
- LLM & Generative AI Usage Policy
For our wider security architecture, external resources, coding standards and assurance options, read the Icon Map Pro security whitepaper (PDF). You may also be interested in our Healthcare Compliance (HIPAA & NHS) page.
To request documentation or discuss an AI or security review, please get in touch.