Public Methodology Document
ORIENT
Methodology
Six-stage governance framework for AI systems under regulatory pressure.
"Compliance is an orientation, not a checklist. Governance is a disposition, not a deliverable."
From the Greek hexis (εξις) — a stable disposition acquired through practice. ORIENT provides the structured practice; hexis is the governance capacity that results.
Version 1.0
Published: March 2026
Last reviewed: March 2026
Next scheduled review: September 2026
Update model: Internal review
Feedback: [email protected]
Section 01
The ORIENT Framework
ORIENT applies governance reasoning in six sequential stages. Each stage produces a defined output that feeds the next. The cycle is continuous — Track feeds back into Observe as systems, contexts, and regulations evolve.
O
Stage 01
Observe
What is this system?
Identify the AI system, its role, context, and stakeholders. Establish the governance scope.
Output
AI System Inventory Card
R
Stage 02
Risk
What is the risk level?
Classify risk level per EU AI Act categories. Determine governance pathway intensity.
Output
Risk Classification Report
I
Stage 03
Identify
What must we comply with?
Map applicable legal obligations from EU AI Act, KVKK, and sector-specific regulation.
Output
Obligation Register
E
Stage 04
Evaluate
Where do we stand?
Assess current governance maturity against identified obligations. Quantify compliance gaps.
Output
Governance Activation Matrix
N
Stage 05
Navigate
What must we do?
Chart the path from current state to compliance. Prioritize actions by urgency and impact.
Output
Action Roadmap
T
Stage 06
Track
Are we on course?
Set deadlines, review triggers, and monitoring cadence. Maintain governance posture over time.
Output
Governance Record & Review Schedule
ORIENT
Observe · Risk · Identify · Evaluate · Navigate · Track
Continuous loop — Track feeds back into Observe every 6 months
Section 02
Risk-Based Pathways
After the Risk stage, ORIENT branches into three intensity pathways. Every organization completes Observe and Risk. The depth of subsequent stages depends on the classified risk level.
After Stage 02 (Risk)
Three Governance Pathways
High Risk
EU AI Act Annex III / Annex I systems
Observe — Full system inventory
Risk — Formal classification
Identify — Full obligation mapping
Evaluate — Complete gap analysis + FRIA
Navigate — Detailed action roadmap
Track — Continuous monitoring cycle
All six stages in full depth. Mandatory FRIA (Art. 27) for deployers of high-risk systems.
Limited Risk
Transparency obligations (Art. 50) + GPAI
Observe — System inventory
Risk — Formal classification
Identify — Transparency obligations
Evaluate — Focused gap check
Navigate — Light action plan
Track — Annual review cycle
All stages, reduced scope. Focus on transparency requirements and GPAI model cards.
Minimal Risk
Voluntary codes of conduct (Art. 95)
Observe — Basic inventory
Risk — Classification confirmed
Identify — AI literacy (Art. 4) only
Evaluate — Basic self-check
Navigate — Governance basics
Track — Annual review
Observe + Risk mandatory. Remaining stages apply at minimum depth. KVKK obligations may still apply in full if personal data is processed.
KVKK Note: KVKK (Law No. 6698) obligations apply regardless of EU AI Act risk level when personal data is processed. A minimal-risk AI system that processes personal data must still address KVKK Madde 5 (lawful basis), Madde 10 (disclosure), and Madde 11(1)(g) (automated decision-making rights). The dual lens approach ensures KVKK is evaluated at every stage.
Section 03
Stage Definitions
Each ORIENT stage has defined inputs, processes, outputs, legal references, and transition conditions. This structure ensures traceability and repeatability across different organizations and risk levels.
O
Stage 01
Observe
What is this AI system and what does it do?
Inputs
System description or vendor documentation
Deployment context and use case
Stakeholder identification
Data flow overview
Process
Document system purpose and function
Map affected persons and rights
Identify AI components vs. traditional software
Define governance scope boundaries
Outputs
AI System Inventory Card
Stakeholder map
Scope definition document
Transition to Risk
AI System Inventory Card is complete and approved. System scope is defined.
Return trigger
Scope change, new AI component, or system purpose modification → return to Observe.
Hexis Tool
Generator — System Identification Form
Live
R
Stage 02
Risk
What risk level does this system carry?
Inputs
AI System Inventory Card (from Observe)
EU AI Act risk categories
Sector-specific regulation context
Process
Check Art. 5 prohibited practices
Evaluate Art. 6(1) product safety / Annex I
Check Art. 6(2) Annex III high-risk areas
Assess Art. 50 transparency obligations
Evaluate Art. 51–56 GPAI classification
Outputs
Risk Classification Report
Applicable article references
Governance pathway determination
Transition to Identify
Risk classification confirmed. Governance pathway (high/limited/minimal) selected.
Return trigger
Regulatory reclassification, new Annex update, or system capability change → return to Risk.
Hexis Tool
Generator — Risk Classifier Wizard (6-step)
Live
I
Stage 03
Identify
What specific obligations apply to this system?
Inputs
Risk Classification Report (from Risk)
Organization role (provider/deployer/distributor)
Sector-specific requirements
Process
Map EU AI Act article-by-article obligations
Cross-reference KVKK requirements
Identify conformity assessment path (Art. 43)
Map technical documentation requirements (Annex IV)
Outputs
Obligation Register
System-specific compliance checklist
KVKK cross-reference table
Transition to Evaluate
Obligation Register complete. All applicable articles and KVKK cross-references documented.
Return trigger
New legal requirement, organization role change, or sector regulation update → return to Identify.
Hexis Tool
EU AI Act Compliance Checklist
Live
E
Stage 04
Evaluate
Where does our governance stand relative to obligations?
Inputs
Obligation Register (from Identify)
Current governance documentation
Organizational maturity self-assessment
Process
Score oversight, monitoring, documentation maturity (5 levels)
Apply weighted maturity calculation (O:1.5, M:1.4, D:1.0)
Apply minimum safeguard principle
Generate Governance Activation Matrix position
Conduct FRIA (Art. 27) for high-risk deployers
Outputs
Governance Activation Matrix position
Activation posture + urgency index
Gap analysis report
FRIA report (if applicable)
Transition to Navigate
Matrix position calculated. Activation posture and gap analysis confirmed.
Return trigger
Material organizational change, new governance capability, or maturity regression → return to Evaluate.
Hexis Tool
Governance Activation Matrix Generator + FRIA Tool
Live
N
Stage 05
Navigate
What actions move us from current state to compliance?
Inputs
Activation posture + gap analysis (from Evaluate)
Enforcement timeline and deadlines
Organizational capacity and resources
Process
Prioritize gaps by urgency index
Define immediate actions (0–30 days)
Define medium-term targets (30–90 days)
Assign ownership and accountability
Estimate resource requirements
Outputs
Action Roadmap with deadlines
Responsibility assignment matrix
Resource allocation plan
30-day target state definition
Transition to Track
Action Roadmap approved. Ownership assigned. First review date set.
Return trigger
Budget constraint, priority shift, or organizational restructuring → return to Navigate for re-prioritization.
Hexis Tool
Action Roadmap Template
Planned
T
Stage 06
Track
Are we maintaining compliance over time?
Inputs
Action Roadmap (from Navigate)
Implementation evidence and records
Regulatory change monitoring feed
Process
Monitor action completion against deadlines
Conduct periodic governance reviews
Track regulatory changes and new guidance
Detect maturity drift or regression
Trigger re-entry to earlier stages when conditions change
Outputs
Governance Record (versioned)
Review schedule and audit trail
Maturity progression tracking
Re-entry trigger notifications
Loop back to Observe
Every 6 months, or when a return trigger fires. Full ORIENT cycle restarts with updated context.
Return triggers
New AI system → Observe. Regulation change → Risk. New obligation → Identify. Maturity change → Evaluate.
Hexis Tool
Governance Review Schedule Template
Planned
Section 04
Dual Lens: EU AI Act × KVKK
ORIENT operates as a single process with two concurrent perspectives. At each stage, both EU AI Act and KVKK requirements are evaluated in parallel — not as separate workflows but as two lenses on the same governance question.
Stage | EU AI Act Lens (Regulation (EU) 2024/1689) | KVKK Lens (Law No. 6698)
Observe (O) | System classification: AI system, GPAI model, or excluded scope? | Data processing inventory: personal data categories, cross-border transfers?
Risk (R) | Risk level per Art. 5/6/50: prohibited, high, limited, or minimal? | Data sensitivity: special categories (Madde 6), automated decisions (Madde 11(1)(g))?
Identify (I) | Applicable articles, provider/deployer obligations, conformity path | Lawful basis (Madde 5), data controller obligations (Madde 12), VERBİS
Evaluate (E) | Governance maturity assessment, FRIA (Art. 27), gap analysis | Data protection impact assessment, technical/organizational measures adequacy
Navigate (N) | Compliance roadmap aligned to enforcement deadlines | KVKK compliance action plan, data breach notification procedures (Madde 12(5))
Track (T) | Post-market monitoring (Art. 72), regulatory change tracking | Periodic KVKK audit (Madde 12), data breach monitoring & notification (Madde 12(5))
Section 05
Governance Activation Matrix
The Governance Activation Matrix is the primary output of the Evaluate stage. Risk exposure alone does not determine governance response. The required activation posture emerges from the intersection of exposure level and governance maturity. The same high-risk system requires fundamentally different action depending on whether governance is absent or embedded.
Rows: governance maturity. Columns: risk exposure.
Maturity | Low | Moderate | Elevated | High
Absent | Define Governance Scope: Map boundaries & impact | Initiate Minimum Governance: Establish ownership & controls | Assign Risk Owner Immediately: Structure accountability now | Intervene — Suspend or Constrain: No operation without oversight
Ad Hoc | Begin Light Structuring: Document existing practices | Define Repeatable Processes: Assign ownership, start docs | Formalize Oversight Structure: Set roles & review cadence | Activate Formal Governance Now: Mandate human oversight
Structured | Observe & Stabilize: Confirm coverage periodically | Define & Track Metrics: Build monitoring baseline | Activate Monitoring Cadence: Schedule review cycles | Intensify Monitoring & Clarify Roles: Define escalation path
Continuous | Run Periodic Checks: Verify controls efficient | Optimize Coverage & Efficiency: Review scope vs. changes | Track Performance & Detect Drift: Enable drift alerting | Run Audit & Stress Test: Review bias & failure modes
Embedded | Maintain Standard Operations: No immediate action | Maintain & Schedule Reassessment: Annual regulatory review | Sustain & Verify Alignment: Check scope or context changes | Maintain Continuous Assurance: Commission external audit
Governance maturity dimensions are weighted according to regulatory impact priority (Oversight 1.5 · Monitoring 1.4 · Documentation 1.0). See Section 06 for full weight justification. Minimum safeguard principle: if any dimension scores Absent, overall maturity is capped at Ad Hoc.
Section 06
How the Engine Reasons
The Governance Activation Matrix produces activation postures through a deterministic reasoning chain. Each component is normatively grounded and independently traceable.
Component 01
Exposure Profile
Low: Indirect or negligible human impact. No regulatory category trigger.
Moderate: Potential human impact in bounded context. Regulatory signals present.
Elevated: Direct human impact. Regulatory sensitivity confirmed. Technical uncertainty present.
High: Significant human impact. High-risk category under EU AI Act Annex III or equivalent.
Component 02
Maturity Dimensions & Weights
Dimension | Weight | Regulatory basis
Oversight | 1.5 | EU AI Act Art. 14 — human oversight obligations
Monitoring | 1.4 | NIST AI RMF Measure & Manage — drift detection
Documentation | 1.0 | ISO 42001 §8 — audit readiness, accountability
Minimum Safeguard Principle: If any single dimension scores Absent, overall maturity is capped at Ad Hoc — regardless of weighted average. A critical governance gap in one dimension cannot be masked by strength in others.
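Added example (not part of the ORIENT tooling): a sketch of the weighted maturity calculation and the minimum safeguard cap, showing how a weighted average alone would hide an Absent dimension. The 0-4 ordinal scale and round-half-up mapping are assumptions; the weights, level names and Elevated-exposure postures are taken from this page.

```python
from math import floor

# Five maturity levels named on the page; scoring them 0-4 is an assumption.
LEVELS = ["Absent", "Ad Hoc", "Structured", "Continuous", "Embedded"]
# Dimension weights as published in the methodology.
WEIGHTS = {"oversight": 1.5, "monitoring": 1.4, "documentation": 1.0}
# Elevated-exposure column of the Governance Activation Matrix (from the page).
ELEVATED_POSTURE = {
    "Absent": "Assign Risk Owner Immediately",
    "Ad Hoc": "Formalize Oversight Structure",
    "Structured": "Activate Monitoring Cadence",
    "Continuous": "Track Performance & Detect Drift",
    "Embedded": "Sustain & Verify Alignment",
}


def weighted_level(scores):
    """Weighted average of the three dimension scores, as a level name.

    Rounding half up to the nearest level is an assumption; the page
    publishes the weights but not the rounding rule.
    """
    missing = set(WEIGHTS) - set(scores)
    if missing:
        raise ValueError(f"missing dimensions: {sorted(missing)}")
    # LEVELS.index raises ValueError on an unknown level name.
    total = sum(w * LEVELS.index(scores[d]) for d, w in WEIGHTS.items())
    return LEVELS[floor(total / sum(WEIGHTS.values()) + 0.5)]


def overall_maturity(scores):
    """Apply the minimum safeguard principle on top of the weighted level."""
    level = weighted_level(scores)
    if any(scores[d] == "Absent" for d in WEIGHTS):
        # Any Absent dimension caps overall maturity at Ad Hoc.
        capped = min(LEVELS.index(level), LEVELS.index("Ad Hoc"))
        return LEVELS[capped]
    return level


# Constructed sample: strong oversight and monitoring, no documentation.
sample = {"oversight": "Embedded", "monitoring": "Embedded",
          "documentation": "Absent"}

if __name__ == "__main__":
    for name, fn in (("average only", weighted_level),
                     ("with safeguard cap", overall_maturity)):
        level = fn(sample)
        print(f"{name}: {level} -> {ELEVATED_POSTURE[level]}")
```

For the constructed sample the average alone lands on Continuous, while the cap moves the same system to Ad Hoc and therefore to a different matrix cell.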
Component 03
Urgency Index
Urgency index is a proportional heuristic reflecting regulatory exposure dominance over governance maturity. Exposure weight (1.6) exceeds maturity mitigation weight (0.8) because unmanaged risk scales faster than governance matures.
The urgency index determines the visual severity signal (left-edge bar) in each matrix cell. It is not a compliance score. It signals the relative pressure between current risk exposure and current governance capacity. Urgency is a pressure signal — activation posture is determined by the matrix position and safeguard principle.
Section 07
Return Triggers
ORIENT is not a one-way process. Defined conditions trigger re-entry to earlier stages, ensuring governance remains aligned with changing reality. The Track stage monitors all triggers continuously.
New AI system or component added
Return to → Observe
System purpose or scope changes
Return to → Observe
Regulatory reclassification or Annex update
Return to → Risk
System capability or performance changes
Return to → Risk
New legal requirement or sector regulation
Return to → Identify
Organization role changes (provider ↔ deployer)
Return to → Identify
Governance maturity regression detected
Return to → Evaluate
Organizational restructuring or resource change
Return to → Navigate
Scheduled re-entry: Every 6 months, Track triggers a full cycle restart through Observe — regardless of whether any specific trigger has fired. This ensures governance does not become stale even in stable environments.
Section 08
Limitations & Feedback
ORIENT v1.0 is designed for transparency about what it does and does not do.
Not legal advice
ORIENT produces normative governance recommendations, not legal opinions. Findings should be reviewed by qualified legal or compliance counsel before regulatory submissions.
Not a certification
An ORIENT assessment does not constitute certification of compliance with EU AI Act, ISO 42001, or any other standard. It is a structured assessment input.
Context-neutral (V1)
Version 1.0 applies uniform weights across all sectors. Healthcare, HR, and financial contexts may require adjusted profiles. Sector-specific weight profiles are planned for V2.
Normative, not statistical
Weights reflect regulatory priority signals — not empirical data from incidents. The model is transparent about this. Weights will be calibrated against real usage data in V3.