
EU AI Act Compliance Tools for AI Startups: 2026 Buyer's Guide

By Marc Dubois · May 2026 · 9 min read · Updated for the Omnibus 2026 amendments

Why this page exists: "EU AI Act compliance tool" returns dozens of vendors, most aimed at large regulated enterprises. If you are a 20–200-person B2B AI startup whose enterprise prospect just asked for "your AI Act documentation," none of those pages tell you what you actually need. This guide does — written by someone who builds in this space, not a generic content farm.

The four categories of EU AI Act tooling in 2026

Before comparing individual products, you need to know which of these you are actually shopping for. Most confusion in this market comes from buyers who need category 1 evaluating vendors built for category 3.

Category | Who it's for | Typical price | Time to first artifact
1. Developer SDKs | AI-native startups (10–200 people). You ship code, your team is technical, you want compliance to "just be a library." | €49–€999/mo | Same day
2. Done-for-you audits | Pre-revenue or pre-Series A teams that don't want infra now. They need a one-time PDF for a specific buyer. | €199–€5,000 one-time | 24–72 hours
3. Enterprise AI governance platforms | Banks, insurers, public sector, large enterprises with a dedicated GRC team and SOC 2 / ISO 27001 already in place. | €30k–€250k/yr | 4–12 weeks rollout
4. Specialised legal consultancies | High-risk Annex III deployments (medical, hiring, credit, biometric) where a written legal opinion is required. | €8k–€60k engagement | 2–8 weeks

Category 1 — Developer SDKs (best for AI-native startups)

This category barely existed in 2024. It has grown because AI startups realised that most of AI Act compliance comes down to recording the right facts about every model call and turning those records into a document. That is a software problem, not a consulting problem.
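To make "recording the right facts about every model call" concrete, here is an added example, written for this guide and not taken from auditai's SDK or any vendor's code: a hash-chained, append-only audit trail in which every record commits to the previous one, so a record edited after the fact is detected on verification. This is the kind of "real audit trail of model calls" that the FAQ below says procurement teams look for. The field names (model, caller, purpose, prompt and output hashes), the decorator, and the stand-in model function are illustrative assumptions; the AI Act does not prescribe this schema, and a real deployment would persist the JSONL somewhere append-only and time-stamp or sign it externally.

```python
"""Hash-chained audit trail for model calls (illustrative example, not a vendor SDK)."""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timezone
from typing import Callable

GENESIS = "0" * 64  # prev_hash of the first record in a chain


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(obj: dict) -> bytes:
    # Sorted keys and fixed separators so the same record always hashes the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


class AuditTrail:
    """Append-only list of model-call records, each committing to its predecessor."""

    def __init__(self) -> None:
        self.records: list[dict] = []

    def record(self, *, model: str, caller: str, purpose: str,
               prompt: str, output: str, ts: str | None = None) -> dict:
        prev_hash = self.records[-1]["hash"] if self.records else GENESIS
        body = {
            "seq": len(self.records),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "model": model,      # identifier of the model actually invoked (assumed field)
            "caller": caller,    # service or component that made the call (assumed field)
            "purpose": purpose,  # the use case this call belongs to (assumed field)
            # Hash prompt and output rather than storing them: the evidence file stays
            # free of personal data but can still be checked against retained raw logs.
            "prompt_sha256": _sha256(prompt.encode("utf-8")),
            "output_sha256": _sha256(output.encode("utf-8")),
            "prev_hash": prev_hash,
        }
        body["hash"] = _sha256(_canonical(body))  # hash covers every field except "hash"
        self.records.append(body)
        return body

    def verify(self) -> tuple[bool, int]:
        """Return (True, -1) if the chain is intact, else (False, index of first bad record)."""
        for i, rec in enumerate(self.records):
            expected_prev = GENESIS if i == 0 else self.records[i - 1]["hash"]
            if rec.get("seq") != i or rec.get("prev_hash") != expected_prev:
                return False, i
            unsigned = {k: v for k, v in rec.items() if k != "hash"}
            if _sha256(_canonical(unsigned)) != rec.get("hash"):
                return False, i
        return True, -1

    def to_jsonl(self) -> str:
        return "".join(json.dumps(r, sort_keys=True) + "\n" for r in self.records)

    @classmethod
    def from_jsonl(cls, text: str) -> "AuditTrail":
        trail = cls()
        trail.records = [json.loads(line) for line in text.splitlines() if line.strip()]
        return trail


def audited(trail: AuditTrail, *, model: str, caller: str, purpose: str):
    """Decorator: wrap a prompt -> completion function so every call is recorded."""
    def wrap(call: Callable[[str], str]) -> Callable[[str], str]:
        def inner(prompt: str) -> str:
            output = call(prompt)
            trail.record(model=model, caller=caller, purpose=purpose,
                         prompt=prompt, output=output)
            return output
        return inner
    return wrap


def demo() -> tuple[tuple[bool, int], tuple[bool, int], bool]:
    """Constructed walkthrough: two calls, a JSONL round trip, then one tampered record."""
    trail = AuditTrail()

    @audited(trail, model="example-provider/example-model",  # placeholder model id
             caller="ticket-triage-service", purpose="support ticket triage")
    def complete(prompt: str) -> str:
        return f"TRIAGED: {prompt[:20]}"  # constructed stand-in for a real API call

    complete("Customer cannot log in after password reset")
    complete("Invoice total does not match the quote")

    intact = trail.verify()
    reloaded = AuditTrail.from_jsonl(trail.to_jsonl())
    round_trip_ok = reloaded.verify() == (True, -1) and len(reloaded.records) == 2

    # Someone edits the model name on the first record after the fact.
    reloaded.records[0]["model"] = "some-other-model"
    tampered = reloaded.verify()
    return intact, tampered, round_trip_ok


if __name__ == "__main__":
    print(demo())  # ((True, -1), (False, 0), True)
```

The point of the chain is not secrecy but tamper evidence: a reviewer who is handed the JSONL can recompute every hash and see exactly where history was rewritten, which is what distinguishes an audit trail from a narrative written after the fact.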

What a good SDK does for you

What a good SDK does not do

Reality check: If you are a 50-person B2B AI startup and the procurement question came in this quarter, an SDK + a one-time managed audit is what closes the deal. A €100k/yr enterprise GRC platform is not. Don't let an enterprise vendor talk you into category 3 if you only need category 1.

Category 2 — Done-for-you audits

This category is for the team that doesn't have time to install anything before next Monday's vendor review meeting. You send your model list, use cases, and a basic system description. A specialist returns a 12–25 page Article 26 deployer report mapped to your stack within 48–72 hours.

Pricing in 2026 ranges from €199 (single project, AI-native) to €5,000+ for multi-product audits at Series A startups with 20+ models in production. The €199 tier is a recent development: it works because the underlying SDK automates about 80% of the evidence collection, leaving the reasoning, the framing, and the final PDF as the human work.

This is the path you take if any of the following are true:

Category 3 — Enterprise AI governance platforms

This is the established category — vendors like Credo AI, Holistic AI, Fairly AI, and IBM watsonx.governance were built before the AI Act for the GRC teams of banks and insurers. They cover model risk management, bias testing, lineage, and full enterprise audit trails.

They are excellent at what they do. They are also over-engineered for a 50-person AI startup. The implementation usually requires a dedicated risk team, an integration project of 4–12 weeks, and pricing that starts at €30k/year and quickly hits six figures.

Use this category if:

Category 4 — Specialised legal consultancies

If you are deploying AI in high-risk areas — recruitment screening, credit scoring, biometric identification and education access under Annex III, or medical decision support that is regulated as a medical device and therefore high-risk under Annex I — you will, at some point, need a written legal opinion. No SDK and no platform replaces the named lawyer who signs off on whether your specific use case is high-risk and what your obligations are.

The leading independent EU AI Act consultants in 2026 whose work is publicly visible include researchers like Lukasz Olejnik (cyber-policy advisor, EU Council expert), Nathalie Smuha (KU Leuven, ex-AI HLEG), and a handful of boutique firms in Brussels, Paris, and Berlin. Engagements typically run €8k–€60k for a defined scope.

You almost always need this in addition to tooling, not instead of it. The lawyer answers "are you high-risk?"; the SDK + audit produces the evidence that proves you are managing the obligations.

Before you book a €8k–€60k engagement, walk through the EU AI Act high-risk classification decision tree. Most B2B SaaS teams discover they are not Annex III high-risk once they apply the Article 6(3) derogation and read the actual Annex III sub-paragraphs against worked examples. A one-page classification memo built from that analysis, signed by the CTO, is often what procurement actually wanted.

How to actually choose

Run this 60-second decision flow:

Your situation | What you should buy first
Procurement asked, deal closes in <2 weeks, no internal compliance person. | Done-for-you audit (€199–€2k). Worry about long-term tooling after the deal closes.
You ship code, you have technical staff, you expect this question to repeat. | SDK at developer tier (€49–€149/mo). Add monitoring tier when usage grows.
You operate in healthcare, recruitment, credit, or biometrics. | Specialist legal consultation first, then SDK + DFY for the documentation layer.
You are a regulated bank/insurer/public body with 20+ models. | Enterprise GRC platform. Don't try to bootstrap with category 1.
Mixed: you have one immediate deal AND you want long-term tooling. | SDK install + DFY for the urgent one. Same vendor if possible; the same evidence powers both.

Where auditai fits — honestly

I run auditai. Here is the honest positioning so you can decide if it is for you.

auditai is built for category 1 (SDK) and category 2 (done-for-you). If you are a 10–200-person B2B AI startup using Anthropic, OpenAI, or open-source models, and you want compliance to be a Python library plus a €199 done-for-you fallback, that is exactly what we build. pip install auditai-sdk, three lines of code, an Article 26 PDF on demand.

auditai is not for you if:

Need the document this week?

Send your model list and use case. €199, 48-hour delivery, ready for procurement.


Frequently asked, briefly

Is the EU AI Act actually being enforced in 2026?

Article 26 deployer obligations for high-risk systems take effect on 2 August 2026 under the Regulation's own timetable (Article 113); the eleven duties, the FRIA trigger and the deployer trap most B2B SaaS falls into are walked through in the deep-dive. The Omnibus 2026 amendments adjusted timelines for some prohibited-use cases but did not delay the deployer regime that procurement teams reference today. Enforcement is being stood up at the national level as each Member State designates its market surveillance authorities (Spain's AESIA is the clearest example).

What if my buyer is in the US, not the EU?

The Act's scope is not tied to where you are headquartered. Under Article 2 it covers providers placing AI systems on the EU market, and providers or deployers established in a third country whose system's output is used in the Union (Article 2(1)(c)). If you sell into the EU, or your system's outputs are used there, the obligations apply regardless of where you are based. Several US-headquartered AI startups are now generating Article 26 records to satisfy their European enterprise buyers.

Can I just use ChatGPT to write my own report?

You can, and several teams have. The procurement teams I have seen reject these are looking for two specific signals: a real audit trail of model calls (not a generic narrative) and a named methodology (not a hallucinated reference). A 6-page LLM-written PDF rarely passes.