Five phases, one procedure: AI consulting with the Sakızlı model
A good recommendation does not begin with a fast answer, but with a procedure that keeps uncertainty visible. The Sakızlı five-phase consulting model gives AI consulting that procedure — and puts contractual, legal and regulatory questions at its centre.

AI can create pace in an advisory engagement: it sorts material, drafts variants and makes gaps visible. But that alone is not yet responsible advice. As soon as an AI deployment has consequences for people, contracts or resources, you need a path on which a request does not simply turn into a plausible-sounding answer, but into a traceable process — with clear stations, clear results and clear responsibilities.
That is exactly what the Sakızlı five-phase consulting model is built for. It extends the existing Sakızlı model — which engages in detail with ethical questions and governance principles — and deliberately widens the focus to contractual, legal and regulatory questions in the context of AI deployments. The result is a hands-on guide for AI consultants that tackles these challenges systematically and across disciplines: ethics and governance remain in view, while the legal frameworks move to the centre. Organisations thereby not only minimise legal risk — they also seize opportunities in an AI environment that keeps evolving.
Phase 1: Preparation and anamnesis
The first phase lays the foundation — and it starts not with technology but with clarifying goals: which contractual and regulatory objectives should the AI deployment achieve? Ensure compliance, secure liability, optimise data protection — and which laws and directives actually govern that? In practice: GDPR and the EU AI Act almost always, plus, depending on the project, eIDAS, the DSA and DMA, copyright and media law, criminal-law aspects, commercial and contract law, and liability questions from product liability to tortious liability. Aligning with human-rights standards and ethical guidelines belongs here too — for instance, to rule out discrimination or intrusions into privacy from the outset.
Then comes the anamnesis in the narrower sense: gathering information. It captures the technological context — the AI technologies, algorithms, data sources and interfaces in use — reviews existing contracts, licence and cooperation agreements, and draws on external opinions, regulatory guidelines and industry standards such as ISO norms. The phase ends with defined parameters: a project plan with milestones and budget, a stakeholder map of internal actors (legal, compliance, IT security) and external experts (specialist lawyers, data-protection advisers) — and a catalogue of measures with contingency plans should the analysis reveal critical legal gaps. Everything is documented transparently, with cross-references to specific GDPR articles or sections of the EU AI Act.
Phase 2: Analysis and problem definition
Now the status quo is examined systematically. The needs analysis uncovers gaps in existing contractual arrangements and legal uncertainties: are the data-processing operations GDPR-compliant? Are copyright and media-law provisions observed? Where are there criminal-law risks from misuse, where unclear liability rules for AI-based decisions? An assumption stays visible as an assumption; an observation does not become a fact just because it has been repeated often.
The central tool is the SWOT analysis: strengths such as existing compliance mechanisms, weaknesses such as unclear responsibilities in the event of data-protection breaches, opportunities such as competitive advantage from proactively adapting to upcoming regulation, risks such as fines for violations of the GDPR or the EU AI Act. Prioritisation follows: an urgency matrix rates each question by impact and likelihood, so that critical areas — data-protection breaches, liability questions — are addressed first. The result is an analysis report that serves as the basis for phase 3, plus a monitoring mechanism that detects changes in the legal situation early.
Phase 3: Consulting and solution development
Only now is it time for proposals — and they get concrete. At the heart of this phase is tailored contract design: precise liability clauses that cover product liability and tortious liability and define responsibilities clearly; data-protection and compliance clauses on processing, data-subject rights and reporting duties under the GDPR, eIDAS and the EU AI Act; provisions to protect copyrights and trade secrets, so that neither content nor internal knowledge is disclosed unintentionally. This is complemented by a risk-management framework with contingency and escalation plans for unexpected legal challenges.
Methodologically, the phase relies on proven practices: standardised checklists covering all relevant fields of law, interactive workshops and case studies in which solutions are tested against concrete scenarios, and benchmarking against industry standards. Decisive is interdisciplinary collaboration — lawyers, data-protection officers, IT-security experts and management work in regular coordination rounds towards a shared target picture, including KPIs that make progress measurable. No single discipline decides alone; that is precisely what makes the solutions durable.
Phase 4: Implementation and documentation
A recommendation does not become safe by being thorough — but by making clear who is responsible for each step. The action plan breaks implementation into work packages — from contract revision to introducing new compliance processes — assigns each package owners, deadlines and resources, and provides escalation plans for delays or compliance breaches. Budget and staffing are planned explicitly, so that external checks such as GDPR-conformity opinions are covered too.
In parallel runs the documentation: a central project dashboard, minutes of all decisions, and every contract adjustment recorded with its specific legal basis — as evidence for future audits and towards regulators. The communication strategy closes the phase: internally through training, guides and FAQ documents that familiarise staff with the new arrangements; externally through transparent reports that strengthen the trust of partners and authorities.
Phase 5: Evaluation and follow-up
Handover does not end the engagement. Regular evaluation cycles — quarterly or half-yearly — check whether the new contractual arrangements and compliance measures are working. Measurement is against defined KPIs: number of data-protection incidents, update rate of contract clauses, results of internal and external audits. Feedback from legal, compliance, IT security and external assessors flows into detailed evaluation reports that are archived in an audit-proof way.
The second component is dynamic updating: if the legal situation changes — an update to the EU AI Act, new requirements from the DSA or DMA — the model is adjusted immediately; contracts and internal policies are revised on the basis of the evaluation results, and lessons learned are documented. In the long run, a continuous monitoring system with a dashboard and regular follow-up appointments ensures that compliance does not stay a project state but becomes an operating state. This phase does not make the advice perfect — it makes it correctable.
| Phase | Guiding question | Result |
|---|---|---|
| 1 · Anamnesis | Which goals, contracts and laws govern the deployment? | Project frame, stakeholder map, legal inventory |
| 2 · Analysis | Where are gaps, risks and opportunities — and what first? | SWOT, urgency matrix, analysis report |
| 3 · Solution | Which arrangements hold — legally, technically, operationally? | Contract clauses, risk framework, measures |
| 4 · Implementation | Who implements what by when — and how is it evidenced? | Action plan, documentation, communication |
| 5 · Evaluation | Does it still work — even as the legal situation changes? | Reviews, KPIs, updated model |
The model in action: a case from practice
What this looks like concretely is shown by an example from the full version of the model: Alex Meier, a self-employed influencer, wants to optimise his Instagram strategy with an AI solution built on RunwyML — trend analysis, content optimisation, better engagement rates. Budget: 15,000 euros, project duration: three months. In phase 1 the goals are made measurable (engagement up 15 percent within six months, at least three relevant content themes per month) and the budget is split: around 6,000 euros for external legal and data-protection advice, 4,000 euros for the technical integration, 2,000 euros for training, 3,000 euros as a buffer.
The analysis in phase 2 sets the priorities: first comes GDPR-compliant processing of personal data — comments, likes, follower interactions. Then come clear liability rules for the case of faulty AI predictions and adherence to Instagram's terms of use for the API connection. Broader copyright questions remain secondary as long as only publicly accessible content is used. Phase 3 translates this into tailored contract clauses and control mechanisms, phase 4 implements them with clear responsibilities, and phase 5 monitors, via an audit cycle, whether the solution stays compliant even when Instagram changes its terms or the EU changes its regulation.
The example also shows a core principle of the model: only the legal questions that actually apply to the scenario are included. The project idea determines the depth of the work — a sole trader with a 15,000-euro budget does not need a corporate compliance apparatus, but very much needs sound data-protection and liability foundations. It is precisely this proportionality that makes the model workable for small projects too.
# CONSULTING ROUTE · 5 PHASES
**1 · Preparation & anamnesis**
Capture goals, contracts, legal frameworks (GDPR, EU AI Act, eIDAS) …
**2 · Analysis & problem definition**
Name the gaps · SWOT · urgency matrix …
**3 · Consulting & solution development**
Contract clauses · risk mitigation · expert network …
**4 · Implementation & documentation**
Action plan · audit trail · communication …
**5 · Evaluation & follow-up**
Reviews · KPIs · dynamic updating …The Sakızlı five-phase consulting model replaces neither legal judgement nor professional responsibility. What it does is something more modest and, at the same time, decisive: it gives the engagement a procedure on which it stays visible what was checked, what is open and who decides. AI accelerates every single station — but the order, the results and the responsibility stay human. That is exactly why the model is designed to be interdisciplinary: law, data protection, IT security and management share a procedure, not just a goal.
Worksheet: Lead a case through five phases
Choose one concrete AI advisory case — ideally a real one. Lead it once, completely, through all five phases and record, per phase, only what the next decision genuinely needs. Allow 30 to 45 minutes.
Anamnesis. Note the measurable goal of the AI deployment and the three to five legal frameworks that actually apply here (almost always the GDPR and the EU AI Act).
Analysis. Draft a short SWOT and name the single highest-priority question — measured by impact times likelihood.
Solution. Sketch one concrete contract clause or measure that addresses exactly that priority — liability, data protection or IP.
Implementation. Assign the measure an owner, a deadline and the legal basis the documentation will reference.
Evaluation. Define one KPI and one review date at which you check whether the measure still holds after a change in the legal situation.
All materials to download — the topic overview and the worksheet:
● Members only
Read the full article and download all files with a membership.
Unlock full article + downloads → Subscribe0 comments
No comments yet — be the first.