Published June 6, 2026 | Version v1
Preprint Restricted

Toward Deterministic Compliance Scoring for AI Tools: A Formally-Analysed Multiplicative Severity Model under the EU AI Act and GDPR

Description

Organisations deploying AI tools must decide, often in real time, whether a given tool may be used under the EU AI Act and the GDPR. Existing methodologies are qualitative and produce reports rather than machine-actionable decisions. This working paper develops a deterministic severity model that maps a set of boolean compliance properties of an AI tool — each tied to a specific provision of EU law — to a single numerical score and a discrete system action (allow, notice, approval, block). We motivate a multiplicative rather than additive aggregation on the grounds that compliance failures compound, analyse structural properties of the resulting function (determinism, monotonicity over a compliance lattice, and absolute priority of prohibited classifications), and report an automated check of these properties using an SMT solver. We characterise the model's behaviour across its input space and position it against existing governance frameworks and quantitative risk approaches. We treat the weighting and thresholds, the absence of empirical validation against real tools, and the handling of the prohibited case in the solver encoding as open items for the full version.
