Trusq

factual analysis · traceable to primary sources

Topics Opportunities Take the check Work with us LinkedIn NLยทEN
Guide

Preparing for an AI supervisory audit: which documentation to have ready

Adopted 2026-06-22 ยท ≈ 2 min read ยท Dirk Baaijen

In an audit a supervisor first requests your documentation. Those with technical documentation, risk management, logging, a declaration of conformity and governance in order pass the test. This guide summarises what to have ready.

Short answer: In a supervisory audit it is not so much your system that is tested as your file. The supervisor first requests your technical documentation, your risk management, your logs, your declaration of conformity and your governance. Those who have these documents ready and up to date pass; those who must reconstruct them afterwards get stuck. So prepare the file before the audit, not after.

What a supervisor requests first

For high-risk systems the AI Act prescribes exactly which documentation must be available. In practice a supervisor usually asks for:

  • Technical documentation (Annex IV): purpose, design, data specifications, tested behaviour and known limitations of the system.
  • Risk management system: how you identify, assess and mitigate risks across the lifecycle.
  • Data governance: provenance, quality and representativeness of training and test data.
  • Log files: automatic recording of events to ensure traceability.
  • EU declaration of conformity and CE marking where applicable.
  • Human oversight and instructions for use for the deployer.

Documentation is an ongoing process

The mistake organisations make is treating documentation as a one-off project. The AI Act requires documentation to stay current: with every substantial change to the system, the file must follow. An audit can take place years after deployment, so version control and a demonstrable update routine are crucial. A file that does not match the system in production is a red flag.

Split the roles: provider versus deployer

Not all documentation rests with the same party. The provider produces the technical documentation and declaration of conformity; the deployer must be able to show it uses the system according to the instructions for use, arranges human oversight and retains logs where required. In an audit this distinction becomes sharp; set out in contracts who supplies which document. Anchoring this belongs in your governance framework.

Rehearse the audit yourself

The best preparation is an internal mock audit: have someone who did not build the system request the file as if they were the supervisor. Missing documents, outdated versions and untraceable choices then surface before it really counts. What the enforcement process actually involves is covered separately.

What to do

  • Draw up a file index with all mandatory documents and the owner of each.
  • Ensure version control: documentation follows every system change.
  • Check your logging: do you record enough to trace decisions?
  • Allocate roles with suppliers: who delivers which document?
  • Run a mock audit before the supervisor calls โ€” see also national supervisors.

Sources

  1. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
    Regulation (EU) 2024/1689 (AI Act); Art. 11, 12, 17-19 and Annex IV on technical documentation, logging and quality management.
  2. https://digital-strategy.ec.europa.eu/en/policies/ai-office
    European Commission; the AI Office and national supervisors can request documentation directly.

Share on LinkedIn

Read next

W

The EU declaration of conformity under the AI Act (Article 47)

The EU declaration of conformity is the written statement by which the provider itself confirms that a high-risk AI system meets the AI Act. Article 47 sets out its content, language and retention; the provider bears full responsibility for it.

W

The AI Act for developers: provider duties and documentation

If you build or fine-tune AI, you are often a provider under the AI Act โ€” the role with the heaviest obligations. This guide translates the legal text into what a developer and product team must concretely arrange: technical documentation, data quality, logging and human oversight by design.

W

The authorised representative for non-EU providers (Article 22)

A provider established outside the EU must appoint a written authorised representative in the Union before placing a high-risk AI system on the market. Article 22 makes that person the European point of contact for authorities, with its own duties and power to end the mandate.

Dirk Baaijen

About this knowledge base

Compiled and maintained by YRproject โ€” programme and project direction at the intersection of digital transformation, AI and regulation. Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen About & method โ†’

A project or programme? Work with YRproject โ†’

The monthly briefing

AI regulation in five minutes: what changed, what is coming and what it means. No spam, unsubscribe anytime.

Your address is used for this only and stored on our own servers.