Scope

Annex IV lists the required documentation: general description, detailed design, monitoring and functioning, risk management, lifecycle changes, standards applied, EU declaration of conformity, and post-market monitoring plan.

The full Annex IV breaks into twelve sections. The general description names the system, its intended purpose, and the provider; the detailed-elements section describes architecture, datasets, computational resources, and software dependencies; the functioning section covers monitoring metrics and human oversight; the risk management section documents the Article 9 process; change management lists predetermined changes that don’t trigger reassessment; the standards section names harmonized standards or the alternatives used; the performance section provides accuracy, robustness, and cybersecurity test results; the misuse section enumerates foreseeable misuse and its mitigations.

What Auditors Look For

Traceability from requirements to implementation to testing. Evidence that risk assessment happened iteratively. Proof of human oversight design. Records of incidents and responses. Version-controlled history.

Specific artifacts national authorities have requested in early enforcement actions: dated risk-register entries showing iteration, model cards aligned to Annex IV section 2(c), data sheets per dataset (training, validation, test), evaluation reports with confidence intervals not just point estimates, oversight-training attendance records, and a change log linking each model version to a risk reassessment. Missing dates and version IDs are the most common audit findings.

Tooling

Most orgs use a mix: compliance management platform (OneTrust, TrustArc), in-house documentation in Confluence/Notion, audit trail from MLOps (W&B, MLflow), source control for code and configs.

A minimum viable stack: Git for code, prompts, and configs with signed commits; MLflow or Weights & Biases for experiment lineage; a governance hub (OneTrust AI Governance, Credo AI, or Holistic AI) for the registry, risk register, and FRIA workflow; Confluence or Notion for narrative documentation linked back from the registry. Avoid pure-PDF documentation — auditors increasingly request machine-readable artifacts they can diff version-over-version.
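The two audit findings called out above, missing dates and version IDs, and the expectation that artifacts be machine-readable and diffable, can be enforced before an authority ever asks. The following is an added example, not code from the page or from any of the tools it names: a small checker that reads a change log and a risk register exported as JSON and reports every model version that lacks a valid ID, an ISO date, or a link to a dated risk reassessment. The field names (`model_version`, `date`, `risk_reassessment`, `id`) and the semver-style version format are this example's own assumptions; map them to whatever your governance hub exports.

```python
import json
import re
from datetime import date

# Constructed sample data (not from the page): a model change log and a risk register
# as a governance hub might export them. Field names are this example's assumption.
SAMPLE_CHANGELOG = json.loads("""
[
  {"model_version": "1.2.0", "date": "2025-03-04", "risk_reassessment": "RR-017",
   "summary": "Retrained on Q1 data; decision threshold unchanged"},
  {"model_version": "", "date": "2025-04-11", "risk_reassessment": "RR-018",
   "summary": "Hotfix to preprocessing"},
  {"model_version": "1.3.0", "date": "April 2025", "risk_reassessment": "RR-099",
   "summary": "New feature set"},
  {"model_version": "1.3.0", "date": "2025-05-02",
   "summary": "Prompt template revised"}
]
""")

SAMPLE_RISK_REGISTER = json.loads("""
[
  {"id": "RR-017", "date": "2025-02-20", "owner": "risk-lead@example.invalid"},
  {"id": "RR-018", "owner": "risk-lead@example.invalid"}
]
""")

# Assumed convention: version IDs are MAJOR.MINOR.PATCH.
VERSION_RE = re.compile(r"^\d+\.\d+\.\d+$")


def _is_iso_date(value):
    """True when value is a YYYY-MM-DD string that parses as a real calendar date."""
    if not isinstance(value, str):
        return False
    try:
        date.fromisoformat(value)
    except ValueError:
        return False
    return True


def audit_changelog(changelog, risk_register):
    """Return a list of finding strings; an empty list means every entry is traceable.

    Checks mirror the audit expectations above: every change carries a well-formed,
    unique version ID and an ISO date, and links to a risk reassessment that exists
    in the register and is itself dated.
    """
    assessments = {r.get("id"): r for r in risk_register}
    seen_versions = set()
    findings = []
    for i, entry in enumerate(changelog):
        where = f"changelog[{i}]"

        version = entry.get("model_version")
        if not version or not VERSION_RE.match(version):
            findings.append(f"{where}: missing or malformed model_version {version!r}")
        else:
            if version in seen_versions:
                findings.append(f"{where}: duplicate model_version {version}")
            seen_versions.add(version)

        if not _is_iso_date(entry.get("date")):
            findings.append(f"{where}: missing or non-ISO date {entry.get('date')!r}")

        ref = entry.get("risk_reassessment")
        if not ref:
            findings.append(f"{where}: no risk_reassessment linked")
        elif ref not in assessments:
            findings.append(f"{where}: risk_reassessment {ref} not found in risk register")
        elif not _is_iso_date(assessments[ref].get("date")):
            findings.append(f"{where}: risk_reassessment {ref} is undated")
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; only the first entry passes cleanly.
    for finding in audit_changelog(SAMPLE_CHANGELOG, SAMPLE_RISK_REGISTER):
        print(finding)
```

Wire a check like this into the same CI that gates model promotion, so a release cannot ship with an undated or unlinked change entry; the JSON inputs are also exactly the kind of artifact an auditor can diff version-over-version.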

Start-Now Advice

Don’t wait for the August deadline. Documentation is easier to capture as the system is built than to reconstruct afterward. If a system is in scope and undocumented, put a compliance engineer on it this quarter, not next.

Reconstruction projects routinely cost 3-5x what build-time documentation costs. The hardest artifact to recreate is dataset provenance — if your training data flowed through three pipelines and a contractor’s laptop, getting an Annex IV-grade data sheet may be impossible. Prioritize new systems for documented-by-default; for legacy systems, choose between full reconstruction, retirement, or rebuild on documented foundations.

Implementation Sequence

Week 1: stand up the registry and list every AI system. Weeks 2-3: classify against Annex III and narrow to high-risk. Weeks 4-6: complete Annex IV sections 1-4 for each high-risk system (description, elements, monitoring, risk management). Weeks 7-9: performance and oversight evidence. Weeks 10-12: post-market monitoring plan, declaration of conformity, EU database registration.

What to Do This Week

Pick your highest-priority high-risk system and produce a one-page Annex IV table of contents identifying the owner and the current evidence for each of the twelve sections.
