v2.4.0

Open-source models are frequently developed without the governance structures that the EU AI Act expects for high-risk system components. The development process may lack formal version control discipline, structured experiment tracking, documented evaluation methodology, or bias and fairness testing across protected characteristic subgroups. These governance gaps create inherited risk that the downstream provider must assess and mitigate.

The AI System Assessor should examine the open-source model’s available documentation, including model cards, dataset descriptions, evaluation reports, and community discussion, to identify which governance practices were followed and which were absent. Common gaps include the absence of disaggregated performance metrics across demographic subgroups, no adversarial robustness evaluation, incomplete documentation of hyperparameter selection rationale, and no formal change management process between model versions.

Each identified gap becomes a risk register entry. The downstream provider must determine whether the gap can be compensated through the organisation’s own evaluation and testing, or whether it represents a non-conformity risk that cannot be adequately mitigated. A model with no published fairness evaluation, for example, requires the downstream provider to conduct comprehensive bias testing against the deployment population; the cost and feasibility of this testing should factor into the model selection decision.

The risk assessment should distinguish between gaps that are inherent to the open-source development model (and therefore predictable and manageable) and gaps that indicate poor development practices (and therefore signal higher inherent risk). A model from a well-maintained repository with active community review and published evaluation methodology presents a different risk profile from a model uploaded without documentation by an unknown contributor.

Key outputs

  • Development governance gap assessment per open-source component
  • Risk register entries for identified gaps
  • Compensating evaluation plan