Continuous Assessment & CI/CD as Continuous Checking
The internal conformity assessment under Annex VI is often understood as a point-in-time exercise. The ongoing obligations under Articles 9, 18, and 72 require a more sustained approach. The continuous assessment model operates on three cadences.
Monthly automated checks verify technical compliance: monitoring systems operational, evidence artefacts current, PMM metric thresholds unbreached, non-conformities within remediation deadlines. The engineering team automates these checks (Airflow or GitHub Actions scripts querying the monitoring infrastructure, evidence repository, and non-conformity register) and produces a structured report.

Quarterly governance reviews bring the AI Governance Lead, technical leads, and DPO Liaison together to review the monthly reports, assess the overall compliance posture, and make governance decisions.

Annual formal reassessment repeats the full Annex VI assessment on the updated AISDP and evidence pack.
Trigger-based assessment supplements the calendar: a substantial modification, a serious incident, a regulatory enforcement action, new harmonised standards, or a material deployment context change triggers an unscheduled assessment of the affected areas.
Key outputs
- Three-cadence continuous assessment (monthly automated, quarterly governance, annual formal)
- Automated compliance checking via Airflow or GitHub Actions
- Trigger-based unscheduled assessment
- Sustained conformity assurance between formal assessment cycles
GRC Platforms, Evidence Repos, NC Tracking, Currency Monitoring
Organisations with larger AI portfolios invest in tooling that supports structured assessment. The tooling landscape spans four categories.
Compliance management platforms (OneTrust, ServiceNow GRC, Archer, IBM OpenPages) or AI-specific platforms (Credo AI, Holistic AI, Monitaur) host the assessment checklist, track non-conformities, manage evidence registers, and generate assessment reports. Key requirements include structured checklist management with Article-level traceability, non-conformity tracking with severity classification and a remediation workflow, an evidence register with metadata tagging and expiry monitoring, and role-based access control with an audit trail.
Evidence repositories (Git-based for code and configuration, SharePoint or Confluence for narrative documentation, S3/Azure Blob/GCS for large binary artefacts) enforce immutability for submitted evidence and retain artefacts for the ten-year period. Non-conformity tracking (Jira with custom workflows, ServiceNow) enforces the remediation workflow. Currency monitoring (scheduled scripts comparing evidence register dates against freshness requirements) generates gap reports for overdue artefacts.
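The monthly automated check from the first section and the currency monitoring described here can be one scheduled script. The following is an added example, not code from the original text or from any of the platforms named above: artefact IDs, freshness periods, non-conformity records, PMM metrics and the report layout are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
@dataclass(frozen=True)
class Artefact:
    artefact_id: str
    article: str         # AI Act article the artefact evidences (traceability)
    last_updated: date
    freshness_days: int  # maximum age before the artefact counts as stale

@dataclass(frozen=True)
class NonConformity:
    nc_id: str
    severity: str
    remediation_due: date
    closed: bool

def check_currency(register, today):
    """Flag artefacts whose last update is older than their freshness requirement."""
    gaps = []
    for a in register:
        overdue = (today - a.last_updated - timedelta(days=a.freshness_days)).days
        if overdue > 0:
            gaps.append({"artefact_id": a.artefact_id, "article": a.article, "overdue_days": overdue})
    return gaps

def check_nc_deadlines(ncs, today):
    """Flag open non-conformities whose remediation deadline has passed."""
    return [{"nc_id": n.nc_id, "severity": n.severity,
             "overdue_days": (today - n.remediation_due).days}
            for n in ncs if not n.closed and n.remediation_due < today]

def check_pmm_thresholds(metrics):
    """Flag post-market monitoring metrics that exceed their configured threshold."""
    return [{"metric": m, "value": v, "threshold": t} for m, (v, t) in metrics.items() if v > t]

def monthly_report(register, ncs, metrics, today):
    """Assemble the structured monthly report; any finding fails the month."""
    findings = {"evidence_gaps": check_currency(register, today),
                "overdue_non_conformities": check_nc_deadlines(ncs, today),
                "pmm_threshold_breaches": check_pmm_thresholds(metrics)}
    status = "FAIL" if any(findings.values()) else "PASS"
    return {"as_of": today.isoformat(), "status": status, **findings}
# Constructed sample data; identifiers, dates and metrics are hypothetical, not from any real register.
REGISTER = [Artefact("EV-001", "Art. 9", date(2025, 1, 10), 90),
            Artefact("EV-002", "Art. 72", date(2025, 5, 20), 30),
            Artefact("EV-003", "Art. 18", date(2025, 3, 1), 365)]
NCS = [NonConformity("NC-07", "major", date(2025, 6, 15), closed=False),
       NonConformity("NC-08", "minor", date(2025, 6, 1), closed=True)]
METRICS = {"false_positive_rate": (0.07, 0.05), "p95_latency_ms": (410, 500)}
AS_OF = date(2025, 6, 30)  # constructed run date for the scheduled check
```

Run from Airflow or GitHub Actions, the same script would read the register and metrics from the evidence repository and monitoring infrastructure instead of the inline sample data, and a FAIL status would open the gap report for the quarterly review.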
For smaller organisations, a Confluence or SharePoint space with structured templates, a Jira project for non-conformity tracking, and scheduled scripts for automated checks is viable, though it scales poorly.
Key outputs
- Platform selection guidance (general GRC vs. AI-specific)
- Evidence repository with immutability and ten-year retention
- Non-conformity workflow automation
- Automated currency monitoring with gap reports