Readiness Capability — AISDP Retrieval & Drills
The organisation maintains an “inspection-ready” posture at all times. The AISDP and evidence pack are current. Evidence is organised and accessible; an inspector should not need to wait for someone to locate it. Monitoring dashboards are operational and displaying current data. The human oversight interface can be demonstrated on request.
Annual rehearsal exercises (the “30-minute drill”) test whether the team can produce each category of requested artefact within 30 minutes. Mock inspectors request specific artefacts using regulatory language (for example, “please provide the records required under Annex IV point 2(b)”), ask probing questions, and test the team’s ability to explain the risk management process and fairness methodology.
A pre-configured IAM role (“regulatory-inspector”) provides read-only access to the evidence repository, monitoring dashboards, logging infrastructure, model registry, and AISDP documentation. Proprietary source code, commercial contracts, and unrelated information are excluded. The Legal and Regulatory Advisor tests the role monthly.
Key outputs
- Inspection-ready posture maintained continuously
- Annual 30-minute drill with mock inspectors
- Pre-configured regulatory access IAM role
- Drill results documented as Module 10 evidence
During Inspection — Spokesperson, SME, Access, Logging
When an inspection is initiated, the AI Governance Lead serves as the primary point of contact. A designated Inspection Coordinator manages logistics: scheduling interviews, retrieving documents, arranging system access, and maintaining a log of every document provided and every question asked. The inspection log serves as the organisation’s record of the inspection.
The organisation provides everything within the lawful scope of the inspection promptly and cooperatively. Obstructing or delaying the inspection carries penalties under Article 99(5). Where a request touches on commercially sensitive information beyond the regulatory scope, the Legal and Regulatory Advisor engages with inspectors to agree confidentiality protections.
Key personnel (AI Governance Lead, Technical SME, Legal and Regulatory Advisor) are available at short notice. Their roles during inspection are predefined: the AI Governance Lead addresses governance and strategic questions, the Technical SME addresses technical architecture and testing questions, and the Legal and Regulatory Advisor addresses regulatory interpretation and data protection questions.
Key outputs
- AI Governance Lead as primary contact, Inspection Coordinator for logistics
- Inspection log of all documents provided and questions asked
- Predefined roles for key personnel
- Module 10 AISDP evidence
Post-Inspection Actions
Following an inspection, the authority may issue findings, recommendations, or corrective action requirements. The Conformity Assessment Coordinator enters each finding into the Non-Conformity Register, assigns a responsible person, and tracks remediation within the required timeline. Remediation evidence is documented and, where the authority requests confirmation, submitted.
Inspection findings may reveal systemic weaknesses affecting other systems in the portfolio. The AI Governance Lead assesses whether findings indicate organisation-wide gaps and, if so, initiates a broader remediation programme. A finding about inadequate evidence currency for one system, for example, may indicate a process weakness affecting all systems.
The post-inspection record (findings received, remediation actions, evidence of closure, authority confirmation) is retained as Module 10 evidence for the ten-year period.
Key outputs
- Inspection findings entered into Non-Conformity Register
- Cross-portfolio systemic weakness assessment
- Post-inspection record retained for ten years
- Module 10 AISDP evidence
Dual Readiness (NIS2 & AI Act)
Organisations subject to both the AI Act and NIS2 may face inspections from different authorities under different legal bases. The inspection readiness framework should accommodate both regimes. The regulatory access IAM role includes both AI Act evidence (AISDP, assessment records, monitoring dashboards) and NIS2 evidence (security policies, incident logs, vulnerability management records, supply chain documentation).
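A static check that could back the monthly test of the “regulatory-inspector” role described under Readiness Capability, extended to the NIS2 evidence named above. This is an added example, not part of the original framework; the AWS-style policy JSON, the resource ARNs and the read-verb list are constructed assumptions, and the check reads the policy document only (no condition keys, no per-statement pairing of actions with resources).

```python
import fnmatch

READ_VERBS = ("Get", "List", "Describe", "Filter")  # assumed read-only verb prefixes

# Constructed sample ARNs, one per evidence category the role must reach.
IN_SCOPE = {
    "evidence repository": "arn:aws:s3:::example-evidence/module10/drill.pdf",
    "monitoring dashboards": "arn:aws:cloudwatch::111122223333:dashboard/example-ai",
    "logging infrastructure": "arn:aws:logs:eu-west-1:111122223333:log-group:example",
    "model registry": "arn:aws:sagemaker:eu-west-1:111122223333:model-package/example/3",
    "NIS2 incident logs": "arn:aws:s3:::example-nis2/incidents/2024-q1.json",
}
# Constructed sample ARNs for material the role must never reach.
OUT_OF_SCOPE = {
    "proprietary source code": "arn:aws:s3:::example-source/app/main.py",
    "commercial contracts": "arn:aws:s3:::example-contracts/vendor-a.pdf",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(statements, effect, arn):
    """True if any statement with this effect names a pattern covering arn."""
    return any(s["Effect"] == effect and
               any(fnmatch.fnmatchcase(arn, p) for p in _as_list(s["Resource"]))
               for s in statements)

def audit_policy(policy):
    """Return findings for the inspector role; an empty list means it passes."""
    stmts, findings = _as_list(policy["Statement"]), []
    for s in (s for s in stmts if s["Effect"] == "Allow"):
        for action in _as_list(s["Action"]):
            if not action.split(":", 1)[-1].startswith(READ_VERBS):
                findings.append(f"non-read action allowed: {action}")
    for name, arn in IN_SCOPE.items():
        if not _matches(stmts, "Allow", arn) or _matches(stmts, "Deny", arn):
            findings.append(f"inspector cannot read: {name}")
    for name, arn in OUT_OF_SCOPE.items():
        if _matches(stmts, "Allow", arn) and not _matches(stmts, "Deny", arn):
            findings.append(f"excluded material reachable: {name}")
    return findings

# Constructed policy showing typical drift: a write action, two missing
# categories, and contracts exposed by a broad bucket wildcard.
DRIFTED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-*"},
    {"Effect": "Allow", "Action": "logs:GetLogEvents", "Resource": "arn:aws:logs:*"},
    {"Effect": "Deny", "Action": "*", "Resource": "arn:aws:s3:::example-source/*"},
]}
```

The findings list can be stored with each monthly test result, so a failed check becomes a dated record rather than a surprise during a drill.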
The cross-regulatory mapping tables demonstrate how controls satisfy both regimes simultaneously. During an AI Act inspection, the organisation can show that its cybersecurity controls also satisfy NIS2 requirements; during a NIS2 audit, the organisation can show that its AI-specific security measures are part of a comprehensive programme.
The 30-minute drill should include NIS2-specific requests alongside AI Act requests, testing the team’s ability to serve both regulatory audiences from the same evidence infrastructure.
Key outputs
- Dual-regime inspection readiness (AI Act and NIS2)
- Shared regulatory access IAM role covering both regimes
- Cross-regulatory mapping tables as dual-purpose evidence
- Module 9 and Module 10 AISDP documentation