Critical NC — Definition & Effect
A critical non-conformity indicates a fundamental failure to meet a requirement that could result in serious harm, a violation of fundamental rights, or a material misstatement in the Declaration of Conformity. The system cannot be placed on the market or continue in service until the non-conformity is resolved.
Remediation must begin immediately and be verified by the assessor before the assessment can conclude. The Declaration of Conformity cannot be signed while any critical non-conformity remains open. Examples include a complete absence of human oversight capability for a system requiring it, fabricated or falsified evidence, a fundamental rights impact assessment that was never conducted, or a risk register that does not exist.
Critical non-conformities are rare when the pre-assessment readiness review ('s evidence currency checks) is conducted properly. Their identification during the formal assessment typically indicates that the readiness review was either not conducted or was not sufficiently rigorous.
Key outputs
- Blocks Declaration of Conformity and market placement
- Immediate remediation with assessor verification required
- Root cause analysis mandatory
- Non-Conformity Register documentation
Major NC — Definition & Effect
A major non-conformity indicates a significant gap that weakens the compliance posture without presenting an immediate risk of serious harm. The system may proceed to market with a documented remediation plan and a defined deadline, typically 30 to 90 days. Remediation must be verified by the assessor, and the AISDP must be updated to reflect the corrected state.
Examples include fairness testing that omits a relevant protected characteristic, a PMM plan that defines metrics but has no alerting thresholds, cybersecurity testing conducted more than eighteen months ago, a risk register that exists but has not been reviewed since the initial assessment, or an Instructions for Use document that does not adequately communicate known limitations.
The Conformity Assessment Coordinator tracks each major non-conformity to closure. The assessment conclusion may read “conformity demonstrated subject to remediation of [N] major non-conformities,” with the remediation plan and deadlines appended to the Assessment Report.
Key outputs
- Documented remediation plan with 30–90 day deadline
- Assessor verification of remediation required
- Permits market placement with conditions
- Non-Conformity Register documentation
Minor NC — Definition & Effect
A minor non-conformity is a documentation deficiency or minor inconsistency that does not affect the system’s substantive compliance. Remediation is recorded and tracked, with a deadline of up to six months. Minor non-conformities do not block the Declaration of Conformity or prevent market placement.
Examples include typographical errors in the AISDP, a cross-reference that points to the wrong evidence artefact, a minor version discrepancy between the AISDP and the evidence register, or an organisational chart that does not reflect a recent personnel change. These findings are individually trivial, but an accumulation of minor non-conformities may signal a broader documentation discipline problem.
The Conformity Assessment Coordinator reviews minor non-conformities at each assessment cycle. A pattern of recurring minor non-conformities in the same area (for example, persistent cross-reference errors in Module 4) may warrant escalation to a major non-conformity if the pattern suggests a systemic documentation management failure.
Key outputs
- Up to six-month remediation window
- Does not block Declaration of Conformity
- Pattern analysis for escalation to major
- Non-Conformity Register documentation
Remediation Workflow
Each non-conformity follows a seven-step workflow: identification and logging by the assessor; assignment to the responsible person by the Conformity Assessment Coordinator; root cause analysis to ensure remediation addresses the underlying cause; remediation action by the responsible person; evidence of remediation as documented proof; verification by the assessor confirming the remediation is effective and complete; and closure, with the non-conformity marked as resolved in the register with the closure date and verification evidence.
The workflow is consistent regardless of severity; the urgency and scrutiny applied vary by classification. Critical non-conformities require immediate action with escalation to the AI Governance Lead. Major non-conformities follow the defined timeline with regular progress tracking. Minor non-conformities are tracked to closure at the next assessment cycle.
Non-conformities that remain open beyond their deadline require escalation to the AI Governance Lead with a documented justification for the delay and a revised timeline. Jira or ServiceNow, with pre-configured non-conformity workflows, supports this process, though a spreadsheet-based register is adequate for smaller portfolios.
Key outputs
- Seven-step workflow (log, assign, root cause, remediate, evidence, verify, close)
- Severity-appropriate urgency and scrutiny
- Escalation for overdue non-conformities
- Non-Conformity Register documentation
Root Cause Analysis for Critical & Major
Root cause analysis is mandatory for critical and major non-conformities. The analysis ensures that remediation addresses the underlying cause rather than the symptom. A fairness testing gap (the symptom) might have a root cause in the test plan’s scope definition process, in the assessor’s competence framework, or in the data availability for the omitted characteristic.
The root cause analysis is documented alongside the non-conformity entry. It records the symptom (the non-conformity as identified), the investigation method (five-whys analysis, fishbone diagram, or structured review), the root cause identified, the corrective action (addressing the root cause), and the preventive action (preventing recurrence). The preventive action may affect the QMS, the assessment methodology, or the organisation’s training programme.
Root cause analysis for critical non-conformities should involve the AI Governance Lead, as the root cause may indicate a governance failure rather than a technical one. A critical non-conformity caused by fabricated evidence, for instance, has a root cause in the organisation’s integrity culture, not in a technical process.
Key outputs
- Mandatory root cause analysis for critical and major NCs
- Documented investigation method and findings
- Corrective and preventive actions
- AI Governance Lead involvement for critical NCs