Brownfield compliance need not be achieved in a single effort. A phased approach may be appropriate, structured in three phases. Phase A addresses critical gaps: human oversight controls, serious incident reporting capability, and basic PMM. These are the capabilities whose absence creates the greatest immediate compliance and safety risk. Phase B addresses documentation gaps: assembling the AISDP from existing and reconstructed artefacts, conducting the gap assessment remediation, and establishing the evidence register. Phase C addresses infrastructure gaps: establishing version control, extending the CI/CD pipeline, and building the monitoring infrastructure.

The phased plan is documented and approved by the AI Governance Lead, with milestones that demonstrate progress toward full compliance. The August 2026 deadline for high-risk system obligations provides the outer boundary. The AI Governance Lead should set interim milestones that create accountability and prevent a last-minute compliance rush.

Phase A should be achievable within three months for most systems. Phases B and C vary depending on the system’s existing documentation and infrastructure maturity.

Key outputs

• Three-phase brownfield compliance plan (critical, documentation, infrastructure)
• AI Governance Lead approval with milestones
• August 2026 outer boundary for high-risk obligations
• All 12 modules addressed across the three phases