Evidence Currency — 60-Day Maximum & Staleness Tracking
Evidence artefacts have a freshness requirement: each artefact in the evidence register specifies how frequently the responsible role must refresh it. Model evaluation reports are refreshed with every model update; PMM reports monthly; penetration test reports annually. Evidence that has exceeded its freshness window is stale and cannot support a conformity claim.
A scheduled script (running monthly via Airflow or GitHub Actions) scans the evidence register, compares each artefact’s last-updated date against its freshness requirement, and generates a gap report listing overdue artefacts. The gap report is sent to the AI Governance Lead and the responsible team members. Overdue artefacts are treated as non-conformities and tracked in the Non-Conformity Register.
As a general rule, no evidence artefact relied upon in the conformity assessment should be more than 60 days old at the point the Declaration of Conformity is signed. Evidence older than 60 days raises the question of whether the documentation reflects the system’s current state. The Conformity Assessment Coordinator confirms evidence currency as part of the pre-signature checklist.
Key outputs
- Per-artefact freshness requirements in the evidence register
- Automated monthly staleness scanning (Airflow, GitHub Actions)
- 60-day maximum currency at Declaration signing
- Overdue artefacts tracked as non-conformities
Evidence Register
The evidence register catalogues every artefact reviewed during the assessment, with its location, version, date, and the assessment finding it supports. It serves as the bridge between the assessment findings and the underlying proof. Each entry records the artefact identifier (a unique reference), the AISDP module it supports, the EU AI Act Article it demonstrates compliance with, the artefact’s current version and location, the date it was last updated, and the freshness requirement.
The register is maintained as a structured dataset in Airtable, a Notion database, a SharePoint list, or a YAML file in the documentation repository. Free-form text in a document is insufficient; the register must be queryable so that an assessor can identify all evidence supporting a specific Article, all evidence owned by a specific role, or all evidence that is overdue for refresh.
The register distinguishes between system-specific evidence and shared evidence (where the organisation operates multiple high-risk systems). Shared evidence artefacts are assessed once and referenced by each system’s register with clear version references.
Key outputs
- Structured evidence register with per-artefact metadata
- AISDP module and Article traceability per entry
- Queryable format (Airtable, Notion, SharePoint, YAML)
- Distinction between system-specific and shared evidence
Assessment Checklist — Per Art. 8–15 Sub-Requirement
The assessment checklist maps every requirement of Articles 8 through 15, Article 17, and Annex IV to specific questions, evidence expectations, and pass/fail criteria. The checklist must be granular; a single line item such as “Article 10 compliance” is insufficient. Each sub-requirement of Article 10 (relevance, representativeness, freedom from errors, completeness, statistical properties, bias detection measures, special category data processing) is a separate checklist item with its own evidence requirement.
The checklist is prepared before the assessment begins as part of the Assessment Plan. During the assessment, the assessor works through each item, recording the evidence examined, the determination (conformant, non-conformant, partially conformant), and any observations. Partially conformant items include an explanation of what is present and what is missing.
The completed checklist is a core assessment artefact. An assessor or competent authority reviewing the assessment should be able to work through the checklist and understand, for each requirement, what evidence was examined and what conclusion was reached.
Key outputs
- Granular per-sub-requirement checklist (Articles 8–15, 17, Annex IV)
- Per-item evidence expectations and pass/fail criteria
- Completed checklist with determinations and observations
- Core assessment artefact retained for ten years