v2.4.0 | Report Errata
docs resources docs resources

Gap Assessment Approach For systems already in production, the AI System Assessor examines each AISDP module and identifies what documentation exists, what is missing, what testing has been performed, what is needed, what governance controls are in place, and what is absent. The gap assessment produces a remediation plan with priorities, owners, and timelines. The gap assessment is the first step in brownfield compliance and determines the scope of the retrofit effort. Key outputs

  • Per-module gap identification
  • Remediation plan with priorities and timelines
  • First step in brownfield compliance

Documentation Reconstruction Principles Where documentation was not created during development, it must be reconstructed from available artefacts. Training data characteristics may be derived from statistical analysis of the deployed model’s behaviour. Architecture details may be extracted from the codebase. Design decisions may be recovered through interviews with the development team. The AISDP should clearly indicate where documentation has been reconstructed, not generated contemporaneously. Transparency about reconstruction is more credible to a competent authority than retroactive documentation claiming to be original. Key outputs

  • Reconstruction from available artefacts
  • Statistical analysis, code extraction, team interviews
  • Clear labelling of reconstructed documentation

Retrofit Phases (A: Critical, B: Documentation, C: Infrastructure) Three retrofit phases for brownfield systems. Phase A (critical gaps): human oversight controls, serious incident reporting capability, basic PMM; addresses the highest compliance risk first. Phase B (documentation gaps): assemble the AISDP from existing and reconstructed artefacts; version control established from the current state forward. Phase C (infrastructure gaps): version control extension, CI/CD pipeline compliance gates, monitoring infrastructure build-out. The phased plan is documented and approved by the AI Governance Lead with milestones demonstrating progress toward full compliance. Key outputs

  • Three retrofit phases prioritised by compliance risk
  • Phase A addresses immediate safety and reporting gaps
  • Milestones demonstrating progress

August 2026 Milestone Requirement The full high-risk AI system framework applies from 2 August 2026. Organisations must reach at least Level 4 (Operational) in the compliance maturity model by this date: conformity assessments completed, Declarations of Conformity signed, high-risk systems registered in the EU database, PMM producing data, operators trained, and incident response in place. Systems operating after this date without conformity assessment are in breach of the AI Act. Key outputs

  • 2 August 2026 application date
  • Level 4 maturity target
  • Post-deadline operation without conformity assessment is non-compliant
On This Page