Obligations for High-Risk AI Systems (EU/UK aligned)

Zen AI Governance — Knowledge Base • EU/UK alignment • Updated 05 Nov 2025 • www.zenaigovernance.com

Key takeaways
  • High-risk AI obligations apply across the lifecycle and are prescriptive: design → operation → monitoring → corrective action.
  • Providers own the risk management system (RMS), documentation and CE marking; Deployers run operations, oversight, and serious incident reporting.
  • Maintain an audit-ready evidence pack: data lineage, model cards, metrics, incidents, corrective and preventive actions (CAPA), approvals.

Scope & actors

The EU AI Act governs the placing on the EU market, putting into service, and operation of AI systems. High-risk systems include those used in safety-critical domains, regulated products, and specified use-cases. Providers (developers or those placing the system on the market) bear design-time duties; Deployers (operators/users) bear run-time duties. Distributors/importers inherit obligations proportionate to control.

Risk management system (RMS)

  • Identify reasonably foreseeable misuse; characterise hazards/harms; map affected cohorts and contexts.
  • Plan risk controls by design: data curation, model constraints, guardrails, operational controls, and human oversight.
  • Define KPIs, tolerances and monitoring processes; encode escalation/runbooks; keep a living risk file.
  • Iterate RMS on evidence from evaluation, deployment feedback and post-market surveillance.

Data governance

  • Provenance, licensing and lawful basis; data minimisation and purpose limitation; representativeness and quality controls.
  • Bias management: cohort analysis, synthetic balancing, harmful proxy detection; pre/post-deployment equity metrics.
  • Privacy: data subject request (DSR) handling, redaction, differential privacy where applicable, and secure MLOps pipelines.

Technical documentation

  • System description, intended purpose/use, limitations, risk controls and operating conditions.
  • Data lineage; model cards; training/eval datasets; metrics and thresholds; explainability methods.
  • Deployment architecture; dependency bill of materials (BOM); security design; update policy; rollback strategy.

Logging & traceability

  • Capture inputs/outputs, prompts, features, decisions, explanations (where feasible), model/feature store versions.
  • Maintain event trails for threshold breaches, overrides, hand-offs, outages and user complaints.

Human oversight

  • Define when/how oversight intervenes: pre-authorization, warnings, two-person rules, and mandatory review gates.
  • Ensure effective override: stop, rollback, downgrade modes; clear UI cues; training; operator competency records.

Performance, robustness & security

  • Qualification and acceptance: target metrics per purpose/cohort/environment; stress and adversarial testing.
  • Hardening: input validation, content filters, prompt hygiene, rate-limits, sandboxing, signed artifacts, software composition analysis (SCA).
  • Secure MLOps: SBOM/SLSA, attestations, policy-gated CI/CD, key management, model watermarking where relevant.

Conformity assessment & CE marking

  • Choose the applicable route (internal control, notified body (NB) involvement, sectoral regulations); compile the technical file.
  • Demonstrate RMS, governance, testing outcomes, and residual risk justifications; affix CE marking prior to placement.

Post-market monitoring & incidents

  • Run KPIs/thresholds; detect drift, bias and misuse; triage incidents; collect evidence bundles; notify authorities where mandated.
  • Feed CAPA and change control; update documentation and user instructions.

Provider vs Deployer – responsibilities

  • Provider: RMS, documentation, conformity, CE, instructions, post-market plan, security design.
  • Deployer: operate per instructions, ensure qualified staff, human oversight, logs, incident reporting.

Evidence pack & audit readiness

  • Risk file, model cards, data sheets, evaluation reports, approval minutes, deployment manifests, audit logs.
  • Incident & CAPA registers; training records; user communications; versioned user instructions.

Implementation checklist

  • RMS defined; hazards/harms & misuse mapped; controls designed; residual risk justified.
  • Data governance operational; documentation complete; oversight & security embedded.
  • Conformity route selected; CE plan ready; post-market monitoring (PMM) live; evidence library maintained.

© Zen AI Governance UK Ltd • Regulatory Knowledge • v1 05 Nov 2025 • This page is general guidance, not legal advice.
