Module 9 requires comprehensive cybersecurity documentation that should be generated as an automated byproduct of the security programme. An evidence pipeline operating on continuous and periodic cadences collects, tags, and stores artefacts from CI pipelines, testing, monitoring, and incident response. Currency tracking and gap analysis ensure evidence remains fresh for conformity assessment.
Module 9 of the AISDP requires comprehensive cybersecurity documentation, and generating this evidence should be an automated byproduct of the security programme rather than a manual documentation exercise. The security toolchain should produce structured, machine-readable outputs that can be collected and catalogued automatically. Vulnerability scan results, penetration test findings, SAST and DAST reports, infrastructure compliance scan results, access control configurations, and encryption settings should all be exportable in structured formats. A compliance evidence pipeline collects these outputs on a scheduled basis, timestamps them, and stores them in the evidence pack repository.
The Conformity Assessment Coordinator tags each evidence artefact with the AISDP module and Article it supports. A vulnerability scan result supports Module 9 under Article 15(4). An access control configuration supports Module 9 under Article 15(5). A penetration test report supports Module 9 generally. This tagging enables the evidence register to be maintained with minimal manual effort.
Module 9 evidence must be current. A penetration test report from eighteen months ago does not demonstrate current compliance. The evidence collection pipeline tracks the age of each artefact and generates alerts when artefacts approach their expiry as defined by the testing programme's schedule. An automated comparison of the required evidence catalogue against available artefacts identifies gaps, flagging missing or expired evidence to the Conformity Assessment Coordinator. This gap analysis runs at least monthly and before any conformity assessment activity.
The evidence generation pipeline operates on two cadences to capture different types of cybersecurity evidence. Continuous collection captures evidence generated during normal operations: CI pipeline reports including validation gate results, static analysis results, and vulnerability scan results; deployment ledger entries; monitoring alert records; incident reports; and configuration change logs. Each artefact is tagged with metadata covering the system identifier, the AISDP module it supports, the evidence type, the generation timestamp, and the retention requirement. The tagged artefacts are stored in the central evidence repository.
Periodic collection captures evidence that requires active generation rather than passive collection. Penetration test reports are generated annually. Adversarial ML test reports are generated annually or after model modifications. Threat model reviews are conducted annually. Vulnerability remediation status reports are produced quarterly. Supply chain risk assessments are conducted annually. Scheduled jobs using Airflow, GitHub Actions, or calendar-triggered scripts prompt the responsible team to generate and upload each periodic artefact, and alert the governance team if an artefact is overdue.
The evidence repository should be read-only for all users except designated evidence administrators. Deletion and modification of evidence records requires multi-party approval with all such actions logged. Retention policies enforce the ten-year retention requirement under Article 18 with automated alerts before any evidence reaches its retention expiry.
Credo AI provides a commercial platform that automates much of the evidence collection process, mapping collected evidence to specific regulatory requirements including the EU AI Act and highlighting gaps. For organisations preferring open-source tooling, a Git-based evidence repository provides version-controlled, auditable evidence storage. Each evidence artefact is stored as a file organised by AISDP module and evidence type, with a metadata file in YAML or JSON capturing the tagging information. Pull requests for new evidence are reviewed by the AI Governance Lead or delegate, ensuring submitted evidence meets the requirement it claims to address.
For organisations using procedural approaches, evidence collection can be entirely manual. An evidence collection checklist lists every required artefact organised by AISDP module with the responsible person and collection frequency. After each pipeline run, release, or periodic review, the responsible person collects relevant artefacts and stores them with appropriate metadata. A monthly evidence completeness check reviews the register for gaps. Manual collection is prone to omission, especially for artefacts generated during routine pipeline runs.
Yes, using a checklist and monthly completeness checks, but manual collection is prone to omission. Currency tracking can be automated with a simple date-comparison script at near-zero cost.
Credo AI maps evidence to EU AI Act articles and generates gap reports. For open-source alternatives, a Git-based repository with YAML metadata files provides version-controlled, auditable storage.
The gap is flagged as a non-conformity in the register. Monthly automated scans detect staleness proactively, generating gap reports sent to the AI Governance Lead and responsible team members.