The Practitioners Implementation Guide spans twenty-one domains across the full lifecycle of a high-risk AI system. No single reader needs every section with equal depth. This reading guide maps each professional role to its priority sections, key focus areas, and interdependencies, ensuring compliance leads, engineers, legal advisors, DPOs, assessors, and executives engage efficiently with the material most relevant to their responsibilities.
Different readers need different sections of the guide based on their responsibilities and the decisions they need to make. The guide examines eighteen interconnected domains across twenty-one sections, and reading sequentially from start to finish, while providing a complete understanding, is not how most readers will use it. The following role-based reading guide maps each role to its priority sections and key focus areas.
The AI Governance Lead carries ultimate accountability for the organisation's AI compliance programme. Priority sections cover the introduction and scope, risk assessment, conformity assessment frameworks, certification outputs, regulator interaction, operational oversight, the delivery process, and strategic synthesis. The AI Governance Lead should pay particular attention to the residual risk acceptability threshold, non-conformity management, Declaration of Conformity liability implications, and end-of-life planning and governance.
The AI System Assessor, who conducts the discovery, classification, and AISDP compilation for each system, should prioritise the full risk assessment methodology, the Annex VI walkthrough, documentation standards, and the delivery process. Working familiarity with model selection, data governance, architecture, version control, CI/CD, and cybersecurity is needed to evaluate technical evidence during the conformity assessment.
Technical SMEs and Engineering Leads should focus on the engineering domains that produce the evidence substantiating the AISDP across model selection, data governance, system architecture, version control, CI/CD pipelines, cybersecurity, post-market monitoring, and operational oversight. The CI/CD pipeline section is the most operationally immediate for engineering teams, as it describes the automation infrastructure that produces compliance evidence as a byproduct of the development workflow. The governance pipeline extends this with five compliance gates that must pass before deployment is authorised.
Key focus areas within oversight include Level 1 monitoring responsibilities, break-glass procedures, oversight interface requirements, and the technical shutdown procedures for system end-of-life.
Legal and Regulatory Advisors should prioritise sections addressing regulatory context, legal obligations, enforcement exposure, and cross-regulatory intersections across the conformity assessment and certification domains. They should review the regulatory timeline, the Article 6(3) exception analysis, the FRIA methodology, the conformity assessment framework, the penalty structure, and serious incident reporting obligations. Additionally, they should review intellectual property risk in model selection, Declaration of Conformity liability and insurance implications, and the end-of-life regulatory basis including data lifecycle closure.
DPO Liaisons should focus on data governance, GDPR alignment, and post-market monitoring data retention requirements. Data governance and post-market monitoring provide the detailed treatment, with particular attention to GDPR alignment including lawful basis for training data processing, special category data handling under Article 10(5), third-party data governance, and PMM data retention and privacy. The FRIA and DPIA coordination section and the data lifecycle closure at end-of-life are also essential reading.
Conformity Assessment Coordinators should prioritise the conformity assessment, certification outputs, and registration sections. Conformity assessment and certification outputs cover the assessment execution methodology, non-conformity register management, multi-system coordination, the registration workflow, authority engagement, and documentation finalisation at end-of-life.
The Internal Audit Assurance Lead should focus on the conformity assessment process verification, assessor independence requirements, documentation structures, and common pitfalls as an audit checklist.
Business Owners and Product Managers should focus on risk classification, reputational risk, intended purpose documentation, and human oversight design. Risk classification covers the reputational risk dimension across five stakeholder categories. Business intent alignment establishes the foundation for all design decisions. Level 3 oversight responsibilities in the operational pyramid define the product management function's ongoing compliance role.
Executive Leadership, including CEO, CTO, CRO, and board members, should focus on strategic significance, the regulatory timeline, reputational risk, the escalation-without-reprisal culture, strategic synthesis, and compliance costs. The penalty framework provides the risk exposure context for budget decisions.
The CFO should start with the cost model for the quantified investment case, including staffing estimates, tooling costs, total cost tables, penalty exposure comparison, and business case structure. Declaration of Conformity liability and insurance implications in certification outputs are also essential for the CFO's risk assessment.
GPAI Integration Leads should prioritise model selection and the GPAI integration, RAG compliance, and agentic AI sections. The complete GPAI compliance architecture covers Article 25(3) information requests, compensating controls for provider opacity, RAG knowledge base governance, and grounding verification.
Agentic AI Engineers should focus on bounded autonomy and action schemas, tool-use governance, reasoning trace logging, approval gate architecture, and multi-model cascade management.
Deployers who are not also providers should use the Deployer and Operator Handbook as their primary reference, covering all eight Article 26 obligations, the deployer compliance record, FRIA methodology, oversight pyramid, and portfolio management. The handbook is self-contained and does not require other sections.
For readers tracing a specific regulatory requirement across the guide, the cross-reference index maps every cited Article, Annex, and AISDP Module to the sections that address it.
Smaller organisations may combine roles, but the responsibilities must be explicitly allocated and documented. The critical constraint is assessor independence: the person conducting conformity assessment must not be the same person who built the system.
No. The deployer handbook provides a self-contained reference covering all deployer obligations. Deployers should start with the deployer obligation map and consult cross-referenced sections only when deeper guidance is needed on specific topics.
Dual-role organisations face cumulative obligations. The provider reading paths take priority for AISDP preparation, but the deployer-specific sections on FRIA, human oversight implementation, and monitoring must also be addressed to ensure the deployer perspective is explicitly present.
Limited-risk systems primarily face transparency obligations under Article 50. The risk assessment section addresses classification methodology, and the transparency domain covers the specific documentation requirements. The full high-risk reading paths are not required.
Technical teams do not need the full legal detail, but should understand the compliance guarantees their engineering systems provide, the penalty framework that motivates the requirements, and the governance gates that their CI/CD pipelines must enforce.
Model selection, data governance, system architecture, version control, CI/CD pipelines, cybersecurity, and post-market monitoring. The CI/CD section is most operationally immediate.
Focus on data governance for GDPR alignment and post-market monitoring for data retention, with supporting reading in risk assessment for FRIA and DPIA coordination.
Regulatory context, Article 6(3) exception assessment, FRIA methodology, penalty framework across three tiers, serious incident reporting, IP risk, and Declaration of Conformity liability.
The deployer handbook provides a standalone guide covering all deployer obligations, the compliance record structure, FRIA methodology, oversight, monitoring, and incident reporting.
Strategic overview, regulatory timeline, penalty exposure, escalation culture, cost model across five categories and three organisation sizes, and the business case for compliance investment.
Prioritise the Annex VI walkthrough, documentation standards, non-conformity register management, assessor independence requirements, and multi-system coordination.