AI Model Selection for EU AI Act Compliance

Model selection under the EU AI Act acquires a compliance dimension that goes well beyond traditional performance metrics like accuracy, latency, and resource constraints. The choice of model architecture directly determines whether the organisation can satisfy requirements for transparency under Article 13, provide the explanations required for effective human oversight under Article 14, demonstrate accuracy and robustness per Article 15, and document the system to the standard required by Annex IV.

A model that achieves marginally higher accuracy at the cost of opacity may be a poor choice if the resulting system cannot produce the explanations required for oversight or the documentation required by Annex IV, which mandates describing the model architecture "in sufficient detail for a qualified technical reviewer to understand its structure and behaviour." This requirement fundamentally favours architectures that can be documented with precision.

The EU AI Act's definition of an AI system under Article 3(1) encompasses machine-based systems that infer from inputs to generate outputs such as predictions, content, recommendations, or decisions. This captures a broad range of approaches: traditional heuristic and rule-based systems, statistical models, ensemble methods, deep neural networks, foundation models, and hybrid architectures. The model selection process should evaluate the full spectrum, selecting the approach that best satisfies both the business requirements and the compliance obligations.

For traditional heuristic systems, the compliance advantage is transparency: every decision pathway is deterministic and documentable. The compliance disadvantage is that manually designed scoring models can embed designer biases without the statistical tools available to detect them. Statistical models such as logistic regression occupy a middle ground, offering transparent, interpretable parameters well-suited to domains with established regulatory expectations. Ensemble methods like gradient-boosted trees offer strong performance with SHAP values providing theoretically grounded feature attribution. Deep neural networks and foundation models achieve state-of-the-art performance on unstructured data but introduce explainability limitations and stochastic output challenges that require compensating controls.

The AISDP must document the rationale for selecting one approach over another, demonstrating that the compliance implications were assessed alongside performance. Risk assessment establishes the risk profile that shapes all subsequent model selection decisions.

Model origin risk varies materially across three categories, and the provenance of a model carries implications that the AI System Assessor must assess and document in AISDP Module 3.

Open-source models from repositories such as Hugging Face or GitHub offer accessibility and community validation but introduce several risks. Training data provenance may be unknown or poorly documented. The development process may not have included the bias testing, adversarial evaluation, or documentation records that the EU AI Act requires. Any organisation using an open-source model as a component of a high-risk system inherits these documentation gaps and must either fill them through its own due diligence or accept the resulting non-conformity risk. AISDP Module 3 must record which open-source components are incorporated, the due diligence performed on each, the licensing terms and their compatibility with the system's commercial and regulatory context, and the residual risks from provenance gaps.

Proprietary third-party models present different challenges. A commercial provider may refuse to disclose training data composition, architecture details, or fairness evaluation results, citing trade secrets. This creates an AISDP documentation gap that the organisation must address. Where vendor disclosures are insufficient, the AI System Assessor records the gaps as non-conformities, and the organisation assesses whether it can compensate through its own output-level testing and evaluation.

offer the greatest control over documentation and governance. The risk centres on process discipline: whether the development team followed documented methodology, satisfied training data governance requirements, and conducted rigorous testing. Models developed informally, during hackathons or innovation sprints, may lack the documentation infrastructure the AISDP demands.

Organisations that fine-tune a general-purpose AI model for use in a high-risk system cross the provider boundary defined in Article 25(1)(b), assuming the full set of provider obligations under Article 16 in most cases.

Article 25(1)(b) provides that a deployer becomes a provider if it places on the market a high-risk AI system under its own name or trademark, or makes a substantial modification. Fine-tuning a general-purpose foundation model for a specific high-risk application, such as adapting a general LLM for credit assessment or recruitment screening, changes the model's intended purpose from "general purpose" to a specific high-risk use case. This triggers provider status with the complete set of obligations: conformity assessment, AISDP preparation, CE marking, Declaration of Conformity, and EU database registration.

The Legal and Regulatory Advisor should assess fine-tuning against three criteria. First, does it change the model's intended purpose as documented by the gpai provider? If the provider describes the model as general-purpose text generation and the organisation fine-tunes it for medical triage, the intended purpose has changed. Second, does it alter the model's risk profile? Fine-tuning on domain-specific data may introduce new bias patterns, failure modes, or accuracy characteristics not present in the base model. Third, does it affect the model's compliance with the GPAI provider's own obligations under Articles 51 to 56? Fine-tuning may void safety evaluations or alignment testing conducted on the base model.

Training data for AI models, particularly large language models and generative systems, may include copyrighted material, and the legal landscape is evolving rapidly with litigation in multiple jurisdictions challenging the legality of training on copyrighted content without licence.

For high-risk AI systems, the AISDP must document the copyright status of training data comprehensively. This includes identifying whether the data includes copyrighted works (text, images, audio), the legal basis relied upon for processing that material (licence, consent, or the text and data mining exception under Directive (EU) 2019/790), the measures taken to identify and exclude material where rights holders have exercised opt-outs, and the procedures for responding to copyright claims.

For systems incorporating pre-trained third-party models, the organisation should obtain contractual representations regarding the copyright status of the model's training data. Where such representations are unavailable or qualified, the AI System Assessor records the risk and assesses potential regulatory and reputational impact. The risk register should distinguish between models where training data copyright is documented and verified, models where the provider asserts clean training data but cannot provide detailed evidence, and models where training data provenance is substantially unknown.

The risk register should distinguish between three tiers of copyright confidence: models where training data copyright is documented and verified through licensing agreements, models where the provider asserts clean training data but cannot provide detailed provenance evidence, and models where training data composition is substantially unknown. Each tier carries different residual risk levels that the AI System Assessor quantifies in the risk assessment. For the third tier, the risk may be sufficient to disqualify the model for high-risk applications unless the organisation can demonstrate compensating controls such as output filtering for copyrighted content patterns.

Foundation models reflect the values, cultural norms, and policy perspectives embedded in their training data and alignment processes, creating compliance risks when deployed in EU contexts that the AISDP must document.

Training data geographic bias is the most common concern. Models trained predominantly on data from a particular jurisdiction may perform poorly on EU populations. A credit scoring model trained on US financial behaviour data may not generalise to European markets with different consumer protection frameworks. A natural language processing model trained on American English may handle EU-specific legal terminology, regulatory references, or cultural contexts poorly.

Alignment and safety tuning reflects the model provider's values and regulatory environment. A model aligned primarily to US free speech norms may not meet EU expectations regarding hate speech, disinformation, or content moderation. The assessment must evaluate the model's alignment against EU legal and ethical standards and document additional fine-tuning or guardrails applied to address gaps. Behavioural benchmarking using frameworks like HELM with EU-specific thresholds, testing against the Framework Decision on combating racism and xenophobia (2008/913/JHA), and EU-specific MMLU subsets provide quantified evidence.

Foreign government influence requires evaluating the model provider's ownership structure, governance, and known government relationships, particularly for sensitive domains like law enforcement, migration, or public administration. risks arise when inference or training infrastructure is hosted outside the EU, exposing the organisation to foreign government access under domestic laws such as the US CLOUD Act or China's National Intelligence Law. The module documents these risks.

Model selection for high-risk systems should be evaluated against six compliance criteria alongside traditional performance metrics, scored on a three-level scale (strong, adequate, weak) with evidence-based justification for each score.

Documentability asks whether the architecture and decision process can be described to Annex IV standard, such that a qualified reviewer could reproduce the training process from documentation alone. Linear models have strong documentability where every parameter is a named coefficient. Transformers with billions of parameters have weaker documentability; the architecture can be described but learned representations cannot be enumerated.

Testability asks whether accuracy, robustness, and fairness can be evaluated meaningfully per Article 15. Deterministic architectures such as decision trees and linear models simplify testing. Stochastic architectures like LLMs require statistical testing frameworks and the assessment must specify the methodology needed.

Auditability asks whether individual decisions can be reconstructed from logs per Article 12. Models requiring only the input and model version for output reconstruction are strongly auditable. Models depending on runtime conditions, session state, or RAG context require more sophisticated logging.

Bias detectability asks whether fairness metrics can be computed at subgroup level and proxy variable effects identified. Models producing calibrated probability scores are more amenable to fairness analysis than those producing only ranked outputs or categorical labels. SHAP and integrated gradients enable feature attribution analysis for proxy detection.

Agentic AI systems that take actions in the world beyond producing predictions introduce a distinct set of model selection considerations that the AISDP must address, as Article 3(1) encompasses behaviour where outputs trigger real-world actions.

Action space constraints are the primary concern. The model architecture must support constraining the action space to the set of actions that are safe and within the system's intended purpose. An agentic system for a high-risk domain must have a bounded action space that can be documented, tested, and monitored. Open-ended architectures that can theoretically take any action require extensive guardrails whose effectiveness must be demonstrated in the AISDP. In frameworks like LangChain and LangGraph, this is implemented through tool definitions with Pydantic schemas that validate every tool call before execution.

Reversibility classification adds a second layer. Each permitted action is classified as reversible (can be undone programmatically), partially reversible (can be undone with effort, such as a database rollback), or irreversible (cannot be undone, such as a sent communication or physical actuator command). Irreversible actions require a human-in-the-loop checkpoint: the agent proposes, a human reviews and approves, and only then does execution proceed. Agentic AI compliance covers bounded autonomy and tool-use governance in detail.

requires the model to support logging the entire reasoning and action chain: the initial trigger, each intermediate observation and decision point, each tool call with parameters and return values, and the final outcome. This is essential for Article 12 compliance and post-incident investigation. The log is structured as JSON with a defined schema, written to append-only storage.

The choice of model architecture directly constrains the organisation's ability to satisfy Article 13 transparency and Article 14 human oversight requirements, and explainability properties must be assessed during selection rather than retrofitted after development.

Intrinsic explainability is provided by architectures where the decision process is transparent by construction: linear models expose coefficients, decision trees expose branching logic, rule-based systems expose rules. Post-hoc methods (SHAP, LIME, attention maps, counterfactual explanations) approximate reasoning after the fact with known limitations in fidelity and stability.

Three distinct audiences require different explanation formats. Operators need explanations enabling independent judgement; SHAP values decomposing predictions into per-feature contributions serve this well, with TreeExplainer providing exact, fast computation for tree-based models. Affected persons need plain-language explanations answering "why was this decision made"; Alibi Explain's counterfactual explanations are particularly useful, answering "what would need to be different for the outcome to change." Auditors need explanations consistent with documented system design, revealing whether the model actually behaves as described in the AISDP.

Model selection for a high-risk AI system is a compliance-significant decision that requires a defined governance process documented in the AISDP, not discretion left to individual data scientists.

The governance process involves multiple roles. The Technical SME proposes candidate architectures, evaluates them against the six compliance criteria, and recommends a selection. The AI Governance Lead reviews the recommendation against risk assessment findings. Legal counsel reviews intellectual property and GPAI provider implications. For commercially significant choices, the Business Owner is consulted. The AI Governance Lead approves the final selection. A formal objection mechanism allows any stakeholder to challenge the choice; objections are documented, discussed, and resolved with the resolution recorded.

The weighted decision matrix provides the evaluation structure. Each of the six criteria is scored for every candidate model, with weights reflecting the system's risk profile. Scoring must be evidence-based: "documentability: strong" means a qualified reviewer could reproduce training from documentation alone. Weights are documented and approved before evaluation begins.

Model cards following the Mitchell et al. (2019) format capture the standardised documentation output: intended use, disaggregated performance results, known limitations, training data summary, and ethical considerations. Google's Model Cards Toolkit automates generation from evaluation metrics, producing structured documents for AISDP Module 3.

in the system architecture, not only the primary decision model. Many high-risk systems incorporate multiple components: embedding models for retrieval or similarity, re-ranking models, classification heads for routing, and auxiliary models for monitoring or safety. Each influences outputs and carries its own risk profile. A primary decision model warrants full evaluation against all six criteria. An embedding model in a warrants focused assessment covering provenance, linguistic performance, known biases, and version pinning. An auxiliary safety classifier warrants documentation of accuracy, failure modes, and consequences for the primary system's compliance profile.