Deploying high-risk AI systems across multiple EU member states requires a structured coordination function to manage divergent interpretive guidance, staggered authority maturity, and cross-border incident reporting. Mutual recognition under Article 23 means CE-marked systems are accepted across the single market, but organisations must be prepared to demonstrate compliance to any authority. Third-country providers must appoint an authorised representative with genuine technical understanding.
Market surveillance authorities have broad investigative powers under Article 74, and organisations should prepare for inspections proactively rather than scrambling when an inspector arrives. The organisation must maintain an inspection-ready posture at all times. This means the AISDP and evidence pack are kept current rather than waiting for the next scheduled review. Evidence is organised and accessible so that an inspector does not need to wait for someone to locate it. Monitoring dashboards are operational and displaying current data. The human oversight interface can be demonstrated on request. Key personnel, including the AI Governance Lead, Technical SME, and Legal and Regulatory Advisor, know their roles during an inspection and can be made available at short notice.
Annual inspection rehearsal exercises help identify gaps in readiness. An internal team or external consultant runs a mock inspection, replicating the real experience as closely as possible: the mock inspectors arrive with limited notice, request specific records, ask probing questions, and observe the system in use. The Conformity Assessment Coordinator times the simulation against a useful benchmark, the thirty-minute drill, in which for each category of regulatory request the team must produce the requested artefact within thirty minutes. If the risk register takes two hours to locate because it is stored in a personal file that only one team member knows about, the simulation has identified a critical gap. Rehearsal findings feed into the Non-Conformity Register and the inspection readiness plan. The Conformity Assessment Coordinator documents the simulation results, including the requests made, the time taken to fulfil each one, and the gaps identified, as Module 10 evidence.
Mock inspectors should request specific artefacts using regulatory language, for example asking for the records required under Annex IV point 2(b) rather than asking to see the model card. They should ask probing questions about the system's design and operation, test the team's ability to explain the risk management process and fairness methodology, and request log exports for specific time ranges.
When an inspection is initiated, the AI Governance Lead should serve as the primary point of contact, coordinating the organisation's response. A designated Inspection Coordinator should manage logistics: scheduling interviews, retrieving requested documents, arranging system access, and maintaining a log of every document provided and every question asked.
The organisation should provide everything within the lawful scope of the inspection promptly and cooperatively. Obstructing or delaying an inspection carries penalties under Article 99(4). Where a request touches on commercially sensitive information beyond the regulatory scope, such as trade secrets or proprietary algorithms unrelated to the system under inspection, the Legal and Regulatory Advisor should engage with the inspectors to agree on appropriate confidentiality protections.
The Conformity Assessment Coordinator logs every document provided to the inspectors in an inspection register, including the document title, version, date, and the request it responds to. This register serves as the organisation's record of the inspection and may be needed if the authority's findings are subsequently disputed.
Following an inspection, the authority may issue findings, recommendations, or corrective action requirements. The Conformity Assessment Coordinator enters each finding into the Non-Conformity Register, assigns it to a responsible person, and tracks remediation within the required timeline. The remediation evidence is documented and, where the authority requests confirmation, submitted to the authority.
Inspection findings may also reveal systemic weaknesses that affect other AI systems in the organisation's portfolio. The AI Governance Lead should assess whether the findings indicate organisation-wide gaps, such as a common deficiency in the data governance documentation across multiple systems or a shared infrastructure vulnerability, and if so initiate a broader remediation programme rather than treating each finding as an isolated system-specific issue. This cross-system analysis is particularly important for organisations with multiple high-risk AI systems that share common infrastructure, data sources, or governance processes.
Regulatory inspection readiness is ultimately the operational test of whether the compliance infrastructure actually works under pressure. The technical controls, the evidence repository, and the documentation may all be in excellent condition, yet the organisation may fail an inspection because the team cannot locate the right artefacts quickly enough, the access credentials for the evidence systems have expired, or the team members who understand the system are unavailable. The rehearsal process is designed to expose these operational gaps before they matter in a real inspection.
The Conformity Assessment Coordinator creates and maintains a regulatory access profile proactively. A pre-configured IAM role provides read-only access to: the evidence repository containing all AISDP modules, assessment records, and non-conformity registers; the monitoring dashboards showing current and historical compliance metrics; the logging infrastructure, so that logs can be queried for specific time ranges and inference identifiers; the model registry with model metadata, provenance records, and evaluation results; and the AISDP documentation in current and historical versions.
Access to proprietary source code, commercial contracts, employee personal data, and other information that is not compliance-relevant should be excluded from the regulatory access profile, and the exclusion should be an explicit deny rather than an accidental omission, so that a later widening of the role cannot silently reach those assets. The Legal and Regulatory Advisor tests the role monthly by activating it and confirming that all expected access works and that no access has been inadvertently revoked by infrastructure changes. Security credentials are stored in a secure location, such as a vault whose retrievals are logged, accessible to designated compliance personnel even if the technical team is unavailable, ensuring that a weekend inspection does not fail because the only person who knows the password is on holiday.
For organisations without dedicated IAM tooling, the regulatory access profile can be implemented procedurally. The Legal and Regulatory Advisor documents the access requirements for a regulatory inspector, specifying which systems, which data categories, which dashboards, and read-only access only. This profile is configured manually in the cloud IAM console. The Conformity Assessment Coordinator tests the profile quarterly by activating it and verifying access. A regulatory inspection pack document should list the access credentials, system URLs, and contact details for the inspection support team, stored securely but accessible to the compliance team without requiring engineering support.
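The read-only and exclusion requirements above can be checked mechanically before the monthly live activation test. The following is an added example, not code from the original page: it assumes an AWS-style IAM policy document (the page names no specific cloud provider), and the bucket names, repository ARNs and account ID are hypothetical. It flags any Allow statement that grants a state-changing action and any excluded asset that lacks an explicit Deny, which is the condition that lets a later Allow silently widen the profile.

```python
"""Static audit of a regulator read-only IAM policy (added example).

Assumes an AWS-style policy document; resource names and the account ID
are hypothetical. Run it in CI whenever the profile changes, alongside the
live monthly activation test described in the text.
"""
import fnmatch
import json

# Action verbs that do not change state. Logs Insights queries use
# Start/Stop verbs yet are read operations, so they are listed explicitly.
READ_VERBS = ("Get", "List", "Describe", "Head", "Filter", "Select", "Query")
READ_EXCEPTIONS = {"logs:StartQuery", "logs:StopQuery", "logs:GetQueryResults"}

# Assets the profile must never reach (hypothetical ARNs for the categories
# the page excludes: source code, employee personal data, contracts).
EXCLUDED_RESOURCES = [
    "arn:aws:codecommit:eu-west-1:123456789012:*",
    "arn:aws:s3:::example-hr-records/*",
    "arn:aws:s3:::example-commercial-contracts/*",
]

# Constructed policy for the regulator role: read-only on evidence, dashboards
# and logs, plus an explicit Deny on the excluded assets.
REGULATOR_READONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EvidenceRepositoryRead", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-aisdp-evidence",
                      "arn:aws:s3:::example-aisdp-evidence/*"]},
        {"Sid": "DashboardsAndLogs", "Effect": "Allow",
         "Action": ["cloudwatch:GetDashboard", "cloudwatch:ListDashboards",
                    "logs:StartQuery", "logs:GetQueryResults",
                    "logs:FilterLogEvents"],
         "Resource": "*"},
        {"Sid": "DenyExcludedAssets", "Effect": "Deny",
         "Action": "*", "Resource": EXCLUDED_RESOURCES},
    ],
}

# Constructed weak policy: a wildcard read role with no Deny, the kind of
# shortcut that lets a regulator reach source code and HR data.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadEverything", "Effect": "Allow",
         "Action": ["s3:*", "codecommit:GetRepository", "logs:*"],
         "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _covers(pattern, resource):
    """True if an IAM resource pattern with '*' wildcards matches resource."""
    return fnmatch.fnmatchcase(resource, pattern)


def _service(arn_or_action):
    """Service name: 'arn:aws:s3:::x' -> 's3', 's3:GetObject' -> 's3'."""
    parts = arn_or_action.split(":")
    return parts[2] if arn_or_action.startswith("arn:") else parts[0]


def is_read_only(action):
    if action in READ_EXCEPTIONS:
        return True
    if ":" not in action:          # bare "*" grants everything
        return False
    return action.split(":", 1)[1].startswith(READ_VERBS)


def audit_policy(policy, excluded=EXCLUDED_RESOURCES):
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    allows = [s for s in policy["Statement"] if s.get("Effect") == "Allow"]
    denies = [s for s in policy["Statement"] if s.get("Effect") == "Deny"]

    for stmt in allows:
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: uses NotAction/NotResource; review manually")
        for action in _as_list(stmt.get("Action", [])):
            if not is_read_only(action):
                findings.append(f"{sid}: allows non-read action {action}")

    # Resources covered by a Deny of all actions (explicit deny wins in IAM).
    denied_all = [r for d in denies if "*" in _as_list(d.get("Action", []))
                  for r in _as_list(d.get("Resource", []))]
    for excl in excluded:
        blocked = any(_covers(r, excl) for r in denied_all)
        reachable = any(
            any(a == "*" or _service(a) == _service(excl)
                for a in _as_list(s.get("Action", [])))
            and any(_covers(r, excl) for r in _as_list(s.get("Resource", [])))
            for s in allows)
        if not blocked:
            sev = "CRITICAL" if reachable else "WARN"
            findings.append(f"{sev}: no explicit Deny covering {excl}")
    return findings


def audit_policy_json(text, excluded=EXCLUDED_RESOURCES):
    """Convenience wrapper for a policy exported from the IAM console."""
    return audit_policy(json.loads(text), excluded)


if __name__ == "__main__":
    for name, pol in (("regulator-readonly", REGULATOR_READONLY_POLICY),
                      ("overbroad", OVERBROAD_POLICY)):
        print(name, audit_policy(pol) or "OK")
```

The audit is conservative by design: a wildcard such as `s3:*` fails even though it includes read actions, and every excluded asset needs its own explicit Deny regardless of whether a current Allow reaches it, because the explicit Deny is what survives a future edit to the Allow statements.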
Establishing clear, professional communication channels with competent authorities before they are needed in a crisis is a governance best practice. Organisations should introduce themselves to the relevant competent authorities early in the compliance process, providing a brief overview of their AI portfolio, their compliance approach, and their contact points. This is particularly valuable in member states where the competent authority is newly established and still developing its operational procedures. Early engagement builds a relationship of constructive cooperation.
For serious incident communication, the protocol should pre-define: the communication channel (email, a dedicated reporting portal, or phone for urgent initial notifications); the format, using the Commission's draft template adapted to national requirements; the signatory authority, typically the AI Governance Lead or an authorised delegate; and the follow-up schedule covering supplementary reports, investigation updates, and corrective action confirmations.
For serious incident communication under Article 73, the protocol should also pre-define the language requirements, as some member states require notifications in the national language. Translation arrangements should be in place before an incident occurs, not negotiated during a crisis. The Legal and Regulatory Advisor coordinates multi-jurisdiction notifications where an incident affects systems deployed across several member states, ensuring that each authority receives a consistent account of the incident through the correct channel within the correct timeline.
Some member states may require periodic compliance reporting beyond the minimum mandated by the AI Act. The Conformity Assessment Coordinator should maintain a register of jurisdiction-specific reporting obligations and ensure that routine reports are submitted on schedule. The framework provides the complete approach to multi-jurisdiction engagement and authority landscape assessment.
Adopt the more conservative interpretation unless it conflicts with a third authority's guidance. Document the rationale and consider raising the issue with the AI Office for consistent application.
Typically not. A phased approach, starting with a small number of member states and building operational maturity, reduces coordination burden and operational risk.
Yes. A purely legal appointment may prove inadequate during inspections. The representative should have access to the provider's engineering team and understand the AISDP sufficiently for routine authority interactions.
Incremental costs across translation, regulatory monitoring, local counsel, cross-timezone incident response, and deployer support, scaling with each additional jurisdiction.