TRACE Phase 5

Evidence

Maintain audit trails, manage certification, and govern regulatory interactions. A regulator, auditor, or notified body that requests demonstration of compliance will evaluate the organisation on the basis of the evidence it can produce, not on the basis of the governance it claims to practise. Compliance without evidence is indistinguishable from non-compliance.

Core Activities

From governance to proof

Four capabilities that ensure every governance action across the TRACE lifecycle is captured, preserved, and presentable to any stakeholder.

Audit Trail Architecture

EU AI Act Art. 12, 18GDPR Art. 5(2)ISO 42001 Clause 9.1

The audit trail is the evidentiary backbone of TRACE. It captures records generated by every other phase and preserves them in tamper-evident form supporting internal audit, external assessment, and regulatory investigation. Compliance without evidence is indistinguishable from non-compliance.

Scope: Triage records (applicability determinations), Rating records (classifications, obligations, gaps), Architecture records (design decisions), Control records (monitoring, oversight, incidents), and system behaviour logs per Art. 12
Art. 12 automatic logging: period of use, reference database, input data matches, identification of natural persons involved in verification
Integrity protection: cryptographic hashing, append-only storage, digital timestamping via trusted authorities, write-once media — proportionate to system risk classification
Log aggregation and correlation: centralised collection from all governance systems, normalised schema, correlation queries to reconstruct complete governance history per system or event
Chain of custody: who created each record, transmission and storage path, access history, transformations applied — supporting admissibility and credibility of evidence

Conformity Assessment and Certification

EU AI Act Annex VI & VIIISO 42001ISO 27001SOC 2

Conformity assessment is mandatory for high-risk AI systems before market placement. The EU AI Act provides two pathways: internal control (Annex VI, Module A) where the provider self-assesses, and quality management system assessment with technical documentation review (Annex VII, Module H) involving a notified body.

Internal control (Module A): provider verifies QMS compliance with Art. 17, examines technical documentation against Chapter III Section 2, verifies design process and post-market monitoring consistency — then draws up EU Declaration of Conformity and affixes CE marking
Third-party assessment (Module H): mandatory for biometric identification (Annex III point 1) and critical infrastructure AI (Annex III point 6a) unless harmonised standards fully applied — notified body assesses QMS and technical documentation
Preparation sequence: completeness review, self-assessment against requirements using Obligation Register, pre-audit remediation, mock assessment, Declaration and CE marking
ISO 42001: Stage 1 (documentation review), Stage 2 (implementation audit), annual surveillance, 3-year recertification — leverages same evidence base as EU AI Act conformity assessment
Multi-certification coordination: ISO 27001 first (foundational security), then ISO 42001 (AI management extending existing infrastructure), then SOC 2 (cloud service assurance), with EU AI Act conformity assessment in parallel

Regulatory Interaction Management

EU AI Act Art. 57-59GDPR Art. 36NIS2

Organisations deploying AI in regulated environments will interact with regulators — proactively through sandboxes and consultations, or reactively through investigations and information requests. Effective management of these interactions is a governance discipline in its own right.

Proactive engagement: AI regulatory sandboxes (Art. 57-59), public consultations on delegated acts, standards development (CEN/CENELEC working groups), industry associations
Market surveillance (Chapter VIII): authorities may request technical documentation, automatic logs, source code (under specific safeguards), conduct compliance testing, and require corrective actions
GDPR supervisory authority: Art. 36 prior consultation for high residual risk, data subject complaint handling, investigations, enforcement notices
NIS2: ex ante supervision for essential entities (regular audits, ad hoc inspections), ex post supervision for important entities triggered by non-compliance evidence
Communication protocols: designated regulatory liaison, legal counsel review on all outgoing communications, incoming communication logging and routing, response templates for common request types

Third-Party Assurance and Transparency

EU AI Act Art. 71, 50GDPR Art. 13-14

Governance credibility extends beyond regulators. Deployers, affected persons, civil society, and the public have legitimate interests in understanding AI governance. The EU AI Act requires high-risk AI system registration in the EU database before market placement, and transparency obligations apply to deployers informing individuals subject to AI decisions.

EU Database (Art. 71): provider registration with system description, intended purpose, conformity status — publicly accessible for most high-risk categories, deployers must also register their use
Transparency reporting: governance framework summaries, aggregate fairness audit results, incident statistics, maturity trajectory — building stakeholder trust
Supply chain assurance: instructions for use (Art. 13), technical documentation extracts for deployers, contractual compliance warranties — generated from the same evidence architecture
Affected persons communication (Art. 50(4), GDPR Art. 13-14): plain language summaries, visual explanations, structured disclosure formats explaining AI system operation accessibly
Voluntary assurance: algorithmic impact assessments beyond DPIAs, third-party algorithmic audits, responsible AI initiatives, model cards and system cards

Conformity Assessment

Five-step preparation process

A structured process for preparing EU AI Act conformity assessment, whether internal (Module A) or third-party (Module H).

Completeness Review

Verify all required documentation: Annex IV technical documentation, Annex V QMS, risk management records, data governance records, testing records, post-market monitoring plan, and all TRACE phase artefacts.

Self-Assessment Against Requirements

Walk through every Chapter III Section 2 requirement and verify with documented evidence. The Obligation Register and Compliance Gap Register from the Rate phase serve as the checklist.

Pre-Audit Remediation

Close remaining gaps identified in self-assessment. Ensure all documentation is current and consistent across the unified documentation architecture.

Mock Assessment

For organisations preparing for third-party assessment, conduct a mock assessment using external or independent internal auditors to identify weaknesses before formal assessment.

Declaration and Marking

Upon successful assessment, prepare the EU Declaration of Conformity (Art. 47) and affix the CE marking (Art. 48). Register in the EU Database for High-Risk AI Systems (Art. 71).

Retention Policy

Cross-framework retention requirements

Retention periods vary across frameworks. The audit trail policy must satisfy the longest applicable period for each record type.

10-Year Audit Trail Retention

EU AI Act Art. 12

Article 12 requires automatic logging events to be retained for at least the lifetime of the high-risk AI system, or as required by sector-specific law — typically a minimum of 10 years.

10-Year Documentation Retention

EU AI Act Art. 18

Article 18 requires Annex IV technical documentation, post-market monitoring plans, and quality management system records to be kept for at least 10 years after the system is placed on the market.

Personal Data Minimisation

GDPR

GDPR Article 5(1)(e) requires personal data to be kept no longer than necessary for the purposes for which it was processed. Reconcile with AI Act long-retention requirements via pseudonymisation or aggregation.

Sector-Specific Requirements

ISO 42001 / 27001

Sector-specific regulations (DORA, MiFID II, MDR) layer additional retention requirements on top of the AI Act baseline. Map your applicable sectoral requirements alongside Article 12 logging duties to determine the effective minimum retention period.

Artefacts

Evidence phase outputs

Six categories of deliverable that provide the evidentiary foundation for audit, certification, regulatory interaction, and stakeholder assurance.

Audit Trail System Design

Log sources, aggregation architecture, integrity protection mechanisms, retention policy, and access controls for the governance audit trail.

Conformity Assessment Package

Complete documentation for the applicable assessment pathway — Annex IV technical documentation, QMS documentation, testing records, risk management records.

EU Declaration of Conformity

Formal written declaration per Article 47 covering system identification, applicable requirements, and compliance statement, with CE marking records.

ISO Certification Records

Certificates, Stage 1 and Stage 2 audit reports, surveillance audit reports, nonconformity records, and corrective action evidence.

Regulatory Correspondence Register

Complete chronological record of all communications with market surveillance authorities, supervisory authorities, and notified bodies.

Supply Chain Assurance Packages

Documentation packages for downstream deployers — instructions for use, relevant technical documentation extracts, and compliance warranties.

Prove Your Compliance

Tamper-evident audit trails, conformity assessment readiness, and structured regulatory interaction management — evidence that exists before it's requested.

Request Access Talk to Us