EU AI Act
Evidence basics
The EU AI Act is evidence-driven. Whether or not you are compliant is decided by what you can show, not by what you can claim. This article covers what counts as evidence, what auditors actually look for, and the pitfalls mid-market companies hit most often.
What counts as evidence
Evidence under the Act is documentary. The categories most commonly required for deployers and providers are:
- Inventory. A complete, current list of AI systems your company uses or builds. This is what your AI Tool Register is for.
- Risk assessment records. Documents showing you assessed the risks of each AI system before adopting it.
- Policies. Written policies governing AI use — usage, data classification, training requirements, incident response.
- Training records. Per-person records of who completed AI literacy training, when, and on what content.
- Decision rationale. Written records of why specific decisions were made — to approve a tool, to restrict data access, to deny a request.
- Logs. For high-risk systems, technical logs of automatically generated events (Article 12 / 19 / 26).
- Snapshots. Point-in-time exports of your readiness state, dated and retained.
AIRegistra’s evidence types map roughly to these: register entries (inventory), documents (policies, risk assessments, DPAs), notes (rationale and assessments), training sessions (training records), and snapshot PDFs (point-in-time export).
What auditors actually look for
In conversations with auditors experienced with the EU AI Act, three questions come up consistently:
- “Show me your AI inventory.” Auditors expect a complete list. Missing tools — the kind that show up in a billing review but not your formal inventory — are the most common audit finding. The remediation is straightforward: keep your inventory live, populated from billing imports and surveys, not just manual entry.
- “Show me your training records for the people who use [Tool X].” Auditors will pick a tool from your inventory and ask for the matching training records. The link between tool and training is what gets caught most often. Generic “we have an AI training programme” is not enough; the training has to map to the people using each tool.
- “Show me the rationale for [decision Y].” Auditors pick a recent decision — a tool approval, a restriction, a denial — and ask why. Decisions without written rationale are the third most common gap.
The good news: all three are tractable for mid-market companies. The work is recordkeeping, not legal philosophy.
Common pitfalls
“We have a policy, isn’t that enough?”
A policy is necessary but not sufficient. Auditors expect to see the policy plus evidence the policy is actually followed: training records, request decisions, periodic reviews. A policy with no operational evidence is treated as aspirational, not a control.
“We trained everyone last year — we’re done.”
Article 4 implies a refresher cadence. The Act does not specify one, but auditors look for evidence that training is repeated. Annual is the conservative default. A one-off training event from 18 months ago will not survive scrutiny in 2027.
“We use spreadsheets — that’s our register.”
Spreadsheets work as a register format if you maintain change history, prevent uncontrolled edits, and can produce a defensible export. Most spreadsheet-based registers fail at least one of those three: the spreadsheet exists, but everyone overwrites everything, no history is kept, and the export is whatever Excel produces. The register format itself is fine; the recordkeeping discipline around it usually is not.
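To make those three requirements concrete, here is an added example (hypothetical code, not AIRegistra’s): a minimal register whose change history is append-only and hash-chained, so an overwritten or deleted row is detectable, which rebuilds the current inventory by replaying that history, and which produces the kind of dated snapshot export described below with a digest an auditor can re-check. `ToolRegister`, its methods and the event fields are assumed names.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # stands in for "no event before the first one"

def _digest(prev_hash, obj):
    # Hash the previous hash together with canonical JSON; for a snapshot prev_hash is "".
    return hashlib.sha256(prev_hash.encode() + json.dumps(obj, sort_keys=True).encode()).hexdigest()

class ToolRegister:
    def __init__(self):
        self.events = []  # append-only change history; rows are never edited in place

    def record(self, tool, action, actor, rationale, ts=None):
        prev = self.events[-1]["hash"] if self.events else GENESIS
        event = {"ts": ts or datetime.now(timezone.utc).isoformat(),
                 "tool": tool, "action": action, "actor": actor, "rationale": rationale}
        event["hash"] = _digest(prev, event)  # commits to the whole history before it
        self.events.append(event)
        return event["hash"]

    def verify(self):  # recompute the chain; any overwritten or deleted event breaks it
        prev = GENESIS
        for e in self.events:
            body = {k: v for k, v in e.items() if k != "hash"}
            if _digest(prev, body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def current_inventory(self):
        state = {}  # replay history: the latest action per tool decides its status
        for e in self.events:
            if e["action"] == "removed":
                state.pop(e["tool"], None)
            else:
                state[e["tool"]] = e["action"]
        return state

    def snapshot(self, ts=None):
        # Dated point-in-time export that names the chain head and carries its own digest.
        export = {"exported_at": ts or datetime.now(timezone.utc).isoformat(),
                  "inventory": self.current_inventory(),
                  "history_head": self.events[-1]["hash"] if self.events else GENESIS}
        export["digest"] = _digest("", export)
        return export

def verify_snapshot(snap):
    return _digest("", {k: v for k, v in snap.items() if k != "digest"}) == snap["digest"]
```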
“The vendor is compliant, so we are.”
Vendor compliance is not a substitute for your own. If you deploy a vendor’s AI system, you have deployer obligations regardless of how compliant the vendor’s provider obligations are. The two roles do not cancel out.
“We use it lightly so it doesn’t really count.”
Article 4 has no usage-volume threshold. A tool used by one person once a week for company work is in scope. The proportionality clause adjusts the depth of training required, not the obligation to have any.
“Free tier means it’s not a tool.”
Same answer. Free-tier AI tools used for company work are in scope. The data-leakage risk on free tiers is typically higher than paid (no enterprise DPA, sometimes data used for model training), so free-tier inventory and policy controls matter more, not less.
What to do if you have gaps
Most mid-market companies have gaps as of mid-2026. The remediation order that maximises audit defensibility:
- Get the inventory current. Import billing, survey staff, manually add the rest. Do not let perfect be the enemy of complete.
- Adopt the AI usage policy. Use the AI usage policy template as a starting point.
- Run the first training session and record it. Use the training plan template.
- Generate the first snapshot PDF. Even a sparse one is dated evidence.
- Set the refresher cadence. Quarterly inventory review, annual training refresher, whatever fits.
Document what you cannot do yet. “Working towards X by Q3” with a written plan beats “we don’t have X” with no plan.
Where to go next
- Article 4 explained — what training has to look like.
- Role declaration — Provider, Deployer, Importer, Distributor.
- Key deadlines — when each obligation kicks in.
This is general information, not legal advice. Application to your company depends on your specific facts; consult your own counsel.