Annex III of the EU AI Act lists domains where AI is presumed high-risk — employment, credit, education, law enforcement, critical infrastructure, and more. If your AI system falls in scope, governance must be provable, not aspirational.
Before deployment
- Risk management system — iterative identification and mitigation of known and reasonably foreseeable risks
- Data governance — training, validation, and testing data relevance, representativeness, and bias examination
- Technical documentation — architecture, capabilities, limitations, and intended purpose
- Record-keeping design — automatic logging of events for traceability
- Human oversight — ability to interpret output and to disregard or override it; interface design for meaningful review
- Accuracy & robustness — metrics, adversarial testing, and cybersecurity measures
At deployment
- Conformity assessment completed (internal control or notified body, depending on system type)
- CE marking and EU declaration of conformity where applicable
- Registration in the EU database for high-risk systems
- Deployment tied to an approved policy version with explicit tool and data boundaries
After deployment
- Post-market monitoring plan executed; incidents reported within required timelines
- Logs retained and available for authority requests
- Material changes trigger re-assessment before re-deployment
- Runtime violations investigated with root-cause tied back to policy gaps
Operationalizing the checklist
Spreadsheets fail at step three. High-risk governance needs workflow: engineering submits intake, GRC reviews structured assessment output, compliance tests produce artifacts, and authorization links a specific policy to a specific environment. openRegal encodes this as Gate → Assess → Prove → Enforce — so checklist items become system states, not slide deck promises.
