The table of contents is public because the structure itself is the standard. The annotated walkthrough and the redacted example below unlock once three fields are filled in. A PDF copy lands in your inbox the same way.
One page: scope, risk tier, control posture, residual gaps and recommended next quarter.
Every system in scope, owner, purpose, data sources, model provenance, vendors and update cadence.
Written justification for the assigned EU AI Act tier per system, with Article and Annex references.
Architecture, model lineage, training data summary, performance and intended use, structured per Annex IV.
Data contracts, owners, quality measures, lineage diagrams and the controls behind each (Article 10).
Versioned evaluation harness, results, accuracy and robustness measures, with reproducibility instructions.
Named reviewers, training, decision rights, escalation paths and override evidence (Article 14).
Event schema, retention, drift and bias thresholds, alerting routes and corrective-action playbook (Articles 12 and 72).
Checklist of controls under Articles 8 to 27, with evidence references and a notified-body engagement plan where required.
Per-control mapping to NIST AI RMF, ISO/IEC 42001 and, where relevant, SR 11-7 and PRA SS1/23.
Definitions, triage, containment, regulator notification (Article 73) and post-incident review template.
Triggers for re-classification, version control, quarterly attestation and the named partner who signs.