| Clause | Requirement | Framework mapping | Evidence |
|---|---|---|---|
| §4.1–4.4 | Context, interested parties, scope, AIMS | Strategy (L1) + AI Actor Classification | Policy document, scope statement, AI Actor Register |
| §5.1–5.3 | Leadership, policy, roles & responsibilities | Strategy (L1) + People (L3) RACI | Signed policy, RACI matrix, board resolution |
| §6.1.2 | AI risk assessment process | GRC (S1) Risk & Impact Assessments | ART-06 Risk Acceptance Record |
| §6.1.4 | AI impact assessment (societal, ethical) | Ethics (L2) FRIA + GRC (S1) | DPIA/FRIA report |
| §6.1.5 | Supply chain AI risk | Supply Chain (S3) | ART-07 Supplier Assurance Pack |
| §7.2–7.3 | Competence, awareness, communication | People (L3) AI Literacy + Academies | Training records, competence assessments |
| §8.4 | Data for AI systems | Knowledge (L6) + Synthetic Data Gov. | ART-02 Dataset Datasheet |
| §8.5 | Information security for AI | Security (S2) + Multi-Agent Orchestration | Red team reports, adversarial test results |
| §8.6 | AI system operation | User (L4) + Production (L5) | ART-01 System Card, ART-03 Eval Plan, ART-05 Agent Declaration |
| §9.1 | Monitoring, measurement, evaluation | Observability (S4) + PMM System | ART-04 Ongoing Evaluation Cadence |
| §9.2 | Internal audit | GRC (S1) Evidence Factory | Audit logs, audit report |
| §10.1–10.3 | Nonconformity, corrective action, improvement | Security (S2) IR + GRC (S1) | ART-08 AI Incident Report |
| Function | Outcome | Framework mapping | Evidence |
|---|---|---|---|
| GOVERN 1 | Policies, processes, procedures established | Strategy (L1) + GRC (S1) Policy-as-Code | Governance corpus, risk appetite statement |
| GOVERN 2 | Accountability structures and culture | Strategy (L1) Executive Accountability + People (L3) | RACI, board resolution, capability records |
| GOVERN 3 | Workforce AI risk management culture | People (L3) AI Champions + Ethics (L2) RAI Board | Training records, review board minutes |
| GOVERN 5 | Third-party risk governance | Supply Chain (S3) | ART-07 Supplier Assurance Pack |
| GOVERN 6 | AI risk management policies | GRC (S1) + Ethics (L2) + Legal Register | Policy register, norms documentation, legal register |
| MAP 1 | Context established and understood | Strategy (L1) + GRC (S1) AI System Inventory | System inventory, AI Actor Register |
| MAP 2 | Categorisation of AI risks | Ethics (L2) Fairness Metrics Registry | Metric selection rationale (signed by RAI Board) |
| MAP 3 | AI benefits and risks mapped | GRC (S1) Risk & Impact Assessments | DPIA/FRIA report |
| MAP 5 | Likelihood and severity evaluated | GRC (S1) + Ethics (L2) + Strategy (L1) Risk Appetite | ART-06 Risk Acceptance Record |
| MEASURE 1 | Risk measurement approaches | Ethics (L2) Fairness Metrics + Observability (S4) | ART-03 Evaluation Plan, ART-04 Cadence Report |
| MEASURE 2 | AI systems evaluated for risk | Observability (S4) + Production (L5) Release Gates | ART-03 Release criteria results |
| MEASURE 4 | Post-deployment risk monitored | Observability (S4) Drift + HITL + PMM System | ART-04 Ongoing Evaluation |
| MANAGE 1 | Risks prioritised and treated | GRC (S1) + Security (S2) Controls | Risk register, treatment plans |
| MANAGE 4 | Incidents and errors reported | Security (S2) IR + People (L3) Training | ART-08 AI Incident Report |
| AI 600-1 Agentic | Autonomous action, tool use, multi-step reasoning | User (L4) ART-05 + S2 Multi-Agent + Agentic Pack | ART-05 Agent Control Declaration |
| AI 600-1 MS-2.5-005 | Verify RAG data provenance and grounding | Knowledge (L6) Context Injection + Data Lineage | RAG permission config, lineage graph |
| AI 600-1 MG-3.1-003 | Re-assess model risks after RAG implementation | GRC (S1) Lifecycle Workflow + Observability (S4) | ART-03 refresh post-RAG deployment |
| AI 600-1 MG-3.2-002 | Document RAG adaptations and configurations | Production (L5) Prompt & RAG Governance | RAG configuration documentation |
| Article | Obligation | Applies to | Framework mapping | Evidence |
|---|---|---|---|---|
| Art. 3(1), 3(63) | AI system and GPAI model definitions | All actors | Strategy (L1) AI Actor Classification | AI Actor Register with operator role per system |
| Art. 9 | Risk management system for high-risk AI | Provider | GRC (S1) + Ethics (L2) + Observability (S4) | ART-06 Risk Acceptance + ART-04 Cadence |
| Art. 9(2)(c); Art. 72 | Post-market monitoring system | Provider | Observability (S4) PMM System | ART-04 Cadence Report, PMM plan |
| Art. 10 | Data and data governance | Provider | Knowledge (L6) + Synthetic Data Gov. | ART-02 Dataset Datasheet |
| Art. 11 + Annex IV | Technical documentation | Provider | GRC (S1) Evidence Factory + Production (L5) | ART-01 System Card + documentation set |
| Art. 12 | Record-keeping and logging | Provider | GRC (S1) Evidence Factory | Audit logs, evidence chain |
| Art. 14 | Human oversight measures | Provider + Deployer | Observability (S4) HITL + User (L4) ART-05 | ART-05 with human oversight pattern field |
| Art. 15 | Accuracy, robustness, cybersecurity | Provider | Security (S2) + Observability (S4) + Production (L5) | Red team reports, ART-03 Eval Plan |
| Art. 17 | Quality management system | Provider | ISO 42001 AIMS (full PDCA) | Full AIMS evidence set |
| Art. 25–28 | Value chain obligations | All value chain actors | Supply Chain (S3) + Strategy (L1) AI Actor Classification | ART-07 + value chain obligation matrix |
| Art. 26 | Deployer obligations — monitoring, reporting | Deployer | People (L3) + Observability (S4) | ART-04 + People RACI + PMM plan |
| Art. 27 | Fundamental rights impact assessment | Public bodies + certain deployers | Ethics (L2) FRIA + GRC (S1) | FRIA report with DPO + RAI Board sign-off |
| Art. 49 | EU database registration | Provider + Deployer | GRC (S1) AI System Inventory | Registration confirmation |
| Art. 50 | Transparency — AI interaction disclosure | Provider + Deployer | User (L4) Art. 50 Disclosure | Disclosure mechanism evidence |
| Art. 51–56 | GPAI model obligations | GPAI provider | Supply Chain (S3) + GPAI Code of Practice | ART-07 + GPAI compliance documentation |
| Art. 73 | Serious incident reporting (15 days) | Provider + Deployer | Security (S2) IR + Observability (S4) PMM | ART-08 AI Incident Report |
| Art. 86 | Right to explanation for AI decisions | Deployer | Ethics (L2) Contestability & Recourse | Contestability mechanism documentation |
| Art. 95 | GPAI transparency (model cards) | GPAI provider | Supply Chain (S3) + ART-01 | ART-01 (requested from vendor) |