the difference between saying you have governance and being able to prove it when someone with authority asks.
A documented artifact demonstrating that a control is in place and effective. Evidence is produced by operational layers and collected by the Evidence Factory. Without an evidence definition, a control is an aspiration, not a governance instrument. Evidence transforms policy statements into verifiable governance by anchoring each control to a concrete, auditable artifact.
Why It Matters
Every AI governance framework in existence makes the same implicit assumption: that controls are documented, tested, and provable. The EU AI Act requires it. ISO/IEC 42001 requires it. NIST AI RMF requires it. Yet most organisations treat evidence as an afterthought — something to produce when the auditor arrives, rather than something generated continuously as a byproduct of operational governance.
The structural problem is not that organisations lack policies. Most enterprises have extensive policy libraries. The problem is that policies describe intent. Evidence proves execution. A bias testing policy that has never produced a test result is not governance. It is aspiration with a document management system.
When a regulator, auditor, or supervisory board asks “show me the evidence,” they are asking a specific question: can you demonstrate that this control was executed, by whom, when, with what result, and where the artifact is stored? If the answer involves sending someone to search through SharePoint, the evidence programme has failed before the conversation started.
The Stress Test
An auditor requests evidence that your organisation’s high-risk AI system has been tested for discriminatory output, as required under Article 10 of the EU AI Act. Your compliance team produces the bias testing policy, approved by the board eighteen months ago. The auditor notes the policy. Then asks for the test results. The test schedule. The test methodology. The names of the testers. The threshold definitions. The remediation records when tests failed.
Your team searches for thirty minutes. They find a spreadsheet from a pilot phase, last updated fourteen months ago, with three rows of data and no owner. The auditor writes: “No evidence of ongoing bias testing. Policy exists but is not operationalised.” The finding is not that you lack governance. The finding is that you cannot prove you have governance. In regulatory terms, those are the same thing.
In the Wild
Between 2019 and 2024, multiple European Data Protection Authorities issued findings against organisations that had data protection impact assessments (DPIAs) on file but could not produce evidence that the assessments had been reviewed, updated, or acted upon after initial creation. The Dutch Autoriteit Persoonsgegevens and the French CNIL both cited “paper DPIAs” — documents that existed in policy libraries but had never been operationalised into the processing activities they were meant to govern.
The document existed. The evidence that anyone acted on it did not. Regulators have learned to ask for the second thing.
The Federal Reserve’s SR 11-7 guidance on model risk management requires banks to maintain evidence of independent model validation. In multiple supervisory examinations between 2021 and 2023, examiners found that institutions had validation policies but lacked the evidence trail: no records of challenger model results, no documentation of validation scope decisions, and no sign-off artifacts linking validation outcomes to deployment approvals.
The OCC’s Comptroller’s Handbook on Model Risk Management explicitly states that “the absence of documentation is itself a finding,” regardless of whether the validation was actually performed.
If you did the work but did not capture the evidence, the regulatory outcome is identical to not doing the work.
The FDA’s framework for AI/ML-based Software as a Medical Device (SaMD) requires a Predetermined Change Control Plan (PCCP) with evidence that modifications to AI models have been tested, validated, and approved before deployment. In 2024 advisory letters, the FDA flagged multiple AI diagnostic tool vendors for lacking version-controlled evidence that model updates had undergone the documented validation process — even when the vendors asserted the testing had occurred.
The FDA does not accept “we tested it” as evidence. It accepts the test protocol, the test data, the test results, the reviewer signature, and the version hash of the model that was tested.
How to Govern It
Evidence is not a reporting exercise. It is an architectural decision about how governance operates.
Within the AI Control Index, evidence governance is centred on Shield S1 (GRC) but requires contribution from every operational layer:
- GRC (S1) — Maintains the Evidence Factory: a centralised repository that collects, indexes, and retains all evidence artifacts. Every control in the framework has an evidence definition specifying what artifact must be produced and where it is stored.
- Operational Layers (L1–L6) — Evidence is produced by operational layers as a byproduct of control execution. When a gate is passed, the gate produces its evidence. When a test is run, the test produces its results. Evidence generation is not a separate activity; it is embedded in the control itself.
- Mandatory Artifacts (ART-01 through ART-08) — The framework defines eight mandatory artifacts that collectively form the minimum evidence base for any AI system under governance. These are not optional documentation; they are required outputs.
- Maturity Levels — At Level 1 (Ad Hoc), evidence does not exist. At Level 2 (Defined), evidence definitions exist but collection is manual. At Level 3 (Managed), evidence is collected systematically with traceability. At Level 4 (Optimised), evidence generation is automated and continuously validated.
- Post-Market Monitoring — Evidence is not a point-in-time snapshot. The framework requires ongoing evidence generation throughout the AI system lifecycle, including post-deployment monitoring evidence, incident response records, and periodic re-evaluation results.
When It's Relevant
Every AI system under governance. Without exception. Evidence is the mechanism by which governance transitions from stated intention to demonstrable practice. An organisation without an evidence programme does not have a governance programme; it has a documentation programme.
Evidence requirements are particularly acute when:
- The AI system is classified as high-risk under the EU AI Act and subject to conformity assessment
- An external audit or regulatory examination is scheduled or anticipated
- The organisation is operating in a regulated sector (financial services, healthcare, government)
- Multiple teams contribute to the AI lifecycle and evidence is produced across organisational boundaries
- An incident has occurred and the organisation must demonstrate that pre-existing controls were in place and operational
Related Terms
References
- [1] European Parliament and Council (2024) Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence (AI Act). Official Journal of the European Union, L series. Articles 9, 11, 17, 61.
- [2] ISO/IEC (2023) ISO/IEC 42001:2023 — Artificial intelligence — Management system. International Organization for Standardization. Clause 7.5 (Documented Information), Clause 9.2 (Internal Audit).
- [3] Board of Governors of the Federal Reserve System (2011) SR 11-7: Guidance on Model Risk Management. Federal Reserve, Washington, D.C. Section IV (Model Validation).
- [4] NIST (2023) Artificial Intelligence Risk Management Framework (AI RMF 1.0). National Institute of Standards and Technology, U.S. Department of Commerce. GOVERN function, MAP function.
- [5] Office of the Comptroller of the Currency (2021) Comptroller’s Handbook: Model Risk Management. OCC, U.S. Department of the Treasury.
- [6] Raji, I.D., Smart, A., White, R.N., Mitchell, M., Gebru, T., Hutchinson, B., Smith-Loud, J., Theron, D. and Barnes, P. (2020) ‘Closing the AI Accountability Gap: Defining an End-to-End Framework for Internal Algorithmic Auditing’, Proceedings of the 2020 Conference on Fairness, Accountability, and Transparency (FAT*), pp. 33–44.
- [7] FDA (2021) Artificial Intelligence/Machine Learning (AI/ML)-Based Software as a Medical Device (SaMD) Action Plan. U.S. Food and Drug Administration. Predetermined Change Control Plan framework.
AI Control Index v6.0 · Glossary · June 2026 · i-DEPOT 158508 (BOIP) · CC BY-NC-ND 4.0
By Jeroen Janssen, Apparens