the eight documents you need to produce. not “should.” need. the regulator will ask for them by number.
A numbered, required document (ART-01 through ART-08) that an organisation must produce when implementing the framework. Covers system cards, datasheets, evaluation plans, cadence reports, agent declarations, risk records, supplier packs, and incident reports. These are not recommendations. They are the minimum documentation required to demonstrate that an AI system is under governance.
Why It Matters
AI governance frameworks are full of principles, guidelines, and recommendations. Mandatory Artifacts are none of those things. They are the specific, numbered documents that an organisation must produce to demonstrate governance. The distinction matters because principles can be acknowledged without being operationalised. An artifact either exists or it does not.
The eight Mandatory Artifacts form the minimum evidence base for any AI system under governance. Together, they answer the questions that regulators, auditors, and supervisory boards will ask: What is this system? What data does it use? How was it tested? What are the risks? Who controls the agents? Which suppliers are involved? What happens when something goes wrong? How is it performing?
Each artifact has a number (ART-01 through ART-08), a defined scope, and a responsible layer within the AI Control Index. This numbering is deliberate: when a regulator asks for ART-06 (Risk & Impact Record), everyone in the organisation should know exactly what document is being requested, where it is stored, and who owns it. Ambiguity in artifact identification is itself a governance failure.
The Stress Test
Your organisation is deploying an AI-powered recruitment screening tool. The compliance team has approved the project and documented the privacy impact assessment. Engineering has built and deployed the model. HR is using it to filter candidates. Six months in, a rejected candidate files a complaint with the data protection authority, alleging discriminatory screening.
The authority requests your documentation. You produce the privacy impact assessment (close to ART-06). They ask for the system card (ART-01) — you do not have one. The evaluation plan (ART-03) — it was discussed but never formalised. The data and model datasheet (ART-02) — engineering has internal notes but nothing structured. The incident report template (ART-08) — you are now creating one in real time, for this complaint.
You deployed a high-risk AI system with one of eight required artifacts. The gap is not documentation. The gap is that governance was treated as a milestone, not a production system.
In the Wild
Article 11 of the EU AI Act requires providers of high-risk AI systems to draw up technical documentation “before that system is placed on the market or put into service” and to keep it up to date. Annex IV specifies the minimum contents: general description, detailed development methodology, design specifications, monitoring and functioning description, risk management documentation, and standards applied. These are not guidelines — they are legal requirements with enforcement provisions.
The AI Control Index Mandatory Artifacts are designed to map to and exceed these requirements, providing a structured approach to producing the documentation the Act demands.
The EU AI Act does not ask whether you have governance. It asks for the documents that prove it. By number. In advance.
A European hospital deployed an AI-assisted diagnostic tool for radiology screening. When a cluster of missed findings was identified through clinical review, the hospital attempted to investigate whether the model had degraded. No evaluation plan (equivalent to ART-03) existed. The model had been validated once during procurement, with no ongoing evaluation schedule, no performance thresholds, and no defined process for what happens when accuracy drops below acceptable levels.
The hospital could not determine whether the cluster represented a statistical anomaly or a systematic failure because the evaluation framework to answer that question had never been created.
The model had been tested once. It had been running for fourteen months. Those are not the same thing.
As enterprises deploy autonomous AI agents — systems that can take actions, call tools, and make decisions without human approval for each step — the absence of agent control declarations (ART-05) becomes a critical gap. Multiple organisations discovered in 2025 that their AI agents had been granted permissions exceeding their intended scope, including database write access, email sending capabilities, and external API calls, with no documented boundary defining what the agent was authorised to do.
If you cannot produce a document stating what your AI agent is allowed to do, you also cannot demonstrate what it is not allowed to do. The regulator will notice.
How to Govern It
Mandatory Artifacts are not a documentation exercise. They are the governance surface that makes every other control auditable.
The eight Mandatory Artifacts and their governance ownership:
- ART-01: AI System Card — The identity document of the AI system. Describes purpose, scope, risk classification, stakeholders, and lifecycle stage. Owned by GRC (S1).
- ART-02: Data & Model Datasheet — Documents training data provenance, model architecture, known limitations, and performance characteristics. Owned by AI Engineering (L5).
- ART-03: Evaluation & Testing Plan — Defines what will be tested, how, when, by whom, and what thresholds constitute pass or fail. Owned by AI Engineering (L5) with input from Ethics & Fairness (L2).
- ART-04: Cadence Report — Periodic governance report summarising system performance, incidents, control effectiveness, and maturity progression. Owned by GRC (S1).
- ART-05: Agent Control Declaration — Documents the boundaries, permissions, escalation rules, and human oversight requirements for autonomous AI agents. Owned by Applications & Agents (L4).
- ART-06: Risk & Impact Record — The living risk register for the AI system, including identified risks, mitigations, residual risk, and impact assessments. Owned by GRC (S1).
- ART-07: Supplier & Third-Party Pack — Documents third-party AI components, their risk profiles, contractual controls, and due diligence evidence. Owned by GRC (S1) with input from Procurement.
- ART-08: Incident Report — Structured record of AI incidents including root cause analysis, impact assessment, remediation actions, and lessons learned. Owned by GRC (S1) with input from all operational layers.
All eight artifacts are deposited in the Evidence Factory and form the core of the audit-ready evidence chain.
When It's Relevant
Every AI system under governance. The eight Mandatory Artifacts are the minimum documentation set. For high-risk systems, all eight apply. For lower-risk systems, the framework allows proportional application, but the decision to exclude an artifact must itself be documented and justified.
Mandatory Artifacts are most critical when:
- An AI system is classified as high-risk under the EU AI Act and requires conformity assessment
- The organisation is deploying autonomous AI agents that require boundary documentation (ART-05)
- Third-party AI components are integrated, requiring supplier governance documentation (ART-07)
- An incident occurs and a structured response record is needed (ART-08)
- A regulatory examination or external audit is anticipated
Related Terms
References
- [1] European Parliament and Council (2024) Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence (AI Act). Official Journal of the European Union, L series. Article 11 (Technical Documentation), Annex IV (Technical Documentation Requirements).
- [2] Mitchell, M., Wu, S., Zaldivar, A., Barnes, P., Vasserman, L., Hutchinson, B., Spitzer, E., Raji, I.D. and Gebru, T. (2019) ‘Model Cards for Model Reporting’, Proceedings of the Conference on Fairness, Accountability, and Transparency (FAT*), pp. 220–229.
- [3] Gebru, T., Morgenstern, J., Vecchione, B., Vaughan, J.W., Wallach, H., Daumé III, H. and Crawford, K. (2021) ‘Datasheets for Datasets’, Communications of the ACM, 64(12), pp. 86–92.
- [4] ISO/IEC (2023) ISO/IEC 42001:2023 — Artificial intelligence — Management system. International Organization for Standardization. Clause 7.5 (Documented Information).
- [5] NIST (2023) Artificial Intelligence Risk Management Framework (AI RMF 1.0). National Institute of Standards and Technology, U.S. Department of Commerce.
- [6] Raji, I.D., Smart, A., White, R.N., Mitchell, M., Gebru, T., Hutchinson, B., Smith-Loud, J., Theron, D. and Barnes, P. (2020) ‘Closing the AI Accountability Gap: Defining an End-to-End Framework for Internal Algorithmic Auditing’, Proceedings of the 2020 Conference on Fairness, Accountability, and Transparency (FAT*), pp. 33–44.
- [7] European Commission (2024) Implementing Regulation on AI System Documentation Templates. Draft guidance on technical documentation requirements under the AI Act.
AI Control Index v6.0 · Glossary · June 2026 · i-DEPOT 158508 (BOIP) · CC BY-NC-ND 4.0
By Jeroen Janssen, Apparens