STD-AI-004

AI Technical Documentation Standard

Create and maintain comprehensive technical documentation per EU AI Act Annex IV.

Standards LibrarySTD-AI-004

Controls

Compliant

In Progress

Not Started

Overall Progress

40%

Controls

2 controls defined in this standard

TDC-001highIn Progress

System Design Documentation

Document AI system design and architecture comprehensively

45%

TDC-002highIn Progress

Training and Validation Documentation

Document training methodology and validation approach

35%

Implementation Guidance

Detailed guidance for implementing this standard

AI Technical Documentation Standard

Document Type: Standard
Standard ID: STD-AI-004
Standard Title: AI Technical Documentation Standard
Version: 1.0
Effective Date: 2025-08-01
Next Review Date: 2026-08-01
Review Frequency: Annually or upon regulatory change
Parent Policy: POL-AI-001 - Artificial Intelligence Policy
Owner: Chief Technology Officer
Approved By: AI Governance Committee Chair
Status: Draft
Classification: Internal Use Only

Document History
Objective
Scope and Applicability
Control Standard
Supporting Procedures
Compliance
Roles and Responsibilities
Exceptions
Enforcement
Key Performance Indicators (KPIs)
Training Requirements
Definitions
Link with AI Act and ISO42001

DOCUMENT HISTORY

Version	Date	Author	Changes	Approval Date	Approved By
0.1	2025-06-25	David Lee, Chief Technology Officer	Initial draft	-	-
0.2	2025-07-10	David Lee, Chief Technology Officer	Added Annex IV details	-	-
0.3	2025-07-23	David Lee, Chief Technology Officer	Incorporated legal feedback	-	-
1.0	2025-08-01	David Lee, Chief Technology Officer	Final version approved - GRC restructured	2025-07-25	Jane Doe, AI Governance Committee Chair

OBJECTIVE

This standard defines requirements for creating and maintaining comprehensive technical documentation for high-risk AI systems in compliance with EU AI Act Article 11 and Annex IV.

Primary Goals:

Create complete technical documentation per Annex IV for all high-risk AI systems
Keep technical documentation current and accurate throughout AI system lifecycle
Store documentation securely and make available to competent authorities per Article 18 and Article 21
Ensure all technical documentation is reviewed and approved before use

SCOPE AND APPLICABILITY

2.1 Mandatory Applicability

This standard is mandatory for:

All high-risk AI systems (EU AI Act Article 11)
All lifecycle phases requiring documentation

2.2 Recommended Applicability

This standard is recommended for:

All AI systems for best practices
Limited-risk and minimal-risk AI systems (voluntary)

2.3 Documentation Types Covered

Technical documentation (Annex IV)
Design documentation
Development documentation
Testing documentation
Deployment documentation
Maintenance documentation

2.4 Out of Scope

General software documentation (covered by software development standards)
Non-AI system documentation (covered by other documentation standards)
Documentation outside EU AI Act scope

CONTROL STANDARD

Control DOC-001: Documentation Completeness

Control ID: DOC-001
Control Name: Annex IV Documentation Completeness
Control Type: Preventive
Control Frequency: Per high-risk AI system, after substantial modifications
Risk Level: High

Control Objective

Create complete technical documentation per Annex IV for all high-risk AI systems to demonstrate compliance with EU AI Act requirements and enable conformity assessment, in compliance with EU AI Act Article 11 and Annex IV.

Control Requirements

CR-001.1: Annex IV Mandatory Elements

Technical documentation must contain all Annex IV required elements.

Annex IV Checklist (Mandatory Elements):

#	Annex IV Element	Required Content	Section
1	General description	Intended purpose, provider info, versions	Section 1
2	Intended purpose details	Use cases, users, settings	Section 1.1
3	Provider information	Name, contact, authorized rep	Section 1.2
4	Instructions for use	Complete user instructions	Section 1.2
5	System versions	Software/firmware versions, update requirements	Section 1.3
6	Development methods	Methods, steps, design specs	Section 2.1
7	System architecture	Architecture diagrams, components	Section 2.1
8	Computational resources	Resources used for development	Section 2.1
9	Data requirements	Training/validation/testing data specs	Section 2.2
10	Training methodologies	Techniques, parameters, approaches	Section 2.2
11	Data provenance	Data sources, collection methods	Section 2.2
12	Human oversight measures	Oversight design and implementation	Section 2.3
13	Output interpretation	Technical measures for interpretation	Section 2.3
14	Validation procedures	Validation approach and methods	Section 3.1
15	Testing procedures	Testing approach and methods	Section 3.1
16	Performance metrics	Accuracy, robustness, cybersecurity metrics	Section 3.1
17	Test results	Complete test reports	Section 3.1
18	Risk management documentation	Risk management system docs	Section 3.2
19	Lifecycle changes	Changes made through lifecycle	Section 3.2
20	Technical specifications	Hardware, software, network requirements	Section 3.3
21	EU Declaration of Conformity	Copy of declaration	Section 4.1
22	Conformity assessment procedure	Procedure followed (Annex VI or VII)	Section 4.1
23	Notified body details	Identification (if applicable)	Section 4.1
24	Harmonized standards	Standards applied	Section 4.2
25	Common specifications	Specs applied (if no harmonized standards)	Section 4.2
26	Post-market monitoring plan	Detailed description of post-deployment evaluation system and monitoring plan per Article 72 and Article 72(3)	Section 4.3

Mandatory Actions:

Use Annex IV template (TMPL-AI-DOC-001)
Complete all mandatory sections
Obtain technical reviews
Verify completeness against checklist
Obtain CTO approval
Block deployment if documentation incomplete

Evidence Required:

Complete technical documentation package
Annex IV completeness checklist (completed)
Review records
Approval signatures

Audit Verification:

Verify 100% of Annex IV elements completed
Confirm completeness checklist verified
Check technical reviews completed
Validate CTO approval obtained
Verify deployment blocked if incomplete

Control DOC-002: Documentation Quality

Control ID: DOC-002
Control Name: Technical Documentation Quality Assurance
Control Type: Preventive
Control Frequency: Per documentation package
Risk Level: Medium

Control Objective

Ensure technical documentation is clear, comprehensive, and accurate to enable effective use, support conformity assessment, and demonstrate compliance with EU AI Act requirements.

Control Requirements

CR-002.1: Quality Criteria Verification

Technical documentation must meet all quality criteria before approval.

Quality Criteria:

Criterion	Requirement	Verification Method	Target
Clarity	Written in clear, understandable language	Readability review (Flesch-Kincaid ≥60)	≥60
Accuracy	Technically accurate and up-to-date	Technical peer review	100% accurate
Completeness	All required information included	Completeness check against Annex IV	100% complete
Consistency	Consistent terminology and formatting	Consistency review	100% consistent
Traceability	Clear references and cross-links	Traceability audit	All claims traceable
Verifiability	Claims supported by evidence	Evidence verification	100% verifiable

Mandatory Actions:

Conduct technical peer review
Verify accuracy of technical details
Check consistency across sections
Validate all claims with evidence
Obtain quality approval
Block approval if quality criteria not met

Evidence Required:

Peer review records
Quality checklist (completed)
Accuracy verification records
Consistency review records
Traceability audit records
Evidence verification records
Approval records

Audit Verification:

Verify peer review conducted
Confirm all quality criteria met
Check evidence supports all claims
Validate quality approval obtained

Control DOC-003: Documentation Templates

Control ID: DOC-003
Control Name: Standardized Documentation Templates
Control Type: Preventive
Control Frequency: Continuous use, annual review
Risk Level: Low

Control Objective

Use standardized templates aligned with Annex IV structure to ensure consistent, complete documentation across all high-risk AI systems and facilitate compliance verification.

Control Requirements

CR-003.1: Template Management and Enforcement

Maintain and enforce use of standardized Annex IV documentation templates.

Template Requirements:

Follows Annex IV section structure exactly
Includes all mandatory elements
Provides guidance for each section
Enables consistent documentation
Supports version control
Includes quality checklists

Mandatory Actions:

Maintain Annex IV documentation template (TMPL-AI-DOC-001)
Update template with regulatory changes
Train staff on template use
Enforce template usage (mandatory for high-risk AI)
Review template effectiveness annually
Version control template changes

Evidence Required:

Annex IV Documentation Template (TMPL-AI-DOC-001)
Template version history
Template usage records
Training records
Annual template reviews
Template update approvals

Audit Verification:

Verify template exists and is current
Confirm template follows Annex IV structure
Check template usage enforced
Validate annual template review completed

Control DOC-004: Documentation Updates

Control ID: DOC-004
Control Name: Technical Documentation Update Management
Control Type: Preventive
Control Frequency: As triggered by changes
Risk Level: Medium

Control Objective

Update technical documentation when changes occur to AI system to maintain accuracy and compliance throughout the AI system lifecycle, ensuring documentation reflects current system state.

Control Requirements

CR-004.1: Change-Driven Documentation Updates

Update technical documentation promptly when changes occur.

Update Triggers:

Substantial modifications to AI system
Changes to intended purpose
Changes to deployment context
New test results
Risk management changes
Conformity assessment updates
Regulatory requirement changes

Mandatory Actions:

Monitor for update triggers
Assess documentation impact
Update affected sections
Maintain version history
Obtain approval for updates
Communicate changes to stakeholders
Update within 30 days of change

Update Impact Assessment:

Change Type	Documentation Sections Affected	Update Priority	Approval Required
Substantial modification	All sections potentially	High	CTO + AI Governance Committee
Intended purpose change	Section 1.1, 2.2, 3.2	High	CTO + AI Governance Committee
Deployment context change	Section 1.1, 3.3	Medium	AI System Owner
New test results	Section 3.1	Medium	Technical Lead
Risk management changes	Section 3.2	Medium	AI System Owner
Regulatory changes	All sections potentially	High	CTO + Legal

Evidence Required:

Change log
Updated documentation (versioned)
Impact assessments
Approval records
Stakeholder communications
Update completion records

Audit Verification:

Verify documentation updated within 30 days of changes
Confirm all affected sections updated
Check impact assessment completed
Validate approval obtained
Verify version history maintained

Control DOC-005: Version Control

Control ID: DOC-005
Control Name: Documentation Version Control
Control Type: Detective
Control Frequency: Per documentation update
Risk Level: Medium

Control Objective

Maintain comprehensive version control for all technical documentation to enable traceability, support audits, and ensure ability to retrieve historical versions for compliance and troubleshooting.

Control Requirements

CR-005.1: Version Control System Implementation

Implement and maintain version control for all technical documentation.

Version Control Requirements:

Unique version number for each revision
Version history log
Change description for each version
Author and date for each version
Approval status tracking
Ability to retrieve previous versions
10-year retention of all versions

Versioning Scheme:

Version Type	Format	Use Case	Example
Major version	X.0	Substantial modifications, major changes	2.0
Minor version	X.Y	Updates, corrections, clarifications	1.5
Draft versions	X.Y-DRAFT	Work in progress	1.3-DRAFT

Mandatory Actions:

Assign version numbers systematically
Document changes in version log
Store all versions securely
Enable version retrieval
Track approval status
Maintain 10-year retention
Archive old versions per retention policy

Version Log Requirements:

Field	Description	Mandatory
Version Number	Unique version identifier	YES
Date	Version date	YES
Author	Person who created version	YES
Change Description	What changed in this version	YES
Sections Affected	Which documentation sections changed	YES
Approval Status	Approved/Pending/Rejected	YES
Approver	Person who approved (if approved)	If approved

Evidence Required:

Version control log
All documentation versions (stored)
Change descriptions
Approval tracking records
Version retrieval capability verification

Audit Verification:

Verify version control implemented for all documentation
Confirm version numbers assigned systematically
Check version history complete
Validate ability to retrieve previous versions
Verify 10-year retention maintained

Control DOC-006: Annual Documentation Review

Control ID: DOC-006
Control Name: Annual Technical Documentation Review
Control Type: Detective
Control Frequency: Annually
Risk Level: Medium

Control Objective

Review all technical documentation annually for currency and accuracy to ensure documentation remains current, accurate, and compliant with evolving regulations and system changes.

Control Requirements

CR-006.1: Comprehensive Annual Review

Conduct annual review of all technical documentation for each high-risk AI system.

Review Scope:

Review each Annex IV section
Verify accuracy against current system
Update outdated information
Confirm compliance with current regulations
Check completeness
Validate quality criteria still met

Mandatory Actions:

Schedule annual reviews (within 12 months of last review)
Review each Annex IV section systematically
Verify accuracy against current system
Update outdated information
Confirm compliance with current regulations
Document review results
Obtain approval
Update documentation if needed

Annual Review Checklist:

Section	Review Items	Status
Section 1: General Description	Intended purpose current? Provider info accurate? Versions correct?	☐
Section 2: Development	Methods current? Architecture accurate? Data requirements current?	☐
Section 3: Monitoring	Test results current? Risk management current? Specifications accurate?	☐
Section 4: Conformity	Declaration current? Standards current?	☐
Overall	Completeness? Quality? Compliance?	☐

Evidence Required:

Annual review schedule
Review checklists (completed)
Review findings
Updates made (if any)
Approval records
Review completion certificates

Audit Verification:

Verify annual reviews scheduled and completed
Confirm all sections reviewed
Check outdated information updated
Validate compliance verified
Verify approval obtained

Control DOC-007: Secure Storage

Control ID: DOC-007
Control Name: Technical Documentation Secure Storage
Control Type: Preventive
Control Frequency: Continuous
Risk Level: High

Control Objective

Store technical documentation securely with appropriate access controls to protect sensitive information, ensure availability, and comply with retention requirements per EU AI Act Article 18.

Control Requirements

CR-007.1: Secure Storage Implementation

Implement secure storage for all technical documentation.

Storage Requirements:

Secure document management system
Access controls (role-based)
Encryption at rest and in transit
Backup and disaster recovery
Audit trail of access
Retention for 10 years (Article 18)
Geographic restrictions (if applicable)

Mandatory Actions:

Store documentation in approved system
Configure access controls
Enable encryption (at rest and in transit)
Implement backup procedures (daily backups)
Log all access
Enforce retention policy (10 years)
Test disaster recovery annually

Security Controls:

Control	Requirement	Implementation
Access Control	Role-based access control	Document management system RBAC
Encryption at Rest	AES-256 or equivalent	Storage encryption
Encryption in Transit	TLS 1.3 or equivalent	HTTPS for all access
Backup	Daily automated backups	Backup system with 30-day retention
Disaster Recovery	RTO < 24 hours, RPO < 24 hours	DR plan and testing
Audit Trail	Log all access and modifications	Access logs with 10-year retention
Retention	10 years minimum	Automated retention policy

Evidence Required:

Document management system records
Access control configuration
Encryption verification records
Backup logs
Disaster recovery test results
Access audit trail
Retention compliance records

Audit Verification:

Verify secure storage implemented
Confirm access controls configured
Check encryption enabled
Validate backup procedures operational
Verify audit trail logging
Check 10-year retention enforced

Control DOC-008: Access Management

Control ID: DOC-008
Control Name: Technical Documentation Access Control
Control Type: Preventive
Control Frequency: Continuous, quarterly reviews
Risk Level: Medium

Control Objective

Provide appropriate access to technical documentation per Article 18 and Article 21 to enable authorized access while protecting sensitive information and ensuring regulatory compliance.

Control Requirements

CR-008.1: Role-Based Access Control

Implement and manage role-based access control for technical documentation.

Access Levels:

Role	Access Level	Justification	Approval Required
AI System Owner	Full read/write	Responsible for documentation	Automatic
Technical Team	Read/write (assigned sections)	Create and update documentation	AI System Owner
AI Governance Committee	Read	Oversight and approval	Automatic
Internal Audit	Read	Audit and compliance verification	Audit Manager
Competent Authorities	Read (upon request)	Regulatory oversight (Article 18, Article 21)	Legal + CTO
Notified Bodies	Read (during assessment)	Conformity assessment	CTO

Mandatory Actions:

Define access roles and permissions
Grant access based on role
Review access quarterly
Revoke access when no longer needed
Log all access requests
Respond to authority requests within 5 days
Document all access grants/revocations

Access Review Process:

Generate access report quarterly
Review access for each user
Verify access still needed
Revoke unnecessary access
Document review results
Report to AI Governance Committee

Evidence Required:

Access control matrix
Access grant/revoke records
Quarterly access reviews
Access logs
Authority request responses
Access review reports

Audit Verification:

Verify access controls implemented
Confirm access granted based on roles
Check quarterly access reviews completed
Validate unnecessary access revoked
Verify access logs maintained
Check authority requests responded within 5 days

Control DOC-009: Documentation Availability

Control ID: DOC-009
Control Name: Authority Request Response and Documentation Availability
Control Type: Preventive
Control Frequency: As requested
Risk Level: High

Control Objective

Ensure technical documentation is available to competent authorities upon request per Article 18 (retention at disposal of authorities) and Article 21 (cooperation with competent authorities) to enable regulatory oversight and demonstrate compliance.

Control Requirements

CR-009.1: Authority Request Response

Respond promptly and completely to competent authority requests for technical documentation.

Response Requirements:

Acknowledge request within 1 business day
Provide complete documentation package within 5 business days
Ensure documentation in required language (if specified)
Coordinate through legal team
Track all requests and responses
Maintain request log

Mandatory Actions:

Maintain documentation in accessible format
Respond to authority requests promptly
Provide complete documentation package
Track all requests and responses
Ensure language requirements met
Coordinate with legal team
Document all interactions

Authority Request Process:

Receive request from competent authority
Acknowledge within 1 business day
Notify Legal and CTO
Prepare complete documentation package
Review for completeness
Provide to authority within 5 business days
Document request and response
Follow up if needed

Evidence Required:

Authority request log
Response records
Documentation packages provided
Response time tracking
Language compliance verification
Legal coordination records

Audit Verification:

Verify requests acknowledged within 1 business day
Confirm documentation provided within 5 business days
Check complete documentation packages provided
Validate language requirements met
Verify all requests tracked

Control DOC-010: Documentation Review and Approval

Control ID: DOC-010
Control Name: Technical Documentation Review and Approval Process
Control Type: Preventive
Control Frequency: Per documentation package/update
Risk Level: High

Control Objective

Ensure all technical documentation is reviewed and approved before use to verify quality, accuracy, completeness, and regulatory compliance.

Control Requirements

CR-010.1: Multi-Stage Review and Approval

Conduct technical, legal, and compliance reviews before final approval.

Review Stages:

Stage 1: Technical Review

Technical accuracy
Completeness per Annex IV
Consistency with system design
Clarity and understandability
Evidence support for claims
Compliance with technical standards

Stage 2: Legal and Compliance Review

Annex IV compliance
EU AI Act compliance
GDPR compliance (if personal data)
Intellectual property considerations
Contractual obligations
Export control (if applicable)

Stage 3: Final Approval

Route for appropriate approvals
Obtain all required signatures
Document approval date
Communicate approval status
Archive approved version

Approval Hierarchy:

Documentation Type	Approver	Authority	Timeframe
Initial Documentation	CTO + AI Governance Committee	Full approval	< 10 business days
Major Updates	CTO + AI Governance Committee	Full approval	< 10 business days
Minor Updates	AI System Owner + Technical Lead	Delegated approval	< 5 business days
Corrections	Technical Lead	Delegated approval	< 3 business days

Mandatory Actions:

Assign qualified technical reviewers
Conduct detailed technical review
Document findings
Address all findings
Obtain reviewer sign-off
Submit to legal review
Address legal findings
Obtain legal approval
Route for appropriate approvals
Obtain all required signatures
Block use until approved

Evidence Required:

Technical review checklist
Review findings log
Resolution records
Reviewer sign-off
Legal review records
Compliance verification
Legal approval
Approval records
Signature log
Approval workflow tracking

Audit Verification:

Verify technical review conducted
Confirm legal review completed
Check all findings addressed
Validate all required approvals obtained
Verify documentation not used until approved

SUPPORTING PROCEDURES

This standard is implemented through the following detailed procedures:

Procedure PROC-AI-DOC-001: Technical Documentation Creation Procedure

Purpose: Define step-by-step process for creating Annex IV documentation
Owner: Chief Technology Officer
Implements: Controls DOC-001, DOC-002, DOC-003

Procedure Steps:

Initiate documentation creation
Use Annex IV template - Control DOC-003
Complete all mandatory sections - Control DOC-001
Conduct technical review - Control DOC-002
Address review findings
Obtain quality approval
Submit for legal review
Obtain final approval - Control DOC-010
Store documentation securely - Control DOC-007

Outputs:

Complete technical documentation package
Review records
Approval records
Stored documentation

Procedure PROC-AI-DOC-002: Documentation Maintenance Procedure

Purpose: Define process for updating and maintaining documentation
Owner: Chief Technology Officer
Implements: Controls DOC-004, DOC-005, DOC-006

Procedure Steps:

Monitor for update triggers - Control DOC-004
Assess documentation impact
Update affected sections
Assign version number - Control DOC-005
Document changes in version log
Conduct annual review - Control DOC-006
Obtain approval for updates
Store updated version securely

Outputs:

Updated documentation
Version log
Change descriptions
Approval records

Procedure PROC-AI-DOC-003: Documentation Review and Approval Procedure

Purpose: Define process for reviewing and approving documentation
Owner: Chief Technology Officer
Implements: Control DOC-010

Procedure Steps:

Assign technical reviewers
Conduct technical review
Document findings
Address findings
Obtain technical sign-off
Submit to legal review
Address legal findings
Obtain legal approval
Route for final approval
Obtain all required signatures
Archive approved version

Outputs:

Review records
Approval records
Approved documentation

COMPLIANCE

5.1 Compliance Monitoring

Monitoring Approach: Continuous automated monitoring supplemented by monthly manual reviews and quarterly comprehensive audits.

Compliance Metrics:

Metric	Target	Measurement Method	Frequency	Owner
Documentation Completeness	100%	% of high-risk AI with complete Annex IV documentation	Monthly	Chief Technology Officer
Documentation Currency	100%	% of documentation current (< 1 year old)	Monthly	Chief Technology Officer
Review Completion	100%	% of annual reviews completed on time	Quarterly	Chief Technology Officer
Authority Response Time	< 5 days	Average days to respond to authority requests	Per request	Legal
Approval Cycle Time	< 10 days	Average days from submission to approval	Monthly	Chief Technology Officer
Version Control Compliance	100%	% of documentation with proper version control	Monthly	Chief Technology Officer
Access Control Compliance	100%	% of documentation with proper access controls	Monthly	IT Security

Monitoring Tools:

Documentation Dashboard
Compliance Reports
Access Logs
Version Control System
Monthly compliance reports
Quarterly AI Governance Committee reviews

5.2 Internal Audit Requirements

Audit Frequency: Annually (minimum)

Audit Scope:

Documentation completeness per Annex IV
Documentation quality
Documentation currency
Version control implementation
Secure storage implementation
Access control effectiveness
Authority request response
Review and approval process
Controls effectiveness (DOC-001 through DOC-010)

Audit Activities:

Review 100% of high-risk AI documentation for completeness
Sample 20% of documentation for detailed quality review
Test version control system
Verify secure storage implementation
Test access controls
Review authority request responses
Interview key personnel
Test documentation retrieval

Audit Outputs:

Annual Technical Documentation Audit Report
Findings and recommendations
Corrective action plans for deficiencies

5.3 External Audit / Regulatory Inspection

Preparation:

Maintain audit-ready documentation at all times
Designate Chief Technology Officer and Legal as regulatory liaisons
Prepare standard response procedures for authority requests

Provide to Auditors/Regulators:

Technical documentation packages (sample or all)
Documentation templates
Version control logs
Access control records
Authority request logs
Review and approval records
Documentation procedures
Internal audit reports
Evidence of controls execution

Authority Request Response:

Acknowledge request within 1 business day
Provide requested documentation within 5 business days
Coordinate through Legal and Chief Technology Officer
Document all interactions with authorities

ROLES AND RESPONSIBILITIES

6.1 RACI Matrix

Activity	Chief Technology Officer	AI System Owner	Technical Lead	Technical Documentation Team	Legal & Compliance	AI Governance Committee	IT Security
Documentation Creation	R/A	A	R	R	C	I	I
Documentation Quality	R	A	R	R	C	I	I
Template Management	R/A	I	C	C	I	I	I
Documentation Updates	R	A	R	R	C	I	I
Version Control	R	A	C	R	I	I	I
Annual Review	R	A	R	C	C	I	I
Secure Storage	R	I	I	I	I	I	R/A
Access Management	R	A	I	I	C	I	R
Authority Requests	R	I	I	I	R	I	I
Review and Approval	R/A	A	R	C	R	A	I

RACI Legend:

R = Responsible (does the work)
A = Accountable (ultimately answerable)
C = Consulted (provides input)
I = Informed (kept up-to-date)

6.2 Role Descriptions

Chief Technology Officer

Primary Responsibility: Oversees technical documentation framework, ensures compliance
Key Activities:
- Establishes documentation framework
- Maintains documentation templates
- Approves documentation
- Reports documentation metrics
- Coordinates with authorities
Required Competencies: EU AI Act Article 11, Annex IV, technical documentation, project management

AI System Owner

Primary Responsibility: Accountable for documentation completeness and accuracy
Key Activities:
- Ensures documentation created
- Approves documentation content
- Coordinates documentation updates
- Participates in reviews
Required Competencies: AI system knowledge, documentation requirements

Technical Lead

Primary Responsibility: Creates and maintains technical content
Key Activities:
- Creates technical documentation
- Conducts technical reviews
- Updates documentation
- Maintains version control
Required Competencies: Technical writing, AI system technical knowledge, Annex IV

Technical Documentation Team

Primary Responsibility: Supports documentation creation and maintenance
Key Activities:
- Supports documentation creation
- Maintains templates
- Conducts quality reviews
- Manages version control
Required Competencies: Technical writing, documentation management

Legal & Compliance

Primary Responsibility: Reviews for regulatory compliance
Key Activities:
- Reviews documentation for compliance
- Manages authority requests
- Advises on regulatory requirements
Required Competencies: EU AI Act legal expertise, regulatory compliance

AI Governance Committee

Primary Responsibility: Approves documentation
Key Activities:
- Approves initial documentation
- Approves major updates
- Reviews documentation metrics
Authority: Final approval for initial and major documentation

IT Security

Primary Responsibility: Implements secure storage and access controls
Key Activities:
- Implements secure storage
- Configures access controls
- Manages encryption
- Implements backup and DR
Required Competencies: Information security, document management systems

EXCEPTIONS

7.1 Exception Philosophy

Technical documentation is a critical regulatory compliance activity for high-risk AI systems. Exceptions are granted restrictively and only where compensating controls adequately mitigate risks.

7.2 Allowed Exceptions

The following exceptions may be granted with proper justification and approval:

Exception Type	Justification Required	Maximum Duration	Approval Authority	Compensating Controls
Extended Documentation Creation Timeline	Resource constraints prevent timely creation	30 days	CTO + AI Governance Committee	Interim documentation; Accelerated plan
Deferred Minor Section Update	Minor section update can wait	60 days	AI System Owner	Document deferral rationale; Schedule update
Simplified Documentation (Minimal-Risk AI)	AI system clearly minimal-risk	Permanent	CTO	Document simplified rationale; Annual re-confirmation

7.3 Prohibited Exceptions

The following exceptions cannot be granted under any circumstances:

❌ Skipping Annex IV documentation for high-risk AI - Mandatory per Article 11, no exceptions
❌ Deploying without complete documentation - Regulatory violation, legal liability
❌ Skipping technical review - Required for quality assurance
❌ Skipping legal review - Required for compliance verification
❌ Operating without secure storage - Required for data protection
❌ Ignoring authority requests - Required per Article 18 and Article 21

7.4 Exception Request Process

Step 1: Submit Exception Request

Complete Exception Request Form (FORM-AI-EXCEPTION-001)
Include business justification
Propose compensating controls
Specify duration requested
Attach risk assessment

Step 2: Risk Assessment

Chief Technology Officer assesses risk of granting exception
Evaluates adequacy of compensating controls
Documents residual risk

Step 3: Approval

Route to appropriate approval authority based on exception type
CTO approval: Minor exceptions
CTO + AI Governance Committee: Significant exceptions
AI Governance Committee: Critical exceptions

Step 4: Documentation and Monitoring

Document exception in Exception Register
Assign exception owner
Set review date
Monitor compensating controls
Report exceptions quarterly to AI Governance Committee

Step 5: Exception Review and Closure

Review exception at specified review date
Assess if exception still needed
Close exception when normal documentation completed
Document lessons learned

ENFORCEMENT

8.1 Non-Compliance Consequences

Violation	Severity	Consequence	Remediation Required
High-risk AI without Annex IV documentation	Critical	Immediate suspension until documentation completed	Complete documentation within 30 business days; Root cause analysis
Deploying with incomplete documentation	Critical	Immediate halt deployment; Compliance gap assessment	Complete missing sections; Re-approve; Re-deploy
Missing annual review	High	Escalation to AI Governance Committee; Freeze on new features	Complete review within 10 business days
Late authority request response	High	Written warning; Escalation to management	Respond immediately; Process improvement plan
Missing version control	Medium	Written warning	Implement version control within 5 business days
Incomplete documentation sections	Medium	Written warning	Complete sections within 10 business days

8.2 Escalation Procedures

Level 1: Chief Technology Officer

Minor procedural violations
Documentation deficiencies
Timeline delays < 5 days
Action: Written warning, corrective action required

Level 2: Chief Technology Officer + AI Governance Committee

Repeated violations
Missing documentation
Quality issues
Action: Formal review, corrective action plan, management notification

Level 3: AI Governance Committee

High-risk AI without documentation
Critical compliance failures
Regulatory violations
Action: Immediate AI system suspension, investigation, disciplinary action

Level 4: Executive Management + Legal

Potential regulatory enforcement action
Significant legal liability
Reputational risk
Action: Executive crisis management, legal strategy, regulatory engagement

8.3 Immediate Escalation Triggers

Escalate immediately to AI Governance Committee + Legal if:

⚠️ High-risk AI system operating without Annex IV documentation
⚠️ Authority request not responded to within 5 days
⚠️ Regulatory inquiry or inspection related to documentation
⚠️ Documentation breach or unauthorized access
⚠️ Critical documentation quality issues identified

8.4 Disciplinary Actions

Individuals responsible for documentation violations may be subject to:

Verbal or written warning
Mandatory retraining
Performance improvement plan
Reassignment of responsibilities
Suspension (with pay during investigation)
Termination (for egregious violations, e.g., knowingly deploying without documentation)

Factors Considered:

Intent (knowing violation vs. honest mistake)
Severity of violation
Impact (actual or potential)
Cooperation with remediation
Prior violation history

KEY PERFORMANCE INDICATORS (KPIs)

9.1 Technical Documentation KPIs

KPI ID	KPI Name	Definition	Target	Measurement Method	Frequency	Owner	Reporting To
KPI-DOC-001	Documentation Completeness	% of high-risk AI with complete Annex IV documentation	100%	(# high-risk AI with complete docs / # high-risk AI) × 100	Monthly	Chief Technology Officer	AI Governance Committee
KPI-DOC-002	Documentation Currency	% of documentation current (< 1 year old)	100%	(# current docs / # total docs) × 100	Monthly	Chief Technology Officer	Management
KPI-DOC-003	Review Completion	% of annual reviews completed on time	100%	(# reviews on time / # scheduled reviews) × 100	Quarterly	Chief Technology Officer	AI Governance Committee
KPI-DOC-004	Authority Response Time	Average days to respond to authority requests	< 5 days	Σ (response date - request date) / # requests	Per request	Legal	Executive Management
KPI-DOC-005	Approval Cycle Time	Average days from submission to approval	< 10 days	Σ (approval date - submission date) / # submissions	Monthly	Chief Technology Officer	Management
KPI-DOC-006	Documentation Quality Score	Average quality score across all documentation	≥ 90%	Composite score from quality criteria	Quarterly	Chief Technology Officer	AI Governance Committee
KPI-DOC-007	Version Control Compliance	% of documentation with proper version control	100%	(# docs with version control / # total docs) × 100	Monthly	Chief Technology Officer	Management
KPI-DOC-008	Update Timeliness	% of documentation updates completed within 30 days	100%	(# updates within 30 days / # total updates) × 100	Monthly	Chief Technology Officer	Management
KPI-DOC-009	Access Control Compliance	% of documentation with proper access controls	100%	(# docs with access controls / # total docs) × 100	Monthly	IT Security	Chief Technology Officer
KPI-DOC-010	Template Usage	% of documentation using standardized templates	100%	(# docs using templates / # total docs) × 100	Monthly	Chief Technology Officer	Management

9.2 KPI Dashboards and Reporting

Real-Time Dashboard (Chief Technology Officer access)

Current documentation completeness
Documentation currency status
Pending reviews
Authority requests
Approval workflows

Monthly Management Report

KPI-DOC-001, 002, 005, 007, 008, 009, 010
Trend analysis (vs. previous month)
Issues and risks
Planned actions

Quarterly AI Governance Committee Report

All KPIs
Documentation completeness status
Review completion status
Quality assessment results
Internal audit findings (if conducted)
Exception register review

Annual Executive Report

Full-year KPI performance
Documentation maturity assessment
Strategic recommendations
Regulatory outlook

9.3 KPI Thresholds and Alerts

KPI	Green (Good)	Yellow (Warning)	Red (Critical)	Alert Action
Documentation Completeness	100%	95-99%	< 95%	Red: Immediate escalation to AI Governance Committee Chair
Documentation Currency	100%	90-99%	< 90%	Red: Escalate to AI Governance Committee
Review Completion	100%	90-99%	< 90%	Yellow: Accelerate reviews; Red: Freeze new AI deployments
Authority Response Time	< 5 days	5-7 days	> 7 days	Red: Immediate escalation to Executive Management + Legal
Approval Cycle Time	< 10 days	10-15 days	> 15 days	Red: Escalate to AI Governance Committee

TRAINING REQUIREMENTS

10.1 Training Program Overview

All personnel involved in technical documentation must complete role-specific training to ensure competency in Annex IV requirements, technical writing, and documentation procedures.

10.2 Role-Based Training Requirements

Role	Training Course	Duration	Content	Frequency	Assessment Required
Chief Technology Officer	Documentation Management Expert Training	12 hours	EU AI Act Article 11; Annex IV; Documentation management; Quality assurance; Authority requests	Initial + annually	Yes - Written exam (≥90%)
Technical Leads	Technical Documentation Creation	16 hours	Annex IV structure; Technical writing; Quality criteria; Review process	Initial + annually	Yes - Practical documentation exercise
Technical Documentation Team	Documentation Support Training	12 hours	Template usage; Quality review; Version control; Documentation tools	Initial + annually	Yes - Practical exercise
AI System Owners	Documentation Overview	4 hours	Documentation requirements; Responsibilities; Approval process	At onboarding + annually	Yes - Knowledge check (≥80%)
Legal & Compliance	Documentation Compliance Review	6 hours	Annex IV compliance; EU AI Act Article 11; Authority requests; Legal considerations	Initial + annually	Yes - Written exam (≥90%)
All AI Development Staff	Documentation Awareness	2 hours	Documentation basics; When documentation needed; Quality awareness	At onboarding + annually	Yes - Knowledge check (≥80%)

10.3 Training Content by Topic

Annex IV Requirements

Complete Annex IV structure
Mandatory elements
Section-by-section guidance
Completeness criteria
Quality requirements

Technical Writing

Clarity and understandability
Technical accuracy
Consistency
Traceability
Evidence support

Documentation Management

Template usage
Version control
Update management
Review process
Approval workflow

Regulatory Compliance

EU AI Act Article 11
Annex IV requirements
Authority requests and cooperation (Article 18, Article 21)
Retention requirements (Article 18)

10.4 Training Delivery Methods

Initial Training:

Instructor-led classroom or virtual training
Includes interactive exercises and case studies
Hands-on practice with documentation templates
Group discussions of complex scenarios

Annual Refresher:

E-learning modules for core content review
Live update sessions for regulatory changes
Case study reviews of recent documentation
Knowledge assessment

On-the-Job Training:

Mentoring for new documentation staff
Job shadowing during documentation creation
Supervised documentation for first 3 AI systems

Just-in-Time Training:

Quick reference guides and job aids
Video tutorials on specific topics
Help desk support from experienced documentation staff

10.5 Training Effectiveness Measurement

Assessment Methods:

Written exams for knowledge retention
Practical exercises for skill application
On-the-job observations for competency validation
Feedback surveys for training quality

Competency Validation:

Technical Leads: Must create complete Annex IV documentation for 1 sample AI system with 100% completeness before independent documentation
All staff: Must pass knowledge assessments with minimum required scores

Training Metrics:

Metric	Target	Frequency
Training completion rate	100%	Quarterly
Assessment pass rate (first attempt)	≥ 90%	Per training
Training effectiveness score (survey)	≥ 4.0/5.0	Per training
Time to competency (Technical Leads)	< 30 days	Per person

10.6 Training Records

Records Maintained:

Training attendance records
Assessment scores
Competency validations
Refresher training completion
Individual training transcripts

Retention: 10 years (to align with EU AI Act documentation retention)

Access: HR, Chief Technology Officer, Internal Audit, Competent Authorities (upon request)

DEFINITIONS

Term	Definition	Source
Technical Documentation	Documentation demonstrating AI system compliance with EU AI Act requirements (Annex IV)	EU AI Act Article 11, Annex IV
Annex IV	Technical documentation structure and contents required for high-risk AI systems	EU AI Act Annex IV
Substantial Modification	Change to an AI system after its placing on the market or putting into service which affects the compliance of the AI system with the requirements of the EU AI Act or results in a modification to the intended purpose	EU AI Act Article 3(23)
Version Control	Systematic tracking of documentation versions with change history	This Standard
Documentation Package	Complete set of technical documentation for an AI system	This Standard
Competent Authority	National authority designated to supervise application of EU AI Act	EU AI Act Article 3(48)
Notified Body	Conformity assessment body notified under EU AI Act	EU AI Act Article 3(22)
EU Declaration of Conformity	Declaration by provider that AI system conforms to EU AI Act requirements	EU AI Act Article 47
Harmonized Standard	European standard adopted by European standardization organizations	EU AI Act Article 3(27)
Common Specification	Technical specification adopted by Commission when no harmonized standards exist	EU AI Act Article 3(28)

LINK WITH AI ACT AND ISO42001

12.1 EU AI Act Regulatory Mapping

This standard implements the following EU AI Act requirements:

EU AI Act Provision	Article/Annex	Requirement Summary	Implemented By (Controls)
Technical Documentation	Article 11	Technical documentation required for high-risk AI	All controls (DOC-001 through DOC-010)
Annex IV Contents	Annex IV	Detailed structure and contents of technical documentation	DOC-001
Documentation Updates	Article 11	Documentation must be kept up-to-date	DOC-004, DOC-006
Record-Keeping	Article 18	Documentation retention for 10 years	DOC-007
Documentation Availability	Article 18, Article 21	Keep documentation at disposal of authorities for 10 years (Art. 18); cooperate with competent authorities and provide documentation upon reasoned request (Art. 21)	DOC-008, DOC-009

12.2 ISO/IEC 42001:2023 Alignment

This standard aligns with ISO/IEC 42001:2023 as follows:

ISO 42001 Clause	Requirement	Implementation in This Standard
Clause 7.5: Documented information	Maintain documented information	All controls (DOC-001 through DOC-010)
Clause 7.5.2: Creating and updating	Create and update documented information	DOC-001, DOC-002, DOC-004
Clause 7.5.3: Control of documented information	Control documented information	DOC-005, DOC-007, DOC-008
Clause 9.2: Internal audit	Conduct internal audits	Compliance Section 5.2
Clause 9.3: Management review	Conduct management reviews	DOC-006, DOC-010

12.3 Relationship to Other Standards

This technical documentation standard integrates with other AI Act standards:

Related Standard	Integration Point	Rationale
STD-AI-001: Classification	Classification determines if documentation required	High-risk AI requires Annex IV documentation
STD-AI-002: Risk Management	Risk management documentation included in Annex IV Section 3.2	Risk management outputs feed into technical documentation
STD-AI-003: Data Governance	Data requirements documented in Annex IV Section 2.2	Data governance outputs feed into technical documentation
STD-AI-010: Conformity Assessment	Conformity assessment documentation included in Annex IV Section 4	Conformity assessment outputs feed into technical documentation

12.4 References and Related Documents

EU AI Act (Regulation (EU) 2024/1689):

Article 11: Technical Documentation
Annex IV: Technical Documentation Contents
Article 18: Record-Keeping Obligations (documentation retention, at disposal of authorities)
Article 21: Cooperation with Competent Authorities (provide documentation upon reasoned request)

ISO/IEC Standards:

ISO/IEC 42001:2023: Information technology — Artificial intelligence — Management system
ISO/IEC 23894:2023: Information technology — Artificial intelligence — Guidance on risk management

Internal Documents:

POL-AI-001: Artificial Intelligence Policy (parent policy)
STD-AI-001: AI System Classification Standard
STD-AI-002: AI Risk Management Standard
STD-AI-003: AI Data Governance Standard
PROC-AI-DOC-001, -002, -003: Documentation procedures

APPROVAL AND AUTHORIZATION

Role	Name	Title	Signature	Date
Prepared By	David Lee	Chief Technology Officer	_________________	________
Reviewed By	Michael Brown	Chief Legal Officer	_________________	________
Reviewed By	Sarah Johnson	AI Act Program Manager	_________________	________
Reviewed By	Jane Doe	Chief Strategy & Risk Officer	_________________	________
Approved By	Jane Doe	AI Governance Committee Chair	_________________	________

Effective Date: 2025-08-01
Next Review Date: 2026-08-01
Review Frequency: Annually or upon regulatory change

END OF STANDARD STD-AI-004

This standard is a living document. Feedback and improvement suggestions should be directed to the Chief Technology Officer.

Standard Details

Standard ID

STD-AI-004

Version

1.0

Status

draft

Owner

CTO

Effective Date

2025-08-01

Applicability

High-risk AI systems

EU AI Act References

Article 11Annex IV

ISO 42001 Mapping

Clause 7.5

Related Resources

Implementation Guides EU AI Act Full Text

Data Governance

Logging & Records

AI Technical Documentation Standard

AI Technical Documentation Standard

TABLE OF CONTENTS

DOCUMENT HISTORY

OBJECTIVE

SCOPE AND APPLICABILITY

2.1 Mandatory Applicability

2.2 Recommended Applicability

2.3 Documentation Types Covered

2.4 Out of Scope

CONTROL STANDARD

Control DOC-001: Documentation Completeness

Control Objective

Control Requirements

Control DOC-002: Documentation Quality

Control Objective

Control Requirements

Control DOC-003: Documentation Templates

Control Objective

Control Requirements

Control DOC-004: Documentation Updates

Control Objective

Control Requirements

Control DOC-005: Version Control

Control Objective

Control Requirements

Control DOC-006: Annual Documentation Review

Control Objective

Control Requirements

Control DOC-007: Secure Storage

Control Objective

Control Requirements

Control DOC-008: Access Management

Control Objective

Control Requirements

Control DOC-009: Documentation Availability

Control Objective

Control Requirements

Control DOC-010: Documentation Review and Approval

Control Objective

Control Requirements

SUPPORTING PROCEDURES

Procedure PROC-AI-DOC-001: Technical Documentation Creation Procedure

Procedure PROC-AI-DOC-002: Documentation Maintenance Procedure

Procedure PROC-AI-DOC-003: Documentation Review and Approval Procedure

COMPLIANCE

5.1 Compliance Monitoring

5.2 Internal Audit Requirements

5.3 External Audit / Regulatory Inspection

ROLES AND RESPONSIBILITIES

6.1 RACI Matrix

6.2 Role Descriptions

EXCEPTIONS

7.1 Exception Philosophy

7.2 Allowed Exceptions

7.3 Prohibited Exceptions

7.4 Exception Request Process

ENFORCEMENT

8.1 Non-Compliance Consequences

8.2 Escalation Procedures

8.3 Immediate Escalation Triggers

8.4 Disciplinary Actions

KEY PERFORMANCE INDICATORS (KPIs)

9.1 Technical Documentation KPIs

9.2 KPI Dashboards and Reporting

9.3 KPI Thresholds and Alerts

TRAINING REQUIREMENTS

10.1 Training Program Overview

10.2 Role-Based Training Requirements

10.3 Training Content by Topic

10.4 Training Delivery Methods

10.5 Training Effectiveness Measurement

10.6 Training Records

DEFINITIONS

LINK WITH AI ACT AND ISO42001

12.1 EU AI Act Regulatory Mapping

12.2 ISO/IEC 42001:2023 Alignment

12.3 Relationship to Other Standards

12.4 References and Related Documents

APPROVAL AND AUTHORIZATION