Checklist, impact assessment, report and AI governance policy for companies
If your company develops, implements, deploys, or resells artificial intelligence systems, AI compliance is no longer an option: you must demonstrate conformity. In this article, we bring together the four operational pillars of an AI compliance program: the checklist, the AI impact assessment, reporting, and the AI governance policy.
The AI Act (EU Reg. 2024/1689) distributes obligations along the entire supply chain:
Provider – who develops the system
Deployer – who uses the system
Importers and distributors – who place on the market or resell
The role you play determines the scope of your obligations—but no link in the chain is exempt. A reseller that places its own brand on a third‑party AI system, for example, may assume the provider’s obligations.
For this reason, AI compliance must be designed “by design”: identify your role, classify the risk of your systems, and build a management system consistent with ISO/IEC 42001, which requires determining the context, stakeholders, and scope of the AI management system.
A well‑constructed AI Act / ISO 42001 checklist turns abstract obligations into verifiable checks. The minimum areas to cover are:
AI Inventory – census of AI systems in use or under development
Risk Classification – prohibited practices, high risk, limited risk, minimal risk
Roles – identification of the role played for each system
Data Quality – provenance and quality of training, validation and test data
Documentation – technical documentation and event logs
Human Oversight – supervision and override mechanisms
Transparency – information to end users
Training – AI literacy of personnel (Art. 4 AI Act)
Supplier Management – contracts and obligations towards partners
Incident Management – incident response and notification plan
The checklist is not a one‑off compliance task: it must be reviewed at planned intervals and upon any significant change—exactly as required by the logic of management systems.
A structured AI compliance system rests on four operational pillars:
| Pillar | Description | Documentary Output |
|---|---|---|
| 1. Checklist | Punctual verification of regulatory compliance: system inventory, risk classification, roles, governance | Completed and updated checklist |
| 2. AI Impact Assessment | Evaluation of potential consequences on individuals and society: fairness, transparency, safety, social impacts | Documented and retained assessment |
| 3. Report | Documentation for internal, authority and stakeholder use: reviews, audits, notifications, communications | Register, SoA, incident notifications |
| 4. AI Governance Policy | Strategic document formally adopted by top management: principles, roles, permitted/prohibited uses | AI Policy signed by management |
The AI impact assessment is the substantive core of compliance. ISO/IEC 42001 (clause 6.1.4) requires a formal and documented process to identify and evaluate the potential consequences of AI systems on individuals, groups, and society—considering intended use and reasonably foreseeable misuse.
An effective assessment evaluates:
Fairness and bias – in data and outputs
Transparency and explainability – how decisions are made
Security and data protection – linked to DPIA (Art. 35 GDPR)
Safeguarding of people – protection of fundamental rights
Social and environmental impacts – wide‑ranging side effects
Crucially, the assessment results must feed into design choices and risk evaluation. It must not remain a static document.
Without evidence, compliance does not exist. The reporting system must cover three directions:
Internal:
Management reviews
Internal audit results
System performance monitoring
Non‑conformity and corrective action register
Towards authorities:
Technical documentation
Registration of high‑risk systems
Notification of serious incidents within legal deadlines
Towards stakeholders:
Information to users
Channels for reporting negative impacts
Incident communication
The Statement of Applicability (SoA) required by ISO 42001 is the key document that ties everything together: every included or excluded control must be justified and consistent with the risk assessment.
The AI policy is the strategic document that top management must formally adopt. An effective policy defines:
The principles guiding all AI activities: human oversight, transparency, security, robustness
Roles, responsibilities, and authority – who approves, who monitors, who is accountable
Permitted and prohibited uses of AI systems, including generative AI tools adopted by employees
The integration with other corporate policies: privacy, information security, quality
The exception management process
The periodic review arrangements
Governance is not bureaucracy; it is what enables the company to innovate quickly while knowing where the boundaries are.
The AI Act is the European regulation (law) that imposes obligations on providers, deployers, and distributors. ISO/IEC 42001 is the international standard that provides the framework for implementing an AI management system compliant with regulations. ISO 42001 is the practical tool for complying with the AI Act.
Everyone: providers developing AI systems, deployers implementing and using them, and distributors reselling them. The depth of the assessment varies according to the risk level of the system. High‑risk systems require a more detailed assessment (including FRIA – Fundamental Rights Impact Assessment).
A consultant can help you build the system, but the responsibility for compliance remains yours. The AI policy must be signed by top management, reviews must be conducted internally, and monitoring must be continuous. The consultant is a facilitator, not a lifeline.
At least once a year, or whenever there is a significant change: new AI system, modification of training data, change of suppliers, incidents, or user feedback. The review must be documented.
LexBlast IP & IT Attorneys® supports companies that develop, implement, distribute, and resell AI systems with a multidisciplinary legal‑engineering approach.
Our services include:
AI Act and ISO/IEC 42001 compliance assessment
Implementation of structured management systems
Drafting of AI governance policies
AI impact assessment and FRIA
AI literacy training for your team
Contact us for a preliminary evaluation of your AI compliance level and discover how we can help you.
Fill out the form and we will contact you as soon as possible.