AI Compliance

Checklist, impact assessment, report and AI governance policy for companies

AI Compliance: Checklist, Impact Assessment, Report, and AI Governance Policy for Companies

If your company develops, implements, deploys, or resells artificial intelligence systems, AI compliance is no longer an option: you must demonstrate conformity. In this article, we bring together the four operational pillars of an AI compliance program: the checklist, the AI impact assessment, reporting, and the AI governance policy.

Why AI Compliance Affects the Entire Value Chain

The AI Act (EU Reg. 2024/1689) distributes obligations along the entire supply chain:

  • Provider – who develops the system

  • Deployer – who uses the system

  • Importers and distributors – who place on the market or resell

The role you play determines the scope of your obligations—but no link in the chain is exempt. A reseller that places its own brand on a third‑party AI system, for example, may assume the provider’s obligations.

For this reason, AI compliance must be designed “by design”: identify your role, classify the risk of your systems, and build a management system consistent with ISO/IEC 42001, which requires determining the context, stakeholders, and scope of the AI management system.

The AI Compliance Checklist: The Starting Point

A well‑constructed AI Act / ISO 42001 checklist turns abstract obligations into verifiable checks. The minimum areas to cover are:

  • AI Inventory – census of AI systems in use or under development

  • Risk Classification – prohibited practices, high risk, limited risk, minimal risk

  • Roles – identification of the role played for each system

  • Data Quality – provenance and quality of training, validation and test data

  • Documentation – technical documentation and event logs

  • Human Oversight – supervision and override mechanisms

  • Transparency – information to end users

  • Training – AI literacy of personnel (Art. 4 AI Act)

  • Supplier Management – contracts and obligations towards partners

  • Incident Management – incident response and notification plan

The checklist is not a one‑off compliance task: it must be reviewed at planned intervals and upon any significant change—exactly as required by the logic of management systems.

The 4 Pillars of AI Compliance

A structured AI compliance system rests on four operational pillars:

PillarDescriptionDocumentary Output
1. ChecklistPunctual verification of regulatory compliance: system inventory, risk classification, roles, governanceCompleted and updated checklist
2. AI Impact AssessmentEvaluation of potential consequences on individuals and society: fairness, transparency, safety, social impactsDocumented and retained assessment
3. ReportDocumentation for internal, authority and stakeholder use: reviews, audits, notifications, communicationsRegister, SoA, incident notifications
4. AI Governance PolicyStrategic document formally adopted by top management: principles, roles, permitted/prohibited usesAI Policy signed by management

AI Impact Assessment: Evaluate Before Implementing

The AI impact assessment is the substantive core of compliance. ISO/IEC 42001 (clause 6.1.4) requires a formal and documented process to identify and evaluate the potential consequences of AI systems on individuals, groups, and society—considering intended use and reasonably foreseeable misuse.

An effective assessment evaluates:

  • Fairness and bias – in data and outputs

  • Transparency and explainability – how decisions are made

  • Security and data protection – linked to DPIA (Art. 35 GDPR)

  • Safeguarding of people – protection of fundamental rights

  • Social and environmental impacts – wide‑ranging side effects

Crucially, the assessment results must feed into design choices and risk evaluation. It must not remain a static document.

Report and Documented Information: Demonstrating Compliance

Without evidence, compliance does not exist. The reporting system must cover three directions:

Internal:

  • Management reviews

  • Internal audit results

  • System performance monitoring

  • Non‑conformity and corrective action register

Towards authorities:

  • Technical documentation

  • Registration of high‑risk systems

  • Notification of serious incidents within legal deadlines

Towards stakeholders:

  • Information to users

  • Channels for reporting negative impacts

  • Incident communication

The Statement of Applicability (SoA) required by ISO 42001 is the key document that ties everything together: every included or excluded control must be justified and consistent with the risk assessment.

The AI Governance Policy: The Framework That Holds Everything Together

The AI policy is the strategic document that top management must formally adopt. An effective policy defines:

  • The principles guiding all AI activities: human oversight, transparency, security, robustness

  • Roles, responsibilities, and authority – who approves, who monitors, who is accountable

  • Permitted and prohibited uses of AI systems, including generative AI tools adopted by employees

  • The integration with other corporate policies: privacy, information security, quality

  • The exception management process

  • The periodic review arrangements

Governance is not bureaucracy; it is what enables the company to innovate quickly while knowing where the boundaries are.

Frequently Asked Questions on AI Compliance

What is the difference between the AI Act and ISO/IEC 42001?

The AI Act is the European regulation (law) that imposes obligations on providers, deployers, and distributors. ISO/IEC 42001 is the international standard that provides the framework for implementing an AI management system compliant with regulations. ISO 42001 is the practical tool for complying with the AI Act.

Who must carry out an AI Impact Assessment?

Everyone: providers developing AI systems, deployers implementing and using them, and distributors reselling them. The depth of the assessment varies according to the risk level of the system. High‑risk systems require a more detailed assessment (including FRIA – Fundamental Rights Impact Assessment).

Can I delegate AI compliance to an external consultant?

A consultant can help you build the system, but the responsibility for compliance remains yours. The AI policy must be signed by top management, reviews must be conducted internally, and monitoring must be continuous. The consultant is a facilitator, not a lifeline.

How often should the AI compliance checklist be reviewed?

At least once a year, or whenever there is a significant change: new AI system, modification of training data, change of suppliers, incidents, or user feedback. The review must be documented.

LexBlast supports you with your AI Compliance Program

LexBlast IP & IT Attorneys® supports companies that develop, implement, distribute, and resell AI systems with a multidisciplinary legal‑engineering approach.

Our services include:

  • AI Act and ISO/IEC 42001 compliance assessment

  • Implementation of structured management systems

  • Drafting of AI governance policies

  • AI impact assessment and FRIA

  • AI literacy training for your team

Contact us for a preliminary evaluation of your AI compliance level and discover how we can help you.

Contact us to request an initial consultation

Fill out the form and we will contact you as soon as possible.

We collaborate with

Some of the collaborations of Lex Blast IP & IT Attorneys professionals