Back to Blog
Checklist

Annex IV Documentation: Your Complete Checklist

January 10, 20265 min read

Annex IV Documentation: Your Complete Checklist

Every high-risk AI system placed on the EU market must have Annex IV technical documentation prepared before deployment. This is the document regulators will request first. Here is a complete checklist you can work through today.

How to Use This Checklist

Go through each item. If you cannot answer yes to a checkbox, that is a compliance gap. High-risk AI providers that cannot produce this documentation on request face fines up to €15 million or 3% of global turnover.

---

Section 1: General Description

  • [ ] The intended purpose of the AI system is documented in writing
  • [ ] The specific deployment context and conditions of use are described
  • [ ] The version number or identifier of the system is recorded
  • [ ] The system's role (autonomous decision-maker vs. decision-support) is stated
  • [ ] Interactions with other hardware, software, or AI systems are described
  • [ ] The natural persons or categories of persons the system affects are identified
  • ---

    Section 2: System Architecture and Development

  • [ ] The model type is documented (neural network, decision tree, transformer, ensemble, etc.)
  • [ ] The number of parameters or model size is recorded
  • [ ] Key design choices and their rationale are explained
  • [ ] Computational resources used in training and deployment are listed
  • [ ] Training methodology is described (supervised, unsupervised, reinforcement learning, fine-tuning)
  • [ ] Software dependencies and versions are listed
  • [ ] Hardware requirements for deployment are specified
  • ---

    Section 3: Training Data

  • [ ] Data sources are listed with their origin and acquisition method
  • [ ] Data governance practices are documented (labelling, cleaning, validation process)
  • [ ] Dataset size (number of samples, features) is recorded
  • [ ] Demographic coverage of the training data is documented
  • [ ] Known limitations or gaps in the training data are stated
  • [ ] Data augmentation techniques, if used, are described
  • [ ] Data retention and deletion policies are referenced
  • ---

    Section 4: Validation and Testing

  • [ ] Performance metrics used (accuracy, F1, AUC, etc.) are defined and justified
  • [ ] Test results are documented with specific numbers, not just "good performance"
  • [ ] Results are broken down by relevant subgroups (gender, age, ethnicity where applicable)
  • [ ] Known performance limitations are explicitly stated
  • [ ] Bias and fairness assessment results are included
  • [ ] Steps taken to address identified bias issues are documented
  • [ ] Out-of-distribution or edge case performance is assessed
  • ---

    Section 5: Human Oversight (Article 14)

  • [ ] The human oversight mechanism is described in detail
  • [ ] Who has oversight responsibility is named (role or team)
  • [ ] How humans can monitor AI outputs in real time is documented
  • [ ] The process for humans to override or reject AI decisions is described
  • [ ] The process to halt or shut down the system is documented
  • [ ] Training provided to human overseers is described
  • ---

    Section 6: Monitoring and Logging (Article 12)

  • [ ] What data the system logs automatically is specified
  • [ ] Log retention period is documented
  • [ ] How logs can be accessed for audit purposes is described
  • [ ] Alerting mechanisms for anomalous outputs are described
  • [ ] The process for investigating and responding to incidents is documented
  • ---

    Section 7: Risk Assessment

  • [ ] Foreseeable risks to health, safety, and fundamental rights are identified
  • [ ] Risk mitigation measures for each identified risk are documented
  • [ ] Residual risks and why they are acceptable are stated
  • [ ] Risks specific to vulnerable groups (children, elderly, people with disabilities) are assessed
  • ---

    Section 8: Changes and Versioning

  • [ ] A log of significant changes to the system exists
  • [ ] The criteria for what constitutes a "significant change" requiring re-assessment are defined
  • [ ] Each logged change includes: what changed, when, why, and impact on compliance
  • ---

    Section 9: Conformity Assessment

  • [ ] The applicable EU AI Act articles and annexes are identified
  • [ ] Whether self-assessment or third-party audit applies is determined
  • [ ] The conformity assessment has been completed (or is scheduled)
  • [ ] EU Declaration of Conformity is signed and dated
  • ---

    Common Gaps

    After reviewing hundreds of compliance assessments, these are the most frequently missing items:

    Subgroup performance data — Regulators specifically look for this. "Our model is 94% accurate" is not enough. "Our model is 94% accurate overall, 91% for women, 96% for men, 89% for applicants over 50" is what is needed.

    Specific names for oversight roles — "A human reviews outputs" is not acceptable. The role title, team, and escalation path must be named.

    Change log — Most teams track code changes in git but do not have a compliance-specific change log that assesses the impact of model updates on risk level.

    Data source documentation — "We used publicly available data" does not satisfy Article 10. The specific datasets, their provenance, and governance must be stated.

    ---

    Generate It Faster

    Completing this checklist from scratch takes the average ML team 2–4 weeks. Guardia AI's Annex IV Generator walks you through each section with structured questions and generates the document automatically.

    Generate my Annex IV documentation →