BrianOnAI logoBrianOnAI

Resources

Tools, templates, and frameworks to lead AI adoption

EU AI Act Article 11 / Annex IV Compliance

This document provides a production-ready schema for an auditable AI inventory that satisfies the evidence requirements of Article 11 and Annex IV of the EU AI Act. It is designed to be machine-readable, append-only, and to treat Shadow AI discovery as a first-class origin rather than a separate process.

Compliance Packs

Get This Resource Free

Sign up for Explorer (free) to download this resource.

Create Free Account

Key Insights

The EU AI Act's high-risk obligations become enforceable on August 2, 2026. National Competent Authorities won't ask whether you have an AI policy. They'll ask what AI systems you operate, how data flows through them, and what controls you've applied.

Most organizations can't answer. Their AI inventory is a shared spreadsheet — and spreadsheets cannot produce change history, cannot resolve broken evidence links, and cannot be queried at audit speed.

More than 80% of workers use unapproved AI tools. Every embedded Copilot, every browser extension, every quietly-enabled vendor feature is a separate Article 11 record — not one row for the vendor.

This is the schema that closes the gap.

When the EU AI Act's high-risk obligations become enforceable on August 2, 2026,

National Competent Authorities will not ask whether your organization has an AI policy.
They will ask what AI systems you operate, how data flows through them, and what
controls you have applied.

Most organizations cannot answer. Not because they do not care — but because their AI inventory
lives in a shared spreadsheet that cannot produce change history, cannot resolve broken evidence
links, and cannot be queried at audit speed.

This document provides a production-ready schema for an auditable AI inventory that satisfies the
evidence requirements of Article 11 and Annex IV of the EU AI Act. It is designed to be
machine-readable, append-only, and to treat Shadow AI discovery as a first-class origin rather than a
separate process.

What's Inside

A 13-page production-ready reference covering:

Ten-section record schema mapped to Annex IV §1 through §6, in machine-readable YAML

Data lineage block covering vendor flow, cross-border transfer mechanism, and fine-tune dataset provenance — the section that fails most audits

Shadow AI discovery as a first-class schema origin, not a separate tracker

Five common failure modes observed in client engagements, with the specific Annex IV subsections they violate
14-week phased build plan covering discovery, classification, evidence backfill, and conformity prep

Scope boundaries — what this schema doesn't cover (U.S. state laws, ISO 42001 mappings, public model cards) and how to extend it

Related Compliance Packs resources

Ready to Get Started?

Sign up for a free Explorer account to download this resource and access more AI governance tools.

Create Free Account