Knowledge Base

AI Compliance Knowledge

Structured answers to the questions that compliance teams, legal departments, and AI system owners ask about EU AI Act, GDPR, and NIS2 governance. Each answer is concise, linked to the full guide, and connected to the EAB platform capability that operationalises it.

AI Act Governance
What is AI compliance screening?
AI compliance screening is the structured review that determines regulatory scope, risk classification, actor role, applicable obligations, and evidence requirements for an AI system.
How are high-risk AI systems identified under the EU AI Act?
High-risk identification requires evaluating the system's intended use against Annex III categories, considering the actor role, and documenting the classification basis as part of a governed review.
What are prohibited AI practices under Article 5?
Article 5 defines eight categories of AI practices that are prohibited outright. Every AI system must pass a prohibited-practice gate before risk classification begins.
What are actor roles under the EU AI Act?
The EU AI Act assigns obligations based on whether an organization acts as provider, deployer, importer, or distributor. Actor role determines what you must do, not just what the AI system is.
What obligations follow from AI Act risk classification?
Risk classification identifies the regulatory direction. The obligations that follow depend on the combination of risk category and actor role, spanning transparency, oversight, documentation, and evidence.
What must deployers do under the EU AI Act?
Article 26 gives deployers their own obligations: following provider instructions, assigning human oversight, managing evidence, logging use, and ensuring transparency where required.
What are general-purpose AI models (GPAI)?
GPAI models sit behind many AI tools. Most organizations are not GPAI providers but still need governance over how GPAI-based systems are used, governed, and evidenced.
What makes AI in HR and employment high-risk?
AI in recruitment, evaluation, monitoring, and worker management is one of the most consequential high-risk areas under Annex III. Governance must be use-case-specific.
Auditability & Evidence
Governance Workflow
What is named accountability in AI governance?
Named accountability means every governance decision has a specific person responsible. Attribution, ownership, and reviewability are requirements when decisions must later be reconstructed.
Why does AI compliance need approval gates?
An approval gate is not a bottleneck. It is an attribution point that structures accountability across the organization and ensures no AI system moves forward without governed review.
When must AI systems be re-screened?
When legal context, regulatory guidance, system configuration, or use case changes, the original screening decision may require renewed review. Approved once does not mean compliant forever.
What does human oversight mean under the EU AI Act?
Article 14 requires deployers to assign real oversight to named people with competence, authority, and documented intervention rights. A policy statement alone is not sufficient.
What are AI literacy obligations?
Article 4 requires providers and deployers to ensure sufficient AI literacy in their staff. What counts as literacy depends on role, and evidence of literacy must be governed.
What is post-market monitoring?
Article 72 requires that high-risk AI systems be monitored throughout their lifetime with structured plans, evidence, corrective action, and re-screening when issues arise.
Why do spreadsheets fail for AI governance?
Spreadsheets create documentation, not governance. AI governance requires responsibility, workflow, evidence, approval, audit trail, and reconstructable decisions that spreadsheets cannot structurally enforce.
How should boards read AI compliance status?
Boards are increasingly accountable for AI governance outcomes. Meaningful compliance reporting at executive level must go beyond status labels and show verifiable governance state.
GDPR and AI
NIS2 and Cybersecurity
Governance Concepts
What is an operational governance layer?
Infrastructure that enforces how compliance decisions are made, attributed, evidenced, and reconstructed — not a tool that produces documents.
What is a compliance operating system?
Integrated infrastructure that manages the full governance lifecycle across AI Act, GDPR, and NIS2 with shared evidence, unified responsibility, and one audit trail.
What is an AI governance record?
A living, structured data object connecting an AI system to its regulatory context, classifications, obligations, evidence, approvals, and decision history.
What is a structured decision record?
Captures what was decided, by whom, on what basis, with what evidence, and under which legal version — in a format that can be reconstructed at any point.
What is governance chain of custody?
The unbroken, attributed sequence of governance events connecting an AI system from registration through screening, approval, and re-screening.
What is legal-version anchoring?
Binds every governance decision to the specific version of the regulation consulted — so the decision basis remains clear as the law evolves.
What is process integrity in AI compliance?
The governance process itself is controlled, consistent, and verifiable. EAB controls process integrity — legal outcomes remain the organisation's responsibility.
What is a reconstructable decision path?
The ability to trace any AI governance decision back through every step that produced it. If it cannot be reconstructed, it cannot be defended.
What is a compliance snapshot?
An immutable point-in-time record that freezes the governance state of an AI system at the moment of decision — preserving what was known then.
What is an AI system registry?
The system of record capturing every AI system an organisation operates with its governance context, classification, obligations, and lifecycle state.
What is an obligation matrix?
Translates risk classification and actor role into concrete obligations — mapping what must be done, what evidence is required, and what the completion state is.
What is a system of record for AI compliance?
The single authoritative source for all AI governance data — inventory, classifications, obligations, evidence, approvals, and audit trail.
Why Governance Infrastructure
What is the difference between documentation and governance?
Documentation is output. Governance is system. Documentation describes what happened. Governance ensures it happened — with structure, attribution, and evidence.
AI compliance tool vs AI governance platform?
A tool helps users complete tasks. A platform controls how decisions are made, attributed, evidenced, and reconstructed across the organisation.
Why is Excel not enough for AI Act compliance?
Excel creates documentation, not governance. It cannot enforce workflow, approval gates, evidence linkage, or immutable audit trails.
Why is an AI agent not enough for AI compliance?
An agent accelerates analysis but cannot replace the governed process. Compliance requires human accountability, approval gates, and reconstructable decisions.
Why is AI compliance not a one-time assessment?
Systems change, regulations evolve, use cases shift. Each change may require re-screening, updated evidence, and renewed approval.
Why does auditability require more than documentation?
Auditability requires traceability — an unbroken, verifiable chain from system registration to current governance state, not just documents.
Why does AI governance need ownership?
Without named ownership, governance decisions cannot be attributed, reconstructed, or defended. Every system needs an owner, every decision a responsible person.
Can AI Act compliance be automated?
Processes can be structured and accelerated. Decisions cannot be automated. Human accountability remains the regulatory requirement.
Cross-Regulatory & Enterprise Governance
How do AI Act, GDPR and NIS2 governance connect?
The same AI system may touch all three frameworks. Managing them together — not in silos — eliminates duplication and closes governance gaps.
What is integrated digital compliance governance?
One operational governance layer managing AI Act, GDPR, and NIS2 with shared evidence, unified responsibility, and a single audit trail.
What is cross-regulatory evidence reuse?
A single evidence artefact serving obligations across AI Act, GDPR, and NIS2 without duplication — managed once, linked to all applicable frameworks.
What is system-centric compliance?
Governance organised around the AI system — one system, one record, all applicable obligations from all applicable regulations.
What is management accountability in AI governance?
Boards and executives are personally responsible for AI governance outcomes — not just for delegating compliance to a team.
What is shadow AI governance?
Discovering, registering, and governing AI systems used without formal oversight. You cannot govern what you do not know exists.
What is AI vendor governance?
Structured assessment and ongoing oversight of third-party AI providers — ensuring their systems meet the deployer's compliance requirements.
What is AI system lifecycle governance?
Continuous governance from registration through screening, approval, monitoring, re-screening, and retirement — not a one-time gate.
What is compliance maintenance?
The ongoing work that keeps compliance alive: evidence currency, change monitoring, re-screening, and ensuring the governance state remains valid.

From knowledge to governed execution.

EAB turns EU AI Act, GDPR, and NIS2 compliance into a structured, attributed, audit-ready governance process.

Get in Touch
Request More Information

Tell us about your organization and what you’re looking to address. We’ll follow up with the relevant information.