Why must “not applicable” be documented in AI compliance?
A missing obligation and a documented non-applicability are fundamentally different governance states. An empty field means the obligation was never reviewed. A documented "not applicable" means a responsible person reviewed the obligation, determined it does not apply to this specific system, and recorded the justification.
Auditors treat these very differently: an empty field is a compliance gap; a documented exclusion is a governed decision with attribution and rationale.
Key points
- Non-applicability must be a documented decision, not a default state. Every obligation that does not apply requires a reviewed justification.
- The justification must identify who made the determination, on what basis, and when it was reviewed.
- A blanket "not applicable" across multiple obligations without individual reasoning is not defensible.
- Non-applicability can change when the system, its use, or the legal context changes — re-screening must re-evaluate prior exclusions.
Why it matters
Many organizations treat empty fields as implicit non-applicability. This creates a structural governance weakness. When an auditor asks why a specific obligation was not addressed, the organization must be able to show that the obligation was reviewed, not simply overlooked. The difference between an oversight and a governed exclusion is the documentation.
How EAB approaches this
EAB's Applicability Documentation requires a structured review for every obligation marked as not applicable. The reviewer must provide a justification, and the determination is stored with attribution and timestamp. Evidence Readiness distinguishes between missing evidence and documented non-applicability as separate governance states.