Auditability & Evidence

Why must “not applicable” be documented in AI compliance?

A missing obligation and a documented non-applicability are fundamentally different governance states. An empty field means the obligation was never reviewed. A documented "not applicable" means a responsible person reviewed the obligation, determined it does not apply to this specific system, and recorded the justification.

Auditors treat these very differently: an empty field is a compliance gap; a documented exclusion is a governed decision with attribution and rationale.

Key points

  • Non-applicability must be a documented decision, not a default state. Every obligation that does not apply requires a reviewed justification.
  • The justification must identify who made the determination, on what basis, and when it was reviewed.
  • A blanket "not applicable" across multiple obligations without individual reasoning is not defensible.
  • Non-applicability can change when the system, its use, or the legal context changes — re-screening must re-evaluate prior exclusions.

Why it matters

Many organizations treat empty fields as implicit non-applicability. This creates a structural governance weakness. When an auditor asks why a specific obligation was not addressed, the organization must be able to show that the obligation was reviewed, not simply overlooked. The difference between an oversight and a governed exclusion is the documentation.

How EAB approaches this

EAB's Applicability Documentation requires a structured review for every obligation marked as not applicable. The reviewer must provide a justification, and the determination is stored with attribution and timestamp. Evidence Readiness distinguishes between missing evidence and documented non-applicability as separate governance states.

Get in Touch
Request More Information

Tell us about your organization and what you’re looking to address. We’ll follow up with the relevant information.