Compliance accountability does not belong to everyone equally. EAB structures AI governance around four distinct roles — each with defined responsibilities, actions, and a place in the decision chain.
When every governance action is owned by a named role, the audit trail is not a reconstruction. It is a record of decisions made by accountable people.
“Compliance documentation that lists no names — no owner, no approver, no person who made the call — is not a compliance record. It is a document. EAB creates a record: who did what, when, under which legal version, and with what documented authority.”
Each role has a defined entry point and exit condition. No step is skipped. No approval is assumed.
The Business Operator initiates the governance process — registering the AI system, describing its business purpose, and providing the operational context the screening process requires. When the technical record needs clarification, the operator responds to documented questions.
The AI System Owner takes over from the operator to complete the structured technical documentation — architecture, training data, testing methodology, and the technical characteristics that determine risk classification. They submit the record for AI Act screening when complete.
The Supervisor reviews the full governance record — business context, technical documentation, screening result, risk classification, and obligation matrix. They approve, reject with documented reasons, or return the record to the operator or owner. Every decision is recorded in the audit trail.
The Auditor (Enterprise) has full read-only visibility into the governance record — approved systems, evidence, the complete audit trail, and obligation status. Designed for internal auditors, external assurance reviewers, and supervisory authorities. No modification capability.
The Business Operator is the accountable link between the AI system and its business purpose. They know what the system does, who uses it, and what business function it supports.
The Business Operator registers the AI system in EAB and provides the structured business intake — operational purpose, deployment context, affected persons, and the business justification for using the system. This context feeds directly into the AI Act screening process and becomes part of the governance record.
When the AI System Owner has questions about the operational context, or when a Supervisor returns the record for rework, the Business Operator responds. They are accountable for the accuracy of the business context — not the technical details, but the operational reality of how the system is used.
The Business Operator does not require technical AI expertise. Their contribution is operational: what the system does, where it is deployed, and what business decision or function it is used to support.
The AI System Owner is the technical accountable person. They are responsible for the accuracy of the structured technical documentation the EU AI Act requires.
The AI System Owner completes the guided technical documentation — system architecture, training data sources, testing methodology, performance metrics, human oversight mechanisms, and the technical characteristics that determine risk classification under the EU AI Act. This is the record the Act requires for high-risk systems to be placed on the market or put into service.
When technical questions require operational context that only the Business Operator can provide, the AI System Owner returns the record with a documented question. This creates a governed exchange — not an informal conversation, but a structured dialogue recorded in the audit trail.
The AI System Owner is named in the governance record as the technical accountable person. Their completion of the technical documentation is an act of accountability — not form-filling, but structured attestation of the system’s technical characteristics.
The Supervisor is the governance gatekeeper. No AI system enters the approved state without Supervisor review and explicit decision.
The Supervisor reviews the complete governance record assembled by the Business Operator and AI System Owner — business context, technical documentation, AI Act screening result, risk classification, and obligation matrix. They are not reviewing a summary or a dashboard indicator. They are reviewing a structured governance record.
The Supervisor can approve the record, reject it with documented reasons, or return it to either the Business Operator or the AI System Owner with specific questions. Each of these actions is a governance event — recorded, timestamped, and permanently attributed in the audit trail.
At audit time, the Supervisor’s decisions are visible to regulators and auditors: what was reviewed, what decision was made, when, and under which version of the legal source the decision was anchored. The Supervisor’s role is the difference between a compliance record and a compliance claim.
The Auditor role provides structured assurance access without modification capability. Designed for internal auditors, external reviewers, and supervisory authorities.
The Auditor has a read-only workspace with complete visibility into the governance record — all registered AI systems, their risk classification, obligation status, evidence artefacts, approval history, and the full audit trail. They can see everything the governance process has produced, but cannot modify, approve, or interact with any record.
The Auditor workspace is designed for assurance use cases: internal audit functions reviewing AI governance maturity, external auditors performing ISO or regulatory assurance engagements, or supervisory authorities requesting structured evidence of EU AI Act compliance. It produces structured exports suitable for formal submission.
The separation between governance roles and auditor access is structural in EAB — not a permission setting that can be toggled. Auditors do not participate in the governance process. They review its output. This structural separation is itself a governance control.
Role-based workflow is available from Professional. Auditor access is Enterprise only.
EU-hosted · Anchored to CELEX 32024R1689