EU AI Act Annex IV, as one process map
The EU AI Act Annex IV technical documentation bundle - data governance, risk management, quality management, conformity assessment, post-market monitoring - laid out as a single BPMN process map you can share with an auditor, a notified body, or your own engineering team.
Official source:
Read Regulation (EU) 2024/1689 on EUR-Lex (official)Annex IV at a glance
Annex IV of the EU AI Act enumerates the technical documentation every provider of a high-risk AI system must compile and maintain. It is not a one-off submission - it is a living evidence bundle that travels with the system through development, conformity assessment, market placement, and the post-market phase.
Most teams compile Annex IV documentation in a folder of Word files and spreadsheets. That works for a single audit pass and falls apart the moment the system evolves: the risk register drifts from the QMS, the data-governance section references a training set the engineering team has long since retired. A process map keeps the architecture in one place so each evidence category can point at the same canonical source of truth.
The Annex IV evidence categories
Six evidence categories, one conformity-assessment decision, one post-market loop.
System description
Purpose, intended deployer, version, hardware and software dependencies, and the human-oversight model - the boilerplate that situates the system before any of the substantive evidence kicks in.
Data governance
Training, validation, and test data: provenance, representativeness, bias mitigation, and how data quality is measured. The evidence here is what an auditor reads first.
Risk management system
Identification, evaluation, mitigation, and acceptance of residual risk across the AI system lifecycle. Maintained continuously, not one-off at certification time.
Quality management system
Design, development, verification, change control, and post-market monitoring as a documented QMS. Often the bridge between an AI team and an existing ISO 9001 / 27001 system.
Conformity assessment
The decision point: does the assembled evidence meet the Article 43 conformity-assessment procedure for this risk class? If yes, on to the declaration of conformity. If no, the loop is non-trivial.
Post-market monitoring
After the system is on the market, post-market monitoring feeds incident data, performance drift, and corrective actions back into the risk-management cycle. The map doesn't end at the declaration.
Annex IV documentation as a process map
Every evidence category feeds the conformity-assessment decision. Remediation loops back. Post-market monitoring keeps the cycle alive after the declaration. One diagram, edited by the people who own each piece.
EU AI Act Article 43 conformity assessment
An EU AI Act (Regulation (EU) 2024/1689) Article 43 conformity assessment process rendered as a BPMN 2.0 process map. The flow categorises the AI system's risk under Articles 6 and 7, gates on the high-risk designation, then routes to either the internal-control assessment under Annex VI (the default for most high-risk systems) or the notified-body assessment under Annex VII (for Annex III(1) biometric systems where harmonised standards are not fully applied). On pass, the provider draws up the EU declaration of conformity, affixes CE marking, and registers the system in the Article 71 EU database. On fail, the provider remediates non-conformities and the assessment is re-run.
- Categorise the AI system against Article 5 (prohibited), Articles 6-7 / Annex III (high-risk), and the GPAI rules; capture the rationale.
- If the system is not high-risk, exit to the relevant lighter-touch obligations (transparency under Article 50, GPAI under Articles 51-55) and skip Article 43.
- For a high-risk system, decide between internal-control assessment (Annex VI - default) and notified-body assessment (Annex VII - required for Annex III(1) biometric systems where harmonised standards are not applied or only partially applied).
- Run the chosen assessment: verify the quality management system (Article 17), the technical documentation (Article 11 / Annex IV), and post-market monitoring readiness (Article 72).
- If conformity is not demonstrated, log the non-conformities, remediate them with the development team, and re-run the assessment.
- On pass, draw up the EU declaration of conformity (Article 47) and affix CE marking (Article 48).
- Register the high-risk system in the EU database (Article 71) before placing it on the market or putting it into service.
Frequently asked questions
What is Annex IV of the EU AI Act?
Annex IV lists the technical documentation that providers of high-risk AI systems must compile and keep up to date. It is the evidence bundle a notified body or national authority will ask to see during a conformity assessment, and the package that travels with the system throughout its lifecycle.
When does the EU AI Act apply to high-risk AI systems?
The Act entered into force on 1 August 2024. The high-risk obligations - including the Annex IV technical documentation - apply from 2 August 2026 for stand-alone high-risk systems under Annex III. High-risk AI systems embedded in regulated products under Annex I have an extended timeline until 2 August 2027. Check the latest staged-application timetable for the system in question.
Why use a process map for Annex IV documentation?
Annex IV is six evidence categories that flow into a single conformity-assessment decision. Word-document checklists treat them as separate sections - a process map shows how they actually depend on each other, where the cycles live (risk management is continuous; conformity assessment can iterate), and where the post-market loop feeds back. Auditors read the diagram first because it answers the 'show me how it fits together' question before the detail.
Does BA Copilot draft the Annex IV documentation for us?
No. BA Copilot is the modelling layer - it makes the architecture of your Annex IV evidence visible and editable. The substantive content (data sheets, risk register, QMS evidence) is yours. The diagram gives you a shared backbone so an internal review or notified-body discussion has something concrete to walk through.
Is this the same as a "data flow diagram" for the AI Act?
Different artefact, related purpose. A data flow diagram shows how personal data moves through a system, primarily for GDPR. The Annex IV process map shows the lifecycle of the AI system itself and how each evidence category is produced, reviewed, and updated. Most teams maintain both alongside each other.
Related compliance pages
APRA CPS 230 (Australia)
Operational resilience under APRA Prudential Standard CPS 230 - the same shape applied to Australian financial entities.
HIPAA compliance processes
Catalogue of the seven HIPAA compliance processes, with breach notification featured as an editable BPMN map.
SOP template
Process-map templates for any standard operating procedure - the base pattern these compliance pages extend.
Get ready for the 2 August 2026 high-risk effective date (Annex III) - 2 August 2027 for Annex I products
Open the template, rename each evidence category to match your system, and link out to the underlying documents - one diagram that ties Annex IV together.