Documentation according to the AI Regulation: What is required and how companies implement it

November 5, 2025

Categories:

Article by Marcus Belke, AI Regulation

Marcus Belke

CEO of 2B Advice GmbH, driving innovation in privacy compliance and risk management and leading the development of Ailance, the next-generation compliance platform.

The AI Regulation obliges companies to provide every AI system with a complete technical Documentation from the training data to the risk assessments. However, the documentation requirement does not just mean control, but also provides the decisive lever for traceability and quality. Those who document their AI understand it and can also take responsibility for it. This is exactly what the AI Regulation requires: Transparency over the entire AI life cycle.

A practical example: Bias detection through Documentation

In an AI project at a medium-sized company, the importance of the documentation requirement became particularly clear. The company used an application scoring model that helped the HR department to prioritize CVs. The system worked reliably; until, as part of the technical Documentation It was noticed that neither the training data nor the decision logic were sufficiently described.

In the course of implementing the requirements from Article 11 and Annex IV a Model map created: It was recorded which data was trained, which metrics assessed performance and who was responsible for the model. This structured preparation led to a surprising finding: the model favored applicants from certain regions, a distorted training set was the cause.

Only through the mandatory Documentation noticed this bias. The company corrected the data basis, introduced regular bias tests and defined a re-audit interval.

Today, the HR department knows exactly who is in charge of the model, when it was last checked and what limits apply.

The lesson from this case: Documentation is not an end in itself. It is the moment when responsibility becomes visible.

Mandatory content for Documentation according to the AI Regulation

The AI Regulation requires all AI systems to have a structured technical Documentationwhich can be checked at any time and is up-to-date. It must contain at least the following points:

1. system description and purpose

The system description forms the starting point for the technical Documentation. It should provide comprehensive explanations,

what goal the AI system is pursuing,
in which organizational and technical environment it is used and
what tasks it performs.

This includes a clear presentation of the area of application, the underlying business processes and the expected results.

Equally important is the description of the responsible organizational unit and the designated model owners who are responsible for operation, monitoring and maintenance.

It should also be stated for which user groups or roles the system is designed and which requirements are necessary for safe use. These may be training measures or a minimum level of technical understanding.

2. data and training basics

The data basis of the AI system must also be described in detail. This includes a description of the sources from which the training and input data originate, as well as an assessment of their origin and quality. The types of data used, whether they come from internal or external sources and the criteria used to select them should be clearly documented.

Measures for pre-processing, cleaning and Anonymization to be explained. In particular, it must be documented how personal or sensitive data is protected and how distortion-free training conditions are ensured.

Furthermore, the legal framework conditions for the use of data must be outlined. This includes, for example, existing rights of use, licenses or contractual agreements that legitimize the use of the data.

3. model architecture and performance features

This section describes the technical structure of the model and its performance in practical use. It should be explained which model type is used and which version or training methodology was used. Possible examples are neural networks, decision trees or statistical models.

Details of the algorithms, frameworks and parameters used are also included in this section in order to make the structure and functionality of the model comprehensible. The central performance metrics such as accuracy, F1 score or bias indicators, including the underlying data sets, are then explained.

Finally, it should be documented which evaluation results are available, which limits and known limitations the model has and in which scenarios its reliability was tested particularly critically. This description forms the basis for subsequent audits and serves to ensure technical traceability throughout the entire life cycle of the system.

4. Transparency and traceability

It must also be documented how the decision-making processes of the AI system are made comprehensible for internal and external stakeholders. The aim is to Transparency about how the system works, its decision-making logic and its limitations so that users and inspectors can understand how the results are obtained. This includes a comprehensible description of the algorithmic decision paths, the input data used and the underlying models.

Possible uncertainties, risks of error and assumptions on which the system is based should also be disclosed.

A central component is the explanation of the planned human oversight, i.e. the description of where and how human intervention or controls are planned in order to prevent wrong decisions and ensure confidence in the results.

5. robustness, safety and maintenance

The aim is to ensure the stability and reliability of the model throughout its entire life cycle. This includes the Documentation all technical and organizational measures to prevent manipulation, unauthorized access or data falsification.

The mechanisms for recognizing "model drift", the gradual change in model performance due to new data or environmental conditions, should also be explained.

Procedures for monitoring and continuous surveillance are also described, including the definition of alarm and escalation processes in the event of deviations.

Finally, it should be shown how regular re-audits and maintenance cycles are planned in order to ensure that the system is up-to-date and functional. It should also be documented which methods are used to track changes (versioning and change logs) in order to Transparency to ensure that the system can be adapted and optimized.

6. Compliance and governance

This section describes the organizational and regulatory requirements that form the legal framework for the use and monitoring of AI systems. It serves to make the embedding of the model in existing compliance structures comprehensible and to show how risks are systematically identified and addressed. In particular, this includes linking it to risk analyses and data protection impact assessments, which ensure that Data protection and ethical principles are taken into account in all phases of model operation.

In addition, the approval processes and responsibilities should be explained in detail, i.e. it should be shown who checks, who approves and who monitors compliance with guidelines. Equally relevant is evidence of training, assignment of responsibilities and regular reviews to ensure that both specialist and compliance teams are continuously trained. This makes it clear that governance is not a one-off process, but an integral part of the entire AI lifecycle.

These points are set out in Article 11 of the AI Regulation and form the basis of every approval or audit check.

Testing & Audit: Documentation ready for proof

A good technical Documentation does not just arise at the end, but accompanies the entire life cycle of an AI model.

With a governance tool such as Ailance AI governance these requirements can be implemented automatically.

Inventory
All AI use cases are recorded in a central AI inventory with information on purpose, data, risks, responsible parties and status. This makes it clear at all times which systems exist and what phase they are in.

Create model maps
For each model a Model map created. This is a technical profile with core fields on data, version, performance, bias and governance. Missing information blocks the release until the card is complete. This is how the Documentation automatically becomes an entry requirement.

Integrate workflows and proofs
Risk-based workflows control how deeply checks are carried out. If a model contains personal data, a Data protection impact assessment started. Approvals, escalations and re-audits are carried out in the system and are time-stamped and documented with a complete audit trail.

Automatic logs and updates
As soon as data, code or parameters change, a partial release is triggered. Dashboards show where checks are pending. This keeps the Documentation always up to date.

Example: In the Ailance dashboard, a Compliance Officer can see at a glance which models are classified as high-risk, when the last bias test took place and which approvals are outstanding. This data can be exported directly as an audit report, audit-proof and without manual rework.

Conclusion: A technical Documentation in accordance with the AI Regulation is evidence, control instrument and knowledge repository all in one. Those who rely on structured model maps, central inventories and automated workflows at an early stage are double winners.

Regulatory: Verifiability and liability security
Operational: Efficiency and stable AI processes.

A good Documentation is your strongest compliance lever.

Find out now how Ailance automatically creates technical AI documentation and facilitates audits.

Marcus Belke is CEO of 2B Advice as well as a lawyer and IT expert for data protection and digital Compliance. He writes regularly about AI governance, GDPR compliance and risk management. You can find out more about him on his Author profile page.