EU AI Act Annex IV dossier
Report skene-selfhost-openai-full-art10-rerun · generated 2026-04-30T05:04:14.647Z
System identity
1.4.0toolkit version
internal_onlytransfer class
noneredaction status
cases: _source_inputs/cases.json
baseline: _source_inputs/baseline
new: _source_inputs/new
Operational constraints and intended-use assumptions
Declared intended use is not stored in the evaluator output and must be added by the operator.
- intended purpose statement
- system boundary description
- deployment context
1baseline assumptions present
1new assumptions present
0cases missing assumption state
Optional modules
Article 50 request state is recorded even when the module is not included in this package.
out_of_scopeArticle 50 state
builderdecision source
noneverification mode
Article 50 was declared out of scope by the operator; no Article 50 verification was run.
Package completion
This section reflects the builder draft and evidence register supplied by the operator. Customer-facing clause status is reduced when the package still records draft-only or missing legal records.
handoff readyclosing verdict
providerprimary role
high_risk_providerpackage path
ready_for_handoffpackage readiness
approved_for_handoffapproval status
8 / 8referenced records
8referenced legal artifacts
0unresolved records
builder draft:
supplemental/eu-package-input.json
package owner:
Skene compliance test owner
approver:
Skene test approver - compliance lead
approval date/scope:
2026-04-30 / Skene self-hosted customer-ready validation package
Required legal sections are complete, applicable legal records are referenced, and package approval is recorded for handoff. Use the package for reviewer, procurement, or counsel handoff and keep the referenced records current.
Blocking items:
Clause coverage
| clause | title | toolkit status | completion tier | package record | evidence refs | missing required |
|---|
Art_9 |
Risk management system |
evidence covered |
technical evidence collected |
— |
5 |
0 |
Art_10 |
Data governance and data quality |
evidence covered |
technical evidence collected |
— |
9 |
0 |
Art_11 |
Technical documentation |
evidence covered |
— |
referenced compliance/eu-ai-act-annex-iv.json
|
4 |
0 |
Annex_IV |
Technical documentation dossier structure |
evidence covered |
— |
referenced compliance/eu-ai-act-annex-iv.json
|
3 |
0 |
Art_12 |
Record-keeping and logging |
evidence covered |
technical evidence collected |
— |
3 |
0 |
Art_13 |
Transparency and instructions for use |
evidence covered |
technical evidence collected |
— |
6 |
0 |
Art_17 |
Quality management system |
evidence covered |
— |
referenced compliance/article-17-qms-lite.json
|
6 |
0 |
Art_14 |
Human oversight |
evidence covered |
technical evidence collected |
— |
3 |
0 |
Art_15 |
Accuracy, robustness, and cybersecurity |
evidence covered |
technical evidence collected |
— |
5 |
0 |
Art_72 |
Post-market monitoring |
evidence covered |
technical evidence collected |
— |
3 |
0 |
Art_73 |
Serious incident reporting |
evidence covered |
awaiting operator |
— |
4 |
0 |
Art_16 |
Provider obligations |
evidence covered |
awaiting operator |
— |
4 |
0 |
Art_18 |
Documentation keeping |
evidence covered |
— |
referenced compliance/evidence-index.json
|
4 |
0 |
Art_19 |
Automatically generated logs |
evidence covered |
— |
referenced archive/retention-controls.json
|
3 |
0 |
Art_20 |
Corrective actions and duty of information |
evidence covered |
— |
referenced compliance/release-review.json
|
4 |
0 |
Art_21 |
Cooperation with competent authorities |
evidence covered |
— |
referenced compliance/eu-ai-act-reviewer.md
|
4 |
0 |
Art_22 |
Authorised representatives |
evidence covered |
awaiting operator |
— |
3 |
0 |
Art_26 |
Obligations of deployers of high-risk AI systems |
evidence covered |
awaiting operator |
— |
4 |
0 |
Art_27 |
Fundamental rights impact assessment for deployers |
evidence covered |
awaiting operator |
— |
3 |
0 |
Art_43 |
Conformity assessment |
evidence covered |
— |
referenced compliance/article-43-conformity-assessment.json
|
4 |
0 |
Art_47 |
EU declaration of conformity |
evidence covered |
— |
referenced compliance/article-47-declaration-of-conformity.json
|
3 |
0 |
Art_48 |
CE marking |
evidence covered |
outside toolkit scope |
— |
3 |
0 |
Art_49 |
Registration |
evidence covered |
outside toolkit scope |
— |
3 |
0 |
Annex_V |
Declaration content |
evidence covered |
— |
referenced compliance/article-47-declaration-of-conformity.json
|
3 |
0 |
24evidence covered
0evidence partial
0evidence missing
7technical evidence collected
5awaiting operator
2outside toolkit scope
Toolkit status describes evidence coverage, not legal completion. Remaining work ownership counts covered clauses only.
Risk controls and residual risk
1risk low
0risk medium
0risk high
0require approval
- Operator-owned risk governance still sits outside the evaluator.
- Annex III classification and legal interpretation still require counsel.
- Deployer-facing oversight procedures, staffing, escalation rules, and operating playbooks remain operator-authored.
- Sector-specific validation thresholds, production robustness targets, cybersecurity controls, and acceptance criteria remain provider-owned.
Article 13 instructions for use scaffold
This export is a technical scaffold. Operator-authored deployer instructions are still required.
1executed cases
healthyexecution quality
0approval-required cases
0blocking cases
Required operator inputs:
- intended purpose statement for deployers
- known limitations and acceptable operating conditions
- human oversight and escalation instructions
- monitoring and maintenance contact path
Known limitations:
- Operator-authored intended-use, deployer-facing instructions, and operating constraints remain required.
- Human oversight procedures for deployers still require operator-authored narrative.
Article 9 risk register scaffold
6total entries
0block entries
6review entries
0monitor entries
| risk id | title | severity | status | description |
|---|
coverage-gap-art-9-1 |
Residual Article 9 governance gap |
medium |
review |
Operator-owned risk governance still sits outside the evaluator. |
coverage-gap-art-9-2 |
Residual Article 9 governance gap |
medium |
review |
Annex III classification and legal interpretation still require counsel. |
monitoring-gap-1 |
Monitoring residual gap |
medium |
review |
Trend ingest disabled for this run. |
monitoring-gap-2 |
Monitoring residual gap |
medium |
review |
Trend ingest was disabled for this run, so the monitoring window is not refreshed with the current release. |
monitoring-gap-3 |
Monitoring residual gap |
medium |
review |
No matching historical runs are available for this monitoring scope. |
monitoring-gap-4 |
Monitoring residual gap |
medium |
review |
No prior run is available to compute change-over-time deltas. |
Operator inputs still required:
- likelihood and severity rationale owned by the operator
- control owner and target review date for each open risk
- residual-risk acceptance rationale for any accepted risk
- provider decision linkage for block or review risks
Article 72 monitoring plan scaffold
This export is a technical monitoring-plan scaffold. Owners still need to complete cadence, retention, and authority/customer escalation workflow details.
no_matching_historymonitoring status
0runs in window
0approval cases
0blocking cases
Operator inputs still required:
- named monitoring owner and backup owner
- monitoring cadence and SLA by deployment context
- incident, customer, and authority notification workflow
- retention period and archive location for monitoring artifacts
- corrective-action and rollback authority for repeated drift or blocking findings
Escalation rules:
- execution-quality-degraded: Execution quality is degraded in the current evidence bundle. -> block
- blocking-case-present: One or more cases recommend blocking operation. -> block
- approval-review-queue: Approval-required cases remain open for the current run. -> review
- monitoring-drift: Future monitoring reviews should escalate when drift is detected versus prior runs. -> review
- history-not-current: Monitoring history is incomplete or stale and should be restored before the bundle is treated as current monitoring evidence. -> review
Article 17 QMS scaffold
This export is a technical quality-management scaffold. Operator-owned procedures, approvals, training, and communications still need to be authored outside the evaluator.
healthyexecution quality
0approval-required cases
0blocking cases
no_matching_historymonitoring status
6process areas
Management review triggers:
- One or more cases recommend blocking operation or require human approval.
- Execution quality is degraded or any case is marked block.
- Monitoring drift is detected or monitoring history becomes stale.
- Deployment context, target market, or intended use changes materially.
- Residual compliance gaps change, expand, or lose a named owner.
Operator inputs still required:
- named quality management owner and document approver
- written change-management procedure and approval workflow
- incident, complaint, and corrective-action handling workflow
- document-control, retention, and versioning policy
- training, competency, and supplier-management responsibilities
- authority and customer communication procedure for material issues
Article 73 serious-incident pack
This export is a technical incident-triage scaffold. Human review is still required to determine whether Article 73 reporting applies.
monitormachine triage
0incident triggers
0high+critical signals
readytechnical evidence status
Current assessment rationale:
- No machine trigger currently suggests a serious-incident review path from this bundle alone.
Operator inputs still required:
- named serious-incident owner and escalation backup
- human determination of whether the event meets Article 73 serious-incident threshold
- authority, customer, and internal notification routing by jurisdiction
- incident impact assessment and affected-person analysis
- reporting deadline calculation and external communications approver
Human oversight
0approval required
0blocked cases
0review queue
| case | title | gate | reviewer action | rationale |
|---|
| No review queue items. |
Logging and traceability
29manifest items
1case artifact rows
- Provider logging-retention periods, production log controls, and system-specific logging scope remain provider-owned.
Accuracy, robustness, and cybersecurity
healthyexecution quality
0cases with new signals
0highlighted cases
Technical evidence review
readytechnical evidence status
0approval-required cases
0blocking cases
- Runtime checks passed, no blocking or approval-required cases are open, and execution quality is healthy.
| id | check | status | summary |
|---|
execution_quality |
Execution quality is healthy |
pass |
Execution quality is healthy. |
blocking_cases |
No cases are blocked |
pass |
No cases are marked block. |
approval_cases |
Approval-required cases are cleared |
pass |
No additional approval queue is present. |
evidence_pack_integrity |
Evidence pack is self-contained and portable |
pass |
Evidence pack is self-contained, portable, and has no missing assets. |
package_closing_gate |
Package closing gate is handoff-ready |
pass |
handoff ready (ready_for_handoff, 9/9 completed section(s), 8/8 referenced records, 8 referenced legal artifact(s)). |
residual_compliance_gaps |
Residual provider-side gaps stay visible |
review |
26 residual gap(s) remain documented in the bundle. |
Post-market monitoring
no_matching_historymonitoring status
0runs in window
0monitored cases
0drift signals
scope: agent_model · current run in history:
false
| report | date | executed cases | approval | block | high+critical signals |
|---|
| No historical monitoring rows available. |
| case | title | gate | runs observed | approval/block runs | flagged because |
|---|
| No monitored case watchlist items in this bundle. |
- Trend ingest disabled for this run.
- Trend ingest was disabled for this run, so the monitoring window is not refreshed with the current release.
- No matching historical runs are available for this monitoring scope.
- No prior run is available to compute change-over-time deltas.
Your completion checklist
Items below are operator-owned or provider-owned completion work. The toolkit has collected its evidence for every clause where it can.
Operator / provider completion checklist
technical evidence collected
- Art_9: Operator-owned risk governance still sits outside the evaluator.
- Art_9: Annex III classification and legal interpretation still require counsel.
- Art_10: Dataset provenance, representativeness review, bias review, and preparation records remain provider-authored legal inputs.
- Art_12: Provider logging-retention periods, production log controls, and system-specific logging scope remain provider-owned.
- Art_13: Operator-authored intended-use, deployer-facing instructions, and operating constraints remain required.
- Art_13: Human oversight procedures for deployers still require operator-authored narrative.
- Art_14: Deployer-facing oversight procedures, staffing, escalation rules, and operating playbooks remain operator-authored.
- Art_15: Sector-specific validation thresholds, production robustness targets, cybersecurity controls, and acceptance criteria remain provider-owned.
- Art_72: Recurring monitoring cadence, escalation workflow, and regulator-facing reporting remain operator responsibilities.
awaiting operator
- Art_73: Provider-owned incident classification, authority notification timing, and production escalation records remain required.
- Art_16: Provider-owned records for Section 2 compliance, declaration, marking, registration, and authority-facing obligations remain required.
- Art_22: For providers established outside the Union, the written mandate and named authorised representative record remain required.
- Art_26: The deployer-owned operating record, instructions-of-use alignment, oversight assignment, log handling, and authority or provider notifications remain required where Article 26 applies.
- Art_27: The deployer-owned FRIA, updates, consultation path, and any linked impact-assessment records remain required where Article 27 applies.
outside toolkit scope
- Art_48: The provider-owned CE marking record, including digital or physical placement and notified-body identification where applicable, remains required.
- Art_49: The provider-owned EU database or national registration record remains required where Article 49 applies.
other open items
- Art_11: Annex IV technical documentation is referenced in the package record, but document completeness, currency, and final operator approval still need to be maintained outside the evaluator for Art_11.
- Annex_IV: Annex IV technical documentation is referenced in the package record, but document completeness, currency, and final operator approval still need to be maintained outside the evaluator for Annex_IV.
- Art_17: Article 17 QMS record is referenced in the package record, but document completeness, currency, and final operator approval still need to be maintained outside the evaluator for Art_17.
- Art_18: Article 18 documentation-keeping record is referenced in the package record, but document completeness, currency, and final operator approval still need to be maintained outside the evaluator for Art_18.
- Art_19: Article 19 automatic-log retention record is referenced in the package record, but document completeness, currency, and final operator approval still need to be maintained outside the evaluator for Art_19.
- Art_20: Article 20 corrective-action and duty-of-information record is referenced in the package record, but document completeness, currency, and final operator approval still need to be maintained outside the evaluator for Art_20.
- Art_21: Article 21 authority-cooperation record is referenced in the package record, but document completeness, currency, and final operator approval still need to be maintained outside the evaluator for Art_21.
- Art_43: Article 43 conformity assessment record is referenced in the package record, but document completeness, currency, and final operator approval still need to be maintained outside the evaluator for Art_43.
- Art_47: Article 47 declaration of conformity is referenced in the package record, but document completeness, currency, and final operator approval still need to be maintained outside the evaluator for Art_47.
- Annex_V: Annex V declaration support record is referenced in the package record, but document completeness, currency, and final operator approval still need to be maintained outside the evaluator for Annex_V.
Evidence index summary
24 clauses · 29 manifest-backed artifacts indexed