6. Single-System Control Plane: Compliance
Functional Documentation
1) Compliance Overview (Per System)
Purpose: Regulatory posture snapshot for one AI system (EU AI Act-oriented coverage view).
What it shows:
- Compliance score based on section completion across 8 sections.
Completion logic:
- Risks
- Data
- Guardrails
- Evaluations
- QMS
- Incidents
- Access
- Documentation
Main actions:
- Open each compliance card (Risks, Data, Guardrails, Documentation, Access, and related sections).
Export Bundlefrom header actions for conformity package export.STOP/RESUME(operational kill switch with compliance implications).
2) Risks Register
Purpose: Risk catalog with scoring and mitigation lifecycle (Article 9).
What it tracks:
- category
- scenario type
- severity / probability
- risk score
- residual risk
- owner
- review dates
- mitigation status
Main actions:
Add RiskAuto-Detect Risks(AI suggestions)Add(accept suggested risk)- Inline status selector:
Open,In Progress,Mitigated,Accepted Edit->Save ChangesMark as Reviewed
3) Data Section
Purpose: Dataset governance and control evidence (Article 10).
What it tracks:
- dataset origin / provenance
- usage type
- personal or sensitive data markers
- bias checks
- review cycle
- legal / retention / evidence metadata
Main actions:
Save Dataset(new dataset + link)- Per-row:
Edit,Save changes,Unlink,Unlink dataset
Notes:
- Non-admin roles are read-only where required.
4) Guardrails Evidence
Purpose: Security configuration represented as compliance evidence.
What it tracks:
- strict mode / failure mode
- AI audit settings
- blocking controls
- limits
- circuit breaker
- notification channels
Main actions:
Save Notification ChannelsSave Plan TierSave Service ProtectionSave AI Firewall / Security ShieldSave Circuit Breaker
Threat history evidence panel:
- Filters (risk score/type/view mode)
Export->Export CSV/Export JSONView details/Hide details
5) Evaluations
Purpose: Quality/safety evaluation system-of-record with approval gates.
What it tracks:
- criteria JSON
- result JSON
- status (
pending,running,passed,failed,approved) - evaluation type
- model/code version
- immutable final state
Main actions:
New Evaluation- In create dialog:
Add metric,Remove,Create - In evaluation detail:
Submit Results(manual JSON fallback) Approve for Production(only when status ispassed)Close
6) QMS Module
Purpose: Structured compliance workflows (Article 17).
What it tracks:
- policies
- evidence files
- change requests
Main actions:
- Tab switch:
Policies/Evidence Registry/Change Requests
Policies
Create PolicyApprove(approved policies become immutable)
Evidence
Upload EvidenceLock (WORM)(immutable evidence state)
Change requests
Create Change Request(can be linked to passed/approved evaluations)
7) Incidents
Purpose: Incident lifecycle and authority-reporting workflow (Article 73).
What it tracks:
- severity
- status
- reportability
- authority report timestamp
- root cause
- impact assessment
- linked event
- CAPA actions
Main actions:
Report Incident- Incident detail:
Save Incident Analysis Mark as Reported to Authority(reportable incidents)Mark Resolved- CAPA flow:
Add Action->Add CAPA Action
8) Documentation
Purpose: Annex IV documentation authoring and exportable evidence package.
What it tracks:
- technical documentation completeness
- risk/data readiness
- generated report dataset
Main actions:
- Open editor (
Doc editor) Generate Report/Regenerate Report DataShow Preview/Hide PreviewDownload PDF
9) Access (Compliance Controls Ownership)
Purpose: Define who is allowed to manage compliance controls and oversight.
What it tracks:
- internal operators/admins
- customer collaborators
- assignment history
Main actions:
Assign OperatorInvite & AssignRevoke access(remove assigned operator)
Important rule:
- Compliance write actions are admin-gated. Viewer/operator roles are read-only in critical modules.