The EU AI Act is no longer an abstract policy debate. With the regulation adopted and implementation timelines now in motion, organizations building or deploying high-risk AI systems are being pushed to define what “compliance” actually looks like in operational terms.1 Many high-risk obligations are currently expected to apply from August 2026 under the EU’s published rollout, even as policy discussions on timing and simplification continue to surface.2
Inside many organizations, early preparation has centered on governance frameworks: classification methodologies, transparency wording, risk registers, policy documents, and internal procedures intended to demonstrate responsible AI development. These efforts matter. They provide the structural backbone of a compliance program.
But when market surveillance authorities or notified bodies eventually assess high-risk systems, the central question will not be whether an organization has produced documentation. The real question will be whether the organization can demonstrate that its controls were actually applied in practice.
In other words, compliance under the EU AI Act will ultimately depend on operational evidence.
For teams responsible for building and deploying AI systems, this distinction between documentation and operational evidence has immediate practical consequences. It goes directly to the heart of how regulators evaluate accountability. Policies describe intent. Evidence demonstrates execution.
This difference becomes particularly visible in the obligations surrounding data governance. Article 10 of the EU AI Act requires providers of high-risk AI systems to ensure that training, validation, and testing datasets are relevant, representative, sufficiently complete, and appropriate for the intended purpose of the system.
Those requirements cannot be satisfied through policy language alone. They require traceable records of how datasets were sourced, evaluated, prepared, and monitored throughout the lifecycle of the system.
The regulation itself reflects this emphasis. Rather than prescribing fixed technical methods, it requires providers to be able to substantiate that their development processes align with the intended purpose of the system and the generally acknowledged state of the art.
The implication is straightforward: when regulators review a high-risk system, they will expect to see the operational record behind the governance framework.
Documentation Is Necessary — But It Is Not the Evidence
In many organizations preparing for the EU AI Act, the first visible activity is documentation. Governance policies are written. Responsible AI principles are formalized. Risk management frameworks are introduced. Internal review boards are established. These steps are understandable and in many cases essential for creating organizational accountability.
Yet documentation alone does not demonstrate that an AI system has been governed responsibly. A policy can state that datasets must be representative. A procedure can require bias testing. A governance charter can describe oversight responsibilities. None of those documents, by themselves, prove that the work actually happened.
Regulators evaluating high-risk systems will look beyond the existence of governance documentation and ask a more fundamental question: what operational record exists to demonstrate that those controls were implemented during development and deployment?
This pattern is already familiar from other regulated sectors such as financial supervision and pharmaceutical quality management, where regulators routinely distinguish between written procedures and demonstrable operational records.
This is where the distinction between documentation and operational evidence becomes clear. Documentation describes how an organization intends to manage risk. Operational evidence reconstructs what actually occurred during the lifecycle of the AI system.
For high-risk systems, the operational trail may include records of dataset sourcing decisions, data cleaning and preprocessing steps, representativeness assessments, bias testing outcomes, and documented reasoning for mitigation strategies. It may also include records explaining why certain data limitations were accepted and how those limitations were reflected in the system’s residual risk profile.
If those records cannot be produced, governance frameworks begin to look superficial. The presence of a policy does not demonstrate that a dataset was examined for representativeness. A statement about fairness does not show that bias testing was performed. A risk register entry does not prove that the underlying data analysis was conducted with appropriate rigor.
This dynamic is not unique to AI regulation. In financial supervision, environmental regulation, and pharmaceutical oversight, regulators routinely distinguish between written procedures and verifiable operational records. The EU AI Act follows the same logic.
For providers of high-risk AI systems, this means that governance cannot remain purely administrative. It must generate traceable artifacts that show how decisions were made, who made them, when they were made, and what evidence informed those decisions.
Article 10 and the Dataset Evidence Trail
Among the operational obligations introduced by the EU AI Act, few are as central to high-risk systems as the data governance requirements in Article 10. The provision focuses on the quality, suitability, and governance of the datasets used to train, validate, and test AI systems. It reflects a long-standing regulatory concern: many of the risks associated with automated decision systems originate in the data itself.
Article 10 therefore does not simply ask whether data was collected lawfully. It requires providers of high-risk AI systems to establish governance practices that ensure datasets are relevant to the system’s intended purpose, sufficiently representative of the environment in which the system will operate, and appropriate in terms of quantity and quality.
The regulation also requires providers to examine potential biases in datasets and to implement appropriate mitigation measures where necessary. These obligations are tied directly to the EU AI Act’s broader focus on protecting health, safety, and fundamental rights.
The text of the regulation makes this expectation explicit. Article 10 requires that training, validation, and testing datasets be subject to appropriate data governance and management practices, including examination for possible biases and consideration of the characteristics of the population or environment in which the AI system is intended to be used.
Providers are also required to document the origin of the datasets and the processes used to prepare them. In practical terms, this means organizations must be able to reconstruct the lifecycle of the data used to develop the system.
That reconstruction often includes several layers of operational detail: how the data was collected, what filtering or cleaning procedures were applied, how representativeness was assessed, what bias testing methods were used, and how the results of those analyses influenced model development decisions.
Where limitations or gaps in the data are identified, those findings must not disappear into technical notes or internal discussions. They must be recorded as part of the governance record and considered within the organization’s broader risk management process.
These expectations are consistent with the regulatory text itself. The official regulation describes these obligations in Article 10 of the EU AI Act, which can be consulted directly through the European Union’s legal portal: EUR-Lex – Regulation (EU) 2024/1689.
In practice, this means compliance with Article 10 cannot be reduced to a checklist completed once during development. It requires the existence of operational records capable of explaining how the data used by a system was evaluated, prepared, and governed throughout its lifecycle.
The Interplay Between Articles 8, 9, and 10
The data governance obligations in Article 10 do not exist in isolation. They form part of a broader compliance architecture built across several provisions of the EU AI Act. In practice, the most important connections are with Articles 8 and 9.
Article 8 establishes the requirement for providers of high-risk AI systems to operate within a quality management framework and to produce technical documentation capable of demonstrating compliance with the regulation. That framework must reflect the intended purpose of the system and the generally acknowledged state of the art at the time the system is developed and deployed.
Article 9 introduces a continuous risk management system. Providers must identify, analyze, evaluate, and monitor risks associated with their AI systems throughout the lifecycle of the system. These risks may relate to safety, fundamental rights, discriminatory outcomes, or other forms of harm that may arise when the system is deployed in real-world environments.
Article 10 provides a crucial part of the evidence that feeds into this risk management process. Dataset governance is often the first place where potential risks become visible. If training data is incomplete, unrepresentative, or skewed toward particular population groups, those characteristics may translate directly into biased or unreliable system behavior.
When such limitations are discovered during dataset analysis, they cannot remain purely technical observations. They must be translated into governance decisions. In practice, this means that findings from dataset reviews should be recorded within the organization’s Article 9 risk management framework, including documentation of mitigation steps and any residual risks that remain.
This relationship illustrates how the EU AI Act is designed to function as an integrated system rather than a collection of isolated requirements. Article 10 generates operational evidence about the data used to build the system. Article 9 uses that evidence to evaluate and manage risk. Article 8 ensures that the overall governance framework supporting these activities is properly documented and maintained.
When regulators review a high-risk AI system, they are likely to examine these connections closely. Evidence about dataset governance should correspond to entries in the risk management process, and those entries should in turn be reflected in the technical documentation produced under the quality management framework.
If those links cannot be reconstructed, the governance structure begins to appear fragmented. A dataset analysis that identifies bias but never appears in the risk register suggests that the organization’s risk management process is incomplete. A mitigation decision recorded in technical documentation but unsupported by dataset evidence raises similar concerns.
The EU AI Act therefore expects organizations to treat dataset governance, risk management, and technical documentation as parts of a single operational record rather than separate compliance exercises.
What Regulators Will Actually Look For
Discussions about compliance often revolve around policies, governance frameworks, and formal procedures. Yet when regulatory oversight begins in earnest, the focus usually shifts quickly from policy design to operational traceability.
Market surveillance authorities responsible for enforcing the EU AI Act will not limit their assessment to high-level documentation. They will examine whether organizations can demonstrate how their AI systems were developed, evaluated, and monitored in practice.
In the context of Article 10, this means that providers of high-risk systems should expect questions that focus on reconstructing the lifecycle of the data used to build the system. Authorities may ask where the training datasets originated, how the datasets were collected or obtained, and what steps were taken to verify their relevance to the system’s intended purpose.
They may also examine how representativeness was evaluated. A dataset may appear large or technically sophisticated while still failing to reflect the population or environment in which the AI system will ultimately operate. Demonstrating representativeness therefore requires more than a description of the dataset; it requires evidence of the evaluation process used to determine whether the dataset was appropriate.
Bias analysis is another area where regulators are likely to look beyond surface-level documentation. Authorities may ask how potential biases were detected, what analytical methods were used, what mitigation steps were considered, and how decisions were made when trade-offs were unavoidable.
Where special categories of personal data were used for bias detection or mitigation, providers must also be able to explain the safeguards that were implemented and the reasoning behind those decisions. These considerations are reflected in the safeguards outlined within Article 10 and the broader legal context of data protection law.
Operational evidence becomes particularly important when organizations need to explain why certain limitations in the data were accepted. No dataset is perfect, and the regulation does not require perfection. What it requires is transparency and reasoned decision-making. If gaps or constraints were identified during development, regulators will expect to see how those issues were documented and how any resulting residual risks were managed.
In many organizations, the ability to produce these records depends on whether the development process captured them systematically. Dataset lineage records, bias testing logs, internal review notes, and decision rationales may all form part of the evidentiary trail that demonstrates responsible governance.
The EU AI Act also gives market surveillance authorities powers to request access to relevant documentation and, in certain cases, access to datasets when investigating compliance. Providers should therefore ensure dataset records and supporting materials are retrievable in a structured, timely way — including planning for secure inspection workflows where remote access is required.3
For teams responsible for operational governance, the practical challenge is not simply performing these analyses, but ensuring that the resulting evidence remains accessible and traceable over time. Systems evolve, teams change, and datasets are updated. The evidentiary record must remain coherent despite these changes.
Building Operational Evidence in Practice
The transition from documentation to operational evidence does not happen automatically. It requires organizations to treat governance activities as traceable operational processes rather than administrative obligations completed at the end of development.
In practical terms, this means embedding recordkeeping directly into the lifecycle of the AI system. When a dataset is introduced into a training pipeline, its origin, intended use, and preparation steps should already be documented as part of the development workflow. When bias testing is conducted, the methodology, results, and mitigation decisions should be recorded alongside the technical outputs rather than summarized later in a policy document.
Teams that rely on retrospective documentation often struggle when regulators request detailed explanations. Memories fade, development decisions are difficult to reconstruct, and the reasoning behind key choices may no longer be available. Operational evidence avoids this problem because the record is created at the moment the decision is made.
One of the most effective ways to achieve this is by treating governance artifacts as part of the engineering environment itself. Dataset registries, lineage tracking tools, experiment logs, and model evaluation reports can serve as a living record of how a system was built and tested. When these records are maintained consistently, they provide the traceability needed to demonstrate compliance with Article 10.
Another important step is connecting dataset-level observations with the broader risk management framework required under Article 9. When a dataset review identifies limitations in representativeness, potential bias risks, or contextual gaps, those findings should not remain isolated within technical documentation. They should feed directly into the organization’s risk management process, where they can be assessed, monitored, and revisited over time.
This connection between operational data governance and risk management is one of the central structural features of the EU AI Act. Data governance generates the evidence that allows risk management decisions to be justified. Without that evidence, risk registers risk becoming theoretical rather than operational.
Organizations should also consider how quickly they can retrieve relevant records if regulators request them. Article 74 of the regulation provides authorities with powers to access datasets and supporting documentation when investigating compliance. Preparing for this possibility requires more than storing documents in scattered repositories. It requires a structured evidence environment where datasets, testing records, and governance decisions can be retrieved efficiently.
Many organizations address this challenge by establishing centralized evidence repositories where development records, dataset documentation, evaluation reports, and governance decisions are stored in a consistent format. These repositories do not replace technical systems such as version control or experiment tracking tools. Instead, they provide a structured layer that organizes evidence in a way that can be presented during audits.
Preparing this operational evidence infrastructure early can significantly reduce compliance risk as the August 2026 enforcement milestone approaches. By the time authorities begin reviewing high-risk systems under the EU AI Act, organizations that have integrated governance into their development processes will find it far easier to demonstrate how their systems were designed and controlled.
The alternative is far more difficult. Attempting to reconstruct governance evidence after deployment is rarely successful, particularly when systems have already evolved through multiple development cycles.
Operational Evidence Will Define EU AI Act Compliance
The EU AI Act represents a structural shift in how AI systems are governed in Europe. It does not simply introduce new documentation requirements. It creates a framework where organizations must be able to demonstrate how their systems were designed, tested, and monitored in relation to the risks they pose.
This is why operational evidence sits at the center of the regulation. Technical documentation, risk registers, and governance policies remain important, but their value ultimately depends on whether they reflect real operational practice. Regulators are unlikely to focus on the existence of documents alone. They will look for the underlying records that show how decisions were made, what risks were identified, and how mitigation measures were implemented.
For high-risk AI systems, Article 10 provides one of the clearest examples of this principle in action. Data governance requirements extend far beyond the simple instruction to use high-quality datasets. Providers must be able to demonstrate how data was collected, prepared, evaluated, and monitored throughout the lifecycle of the system. This evidence forms the foundation upon which broader risk management decisions are made.
The interaction between Articles 8, 9, and 10 reinforces this approach. Article 8 establishes the overarching obligation to align development practices with the intended purpose of the system and the generally acknowledged state of the art. Article 9 requires a continuous risk management process that evaluates and mitigates risks to health, safety, and fundamental rights. Article 10 supplies the operational evidence that allows those risk management processes to be verified.
Organizations that treat these provisions as separate compliance tasks may struggle to demonstrate that their governance structures function in practice. In contrast, teams that integrate data governance, risk management, and technical documentation into a unified operational process will be far better positioned when regulatory scrutiny begins.
The timeline for this transition is now clear. High-risk obligations under the EU AI Act are expected to apply broadly from August 2026. For many organizations developing or deploying AI systems in regulated sectors, that deadline leaves limited time to establish the operational infrastructure required to produce reliable evidence.
The challenge is therefore not only legal or administrative. It is organizational. Governance activities must become embedded in everyday development workflows so that evidence is generated naturally as systems evolve.
Teams that invest early in traceability, dataset documentation, bias testing records, and structured evidence repositories will find themselves operating from a position of strength. Their compliance posture will be built on demonstrable practices rather than retrospective explanations.
Those that postpone this transition may discover that producing credible evidence under regulatory pressure is far more difficult than anticipated.
The difference between these two approaches is not the number of policies an organization can produce. It is the ability to reconstruct how a system was governed in the real world.
That distinction will increasingly define what credible AI governance looks like under the EU AI Act.
For teams working to operationalize these requirements in practice, a structured dataset governance checklist can provide a useful starting point for organizing evidence and identifying gaps in existing processes.
The Article 10 dataset governance checklist referenced in this discussion is available alongside the full breakdown of Article 10 requirements here:
EU AI Act Article 10 — Data Governance for High-Risk AI Systems
As the regulatory environment continues to evolve, organizations that treat governance as a living operational process rather than a documentation exercise will be best prepared for the responsibilities that come with deploying high-impact AI systems.
References
- European Union. (2024). Regulation (EU) 2024/1689 (Artificial Intelligence Act). EUR-Lex.
https://eur-lex.europa.eu/eli/reg/2024/1689/oj
↩ - Reuters. (2025, July 4). EU sticks with timeline for AI rules.
https://www.reuters.com/world/europe/artificial-intelligence-rules-go-ahead-no-pause-eu-commission-says-2025-07-04/
↩ - European Union. (2024). Regulation (EU) 2024/1689 (Artificial Intelligence Act). EUR-Lex.
https://eur-lex.europa.eu/eli/reg/2024/1689/oj
↩
Covering responsible AI, governance frameworks, policy, ethics, and global regulations shaping the future of artificial intelligence.
