How do you document AI use in a way that complies with the AI Act?

Why work with us:
– AI expertise
– We know everything there is to know about telephony

To document AI use in accordance with the AI Act, you must maintain a technical file for each AI system that describes its purpose, risk class, operation, and responsibilities. The level of detail required in this documentation depends on your system’s risk class: high-risk AI requires a complete technical file and registration in an EU database, while AI with limited risk is subject to less stringent transparency requirements. In this article, we answer the most frequently asked questions about AI governance and documentation, so you know exactly what your organization needs to do.

Which AI systems are you required to document under the AI Act?

Under the AI Act, you are required to document your system as soon as you offer or deploy an AI system classified as high-risk, or when you use a system subject to the transparency requirements for limited risk. The majority of current AI applications fall into the minimal-risk or no-risk category and remain unregulated, but you must be able to demonstrate which category your system belongs to.

The law distinguishes between four risk levels. Prohibited AI (unacceptable risk) simply may not be used. High-risk AI requires extensive documentation and a conformity assessment. Low-risk AI is subject to less stringent transparency requirements, such as the obligation to inform users that they are interacting with an AI system. Minimal-risk AI is largely exempt from documentation requirements.

High-risk AI is defined in two categories. First, systems that serve as safety components of products covered by European harmonization legislation and require a third-party conformity assessment. Second, systems that fall under one of the eight domains listed in Annex III:

  • Biometrics
  • Critical Infrastructure
  • Education and Vocational Training
  • Employment and Human Resources Management
  • Access to essential services (such as creditworthiness or emergency calls)
  • Law Enforcement
  • Migration and Border Control
  • The Administration of Justice and Democratic Processes

Important: Systems that perform profiling of natural persons are always high-risk, regardless of the domain. A system that performs only a narrow procedural or preparatory task and does not pose a significant risk to fundamental rights may fall outside the high-risk category, but only if you provide substantiated documentation to support this.

What exactly must be included in AI Act-compliant documentation?

AI Act-compliant documentation for high-risk systems must include, at a minimum, a technical file containing a description of the system and its intended purpose, a risk analysis, information about the training data and the system’s operation, and a description of the human oversight measures. For low-risk systems, a more concise transparency documentation is sufficient.

For high-risk AI, the AI Act requires the following elements to be included in the technical dossier:

  • General description: What does the system do, what is its intended use, and who are the end users?
  • Risk Class Justification: Why does the system fall into the high-risk category—or why doesn’t it?
  • Technical specifications: architecture, algorithms, training data, and performance metrics
  • Risk Management System: What risks have been identified, and what measures have been taken?
  • Human oversight: How and by whom is the system monitored?
  • Declaration of Conformity: a statement that the system meets the requirements
  • Registration: enrollment in the EU database for high-risk systems

Documentation must be retained for ten years after the system is placed on the market or put into service. This also applies to importers, who are required to verify that the conformity assessment has been conducted and that the CE marking is present before introducing a system.

How does documentation differ for AI providers and users?

Providers of AI systems bear the heaviest documentation obligations: they must prepare the complete technical file, conduct the conformity assessment, and register the system. Users (referred to as “deployers” in the AI Act) have a lighter obligation, but are required to use the system in accordance with the provider’s instructions and to report incidents.

In practice, the distinction isn’t always clear-cut. An organization that purchases a standard AI tool from an external vendor is a deployer. But as soon as you customize that tool, put your own name on it, or change its intended purpose in such a way that the system becomes high-risk, you yourself become a provider, with all the associated obligations.

Deployers are subject to the following obligations, among others, when using high-risk AI:

  • Use the system only for its intended purpose as described by the provider
  • Ensure human supervision by qualified staff
  • Report serious incidents to the market surveillance authority
  • Conduct a fundamental rights impact assessment for certain applications
  • Keep logs of usage, to the extent that you have control over it

In addition, providers outside the EU must designate an authorized representative in the EU who will comply with the obligations on their behalf.

How do you set up a practical AI registry for your organization?

To create a practical AI registry, start by taking inventory of all AI systems in your organization, classifying them by risk level, and recording the key details for each system. The registry forms the backbone of your AI governance and makes it possible to quickly demonstrate which systems you use and how you ensure compliance.

Build your registry in three steps:

  1. Take stock: Identify all AI applications, including purchased tools, features embedded in software, and internally developed systems. Don’t forget AI features in existing software, such as automatic email sorting or predictive text.
  2. Classify: Determine the risk class for each system based on the AI Act criteria. Document your reasoning so that, in the event of an audit, you can demonstrate why you classified a system as low-risk.
  3. Document: For each system, record who the provider is, what the intended use is, who is responsible within your organization, what data the system uses, and what measures are in place for human oversight.

Keep the registry up to date by linking it to your procurement process: every new AI system you purchase or implement is immediately recorded and classified. Assign an owner for each system so that responsibilities are clear. The AI Act also requires organizations to ensure AI literacy (Article 4, effective as of February 2, 2025), which means that employees who work with AI systems must have sufficient knowledge of how they operate and the risks they pose.

What tools and templates can help with AI Act documentation?

For AI Act documentation, you can use risk assessment templates from national regulators, open standards such as model cards and data sheets for datasets, and specialized compliance software solutions. The European Commission and the AI Office also publish guidelines and standard forms that serve as a starting point.

Practical tools you can use:

  • Risk Assessment Templates: The AI Office and national authorities provide templates for classifying AI systems and justifying your choice of risk class
  • Model cards: standardized documents that describe the operation, limitations, and intended uses of an AI model, originally developed by the research community
  • Data Impact Assessments: Templates for Assessing the Risks of Training Data, Including Bias and Privacy Considerations
  • Fundamental Rights Impact Assessment: This is mandatory for certain high-risk applications; the Commission is working on a standardized format
  • Compliance software: specialized platforms help you maintain your AI registry, schedule audits, and manage documentation across multiple systems

Where possible, align your AI documentation with existing information security and privacy management processes. If your organization already uses an Information Security Management System (ISMS) based on ISO 27001, you can logically integrate AI-related risks and documentation into it.

What are the consequences if your AI documentation isn’t in order?

If your AI documentation does not comply with the AI Act, you risk fines of up to 15 million euros or 3% of your global annual revenue for non-compliance with the requirements. For violations of prohibited practices, the fine can reach up to 35 million euros or 7% of annual revenue. In addition to financial penalties, you also risk reputational damage and operational shutdowns.

The penalty structure has three levels:

  • Prohibited Practices (Article 5): up to 35 million euros or 7% of global annual revenue
  • Non-compliance with other obligations: up to 15 million euros or 3% of annual revenue
  • Inaccurate or misleading information provided to authorities: up to 7.5 million euros or 1% of annual revenue

For SMEs and startups, the lower of the percentage or the fixed amount applies in each case, which offers some protection. Most of the requirements for high-risk Annex III systems take effect on August 2, 2026, so organizations still have time to get their documentation in order. Oversight of high-risk AI rests with national market surveillance authorities, which may lead to differences in priorities among Member States. In January 2026, Finland became the first Member State to grant enforcement powers to its authority.

In addition to fines, there are also indirect consequences: without demonstrable AI governance, you lose the trust of customers and partners, you can no longer legally deploy high-risk systems, and you run the risk of liability if an AI system causes harm without you being able to demonstrate that you had taken the appropriate measures.

How Pegamento Helps with AI Governance and Documentation

Setting up effective AI governance requires more than just a spreadsheet listing systems. It requires a structured approach that aligns with your existing security, quality, and compliance processes. We help organizations establish a practical AI governance structure, from assessment to documentation and monitoring.

What specifically we can do for you:

  • Identify which AI systems your organization uses, including features embedded in existing software
  • Classifying systems based on the AI Act risk criteria, with supporting documentation
  • Setting up an AI registry that aligns with your existing ISMS and ISO 27001 processes
  • Implementation of Agentic AI assistants that comply with transparency and documentation requirements, including the necessary technical documentation
  • Training employees in AI literacy in accordance with Article 4 of the AI Act

Our approach combines proven standard building blocks into a customized solution for your organization, without the need for costly custom development. Everything under one roof: from consulting and implementation to management and support. Want to know where you stand with your AI documentation and what you still need to do to meet the 2026 deadlines? Get in touch, and we’ll work together to find the best approach for your situation.

Frequently Asked Questions

As a small organization or SME, do I also have to comply with the AI Act’s documentation requirements?

Yes, the AI Act generally applies to all organizations that offer or deploy AI systems within the EU, regardless of their size. SMEs and startups do receive some protection through the fine structure (the lower of the fixed amount or the percentage of revenue applies), and the AI Office provides simplified guidelines specifically for smaller organizations. Nevertheless, even as an SME, it’s wise to start conducting a basic inventory of your AI systems now, so you won’t be caught off guard as the 2026 deadlines approach.

How do I know if an AI tool I’m purchasing from a third-party vendor is high-risk?

Actively ask the supplier about the system’s risk classification and whether a technical file and declaration of conformity are available. High-risk systems must be registered by the provider in the EU database and bear a CE marking. As a deployer, you are required to verify that the provider has fulfilled its obligations before putting the system into service—if this documentation is missing, you yourself are at risk in the event of an inspection.

What is the difference between an AI register and a technical dossier, and do I need both?

An AI register is an internal overview document of all AI systems your organization uses, including their risk class, owner, and intended use—it is your management tool for AI governance. A technical dossier is a detailed, legally required document for each high-risk system that includes its technical operation, risk analysis, and declaration of conformity. You need both: the register as the foundation for your governance structure, and the technical dossier as proof of compliance for high-risk applications.

What should I do if an AI system I’m using changes risk classes, for example, due to an update from the vendor?

As soon as a supplier implements a significant update that substantially alters the intended use or operation of the system, the risk classification may indeed change—and with it, your obligations as the deployer. Ensure that your contracts require suppliers to notify you of any changes that could affect the risk class, and update the classification in your AI registry with every material update. Integrate this into your procurement process so you don’t face any surprises later on.

How do I handle AI features that are already built into existing software, such as CRM or HR systems?

Embedded AI features in standard software are often overlooked, but they do fall under the AI Act if they support decision-making in high-risk areas such as human resources or lending. Actively identify which AI functionalities are present in your existing software packages—check with vendors if it’s unclear—and include them in your AI registry. If the vendor is the provider, verify that they have complied with their documentation obligations.

How do I ensure my AI documentation stays up to date as regulations evolve?

Designate a responsible person—for example, an AI coordinator or an existing compliance officer—who actively monitors developments related to the AI Act, including guidelines from the AI Office and updates from national regulators. Link your AI register to a fixed review cycle, at least annually or whenever there is a significant change to a system or the regulations. Subscribe to updates from the European AI Office and relevant national authorities to respond in a timely manner to new obligations or changes in interpretation.

Can employees be held personally liable if AI documentation is not in order?

The AI Act primarily targets organizations as legal entities, not individual employees. However, internal liability may arise within an organization if an employee is demonstrably negligent in complying with established procedures. Therefore, ensure a clear division of responsibilities in your AI governance—specify who is responsible for documentation, classification, and oversight—and ensure that employees are adequately trained on their obligations under Article 4 of the AI Act.

More blogs

Download the white paper here

Deepen your knowledge with Pegamento’s white papers.

Joost Schaap-Account manager Pegamento

Joost Schaap

Senoir Account Manager

When a customer contacts an organization because they have a complaint, it is crucial that the employee of the organization begin by listening carefully. What does this complaint mean for the customer and also for their own organization? How can this complaint be resolved? After listening carefully the employee needs the right information so that a solution can be offered.

This piece was written by Joost Schaap, working as an Account Manager at Pegamento.

Tim Treurniet-AI developer Pegamento

Tim Treurniet

Designer of Intelligent Systems

Real childhood heroes I never had. But in retrospect, I believe figures like Willie Carrot or Dexter’s lab may have had an influence on me. I get energy from actually making innovative and useful products myself. Nothing like seeing the effect of a project that automates a boring task, or makes a complex process suddenly accessible.

A nice bridge to my photograph is the physical aspect of my work. By working with image recognition, I am often very directly connected to the physical world and my work is more than just programming. For example, our image recognition software ensures safety on bridges, tracks players on a soccer field or uses your own smartphone to accurately measure yourself. This combination between physical and digital provides variety and extra challenge. For me, these are the main reasons for my interest and enthusiasm in what I do!

This piece was written by Tim Treurniet, employed Designer of intelligent systems at Pegamento.

Vera van der Plas-UI-UX designer

Vera van der Plas

UI/UX Designer

As a UX/UI designer, I deal daily with transforming complex data into user-friendly visualizations. All of this topped off with a digital lick of paint which should attract the visitor’s attention to take action.

One of the interesting aspects of this field I find the effects that small tweaks, both textual and visual, can have on conversion. The psychological impact that a simple background color of a CTA button has on our behavior is huge. After all, that color can determine whether or not you are going to buy that product.

What we see and how our brains process and interpret this information fascinates me. The possibilities of subconsciously pointing potential customers in your chosen direction are endless. I hope to apply my expertise more often within our solutions in the future.

This piece was written by Vera van der Plas, working as a UX/UI Designer at Pegamento.

Fouad Rahaoui-Finance Pegamento

Fouad Rahaoui

Financial Controller

A Financial Controller within a company should not only be an expert in Finance. You must also have knowledge of the latest IT developments. Because these are also moving very quickly in the world of Finance.

At Pegamento, I can learn all about the latest IT developments. Like the latest development in the field of Machine learning and deep learning.

Through these application areas, as Financial Controller, I can further automate the financial business processes within Pegamento and implement improvements for the automatic processing of financial data.

This piece was written by Fouad Rahaoui, working as a Financial Controller at Pegamento.

Ernst Vegter-Business consultant Pegamento

Ernst Vegter

Business Consultant

Hospitality is one of my deepest motivations.
Not surprisingly, of course, customer service is a common thread in my career. Aspects of hospitality is being able to connect, to facilitate but mainly to make someone feel genuinely welcome. My intuition is my greatest asset to be able to put myself in the shoes of a guest. A customer is my guest.

Fed by various senses, an image forms around the client. I listen to what is being said, watch facial expressions, taste the underlying tone and get a feel for the challenge to be addressed. An image literally forms on my retina. I have to be able to see it. If I can see it, I can create it.

In this, the trick is to pursue simplicity, give the client a warm feeling that the problem is understood, receive good advice, facilitated and carefully guided to the solution. Trust, connect and unburden.

The feeling when a guest arrives at your hotel after a long tiring journey, can sit in front of the fireplace, be handed a good glass of wine and stare carefree at the fire. My guest knows it will be okay.

This piece was written by Ernst Vegter, working as a Business Consultant at Pegamento.

Gunisch-AI developer Pegamento

Gunish Alag

AI Developer

A picture is worth a thousand words, is an expression most of us have heard. We see a lot of things around us on a daily basis and subconciously have the ability to recognize and understand them. This ability of humans to me seems bizarre.

As a computer vision developer at Pegamento that is what I do, break down complex problems and turn them into solutions using images by meticulously extracting useful data.
With the world moving forward and new technologies emerging, complicated problems which were difficult to solve a decade earlier suddenly seem possible and viable. The future is full of new challenges and I look forward to them.

This story is written by Gunish, working as an AI developer at Pegamento.

Ewold Jansen-Service engineer Pegamento

Ewold Jansen

Service & Support Engineer

Hearing the wishes a customer has or the problems a customer is facing is important in order to then be able to help them properly. In both cases, I help find the right solution.

When the customer comes to us with a desire, they don’t know what all the options are. In this I advise them to make the right choices. When problems arise, listening to them is important. For example, a problem arises from a wrong action. By communicating well in this, many problems can be solved quickly by explaining it well. Through poor communication, a small problem can become very big.

This piece was written by Ewold Jansen, working as a Service & Support Engineer at Pegamento.

Andre Glasbergen-Scrum master Pegamento

Andre Glasbergen

Scrum Master

After completing my studies, I started working as a developer at a young Pegamento with a lot of ambition and enthusiasm. In the first years I learned all about process automation, now better known as RPA. I often had to rack my brains to convert the work instruction into a logical function, with not too many If-statements, so that the robot could perform the work.

I developed further and went to work as a consultant. Listening well to the customer and supporting in the pre-sales phase of projects. Executing projects and listening suited me very well. It was a small, but logical, step to now work as a Scrum Master and Project Manager. I have been supervising projects for a few years now. Such as RPA, Cloud applications and AI, according to the Human lead agile approach, We build this with a large team of specialists.

This piece was written by André Glasbergen, working as a Scrum Master at Pegamento.

Ensar Ari-IT engineer Pegamento

Ensar Ari

IT Engineer

Good communication between customer and organization is very important. As an organization, you naturally want to be easily accessible to your customers. Either via social media channels or via the old familiar telephone. Often organizations do not know exactly how they want their telephone line set up. That is why I like to help them think along and give them ideas. I believe there is a solution to every problem. But sometimes you just need someone who looks at the situation a little differently.

This piece was written by Ensar Ari, working as an IT Engineer at Pegamento.

Nini Heerings-Chief Happiness Officer Pegamento

Nini Heerings

Chief Happiness Officer

“You get to know someone better by playing for an hour than by talking for a year.”

This quote from Plato is totally hitting home for me. That’s why I like to connect people through play. Because while playing, you are totally on, all your senses at work.
In my great role as Chief Happiness Officer, I want to do that by connecting colleagues with each other and with the organization. In a creative and playful way that suits Pegamento.

When I’m not at work, I also enjoy connecting people. I do this by organizing The Playground, where adults play games you used to play in the schoolyard, gymnasium or neighborhood playground. The pure feeling of fun, total relaxation and no thoughts of anything but playing. That feeling is the goal.

This piece was written by Nini, working as Chief Happiness Officer at Pegamento.

Ger Koedam-Communication & Marketing Pegamento

Ger Koedam

Marketing & Communications

How can I help you? That’s pretty much the first question I ask when talking to people who are curious about our services. In such a conversation, the use of senses is very important. Because not everyone is the same. One person thinks in images, while for another words are important or how something feels. For me, sight and hearing are the most beautiful senses, because both eyes and ears absorb information and can convey or process emotions.

Why hearing? Because listening is essential in contact. And it’s the key to unlocking valuable insights.

I developed this skill early on. As a child, I enjoyed radio plays on the radio, bringing the stories to life in my head.

Pim Ritmijer-Software developer Pegamento

Pim Ritmeijer

Software Developer

Programming is more than just “code knocking. For me, listening to what the customer wants and visualizing that is an important part of software development.

Actively listening to a customer to understand the customer’s full story is crucial before building a solution. When you understand a customer’s story, you can think together about a solution that truly helps the customer.

Visualizing solutions is the next step for me. What will be the route we will climb to get to a solution? What challenges are we going to face to get to the top?

Like climbing, good preparation is valuable. Even though you can’t prepare for everything, preparation helps make the application fit the client’s needs as well as possible.

What a beautiful and fascinating profession programming is.

This piece was written by Pim Ritmeijer, working as a Software Developer at Pegamento.

Denise Verhoef-Software developer Pegamento

Denise Verhoef

Software Developer

Hearing is something you do a lot of as a programmer but also thinking, for example, when you are tasked with putting together a customer need. If the customer wants a function for his application, it is important that as a programmer you think carefully about which functions are functional and which functions are not. In this way, you will put together the most functional application possible and the customer will have a good end product. Turning needs into code into functionality is something I find interesting.

I am currently doing an internship at Pegamento and studying Software Developer. I get a lot of information that you have to process and apply. The nice thing about this is that you can learn new things but also that you can experience how it works in real business. I started this training last year and knew nothing about programming beforehand. Now I can find my own way with programming and I enjoy working with it. That you can get from a blank page to a functional application through code is cool!

This piece was written by Denise Verhoef, working as a Software Developer intern at Pegamento.

Remco Pabst-Business consultant Pegamento

Remco Pabst

Computer Vision & AI Lead

Using innovative software technology for people or business to make “things” easier and smarter is really a driving force. That’s why the connection between the senses appeals to me the most. Our brains connect the senses just like a business process connects people, systems (data) and logic. They register and trigger an action, exactly how it should be in an optimal workflow. Very cool what is already possible today when we add a lot of computational power to that as well.

Hearing also means a lot. Not because I like to listen to Jazz, Soul, Deep House or Focus-like music every day AND have to be able to listen well to interpret a wish or pain point, but more because not everyone can have all the senses at their disposal. Think of him or her with a visual impairment. The fact that in close cooperation we were able to apply AI, TTS/STT technology (which is still in development) for this often underserved group of people in today’s digital world and to improve the interaction and experience with it gives me a lot of energy and meaning to what I try to do with technology; create value.

This piece was written by Remco, working as a Business Consultant at Pegamento.

Thomas de Wolf-Vision Engineer Pegamento

Thomas de Wolf

R&D Director

Once when I had to choose which study I was going to do, I had a hard time making that choice. I was interested in engineering, but what I most wanted to do was just work with a team toward a common goal.

To this day, that is still what I love doing most. The technology has become image recognition and the team the computer vision department of Pegamento. So it’s logical that in terms of sense, I end up with “seeing. By using our image recognition solutions to see things in the real world, our entire team solves relevant problems for our customers. And because of the variation in customers, the places where our solutions end up are never the same. For example, one moment I am in the control room of a bridge and the next day I am on a production line for sandwiches or between the fences of a TBS clinic.

This piece was written by Thomas de Wolf, working as a Computer Vision & AI Lead at Pegamento.

Rob Roode-Research Development

Rob Roode

Research & Development

Recognizing and automating patterns. Tasks we are constantly working on when implementing our robots at Pegamento. My 2 Drentsche Patrijshonden are hunting dogs and certainly not robots. The hunting instinct and intuition is basically in their genes. Continuing to offer new forms of training has taught them to recognize and act independently in hunting situations. Even “unsupervised,” even if I’m not around.

But when you try to teach a brain something, it also starts to see things you don’t expect. Dogs pick up on the slightest deviation in your voice or directions. To start recognizing that and correcting it again is perhaps the most complex challenge. But in our work, for the wonderful clients for whom we get to work, it often yields the most beautiful new insights!

This piece was written by Rob, founder of Pegamento and in charge of Marketing and R&D.

Serge Poppes-CEO Pegamento

Serge Poppes

CEO

Feeling. That’s the best thing Pegamento stands for. Feeling for technology in the broadest sense of the word. Not only feeling for the exciting stuff like AI, but also for the basics of communication.

The very best part of my job is selling, listening, translating and thinking about what really matters. We bring the digital transformation with a great team!
The diversity of our team, how sharp we are, but especially the wonderful things we get to make makes me feel extremely good. Hence, I intuitively chose the sense of “feeling.

Feeling gives life and differentiation!