EU AI Act Governance Playbook - Enterprise Risk Assessment

EU AI Act Controls

Assessment Tracks

Core Assessment Tools

18+

Compliance Frameworks

Program Overview

This playbook provides comprehensive guidance for Enterprise Risk Management professionals conducting technical risk assessments of AI systems to ensure compliance with the EU AI Act, ISO 42001, and NIST AI Risk Management Framework.

                    Who This Is For:
                    Enterprise AI Risk Assessors, Compliance Officers, Risk Management Professionals, AI Governance Teams. Note: This guide assumes you are NOT a Tenant Administrator and will need to request infrastructure resources from IT.
                

Target Industries: Fintech, Financial Services, Industrial sectors - particularly organizations deploying high-risk AI systems as defined by EU AI Act Annex III.

Two Assessment Tracks

Aspect	Azure AI Solutions Full Governance Track	Copilot Studio Fast-Track Governance
Use Cases	Custom agentic AI, in-house LLMs/SLMs, complex ML models, high-risk classification systems	Low-code agentic AI, Copilot agents, business automation, conversational AI
Infrastructure	Dedicated Azure subscription, OpenAI Service, ML Workspace, GPU compute, Purview, extensive tooling	Copilot Studio license, Power Platform environment, minimal additional infrastructure
Setup Time	2-4 weeks (full infrastructure provisioning)	3-5 days (primarily licensing and access)
Monthly Cost	$3,700 - $8,600 (Azure services + tools)	$800 - $2,500 (licenses + limited tools)
Tool Complexity	18+ specialized tools (Garak, PyRIT, MLflow, Evidently, etc.)	6-8 essential tools (simplified testing suite)
Security Testing	Full adversarial testing, custom red teaming, deep penetration testing	Managed security testing, built-in safeguards validation, configuration review
Data Governance	Azure Purview, custom lineage mapping, extensive PII scanning	Power Platform DLP, built-in compliance features, connector governance
EU Control Coverage	All 25 controls with deep technical validation	All 25 controls with configuration-based validation
Best For	Custom AI development, high-risk systems, complex architectures, advanced ML	Business users building copilots, low-code solutions, rapid deployment, managed services

Assessment Program Objectives

Compliance Verification

Validate adherence to all 25 EU AI Act control requirements (Articles 9-67) with documented evidence for conformity assessment.
Risk Identification & Mitigation

Identify technical risks across security, privacy, bias, performance, and safety domains. Develop mitigation strategies.
Continuous Monitoring

Establish production monitoring for drift detection, performance degradation, security threats, and incident response.
Documentation & Reporting

Generate comprehensive assessment reports, model cards, risk registers, and conformity declarations for regulatory submission.

Regulatory Framework Alignment

EU AI Act (Regulation 2024/1689)

Primary regulatory framework. Covers risk management (Art. 9), data governance (Art. 10), transparency (Art. 13), human oversight (Art. 14), accuracy/robustness (Art. 15), and conformity assessment (Art. 43-48).

High-Risk Systems: Annex III | 10-Year Log Retention: Art. 12 | €35M Max Penalties

ISO/IEC 42001:2023

AI Management System standard. Provides framework for responsible development and use of AI systems. Covers risk assessment (6.1), lifecycle management (8.2), and monitoring (9.1).

Certification Body Audits | Management System Requirements

NIST AI Risk Management Framework

US framework with international adoption. Four core functions: GOVERN, MAP, MEASURE, MANAGE. Provides risk assessment methodology and control mapping.

Voluntary Framework | Industry Best Practices

Getting Started

Choose Your Assessment Track: Navigate to "Azure AI Assessment" for comprehensive infrastructure-based assessments of custom AI solutions, or "Copilot Studio Assessment" for fast-track governance of low-code agentic AI built in Microsoft Copilot Studio.

Reference Materials: Visit the "Summary & Reference" section for detailed EU AI Act control catalog, complete technical resource inventory, and risk assessment methodology.

Assessment Scope Definition

Identify AI Systems in Scope

Azure OpenAI Deployments: GPT-4, GPT-3.5-turbo, custom fine-tuned models
Azure ML Models: Classification, regression, clustering models
Agentic Systems: LangChain agents, AutoGPT, custom agent frameworks
Custom LLMs/SLMs: Self-hosted or Azure-deployed language models
Classify AI Systems by EU Risk Tier

High-Risk (Annex III): Credit scoring, employment decisions, critical infrastructure, law enforcement, biometric identification
Limited-Risk: Chatbots with transparency obligations
Minimal-Risk: Spam filters, inventory management
Map Stakeholders

Approvers: Azure Platform Team, IT Infrastructure, Security Team, Compliance Officer, Budget Approvers
Collaborators: Model developers, data scientists, business owners, legal counsel
Governance: AI Ethics Board, Risk Committee, Audit Team

Budget & Resource Planning

Resource Category	Monthly Cost Estimate	Justification
Azure OpenAI (Testing)	$500 - $1,500	Security testing requires 1000+ adversarial queries per assessment (EU-07)
Azure ML Workspace + Compute	$1,000 - $2,000	Model versioning, experiment tracking, conformity assessment (EU-03, EU-09)
GPU VM (Adversarial Testing)	$300 - $500	Adversarial robustness testing required by EU Article 15
Azure Storage (WORM, 10-year)	$100 - $200	Immutable log storage mandated by EU Article 12
Azure Purview	$500 - $800	Data governance and lineage tracking (EU-02, EU-10)
Application Insights + Monitor	$600 - $1,300	Comprehensive logging and 10-year retention (EU-04, EU-08)
LangSmith (Agentic AI)	$500 - $2,000	Agent tracing required for EU-04, EU-06, EU-17 compliance
Total	$3,500 - $8,300/month	Regulatory compliance program

Program Timeline

Timeframe	Activities	Deliverables
Week 1	Submit IT infrastructure request, secure budget approval, workstation setup	Approved IT ticket, budget confirmation
Weeks 2-3	IT provisions Azure resources, install local tools, configure authentication	Access credentials, tool installations complete
Week 4	Test connectivity, run first security scans, configure monitoring	First Garak scan, MLflow operational
Month 2+	Monthly assessments, quarterly compliance reviews, continuous monitoring	Assessment reports, EU control evidence

Priority 1: Critical Resources

Submit these requests immediately - 2-3 week lead time required. See Planning phase for complete details.

Key Infrastructure Requests: Azure testing subscription/RG, Azure OpenAI Service, Azure ML Workspace, Service Principal, Assessment VM, Azure Storage (WORM), Azure Purview, Application Insights, Azure Monitor Logs, Network/VPN access.

Essential Software

Install while waiting for Azure infrastructure provisioning.

Azure CLI - Authentication and resource management
Python 3.10+ - Create virtual environment for assessment tools
Visual Studio Code - Script development and notebooks
Git - Version control
Docker Desktop (optional) - Containerized tools

Week 1: Critical Tools

Garak - pip install garak (LLM vulnerability scanner)
PyRIT - pip install pyrit (Microsoft red teaming)
MLflow - pip install mlflow azureml-mlflow (experiment tracking)
DeepEval - pip install deepeval (LLM testing)
Evidently - pip install evidently (drift detection)
LangSmith - Sign up at smith.langchain.com (agentic AI tracing)

Week 2-3: Additional Tools

Fairlearn - pip install fairlearn (bias testing)
Presidio - pip install presidio-analyzer presidio-anonymizer (PII detection)
SHAP & LIME - pip install shap lime (explainability)
Azure SDKs - pip install azure-ai-ml azure-identity azure-storage-blob

Configuration Checklist

Authenticate Azure CLI: az login
Verify Azure OpenAI endpoint access and list deployments
Connect to Azure ML Workspace and access model registry
Access Azure Purview catalog and review data lineage
Verify WORM storage configuration (10-year retention)
Access Application Insights and Azure Monitor Logs
Set up LangSmith project for agentic AI tracing
Store all credentials in .env file (never commit to Git)

Monthly Assessment Workflow

Week 1: Discovery & Security Testing

Query Azure ML model registry for systems to assess
Run Garak security scan on all Azure OpenAI deployments
Execute PyRIT red team campaign on high-risk models
Test agentic systems for tool access control violations

Week 2: Performance & Bias Testing

DeepEval hallucination testing for LLMs
Agent reasoning validation using LangSmith traces
Fairness testing on classification models (Fairlearn)
Performance metrics validation in MLflow

Week 3: Privacy & Explainability

Presidio PII scanning on training data and outputs
Azure Purview data lineage audit
SHAP/LIME explainability analysis
Evidently drift detection on production data

Week 4: Documentation & Reporting

Update model cards and technical documentation
Compile evidence for all 25 EU AI Act controls
Generate assessment report with risk ratings
Log findings in Azure DevOps, present to stakeholders

Copilot Studio Assessment Overview

                    When to Use This Track:
                    Use the Copilot Studio assessment track when evaluating conversational AI agents built in Microsoft Copilot Studio (formerly Power Virtual Agents), including custom copilots, business automation agents, and customer service bots.
                

Microsoft Copilot Studio is a low-code platform for building conversational AI agents. Unlike custom Azure AI solutions, Copilot Studio provides managed services with built-in security, compliance features, and governance capabilities that simplify the assessment process.

Key Differences from Azure AI Track

Assessment Area	Azure AI (Custom Solutions)	Copilot Studio (Managed Platform)
Infrastructure Setup	Dedicated subscription, OpenAI service, ML workspace, GPU compute, Purview	Copilot Studio license, Power Platform environment, minimal add-ons
Security Testing	Custom red teaming with Garak, PyRIT; adversarial attack generation	Configuration review, built-in content filter validation, connector security
Data Governance	Azure Purview for full lineage mapping, custom PII scanning	Power Platform DLP policies, built-in data connectors with pre-configured governance
Monitoring	Custom MLflow, Evidently dashboards, Application Insights configuration	Built-in Copilot Studio analytics, Power Platform Center of Excellence toolkit
Explainability	SHAP, LIME analysis, custom reasoning traces	Built-in conversation transcripts, topic analysis, automated summaries
Logging	Custom Azure Monitor configuration, 10-year retention setup	Dataverse for Teams with retention policies, built-in audit logs

EU AI Act Compliance in Copilot Studio

All 25 EU AI Act controls still apply, but implementation differs:

Managed Security (EU-07, EU-18)

Microsoft manages underlying infrastructure security. Assessment focuses on configuration validation rather than penetration testing.

Built-in DLP (EU-15, EU-21)

Power Platform DLP policies automatically prevent PII exposure through connectors. Assess policy configuration rather than building custom scanning.

Transparency by Design (EU-05, EU-13)

Copilot Studio includes built-in transparency features (system messages, AI disclosure). Validate configuration and user-facing documentation.

Simplified Monitoring (EU-09)

Built-in analytics dashboard provides conversation metrics, user satisfaction, topic performance. Less custom tooling required.

Assessment Scope: What to Evaluate

Copilot Configuration

Authentication settings, generative AI features enabled, topic design, entities and variables, fallback behavior, escalation paths
Data Connectors & Integrations

Power Automate flows, SharePoint connections, Dynamics 365 integrations, custom connectors, API permissions, OAuth scopes
Content & Knowledge Sources

SharePoint sites indexed, generative answers configuration, citation requirements, content freshness, data classification
Security & Access Controls

DLP policies applied, authentication requirements, role-based access, environment security, connector governance
User Experience & Transparency

AI disclosure messages, system instructions visible to users, conversation handoff to humans, error handling, user feedback collection

Required Licenses & Access

Copilot Studio License

Request from IT: Copilot Studio license ($200/user/month or consumption-based)
Access Level: At minimum "User" role to test copilots; "Admin" role preferred for full configuration review
Environment: Access to Production environment where copilots are deployed
Justification: Required to review copilot configuration, test conversations, access analytics (EU-01, EU-03)
Power Platform Admin Center Access

Request from IT: Power Platform Administrator or Environment Admin role
Purpose: Review DLP policies, environment settings, connector governance, audit logs
Justification: Required for EU-02 (Data Governance), EU-15 (Data Confidentiality) validation
Dataverse for Teams Access

Request from IT: Read access to Dataverse tables storing conversation logs
Purpose: Access conversation history, user interactions, copilot performance metrics
Justification: Required for EU-04 (Record Keeping), EU-08 (Automatic Logging)
Microsoft Purview (Optional)

Request from IT: Purview Compliance Portal access for DLP policy management
Purpose: Review sensitivity labels, DLP rules, compliance reports
Priority: Optional but recommended for enterprise deployments

Workstation Setup (Simplified)

Tool	Purpose	Installation
Web Browser	Access Copilot Studio portal, Power Platform Admin Center	Microsoft Edge or Chrome (latest version)
Power Platform CLI	Automate environment queries, export copilot configurations	Download from: aka.ms/PowerPlatformCLI
Excel / Power BI	Analyze conversation data, create compliance dashboards	Part of Microsoft 365
Python (Optional)	Script automated testing, analyze exported data	python.org - Only if automation needed
Presidio (Optional)	Validate PII detection in conversations	pip install presidio-analyzer
CoE Toolkit (Optional)	Power Platform Center of Excellence analytics	Install from PowerApps solution gallery

No Azure Infrastructure Required: Unlike Azure AI track, Copilot Studio assessments do not require dedicated Azure subscriptions, GPU VMs, or custom ML workspaces. All infrastructure is managed by Microsoft.

Cost Comparison

Component	Azure AI Track Cost	Copilot Studio Track Cost
Licenses	N/A	$200-600/month (Copilot Studio)
Azure Infrastructure	$3,000-6,500/month	$0 (managed service)
Assessment Tools	$500-2,000/month (LangSmith, etc.)	$200-500/month (minimal tooling)
Storage & Logging	$600-1,300/month	$100-200/month (Dataverse storage)
Total	$4,100-9,800/month	$500-1,300/month

                    85-90% Cost Reduction: Copilot Studio's managed service model significantly reduces infrastructure costs while maintaining EU AI Act compliance through built-in governance features.
                

Setup Timeline

Day	Activities	Deliverables
Day 1	Request Copilot Studio license and Power Platform admin access	IT ticket submitted
Day 2-3	Receive access, install Power Platform CLI, browser setup	Access confirmed, basic tools ready
Day 4	Review copilot inventory, identify assessment targets	Copilot inventory spreadsheet
Day 5	Conduct first configuration review, test sample conversations	Initial assessment findings
Week 2+	Complete assessments, document EU controls, generate reports	Compliance documentation

Phase 1: Configuration Review

Access Copilot Studio Portal

Navigate to copilotstudio.microsoft.com → Sign in with corporate credentials → Select environment (Production) → View all copilots
Review Authentication Settings EU-06, EU-14

Check: Authentication required? No authentication allows anonymous access
Validate: OAuth configuration for Teams, web channel security
Document: Who can access the copilot, how identity is verified
Evidence: Screenshot of authentication configuration
Audit Generative AI Configuration EU-07, EU-20

Settings → AI Capabilities: Is "Generative answers" enabled?
Content Moderation: What content filtering level is set? (Low/Medium/High)
Citation Requirement: Are citations enabled for generated responses?
Model Version: Which GPT model is configured? Document model name
Evidence: Export configuration as JSON
Review Knowledge Sources EU-02, EU-10

Check: Which SharePoint sites or URLs are indexed?
Data Classification: Are knowledge sources properly labeled (Public/Internal/Confidential)?
Refresh Schedule: How often is content re-indexed?
Consent: Do you have authorization to use this data for AI?
Evidence: List of knowledge sources with classification labels
Validate Topics & Conversation Design EU-17

Review: All topics, trigger phrases, conversation flows
Check: Are escalation paths to humans defined?
Validate: Error handling and fallback topics configured
Test: Out-of-scope queries properly handled
Evidence: Topic list export, flow diagrams

Phase 2: Security & Data Governance Testing

Power Platform DLP Policy Review EU-15, EU-21

Navigate to: Power Platform Admin Center → Policies → Data policies
Check: Which DLP policies apply to copilot environment?
Connector Classification: Business | Non-business | Blocked
High-Risk Connectors: Ensure SQL, SharePoint, external APIs have proper governance
Evidence: DLP policy export, connector classification list
Test Conversation for PII Handling EU-15

Manual Test: Start conversation, provide fake PII (SSN, credit card, phone number)
Observe: Does copilot refuse to process? Store? Display PII?
DLP Validation: Confirm DLP policy blocks PII in Power Automate flows
Optional Tool: Use Presidio to scan conversation logs for PII leakage
Evidence: Test conversation transcripts, DLP block notifications
Review Power Automate Flow Security EU-06, EU-18

Identify Flows: List all Power Automate flows triggered by copilot
Connector Permissions: What data sources can flows access?
Approval Gates: Are there human approval steps for high-risk actions?
Error Handling: What happens if flow fails?
Evidence: Flow diagrams, connection references, permission matrix
Audit Dataverse Data Access EU-04, EU-21

Check: Which Dataverse tables does copilot read/write?
Role-Based Access: Are security roles properly configured?
Field-Level Security: Is PII protected at field level?
Retention: How long are conversation logs retained?
Evidence: Security role assignments, table permissions, retention policies

Phase 3: Performance & User Experience Testing

Conversational Testing EU-07

Test Scenarios: Create 20-30 test conversations covering: in-scope topics, out-of-scope queries, ambiguous requests, multi-turn conversations, error conditions
Accuracy Assessment: Did copilot provide correct answers? Rate each response (Correct/Incorrect/Partially Correct)
Hallucination Check: Did copilot invent information not in knowledge sources?
Evidence: Test conversation logs with accuracy ratings
Review Built-in Analytics EU-09

Navigate to: Copilot Studio → Analytics tab
Metrics to Document: Total conversations, resolution rate, escalation rate, CSAT scores, topic performance
Trend Analysis: Compare last 7/30/90 days - is performance degrading?
Evidence: Analytics dashboard screenshots, exported metrics
Transparency Validation EU-05, EU-13

Check Welcome Message: Does it disclose "You're talking to an AI"?
System Messages: Are limitations clearly communicated?
Citations: For generative answers, are sources cited?
Handoff Message: Is human escalation clearly explained?
Evidence: Screenshots of disclosure messages

Phase 4: Logging & Auditability

Access Conversation Logs EU-04, EU-08

Method 1: Copilot Studio → Analytics → Conversations (last 30 days)
Method 2: Dataverse → ConversationTranscript table (long-term storage)
Verify: Full conversation history captured (inputs, outputs, timestamps, user IDs)
Retention: Confirm 10-year retention policy configured in Dataverse
Evidence: Sample conversation transcript with metadata
Audit Log Review EU-06

Power Platform Admin Center: Analytics → Audit logs
Filter: Copilot-related activities (edits, publishes, permission changes)
Validate: Who modified copilot configuration? When?
Evidence: Audit log export showing configuration changes
Export Compliance Data EU-23

Export Copilot: Settings → Export (saves as .zip with all topics and settings)
Export Conversations: Analytics → Export to Excel (last 30 days)
Export DLP Policies: Power Platform Admin Center → Export
Storage: Save to secure location with version control
Evidence: Exported files with timestamp for audit trail

Copilot Studio Testing Checklist

Test Category	Tests Performed	Pass/Fail Criteria	Evidence
Authentication	Verify auth required, test unauthorized access	PASS: Auth required and enforced	Config screenshot, test log
Content Filtering	Test harmful prompts, inappropriate content	PASS: Content blocked by filters	Test conversation transcripts
PII Handling	Submit PII, check DLP enforcement	PASS: PII not stored or exposed	DLP block notifications
Accuracy	20 test conversations, rate responses	PASS: >85% accurate responses	Test results spreadsheet
Transparency	Check AI disclosure, citations	PASS: All disclosure present	Screenshots of messages
Logging	Verify conversation capture, retention	PASS: All logs captured, 10-year retention	Sample logs, retention policy

Simplified Compliance: Built-in vs. Custom

Key Advantage: Many EU AI Act requirements are satisfied through Copilot Studio's built-in features rather than custom tooling. This section maps each control to the appropriate validation method.

EU Control	Azure AI Approach	Copilot Studio Approach	Complexity
EU-01 Risk Management	Custom risk register in Azure DevOps, quarterly reviews	Risk register in SharePoint/Excel, review copilot analytics for incidents	Same
EU-02 Data Governance	Azure Purview for lineage, custom PII scans	Document SharePoint sources, verify DLP policies, sensitivity labels	Simpler
EU-03 Documentation	Model Cards Toolkit, Azure ML registry	Export copilot configuration, document topics and flows	Simpler
EU-04 Record Keeping	Azure Monitor, Application Insights, WORM storage	Dataverse conversation logs with retention policy	Simpler
EU-05 Transparency	Custom disclosure implementation	Built-in system messages, configure welcome message	Much Simpler
EU-06 Human Oversight	Custom Logic Apps approval workflows, LangSmith tracing	Escalation topic design, Power Automate approval flows	Simpler
EU-07 Accuracy & Security	Garak, PyRIT, adversarial testing, custom performance tests	Manual conversation testing, validate content filters, review analytics	Moderately Simpler
EU-15 Data Confidentiality	Presidio scanning, Purview DLP, custom encryption checks	Power Platform DLP validation, test PII handling	Much Simpler
EU-16 Bias Mitigation	Fairlearn, AIF360, custom fairness audits	Review conversation analytics by user demographics (if captured)	Similar
EU-17 Explainability	SHAP, LIME, LangSmith reasoning traces	Conversation transcripts show topic flows, citations enabled	Simpler
EU-20 Generative AI Transparency	Custom watermarking, training data documentation	Citation feature enabled, document knowledge sources	Simpler

Evidence Collection for Copilot Studio

For each EU control, collect the following evidence:

Configuration Exports EU-03, EU-11

Export copilot as .zip file (includes all topics, entities, variables). Store with version control. Documents technical configuration for conformity assessment.

Conversation Transcripts EU-04, EU-08

Export sample conversations from Analytics dashboard. Redact PII. Demonstrates logging completeness and conversation quality.

DLP Policy Documentation EU-15

Export DLP policies from Power Platform Admin Center. Screenshot connector classifications. Proves data governance controls.

Analytics Reports EU-09

Monthly snapshots of copilot analytics (resolution rate, CSAT, volume). Track trends over time. Supports post-market monitoring.

Test Results EU-07

Document accuracy testing (20+ conversations), security testing (PII handling), content filter validation. Store in SharePoint with timestamps.

Audit Logs EU-06, EU-23

Export Power Platform audit logs showing copilot modifications. Demonstrates change management and human oversight.

Copilot Studio Assessment Report Template

Report Structure: Create a standardized assessment report for each copilot evaluated.

Report Sections:

Executive Summary - Copilot name, risk tier, overall compliance rating, key findings
Copilot Overview - Purpose, users, channels (Teams/Web/etc.), knowledge sources, integrations
Configuration Review - Authentication, generative AI settings, DLP policies applied
Security Testing Results - PII handling tests, content filter validation, connector security
Performance Assessment - Accuracy testing results, analytics review, user satisfaction scores
EU Control Compliance - Status for all 25 controls with evidence references
Findings & Recommendations - Issues identified, remediation steps, priority levels
Evidence Appendix - Links to stored evidence (exports, screenshots, test logs)

How to Use This Catalog

Purpose: This catalog provides detailed information for each of the 25 EU AI Act controls that must be validated during AI system assessments. Use this as your compliance checklist and evidence mapping guide.

EU-01 Article 9

Risk Management Process

Purpose / Risk Mitigated: Identify, analyze, and mitigate risks during development and operation of AI systems.

Operational Implementation

Maintain documented risk register; evaluate each use case via AI risk taxonomy; re-assess quarterly. Include likelihood, impact, detectability scores.

Evidence Required

Risk register (Excel/DevOps), impact assessments, mitigation action plans, quarterly review reports

EU-02 Article 10

Data Governance & Data Quality Controls

Purpose / Risk Mitigated: Ensure training and input data are relevant, representative, and error-free to prevent discriminatory outcomes.

Operational Implementation

Apply data lineage tracking (Azure Purview); conduct data audits and quality checks; label dataset sources and licenses; document data collection methodology

Evidence Required

Dataset inventory, data quality reports, lineage diagrams, source documentation, consent records

EU-03 Article 11, Annex IV

Technical Documentation & Model Card

Purpose / Risk Mitigated: Provide documentation for transparency and auditability of AI system design and capabilities.

Operational Implementation

Maintain system card + model card; include intended purpose, architecture, limitations, performance metrics, training procedure, validation results

Evidence Required

Technical documentation, model cards, architecture diagrams, change logs, version history

EU-04 Article 12, Article 19

Record Keeping & Logging

Purpose / Risk Mitigated: Enable traceability of agent decisions and tool actions for post-incident analysis and regulatory inspection.

Operational Implementation

Log inputs, prompts, tool calls, decisions, outputs, approvals, outcomes in immutable format (Azure Monitor, Dataverse). Minimum 10-year retention for high-risk systems

Evidence Required

Tamper-evident logs (WORM storage), hash verifications, log retention policies, sample log exports

EU-05 Article 13, Article 52

Transparency & Disclosure

Purpose / Risk Mitigated: Inform users that they interact with AI and describe system capabilities to prevent deception.

Operational Implementation

Provide user-facing disclosure banners ("You are interacting with AI"); publish "Agent System Card" with capabilities and limitations

Evidence Required

Transparency statement, system card copy, website/app disclosure screenshots, user notification logs

EU-06 Article 14

Human Oversight

Purpose / Risk Mitigated: Guarantee meaningful human control over automated decisions, especially high-risk actions.

Operational Implementation

Define "human-in-loop" and "human-on-loop" approval gates per action type; dual approvals for high-risk decisions; kill-switch capability

Evidence Required

Oversight policy document, approval logs with timestamps, training materials for human reviewers, escalation workflows

EU-07 Article 15

Accuracy, Robustness, and Cybersecurity

Purpose / Risk Mitigated: Ensure reliable outputs and protection against manipulation, attacks, and security breaches.

Operational Implementation

Evaluate model accuracy ≥95% on defined test set; run adversarial and jailbreak tests monthly (Garak, PyRIT); secure APIs with mTLS; implement content filtering

Evidence Required

Performance test results (accuracy, precision, recall), red-team logs, adversarial robustness scores, penetration test reports, security scan outputs

EU-08 Article 12, Article 19

Automatic Logging of Decisions & Actions

Purpose / Risk Mitigated: Provide continuous audit trail for post-incident analysis and regulatory inspection.

Operational Implementation

Implement telemetry pipeline capturing every tool-call and user interaction (Application Insights, LangSmith). Automatic, no manual intervention required

Evidence Required

Structured JSON logs, retention policy documentation (≥10 years), sample traces showing complete decision chains

EU-09 Article 61-62

Post-Market Monitoring System

Purpose / Risk Mitigated: Detect risks emerging during deployment through continuous performance monitoring.

Operational Implementation

Establish monitoring pipeline (drift detection, incidents, user complaints); triage via risk dashboard; monthly reviews; alert on performance degradation

Evidence Required

Monitoring plan document, incident register, escalation logs, monthly monitoring reports, drift detection alerts

EU-10 Article 65-67

Corrective Action Procedure

Purpose / Risk Mitigated: Rapidly mitigate non-conformities and safety issues when identified.

Operational Implementation

Maintain "kill-switch" capability; define retraining workflow triggers; report corrective actions to compliance officer within defined SLA

Evidence Required

Corrective action reports with timestamps, root-cause analysis documents, retraining justifications, kill-switch activation logs

EU-11 Article 48, Annex V

Provider Declaration of Conformity

Purpose / Risk Mitigated: Certify compliance of system before market deployment via formal declaration.

Operational Implementation

Draft Declaration referencing control evidence and CE mark process; legal review required; signed by authorized representative

Evidence Required

Signed Declaration of Conformity document, supporting test summary, CE mark documentation (if applicable)

EU-12 Article 51, Annex VIII

Registration in EU AI Database

Purpose / Risk Mitigated: Register high-risk systems before deployment for regulatory visibility.

Operational Implementation

Submit registration form via Commission database with conformity reference; update annually or upon significant changes

Evidence Required

Database entry receipt, registration confirmation number, annual renewal tracking

EU-13 Article 11(2), Annex IV

Instructions for Use

Purpose / Risk Mitigated: Supply clear operational guidance to deployers and users.

Operational Implementation

Publish usage manual including inputs, risks, monitoring requirements, maintenance intervals, troubleshooting guides

Evidence Required

"Instructions for Use" PDF/document, version control, distribution logs showing who received instructions

EU-14 Article 13(3)

Information Provision to Users

Purpose / Risk Mitigated: Provide clear user documentation on limitations and accuracy.

Operational Implementation

Include accuracy scores, performance ranges, known failure modes in user-facing documentation; create FAQ

Evidence Required

User documentation package, FAQ, training content, user acceptance testing records

EU-15 Article 10(5), GDPR Article 25

Data Access & Confidentiality Safeguards

Purpose / Risk Mitigated: Ensure data confidentiality in processing, prevent unauthorized access and PII exposure.

Operational Implementation

Apply encryption (at rest and in transit), DLP policies, sensitivity labeling, access controls (Azure Purview, MIP). Regular PII scanning (Presidio)

Evidence Required

Data protection logs, DLP configurations, encryption certificates, PII scan results, access control matrices

EU-16 Recital 44, Annex IV(2)(b)

Bias & Discrimination Mitigation

Purpose / Risk Mitigated: Prevent bias in datasets and model behavior that could lead to discriminatory outcomes.

Operational Implementation

Run fairness audits using Fairlearn/AIF360 quarterly; test demographic parity, equalized odds; maintain mitigation records; 80% rule compliance

Evidence Required

Fairness audit reports, demographic parity metrics, bias remediation logs, group-level performance comparisons

EU-17 Article 13(2)

Explainability & Justification of Outputs

Purpose / Risk Mitigated: Ensure users can interpret reasoning behind AI decisions for transparency and contestability.

Operational Implementation

Require models to produce traceable reasoning/citations; measure interpretability scores; use SHAP/LIME for explanations; LangSmith for agent traces

Evidence Required

Explainability evaluation results, feature importance rankings, local explanation samples, agent reasoning traces

EU-18 Article 15(2), Annex IV(2)(h)

Security of Model and Supply Chain

Purpose / Risk Mitigated: Protect models from adversarial manipulation and ensure supply chain integrity.

Operational Implementation

Generate SBOM/ML-BOM for models; verify SLSA level; patch CVEs in ML libraries; track model provenance

Evidence Required

Software Bill of Materials (SBOM), vulnerability scan reports, patch management logs, supply chain verification documents

EU-19 Article 5, Annex I

Prohibited Practices Exclusion

Purpose / Risk Mitigated: Verify system does not use subliminal, manipulative, or social scoring functions prohibited by EU law.

Operational Implementation

Conduct red-team tests for manipulation techniques; document absence of banned features; legal review of use case

Evidence Required

Compliance checklist, red team test logs, legal opinion confirming no prohibited practices

EU-20 Article 52(1-3) GPAI

Generative AI Transparency & Copyright Attribution

Purpose / Risk Mitigated: For GPAI: disclose content origin, watermark outputs, list training data sources for copyright compliance.

Operational Implementation

Embed watermark using C2PA standard; publish data summary statement listing training sources; detect AI-generated content

Evidence Required

Watermark verification logs, data summary document, copyright compliance attestation, training data manifest

EU-21 Article 10(5), GDPR Article 12-23

User Data Rights Management

Purpose / Risk Mitigated: Respect rights of data subjects (access, deletion, correction) per GDPR.

Operational Implementation

Implement data access, deletion, and correction channels; respond to DSAR within 30 days; maintain request logs

Evidence Required

Data subject request logs, response time metrics, deletion verification reports, process documentation

EU-22 Article 14(4)

Human Competence & Training

Purpose / Risk Mitigated: Ensure staff understand oversight responsibilities and can effectively monitor AI systems.

Operational Implementation

Provide training and attestation to human reviewers; define competency requirements; annual refresher courses

Evidence Required

Training logs with attendance records, competency assessment results, annual attestation forms

EU AI Act Governance Readiness Playbook

EU AI Act Governance Assessment Program

Azure AI Phase 1: Planning & Preparation

Azure AI Phase 2: IT Infrastructure Request

Azure AI Phase 3: Workstation Setup

Azure AI Phase 4: Tool Installation

Azure AI Phase 5: Azure Configuration

Azure AI Phase 6: Assessment Execution

Copilot Studio Fast-Track Governance Introduction

Copilot Studio Setup Requirements

Copilot Studio Assessment Process

Copilot Studio EU AI Act Compliance Mapping

EU AI Act Control Catalog