Governance Evidence Workflows
Qarion's AI Governance workspace turns product-level EU AI Act work into an evidence trail. Use it to screen AI systems before deployment, track risk controls, run conformity assessments, monitor serious incidents, and keep dashboard-level governance views current.
Where To Work
Most evidence work starts from an AI product in the Data Catalog. Open the product, then use the Governance tab group. The AI governance tabs are available for AI product types such as ML Model, AI System, LLM Agent, AI App, Agent, and Prompt Collection.
The space dashboards give compliance teams cross-product views:
| Surface | Use it for |
|---|---|
| Product Detail > Art. 5 Screening | Prohibited-practices screening for one AI product. |
| Product Detail > Risk Register | Product-linked AI risk entries and mitigation status. |
| Product Detail > Conformity | High-risk conformity assessment evidence and lifecycle actions. |
| Product Detail > Transparency | Article 50 notice status for one AI product. |
| Product Detail > AI Governance | Product-level governance score, completeness, drift, evidence, runtime event counts, and review requests. |
| Product Detail > Training Runs | Training, fine-tuning, evaluation, and deployment evidence for one AI product. |
| Product Detail > Performance & Safety | Accuracy, robustness, fairness, cybersecurity, and drift metrics with attestation. |
| Product Detail > Tech Docs | Annex IV technical documentation, attachments, export, auto-population, and AI-assisted change log drafting. |
| /risk-heat-map | Space-level aggregation of risk entries by category and tier. |
| /gpai-models | Space-level GPAI metadata completeness and systemic-risk view. |
| /regulatory-incidents | Space-level Article 62 serious-incident dashboard. |
| /transparency-dashboard | Space-level transparency notice compliance. |
| /documentation-status | Space-level AI documentation completeness. |
Recommended Sequence
- Confirm the product is modeled as an AI product and that its Model Details describe the provider role, deployment status, intended purpose, and EU AI Act fields.
- Run an Art. 5 prohibited-practices screening before launch or material scope changes.
- Create or refresh risk register entries for known risks, foreseeable misuse, mitigations, owners, and reassessment cadence.
- Record training runs, evaluation history, deployed-run evidence, and performance and safety metrics on the product evidence tabs.
- For high-risk systems, create a conformity assessment and attach evidence references to the Article 9-15 checklist.
- For GPAI models, confirm the GPAI source fields are complete enough for the dashboard score.
- Maintain transparency notices and technical documentation alongside conformity evidence.
- Use the dashboards to monitor risk distribution, missing documentation, GPAI metadata gaps, transparency gaps, and regulatory incident deadlines.
See AI Product Evidence for the Training Runs, Performance & Safety, AI Governance, and Tech Docs tabs.
Art. 5 Screening
Use Product Detail > Governance > Art. 5 Screening to create a draft questionnaire. If no responses are supplied, Qarion creates the default Article 5 questionnaire.
Each question accepts one of these answers:
| Answer | Meaning |
|---|---|
| yes | The product may match the prohibited-practice signal for that article. |
| no | The signal does not apply based on the current evidence. |
| na | The question is not applicable to this product. |
| unanswered | The screening is incomplete and cannot be submitted. |
Submitting a screening evaluates the saved responses. Any yes answer produces a prohibited outcome, sets the screening status to flagged, and records the flagged article references. If every question is answered with no or na, the outcome is cleared and the status becomes cleared.
Flagged screenings can receive a governance override only with a justification. Treat an override as an auditable exception decision, not as removal of the underlying risk signal.
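The submit and override rules above can be modelled as a small evaluator. This is an added example, not Qarion's implementation: the `Screening` class, the function names, and the article labels used as question keys are hypothetical, and rejecting an empty questionnaire is an assumption of the model.

```python
from dataclasses import dataclass, field
from typing import Optional

ANSWERS = {"yes", "no", "na", "unanswered"}

@dataclass
class Screening:
    # Maps an article reference to its answer. Keys are constructed labels,
    # not Qarion's default questionnaire.
    responses: dict
    status: str = "draft"
    outcome: Optional[str] = None
    flagged_articles: list = field(default_factory=list)
    override_justification: Optional[str] = None

def submit(s: Screening) -> Screening:
    if not s.responses:
        # Assumption: an empty questionnaire must never evaluate to "cleared".
        raise ValueError("screening has no questions")
    invalid = sorted(q for q, a in s.responses.items() if a not in ANSWERS)
    if invalid:
        raise ValueError(f"invalid answers for: {invalid}")
    missing = sorted(q for q, a in s.responses.items() if a == "unanswered")
    if missing:
        raise ValueError(f"cannot submit, unanswered: {missing}")
    s.flagged_articles = sorted(q for q, a in s.responses.items() if a == "yes")
    if s.flagged_articles:          # a single yes is enough to flag
        s.outcome, s.status = "prohibited", "flagged"
    else:                           # every answer is no or na
        s.outcome, s.status = "cleared", "cleared"
    return s

def override(s: Screening, justification: str) -> Screening:
    if s.status != "flagged":
        raise ValueError("overrides are only accepted for flagged screenings")
    if not justification or not justification.strip():
        raise ValueError("an override requires a justification")
    # Record the exception decision; outcome and flagged articles stay intact
    # so the underlying risk signal remains visible to auditors.
    s.override_justification = justification.strip()
    return s
```
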
Risk Register
Use Product Detail > Governance > Risk Register for product-linked AI risks and /risk-heat-map for the space-level view.
Risk entries capture:
- Category: bias, privacy, safety, security, transparency, environmental, fundamental_rights, or other.
- Severity, likelihood, and impact scores from 1 to 5.
- Status: open, mitigating, accepted, or closed.
- Linked product IDs, misuse scenarios, mitigations, residual-risk details, owner, and reassessment cadence.
Qarion computes the risk score from severity, likelihood, and impact, then derives the risk tier:
| Tier | Score threshold |
|---|---|
| unacceptable | 80 or higher |
| high | 50 or higher |
| limited | 25 or higher |
| minimal | Below 25 |
The heat map aggregates risk counts by category and tier, and shows total, open, mitigating, accepted, and closed counts for the space.
Conformity Assessment
Use Product Detail > Governance > Conformity for high-risk conformity evidence. New assessments start in draft status and include the default checklist for:
- Art. 9 Risk Management System
- Art. 10 Data Governance
- Art. 11 Technical Documentation
- Art. 12 Logging Capabilities
- Art. 13 Transparency
- Art. 14 Human Oversight
- Art. 15 Accuracy, Robustness, Cybersecurity
Assessment types are:
| Type | Use it for |
|---|---|
| self | Internal Annex VI self-assessment. |
| third_party | Annex VII notified-body assessment. |
| dual | Combined internal and third-party assessment path. |
While an assessment is draft or in_review, update checklist item status, notes, evidence references, notified-body details, validity dates, and reassessment reason. Submit moves a draft assessment to in_review. Review outcomes are pass, fail, or conditional; pass and conditional outcomes move the assessment to passed, while fail returns it to draft for remediation.
You can generate a draft EU Declaration of Conformity after the assessment is no longer draft. CE marking can be applied only after the assessment reaches passed.
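The lifecycle described above behaves as a guarded state machine. The following sketch is an added example and not Qarion's code: the `Assessment` class, the function names, and the evidence reference format are hypothetical, and only the statuses, outcomes, types, and checklist articles come from this page.

```python
from dataclasses import dataclass, field

CHECKLIST = ("Art. 9", "Art. 10", "Art. 11", "Art. 12", "Art. 13", "Art. 14", "Art. 15")
TYPES = {"self", "third_party", "dual"}
EDITABLE = {"draft", "in_review"}
OUTCOMES = {"pass", "fail", "conditional"}

@dataclass
class Assessment:
    assessment_type: str = "self"
    status: str = "draft"          # new assessments start in draft
    evidence: dict = field(default_factory=lambda: {a: [] for a in CHECKLIST})
    ce_marked: bool = False

    def __post_init__(self):
        if self.assessment_type not in TYPES:
            raise ValueError(f"unknown assessment type: {self.assessment_type}")

def attach_evidence(a: Assessment, article: str, ref: str) -> None:
    if a.status not in EDITABLE:
        raise PermissionError("only draft and in_review assessments are editable")
    if article not in a.evidence:
        raise KeyError(f"{article} is not on the Art. 9-15 checklist")
    a.evidence[article].append(ref)

def submit(a: Assessment) -> None:
    if a.status != "draft":
        raise ValueError("only a draft assessment can be submitted")
    a.status = "in_review"

def review(a: Assessment, outcome: str) -> None:
    if a.status != "in_review":
        raise ValueError("only an in_review assessment can be reviewed")
    if outcome not in OUTCOMES:
        raise ValueError(f"unknown review outcome: {outcome}")
    # fail returns the assessment to draft for remediation;
    # pass and conditional both complete it as passed.
    a.status = "draft" if outcome == "fail" else "passed"

def can_draft_declaration(a: Assessment) -> bool:
    return a.status != "draft"

def apply_ce_marking(a: Assessment) -> None:
    if a.status != "passed":
        raise PermissionError("CE marking requires a passed assessment")
    a.ce_marked = True
```
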
Regulatory Incidents
Use /regulatory-incidents for the Article 62 dashboard and issue detail pages for ticket-level follow-ups and reports.
The dashboard counts issue tickets that have a regulatory classification other than none. It shows:
- Open classified incidents.
- Overdue classified incidents with a deadline in the past.
- Classified incidents approaching their deadline within seven days.
- Resolved or closed classified incidents.
- A breakdown by regulatory classification.
Currently supported serious-incident classifications include health_safety, infrastructure, and fundamental_rights. Legacy classifications such as severe, high, and medium may also appear in older tickets.
For a classified incident, use follow-up entries to record authority contact, reference numbers, and investigation updates. The structured report combines ticket details, linked AI system metadata, root cause, corrective actions, reporter/assignee details, and follow-up history. The PDF export renders the same report for submission outside Qarion.
Operating Practices
- Re-run Art. 5 screening after material purpose, audience, data, deployment, or jurisdiction changes.
- Keep risk entries linked to affected products so the heat map and product detail view stay aligned.
- Keep training runs, deployed-run status, performance metrics, safety metrics, and technical documentation aligned with conformity evidence.
- Use evidence references that auditors can resolve, such as document IDs, analysis links, issue IDs, repository paths, or attachment IDs.
- Create a new conformity assessment for completed assessments that need reassessment; completed assessments are intentionally not editable.
- Keep regulatory classifications and deadlines on issue tickets current, because dashboard counts are derived from ticket fields.
Troubleshooting
| Symptom | What to check |
|---|---|
| An AI governance tab is missing | Confirm the catalog item is an AI product type and the required feature flag is enabled for the space. |
| Art. 5 screening will not submit | Every question must be answered with yes, no, or na. |
| Screening override is unavailable | Overrides are only accepted for flagged screenings and require a justification. |
| Risk heat map is empty | Create risk register entries in the current space and link them to products when product context matters. |
| Product governance score looks low | Use the AI Governance tab to identify incomplete owner, purpose, risk, data dependency, evaluation, policy, monitoring, or review checks. |
| Conformity checklist cannot be edited | Only draft and in_review assessments are editable. |
| CE marking action is unavailable | The assessment must have a passed review outcome first. |
| Regulatory dashboard counts look incomplete | Confirm issue tickets have a regulatory classification and deadline, and are in the expected space. |