Governance Evidence Workflows

Qarion's AI Governance workspace turns product-level EU AI Act work into an evidence trail. Use it to screen AI systems before deployment, track risk controls, run conformity assessments, monitor serious incidents, and keep dashboard-level governance views current.

Where To Work

Most evidence work starts from an AI product in the Data Catalog. Open the product, then use the Governance tab group. The AI governance tabs are available for AI product types such as ML Model, AI System, LLM Agent, AI App, Agent, and Prompt Collection.

The space dashboards give compliance teams cross-product views:

| Surface | Use it for |
| --- | --- |
| Product Detail > Art. 5 Screening | Prohibited-practices screening for one AI product. |
| Product Detail > Risk Register | Product-linked AI risk entries and mitigation status. |
| Product Detail > Conformity | High-risk conformity assessment evidence and lifecycle actions. |
| Product Detail > Transparency | Article 50 notice status for one AI product. |
| Product Detail > AI Governance | Product-level governance score, completeness, drift, evidence, runtime event counts, and review requests. |
| Product Detail > Training Runs | Training, fine-tuning, evaluation, and deployment evidence for one AI product. |
| Product Detail > Performance & Safety | Accuracy, robustness, fairness, cybersecurity, and drift metrics with attestation. |
| Product Detail > Tech Docs | Annex IV technical documentation, attachments, export, auto-population, and AI-assisted change log drafting. |
| /risk-heat-map | Space-level aggregation of risk entries by category and tier. |
| /gpai-models | Space-level GPAI metadata completeness and systemic-risk view. |
| /regulatory-incidents | Space-level Article 62 serious-incident dashboard. |
| /transparency-dashboard | Space-level transparency notice compliance. |
| /documentation-status | Space-level AI documentation completeness. |

  1. Confirm the product is modeled as an AI product and that its Model Details describe the provider role, deployment status, intended purpose, and EU AI Act fields.
  2. Run an Art. 5 prohibited-practices screening before launch or material scope changes.
  3. Create or refresh risk register entries for known risks, foreseeable misuse, mitigations, owners, and reassessment cadence.
  4. Record training runs, evaluation history, deployed-run evidence, and performance and safety metrics on the product evidence tabs.
  5. For high-risk systems, create a conformity assessment and attach evidence references to the Article 9-15 checklist.
  6. For GPAI models, confirm the GPAI source fields are complete enough for the dashboard score.
  7. Maintain transparency notices and technical documentation alongside conformity evidence.
  8. Use the dashboards to monitor risk distribution, missing documentation, GPAI metadata gaps, transparency gaps, and regulatory incident deadlines.

See AI Product Evidence for the Training Runs, Performance & Safety, AI Governance, and Tech Docs tabs.

Art. 5 Screening

Use Product Detail > Governance > Art. 5 Screening to create a draft questionnaire. If no responses are supplied, Qarion creates the default Article 5 questionnaire.

Each question accepts one of these answers:

| Answer | Meaning |
| --- | --- |
| yes | The product may match the prohibited-practice signal for that article. |
| no | The signal does not apply based on the current evidence. |
| na | The question is not applicable to this product. |
| unanswered | The screening is incomplete and cannot be submitted. |

Submitting a screening evaluates the saved responses. Any yes answer produces a prohibited outcome, sets the screening status to flagged, and records the flagged article references. If every question is answered with no or na, the outcome is cleared and the status becomes cleared.

Flagged screenings can receive a governance override only with a justification. Treat an override as an auditable exception decision, not as removal of the underlying risk signal.
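
The submit and override rules above, modeled locally as an added example (not Qarion's code or API). The function names, dictionary shapes, and sample question keys are hypothetical, and keeping the status as flagged after an override is an assumption that follows the guidance to treat an override as an exception record.

```python
# Hypothetical local model of the Art. 5 screening rules; not Qarion code.
VALID_ANSWERS = {"yes", "no", "na"}


def submit_screening(responses: dict) -> dict:
    """responses maps an article reference to yes / no / na / unanswered."""
    incomplete = sorted(q for q, a in responses.items() if a not in VALID_ANSWERS)
    if incomplete:
        # An unanswered question blocks submission entirely.
        raise ValueError(f"cannot submit, unanswered: {incomplete}")
    flagged = sorted(q for q, a in responses.items() if a == "yes")
    if flagged:
        # A single yes is enough for a prohibited outcome.
        return {"outcome": "prohibited", "status": "flagged",
                "flagged_articles": flagged, "override": None}
    return {"outcome": "cleared", "status": "cleared",
            "flagged_articles": [], "override": None}


def override(screening: dict, approver: str, justification: str) -> dict:
    if screening["status"] != "flagged":
        raise ValueError("only flagged screenings can be overridden")
    if not justification.strip():
        raise ValueError("override requires a justification")
    # Assumption: the override is stored beside the signal, and the flagged
    # article references stay on the record for auditors.
    return {**screening,
            "override": {"approver": approver, "justification": justification}}


if __name__ == "__main__":
    # Constructed sample responses, not the default questionnaire.
    sample = {"Art. 5(1)(a)": "no", "Art. 5(1)(c)": "yes", "Art. 5(1)(f)": "na"}
    result = submit_screening(sample)
    print(result["status"], result["flagged_articles"])
    print(override(result, "governance-lead", "Constructed justification text"))
```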

Risk Register

Use Product Detail > Governance > Risk Register for product-linked AI risks and /risk-heat-map for the space-level view.

Risk entries capture:

  • Category: bias, privacy, safety, security, transparency, environmental, fundamental_rights, or other.
  • Severity, likelihood, and impact scores from 1 to 5.
  • Status: open, mitigating, accepted, or closed.
  • Linked product IDs, misuse scenarios, mitigations, residual-risk details, owner, and reassessment cadence.

Qarion computes the risk score from severity, likelihood, and impact, then derives the risk tier:

| Tier | Score threshold |
| --- | --- |
| unacceptable | 80 or higher |
| high | 50 or higher |
| limited | 25 or higher |
| minimal | Below 25 |

The heat map aggregates risk counts by category and tier, and shows total, open, mitigating, accepted, and closed counts for the space.

Conformity Assessment

Use Product Detail > Governance > Conformity for high-risk conformity evidence. New assessments start in draft status and include the default checklist for:

  • Art. 9 Risk Management System
  • Art. 10 Data Governance
  • Art. 11 Technical Documentation
  • Art. 12 Logging Capabilities
  • Art. 13 Transparency
  • Art. 14 Human Oversight
  • Art. 15 Accuracy, Robustness, Cybersecurity

Assessment types are:

| Type | Use it for |
| --- | --- |
| self | Internal Annex VI self-assessment. |
| third_party | Annex VII notified-body assessment. |
| dual | Combined internal and third-party assessment path. |

While an assessment is draft or in_review, update checklist item status, notes, evidence references, notified-body details, validity dates, and reassessment reason. Submit moves a draft assessment to in_review. Review outcomes are pass, fail, or conditional; pass and conditional outcomes move the assessment to passed, while fail returns it to draft for remediation.

You can generate a draft EU Declaration of Conformity after the assessment is no longer draft. CE marking can be applied only after the assessment reaches passed.
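
The lifecycle described above, written out as a small state machine. This is an added example, not Qarion's code or API: the class, method, and field names are hypothetical, and allowing a review only from in_review is an assumption.

```python
# Hypothetical local model, not Qarion code; review-only-from-in_review is assumed.
from dataclasses import dataclass, field

EDITABLE = {"draft", "in_review"}
OUTCOME_TO_STATUS = {"pass": "passed", "conditional": "passed", "fail": "draft"}

class LifecycleError(Exception):
    """Raised when an action is not allowed in the current status."""

@dataclass
class Assessment:
    assessment_type: str = "self"                 # self, third_party or dual
    status: str = "draft"                         # new assessments start in draft
    evidence: dict = field(default_factory=dict)  # checklist item -> references
    ce_marked: bool = False

    def attach_evidence(self, item: str, ref: str) -> None:
        if self.status not in EDITABLE:
            raise LifecycleError(f"checklist is read-only in status {self.status!r}")
        self.evidence.setdefault(item, []).append(ref)

    def submit(self) -> None:
        if self.status != "draft":
            raise LifecycleError("only a draft assessment can be submitted")
        self.status = "in_review"

    def review(self, outcome: str) -> None:
        if self.status != "in_review" or outcome not in OUTCOME_TO_STATUS:
            raise LifecycleError(f"cannot record {outcome!r} in status {self.status!r}")
        self.status = OUTCOME_TO_STATUS[outcome]  # fail goes back to draft

    def draft_declaration(self) -> str:
        if self.status == "draft":
            raise LifecycleError("declaration is unavailable while in draft")
        return f"DRAFT EU Declaration of Conformity ({self.assessment_type})"

    def apply_ce_marking(self) -> None:
        if self.status != "passed":
            raise LifecycleError("CE marking requires status 'passed'")
        self.ce_marked = True

if __name__ == "__main__":
    a = Assessment("third_party")
    a.attach_evidence("Art. 12 Logging Capabilities", "DOC-0001")  # constructed ID
    for outcome in ("fail", "conditional"):  # fail, remediate, resubmit
        a.submit()
        a.review(outcome)
    a.apply_ce_marking()
    print(a.status, a.ce_marked)
```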

Regulatory Incidents

Use /regulatory-incidents for the Article 62 dashboard and issue detail pages for ticket-level follow-ups and reports.

The dashboard counts issue tickets that have a regulatory classification other than none. It shows:

  • Open classified incidents.
  • Overdue classified incidents with a deadline in the past.
  • Classified incidents approaching their deadline within seven days.
  • Resolved or closed classified incidents.
  • A breakdown by regulatory classification.

Currently supported serious-incident classifications include health_safety, infrastructure, and fundamental_rights. Legacy classifications such as severe, high, and medium may also appear in older tickets.

For a classified incident, use follow-up entries to record authority contact, reference numbers, and investigation updates. The structured report combines ticket details, linked AI system metadata, root cause, corrective actions, reporter/assignee details, and follow-up history. The PDF export renders the same report for submission outside Qarion.

Operating Practices

  • Re-run Art. 5 screening after material purpose, audience, data, deployment, or jurisdiction changes.
  • Keep risk entries linked to affected products so the heat map and product detail view stay aligned.
  • Keep training runs, deployed-run status, performance metrics, safety metrics, and technical documentation aligned with conformity evidence.
  • Use evidence references that auditors can resolve, such as document IDs, analysis links, issue IDs, repository paths, or attachment IDs.
  • Create a new conformity assessment for completed assessments that need reassessment; completed assessments are intentionally not editable.
  • Keep regulatory classifications and deadlines on issue tickets current, because dashboard counts are derived from ticket fields.

Troubleshooting

| Symptom | What to check |
| --- | --- |
| An AI governance tab is missing | Confirm the catalog item is an AI product type and the required feature flag is enabled for the space. |
| Art. 5 screening will not submit | Every question must be answered with yes, no, or na. |
| Screening override is unavailable | Overrides are only accepted for flagged screenings and require a justification. |
| Risk heat map is empty | Create risk register entries in the current space and link them to products when product context matters. |
| Product governance score looks low | Use the AI Governance tab to identify incomplete owner, purpose, risk, data dependency, evaluation, policy, monitoring, or review checks. |
| Conformity checklist cannot be edited | Only draft and in_review assessments are editable. |
| CE marking action is unavailable | The assessment must have a passed review outcome first. |
| Regulatory dashboard counts look incomplete | Confirm issue tickets have a regulatory classification and deadline, and are in the expected space. |

Developer References