Assurance and Audit

Control statements and requirements for assurance and audit.

AA-1 Internal Assessment & Audit

The organisation shall establish and maintain comprehensive internal assessment and audit procedures for AI systems throughout their lifecycle. This includes documented verification of controls and validation of system behaviour in both controlled and real-world conditions. Internal audits must evaluate compliance with organisational policies and procedures. Internal assessment and audit activities must cover normal operations, edge cases, and stress conditions. The organisation shall maintain evidence of all audit activities, findings, and remediation efforts.

ISO 42001: 9.1, 9.2, 9.3, A.6.2.4
ISO 27001: 9.1, 9.2, 9.3, A.18.2
ISO 27701: 8.2.3, 18.2.2, A.7.2.5, A.7.4.3
EU AI Act: 9.7-9.8, 17.1-17.2, 60.1-60.9, 61.1, 61.2
NIST RMF: Map 2.3, Measure 2.1, Measure 2.3, Measure 2.5
SOC 2: PI1.1, PI1.2, CC4.1

AA-2 Independent Assessment and Certification

The organisation shall ensure regular independent assessments of AI systems are conducted and maintain necessary certifications. Independent assessors must have appropriate expertise and authority to evaluate compliance with regulatory requirements and performance standards. For stand-alone high-risk AI systems, the organisation shall implement self-assessment processes to verify compliance, ensuring alignment with regulatory requirements. The organisation shall obtain and maintain required certifications, track certification status, and implement corrective actions when gaps are identified. Assessment and certification activities must be documented, including findings and evidence of remediation.

ISO 42001: 9.1, 9.3, 10.1, 10.2
ISO 27001: 9.1, 9.3, 10.1, 10.2, A.18.1, A.18.2
ISO 27701: 7.2.1
EU AI Act: 20.1, 22.3-22.4, 40.1, 43.1-43.4, 44.2, 44.3
NIST RMF: Measure 1.3, Measure 4.2, Govern 4.3
SOC 2: CC4.2, CC3.1

AA-3 Safety and Security Validation

The organisation shall conduct regular testing of AI system safety and security controls, including assessment of cybersecurity measures, resilience against attacks, and ability to fail safely. Testing must verify that systems operate within defined risk tolerances and maintain effectiveness of protective controls. Validation must include both automated testing and expert review of safety measures. The organisation shall maintain documentation of all safety and security assessments, including methodology, results, and remediation of identified issues.

ISO 42001: 9.1, 9.3
ISO 27001: 9.1, 9.3, A.18.1, A.18.2
ISO 27701: 7.2.5
EU AI Act: 41.1-41.2, 42.1-42.2
NIST RMF: Measure 2.6, Measure 2.7
SOC 2: CC7.1