Your auditor asks for the model card on the credit-scoring system deployed in Q3. The ML team points to a README in the GitHub repo: model name, accuracy metric, training date. Three sentences. The auditor marks it insufficient. Under EU AI Act Annex IV, that README needs to be a substantive technical documentation package covering nine mandatory sections, from intended purpose to post-market monitoring evaluation. The gap between what most teams produce and what AI model cards compliance standards require is not incremental. It is structural.
The documentation deficit is widespread. Industry surveys consistently show fewer than one-third of organizations have fully implemented AI governance programs. Over half lack systematic AI system inventories. Model cards sit at the center of this problem: they are the primary artifact auditors use to evaluate whether an AI system was designed, tested, and monitored responsibly. Without them, every other governance control is unverifiable.
Model cards originated as a transparency tool. Margaret Mitchell and colleagues at Google proposed them in 2019 as standardized disclosures for ML systems. The EU AI Act converted that voluntary practice into a legal obligation for high-risk systems, with penalties reaching EUR 15 million or 3% of global turnover for non-compliance [EU AI Act, Art. 99(4)]. NIST AI RMF and ISO 42001 added their own documentation expectations. Three frameworks, overlapping requirements, and no published crosswalk mapping one to the others. That crosswalk is the core of what follows.
AI model cards compliance refers to the practice of creating structured documentation artifacts that describe an AI system’s purpose, performance, limitations, training data, and risk controls. Under the EU AI Act, NIST AI RMF, and ISO 42001, model cards serve as the primary evidence package auditors use to verify governance, fairness, and regulatory conformity.
What Model Cards Are and Why They Became Mandatory
A model card is a structured disclosure document for a machine learning system. It records what the system does, how it was built, what data trained it, where it performs well, where it fails, and what risks it carries. Mitchell et al. (2019) proposed the format as an industry transparency standard. The EU AI Act made it law.
From Voluntary Transparency to Legal Requirement
The original model card framework proposed by Mitchell et al. in “Model Cards for Model Reporting” (FAccT 2019, arXiv:1810.03993) covered nine sections: Model Details, Intended Use, Factors, Metrics, Evaluation Data, Training Data, Quantitative Analyses, Ethical Considerations, and Caveats and Recommendations. Google, Hugging Face, and Meta adopted variants. The format remained voluntary, inconsistent, and rarely audited.
The EU AI Act changed the calculus. Article 11 requires providers of high-risk AI systems to draw up technical documentation before market placement. Annex IV specifies nine mandatory sections that expand the original model card concept into a full evidence package. Documentation must be retained for 10 years after the AI system is placed on the market or put into service [EU AI Act, Art. 18]. Incomplete documentation triggers penalties of EUR 15 million or 3% of global annual turnover, whichever is higher [EU AI Act, Art. 99(4)]. Providing misleading information to authorities carries a separate penalty of EUR 7.5 million or 1% of turnover [EU AI Act, Art. 99(5)].
Why Auditors Treat Model Cards as the Primary Evidence Artifact
Auditors cannot observe an AI system’s decision-making process directly. They observe documentation. The model card (or its Annex IV equivalent) is the artifact that connects design intent to deployed behavior. It answers five auditor questions simultaneously: What does this system do? What data shaped its behavior? How was it tested? What are its known limitations? Who is responsible for monitoring it?
Without a model card, auditors cannot verify bias controls, validate performance claims, trace data lineage, or confirm that risk management processes were followed. The model card is not supplementary documentation. It is the audit itself, in written form.
The audit fix. Inventory every AI system currently in production or development. For each system, determine whether a model card or equivalent documentation exists. Rate each: (1) no documentation, (2) informal README-level documentation, (3) structured model card missing regulatory fields, (4) Annex IV compliant. Any system rated below 4 that qualifies as high-risk under the EU AI Act requires remediation before August 2, 2026. Start with your AI system inventory: you cannot document what you have not catalogued.
EU AI Act Annex IV: The Nine-Section Documentation Requirement
Annex IV defines the minimum content for high-risk AI system technical documentation. Nine sections. Each maps to a specific governance requirement. Auditors evaluate completeness against this structure, not against the provider’s preferred format.
Section-by-Section Breakdown
Section 1: General description. System name, version, intended purpose, the provider’s identity, and the date of the documentation. This section also requires a description of how the AI system interacts with hardware or software that is not part of the system itself.
Section 2: Detailed description of elements and development process. The architecture, computational resources, design choices, and the development methodology, including training data sources, preprocessing decisions, data governance measures, labeling procedures, and data assumptions. For systems that continue learning after deployment, this section must describe predetermined changes and how the system was designed to meet applicable requirements throughout its lifecycle. Bias evaluation requirements derive from Article 10 (data governance) and surface here as testing metrics including potentially discriminatory impacts in Annex IV point 2(g): “description of the metrics used to measure the accuracy, robustness and cybersecurity of the high-risk AI system… as well as of potentially discriminatory impacts.”
Section 3: Detailed information about monitoring, functioning, and control. The system’s capabilities and limitations of performance, the degrees of accuracy and the foreseeable unintended outcomes, human oversight measures per Article 14, and specifications for input data.
Section 4: Description of performance metrics. The appropriateness of the performance metrics for the specific AI system: the metrics used to measure accuracy, robustness, and cybersecurity, and the rationale for their selection given the intended purpose.
Section 5: Risk management system. A description of the risk management system applied during development, including risk identification, estimation, evaluation, and the risk mitigation measures adopted, in accordance with Article 9.
Section 6: Description of relevant changes through the lifecycle. A list of the relevant changes made by the provider to the system through its lifecycle, including updates that triggered revalidation or updated risk assessments.
Section 7: List of harmonised standards applied. A list of harmonised European standards applied, in full or in part, developed by CEN-CENELEC JTC 21 under mandate from the Commission. Where no harmonised standard applies: common specifications, other relevant standards, or other technical solutions that demonstrate conformity.
Section 8: EU Declaration of Conformity. A copy of the Declaration of Conformity as required under Article 47, or a reference to it, along with links to conformity assessment procedures completed.
Section 9: Post-market monitoring evaluation system. A detailed description of the post-market monitoring evaluation system per Article 72, including the performance metrics tracked, monitoring frequency, and the processes for feeding monitoring results back into risk management.
The Documentation Depth Auditors Expect
A common failure: teams produce a 10-page model card and assume it satisfies Annex IV. It does not. Section 2 (elements and development process) alone can run dozens of pages for systems trained on large datasets. Section 3 (monitoring and control) requires human oversight documentation, not summaries. The 10-year retention requirement [EU AI Act, Art. 18] means this documentation must be version-controlled and accessible to national competent authorities on request. Static PDFs stored in a shared drive will not survive a multi-year audit cycle. Build documentation into your CI/CD pipeline with automated versioning.
The model card is no longer a one-page summary. Under Annex IV, it is a living technical documentation package that must be maintained, versioned, and retained for a decade from placement on the market. Organizations treating it as a one-time deliverable will fail their first audit. Treat AI model cards for compliance as an ongoing operational process, not a project milestone.
The audit fix. Create an Annex IV documentation template with all nine sections. For each high-risk AI system, assign a documentation owner responsible for initial creation and ongoing maintenance. Set quarterly review cycles aligned with your post-market monitoring plan. Store documentation in a version-controlled repository with audit trail capabilities. Confirm that the repository supports 10-year retention and authority access requirements.
Multi-Framework Crosswalk: Annex IV, NIST AI RMF, and ISO 42001
Most organizations subject to the EU AI Act also reference NIST AI RMF (either voluntarily or as an affirmative defense strategy) and ISO 42001 (as a certifiable management system). The documentation requirements overlap but do not align perfectly. A single model card can satisfy all three frameworks if structured against the crosswalk below.
The Crosswalk Table
| Documentation Element | EU AI Act Annex IV | NIST AI RMF | ISO 42001 |
|---|---|---|---|
| System purpose and scope | Section 1 (general description) | GOVERN 1.1, MAP 1.1 | A.2.2, A.6.1.1 |
| Architecture, design, and data governance | Section 2 (elements/development) | MAP 3.4, MAP 2.1-2.3, MEASURE 2.7 | A.6.2.4, A.7.4, A.7.5 |
| Performance and limitations | Section 3 (monitoring/control) | MEASURE 2.1-2.6 | A.6.2.6 |
| Performance metrics | Section 4 | MEASURE 1.1-1.3, MEASURE 3.2 | A.6.2.6, A.8.4 |
| Risk management | Section 5 (risk management system) | GOVERN 1.5, MAP 5.1-5.2 | A.5.2, A.5.3 |
| Lifecycle changes | Section 6 | MANAGE 1.3, MANAGE 4.1 | A.9.1, A.9.2 |
| Standards applied | Section 7 (harmonised standards) | GOVERN 1.2 | A.4.3 (context) |
| Conformity declaration | Section 8 (EU Declaration) | N/A (voluntary) | A.6.1.3 |
| Post-market monitoring | Section 9 / Art. 72 | MANAGE 1.1-1.4, MANAGE 4.1 | A.9.1, A.9.2 |
| Bias evaluation | Section 2 point 2(g) + Art. 10 | MAP 2.3, MEASURE 2.6, MANAGE 3.2 | A.7.3, A.10.3 |
| Human oversight | Section 3 (Art. 14) | GOVERN 1.3, MANAGE 2.2 | A.9.3 |
| Incident reporting | Art. 73 | MANAGE 4.2 | A.10.2 |
How to Use This Crosswalk
Build one documentation package. Tag each section with the framework references it satisfies. When an auditor requests NIST AI RMF MAP 2.1 evidence, point them to the data governance content in Section 2 of your Annex IV documentation and cite the crosswalk. When an ISO 42001 certification auditor reviews A.6.2.6 (system performance), the same testing section covers it.
The crosswalk reveals two coverage gaps. First: NIST AI RMF has no conformity declaration equivalent (Section 8). NIST is a voluntary framework; conformity declarations are a regulatory instrument. Second: the EU AI Act does not explicitly require the organizational governance documentation that ISO 42001 A.4 through A.5 demands (leadership commitment, AI policy, organizational roles). Organizations pursuing all three should layer ISO 42001 organizational governance on top of the Annex IV technical package.
The audit fix. Download or recreate this crosswalk table for your documentation team. For each high-risk AI system, build a single model card template with all 12 documentation elements. Tag each section with the applicable Annex IV section, NIST AI RMF subcategory, and ISO 42001 control reference. This unified approach reduces documentation effort significantly compared to maintaining separate artifacts for each framework.
What Auditors Actually Examine in Model Card Reviews
Documentation exists on paper. Auditors verify it against reality. The gap between what a model card claims and what the system actually does is where audit findings originate. Understanding auditor methodology protects against the most common failure modes.
The Five Auditor Tests
Test 1: Completeness. Does the documentation cover all nine Annex IV sections? Missing sections are automatic findings. Auditors use a checklist. Any blank section triggers a request for explanation and a potential non-conformity.
Test 2: Consistency. Does the model card match the deployed system? Auditors compare documented architecture to actual architecture, documented training data to actual data pipelines, and documented performance metrics to current production metrics. Version mismatches between the documentation and the live system are the most common finding.
Test 3: Traceability. Can the auditor trace a specific output back through the model card to the training data, design decisions, and risk assessments that produced it? Traceability requires version-controlled documentation linked to specific model versions, dataset versions, and test runs. A model card that describes “the model” without specifying which version applies fails this test.
Test 4: Currency. Is the documentation current? The EU AI Act requires documentation to be updated when the system undergoes substantial modification. Auditors check timestamps, version histories, and change logs. A model card last updated 18 months ago for a system retrained monthly will draw scrutiny.
Test 5: Sufficiency of evidence. Are claims supported? A model card that states “bias testing was performed” without test logs, methodologies, metrics, and results is an assertion, not evidence. Auditors expect artifacts: test reports, data quality assessments, risk registers, and evidence collection pipelines that produce verifiable records.
The Shadow AI Problem
Auditors cannot review model cards for systems they do not know exist. Industry surveys indicate that a large majority of organizations have undiscovered AI tools operating outside governance visibility. Shadow AI creates undocumented risk exposure that no model card program can address until the systems are inventoried.
The documentation obligation under the EU AI Act applies to all high-risk systems, not only those the compliance team knows about. A business unit deploying an AI-powered hiring tool without informing governance creates a compliance gap that surfaces during audit, not before. Your AI system inventory is the prerequisite to your model card program. You cannot document what you have not discovered. Run the inventory first. Then build model cards for every system that meets the high-risk threshold.
The audit fix. Before building model cards, conduct a shadow AI discovery exercise. Survey every business unit. Scan procurement records for AI vendor contracts. Review API gateway logs for undocumented AI service calls. Cross-reference against your AI system inventory. Every system discovered that lacks documentation is a compliance gap requiring immediate remediation.
Building a Compliant Model Card from Scratch
A compliant model card starts with structure, not prose. The implementation sequence matters: inventory first, classification second, documentation third, validation fourth, and ongoing maintenance fifth. Skipping steps produces documentation that looks complete but fails auditor scrutiny.
Step-by-Step Implementation
Step 1: Inventory and classify. Identify every AI system in scope. Classify each under the EU AI Act risk categories. Only high-risk systems (Annex III) require full Annex IV documentation. Limited-risk systems need transparency disclosures. Minimal-risk systems have no documentation obligation. This classification determines how much work follows.
Step 2: Assign ownership. Each model card needs a named owner: a person accountable for accuracy, currency, and completeness. Distributed ownership across data science, engineering, and compliance teams fails. Assign one owner per system with authority to request inputs from all contributing teams.
Step 3: Populate the nine Annex IV sections. Work through each section systematically. Sections 1 through 3 (general description, system elements, monitoring and control) draw from engineering documentation. Sections 4 through 5 (performance metrics, risk management) require inputs from data science and risk functions. Section 6 (lifecycle changes) requires ongoing input from engineering. Sections 7 and 8 (harmonised standards, conformity declaration) require legal and regulatory input. Section 9 (post-market monitoring) bridges engineering and compliance.
Step 4: Cross-reference against NIST and ISO 42001. Using the crosswalk table above, tag each section with the parallel framework requirements it satisfies. Fill any gaps. NIST AI RMF organizational governance (GOVERN function) and ISO 42001 management system requirements (Clauses 4 through 10) supplement the technical documentation with the organizational context auditors expect.
Step 5: Validate and version. Have an independent reviewer (internal audit, external consultant, or compliance team member not involved in development) review the model card against the five auditor tests. Version-control the documentation. Link it to the specific model version, dataset version, and deployment configuration it describes.
Ongoing Maintenance Requirements
A model card is not a deliverable. It is a living document. The EU AI Act requires updates upon substantial modification. Best practice requires updates at every model retrain, every dataset refresh, every significant configuration change, and at minimum quarterly for systems in active production.
Build model card updates into your ML pipeline. When a model is retrained, the pipeline should auto-generate updated performance metrics, data statistics, and version references. Manual documentation processes break within six months. Automated pipelines scale with your AI portfolio.
The audit fix. Create an implementation timeline: Week 1-2 for inventory and classification, Week 3-4 for ownership assignment and template creation, Week 5-12 for section-by-section population across all high-risk systems, Week 13-14 for cross-framework tagging and gap analysis, Week 15-16 for independent validation. Repeat the validation cycle quarterly. Integrate automated documentation updates into your ML pipeline by Month 6.
Model cards are the single artifact where AI governance becomes auditable. Every framework points to the same requirement: document what you built, how you tested it, and what risks remain. Organizations that treat model cards as a compliance checkbox produce documentation that fails auditor scrutiny. Organizations that treat them as operational infrastructure produce documentation that protects them. Build the crosswalk once. Maintain it as a living system. The audit will come.
Frequently Asked Questions
What is an AI model card and why do auditors require one?
An AI model card is a structured documentation artifact that describes an AI system’s purpose, architecture, training data, performance metrics, limitations, and risk controls. Auditors require model cards because they cannot observe AI decision-making directly. The model card provides the evidence trail that connects design intent to deployed behavior, enabling verification of governance, fairness, and regulatory compliance across frameworks including the EU AI Act, NIST AI RMF, and ISO 42001.
What must EU AI Act Annex IV technical documentation include?
Annex IV requires nine sections: (1) general system description, (2) detailed elements and development process including data governance and bias metrics, (3) monitoring and control specifications, (4) performance metrics, (5) risk management system, (6) lifecycle changes, (7) list of harmonised standards applied, (8) EU Declaration of Conformity, and (9) post-market monitoring evaluation system. Documentation must be retained for 10 years after the AI system is placed on the market or put into service [EU AI Act, Art. 18].
How do model cards differ from AI fact sheets?
Model cards focus on a single ML model’s technical characteristics, performance, and limitations. AI fact sheets (such as IBM’s FactSheets) cover the broader AI service or application, including deployment context, business use cases, and operational considerations. Under the EU AI Act, Annex IV technical documentation encompasses both perspectives: model-level detail (Sections 2, 4, and 5) and system-level context (Sections 1, 3, and 9). A model card alone does not satisfy Annex IV. It must be embedded within the full technical documentation package.
How do you map model card fields to NIST AI RMF requirements?
Model card fields map to NIST AI RMF through four functions. System purpose maps to GOVERN 1.1 and MAP 1.1. Data governance and architecture maps to MAP 2.1 through 2.3 and MEASURE 2.7. Performance metrics and testing map to MEASURE 1.1 through 1.3. Bias evaluation (embedded in Annex IV Section 2, point 2(g)) maps to MAP 2.3, MEASURE 2.6, and MANAGE 3.2. The crosswalk table in this article provides the complete mapping across all 12 documentation elements.
What are the penalties for incomplete AI documentation under the EU AI Act?
Non-compliance with high-risk documentation requirements triggers fines up to EUR 15 million or 3% of global annual turnover, whichever is higher [EU AI Act, Art. 99(4)]. Providing incomplete or misleading technical information to national competent authorities carries a separate penalty of EUR 7.5 million or 1% of global turnover [Art. 99(5)].
Can existing ML model documentation satisfy EU AI Act requirements?
Existing documentation rarely satisfies Annex IV in full. Most ML teams produce model cards covering a subset of the 9 required sections (typically general description, performance metrics, and intended use). Annex IV adds mandatory sections for the full development process, risk management, lifecycle changes, harmonised standards, conformity declaration, and post-market monitoring. Treat existing documentation as a starting point, then systematically fill the gaps using the Annex IV template.
How long must AI technical documentation be retained?
The EU AI Act requires technical documentation to be retained for 10 years after the AI system is placed on the market or put into service [EU AI Act, Art. 18]. For systems with ongoing substantial modifications, documentation for each version should be retained. ISO 42001 requires documented information to be retained as evidence of conformity for the period defined in the management system. NIST AI RMF does not specify retention periods but recommends documentation sufficient for ongoing risk management.
What is the difference between ISO 42001 and EU AI Act documentation requirements?
ISO 42001 is a management system standard covering organizational governance, policies, roles, and continuous improvement across the entire AI lifecycle. The EU AI Act Annex IV focuses on technical system-level documentation for individual high-risk AI systems. ISO 42001 addresses the “who governs and how” questions (Clauses 4 through 10, Annex A). Annex IV addresses the “what was built and tested” questions. Organizations need both: ISO 42001 for the governance infrastructure, Annex IV documentation for each system within that infrastructure.
Subscribe to The Authority Brief for next week’s analysis.
