EU AI Act Checklist: 38 Controls for 2026
A practical, deployer-focused checklist for the EU AI Act. Use it as the starting point for your internal control library, then automate evidence collection with Awan Agent.
1. Risk classification
- Classify each AI system: prohibited, high-risk, limited-risk or minimal-risk.
- Document the intended purpose and context of use for every model.
- Maintain a written risk justification reviewed at least annually.
2. Data governance
- Training, validation and test datasets are relevant, representative and bias-checked.
- Personal data is processed under a valid GDPR lawful basis.
- Data sources, lineage and known limitations are documented.
3. Transparency & disclosure
- Users are informed when they are interacting with an AI system.
- AI-generated content is labelled where required (e.g. deepfakes).
- Model cards include capabilities, limitations and performance metrics.
4. Human oversight
- Designated human operators can interpret system output and override decisions.
- Operators receive training on the system's behaviour and known failure modes.
- Stop-and-rollback procedures are documented and tested.
5. Post-market monitoring
- Logging of inputs, outputs and incidents is enabled and retained.
- Serious incidents are reported to the relevant authority within 15 days.
- Quarterly review of metrics, drift and user complaints.