EU AI Act Article 11 — what technical documentation auditors will demand
Article 11 and Annex IV define the technical documentation every provider of a high-risk AI system must draw up and keep current. This guide walks the required sections, what each looks like in practice, and the AIBOM (CycloneDX 1.6) format that carries the machine-readable part of it.
Article 11(1) says: 'The technical documentation of a high-risk AI system shall be drawn up before that system is placed on the market or put into service and shall be kept up-to date.' It must demonstrate compliance with the Chapter III, Section 2 requirements (Articles 8 to 15) and contain at least the elements listed in Annex IV.
What it is
Annex IV enumerates nine items of technical documentation; this guide groups them into seven working sections: (1) general description, (2) detailed description of the elements and the development process (with the Annex IV item on the appropriateness of the chosen performance metrics folded in), (3) monitoring, functioning and control (including the Article 72 post-market monitoring plan), (4) the Article 9 risk management system, (5) relevant changes made through the lifecycle, (6) harmonised standards applied or, where none are applied, the solutions adopted instead, (7) a copy of the EU declaration of conformity under Article 47. An AIBOM (CycloneDX 1.6, whose `machine-learning-model` component type and `modelCard` fields describe ML models) is the machine-readable form this guide recommends for sections 1-3 and 6; sections 4, 5 and 7 still need human-readable documents the AIBOM links to.
Vulnerable example
# Annex IV documentation — INCOMPLETE
## Section 1
- Intended purpose: "credit scoring"
- Provider: My Startup
# MISSING: data subject categories, geographic scope, version,
# system architecture, lifecycle of training data.
# MISSING: Sections 2-7 entirely.
# Auditor: rejects, requests full Annex IV scope.
Fixed example
# Annex IV technical documentation — full scope
## Section 1: General description
- Intended purpose: "Binary credit-approval classifier"
- Provider: My Startup, Inc.; EU rep: ABC Legal GmbH
- Geographic scope: EU + EEA
- Data subject categories: retail loan applicants 18-75
- Version: 2.1.0 (2026-04-15)
## Section 2: Elements + development
- Architecture: BERT-base fine-tuned
- Training methodology + data governance (Art 10): see model card
- Validation: 80/10/10 split + 5-fold cross-validation
- Bias detection + mitigation (Art 10(2)(f)-(g)): fairness assessment per protected group
## Section 3: Monitoring + control
- Post-market monitoring plan per Art 72: monthly drift report
- Automatic event logging per Art 12; serious-incident reporting per Art 73
- Human oversight per Art 14: see /docs/oversight-design
## Section 4: Risk management (Art 9)
- ISO 31000-aligned RM process
- Residual-risk sign-off: CTO (2026-04-XX)
## Section 5: Lifecycle changes
- See /CHANGELOG.md + Article 43(4) substantial-modification tracker
## Section 6: Standards applied
- Harmonised standards applied: none; solutions adopted documented per Annex IV point 7
- Other standards/specifications: ISO/IEC 23053:2022, ISO/IEC 42001:2023; AIBOM in CycloneDX 1.6
## Section 7: EU declaration of conformity (Art 47)
- See /compliance/dec-of-conformity-2026.pdf
How Securie catches it
Securie's `crates/production-ready/src/cert_artifact.rs` exports the `CertArtifact`, `CertSummary` and `CertificationStatus` types; each Annex IV section becomes a per-control evidence record. The 50-control checklist in `crates/production-ready/src/controls.rs::CONTROLS` maps onto the Article 11 sections. /app/certify renders the bundle and /api/production-ready/[slug] issues it signed. Combined with the AIBOM emitted by `crates/sbom`, every release ships the full evidence set automatically.
Checklist
- Section 1 populated with intended purpose + provider + EU representative + geographic scope + data subject categories + version
- Section 2 cites training methodology + data governance (Art 10) + validation + bias detection
- Section 3 describes the post-market monitoring plan (Art 72) + event logging (Art 12) + serious-incident reporting (Art 73) + human oversight (Art 14)
- Section 4 documents the Art 9 risk management system (ISO 31000-aligned) + residual-risk sign-off
- Section 5 substantial-modification tracker per Article 43(4)
- Section 6 lists the harmonised standards applied or, where none are applied, the solutions adopted + other standards used (ISO/IEC 23053, 42001, CycloneDX AIBOM) per Annex IV point 7
- Section 7 EU declaration of conformity (Art 47) signed + dated + auditor-reviewable
- All sections cross-link to the AIBOM CycloneDX file, and the AIBOM links back to the human-readable sections 4, 5 and 7
FAQ
Do I need a Notified Body assessment, or can I self-assess?
Article 43 decides this. Systems under Annex III points 2 to 8 (credit scoring, employment, education and the rest) follow the internal-control procedure of Annex VI, which involves no Notified Body. Only Annex III point 1 (biometrics) systems may need Annex VII with a Notified Body: the provider may choose Annex VI where harmonised standards or common specifications are applied in full, and must use Annex VII where they are not. Self-assessment does not lower the bar: the documentation must still meet Article 11 and Annex IV, and a competent authority can request it under Article 21.
What's the difference between AIBOM and Article 11 documentation?
Article 11 is the legal requirement; an AIBOM is the machine-readable carrier this guide recommends for part of it. A CycloneDX 1.6 AIBOM covers sections 1, 2, 3 and 6 cleanly through its metadata, the `machine-learning-model` component, its `modelCard` and properties. Sections 4 (risk management), 5 (lifecycle changes) and 7 (declaration of conformity) remain human-readable documents; the AIBOM should point at them via `externalReferences` so the evidence set stays one linked graph.
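The checklist above and this answer both describe the split between what the AIBOM carries and what it only links to. The following script, an added example and not Securie's code, builds a constructed CycloneDX 1.6 AIBOM for the credit-approval classifier of the fixed example and runs the auditor's coverage check over it, then over the stripped-down "vulnerable" version. The `modelCard` and `externalReferences` layout follows the CycloneDX 1.6 JSON schema; the `eu-ai-act:*` property names, the mapping of reference types to sections, and every URL, metric and dataset name are assumptions invented for this example.

```python
"""Added example: map a CycloneDX 1.6 AIBOM onto the guide's seven Annex IV sections.
Not Securie code. modelCard / externalReferences follow the CycloneDX 1.6 schema; the
"eu-ai-act:*" property names, reference-type mapping, URLs and metrics are assumptions."""
import copy

# Constructed AIBOM for the credit-approval classifier of the fixed example above.
AIBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",  # placeholder
    "version": 1,
    "metadata": {
        "manufacturer": {"name": "My Startup, Inc."},
        "properties": [  # assumed naming convention, not part of the CycloneDX schema
            {"name": "eu-ai-act:intended-purpose", "value": "Binary credit-approval classifier"},
            {"name": "eu-ai-act:eu-representative", "value": "ABC Legal GmbH"},
            {"name": "eu-ai-act:geographic-scope", "value": "EU + EEA"},
            {"name": "eu-ai-act:data-subjects", "value": "retail loan applicants 18-75"},
        ],
    },
    "components": [{
        "type": "machine-learning-model",
        "name": "credit-approval-classifier",
        "version": "2.1.0",
        "modelCard": {
            "modelParameters": {
                "approach": {"type": "supervised"},
                "task": "binary-classification",
                "architectureFamily": "transformer",
                "modelArchitecture": "BERT-base, fine-tuned",
                "datasets": [{"type": "dataset", "name": "loan-applications-2025", "classification": "personal data"}],
            },
            "quantitativeAnalysis": {"performanceMetrics": [
                {"type": "AUC", "value": "0.91", "slice": "5-fold CV on 80/10/10 split"}]},
            "considerations": {"fairnessAssessments": [
                {"groupAtRisk": "applicants aged 65-75", "harms": "higher false-reject rate",
                 "mitigationStrategy": "per-age-band threshold calibration"}]},
        },
        # Sections 4, 5 and 7 stay human-readable documents; the BOM only links to them.
        "externalReferences": [
            {"type": "documentation", "url": "https://docs.example.test/oversight-design", "comment": "Art 14 human oversight"},
            {"type": "quality-metrics", "url": "https://docs.example.test/drift/2026-04", "comment": "Art 72 monthly drift report"},
            {"type": "risk-assessment", "url": "https://docs.example.test/risk-management", "comment": "Art 9 RM system"},
            {"type": "vcs", "url": "https://git.example.test/credit-model/CHANGELOG.md", "comment": "Art 43(4) change tracker"},
            {"type": "certification-report", "url": "https://docs.example.test/doc-2026.pdf", "comment": "Art 47 declaration"},
        ],
        "properties": [{"name": "eu-ai-act:standards-applied", "value": "ISO/IEC 23053:2022; ISO/IEC 42001:2023"}],
    }],
}


def _prop(obj, name):
    # True if a non-empty CycloneDX property with this name is present on obj.
    return any(p.get("name") == name and p.get("value") for p in obj.get("properties", []))


def _ref(comp, ref_type):
    # True if the component carries an externalReference of this type with a URL.
    return any(r.get("type") == ref_type and r.get("url") for r in comp.get("externalReferences", []))


def annex_iv_coverage(bom):
    """Return {section: [missing evidence, ...]}; an empty dict means all seven are covered."""
    meta = bom.get("metadata", {})
    comp = next((c for c in bom.get("components", []) if c.get("type") == "machine-learning-model"), {})
    card = comp.get("modelCard", {})
    params = card.get("modelParameters", {})
    general = [("provider", bool(meta.get("manufacturer", {}).get("name"))),
               ("version", bool(comp.get("version")))]
    general += [(key.replace("-", " "), _prop(meta, f"eu-ai-act:{key}")) for key in
                ("intended-purpose", "eu-representative", "geographic-scope", "data-subjects")]
    checks = {
        "1 general description": general,
        "2 elements + development": [
            ("architecture", bool(params.get("modelArchitecture"))),
            ("training data", bool(params.get("datasets"))),
            ("validation metrics", bool(card.get("quantitativeAnalysis", {}).get("performanceMetrics"))),
            ("bias/fairness assessment", bool(card.get("considerations", {}).get("fairnessAssessments"))),
        ],
        "3 monitoring + control": [("human oversight design", _ref(comp, "documentation")),
                                   ("post-market monitoring", _ref(comp, "quality-metrics"))],
        "4 risk management": [("risk assessment link", _ref(comp, "risk-assessment"))],
        "5 lifecycle changes": [("change tracker link", _ref(comp, "vcs"))],
        "6 standards applied": [("standards list", _prop(comp, "eu-ai-act:standards-applied"))],
        "7 declaration of conformity": [("declaration link", _ref(comp, "certification-report"))],
    }
    return {sec: [name for name, ok in items if not ok]
            for sec, items in checks.items() if not all(ok for _, ok in items)}


def incomplete_aibom():
    """The vulnerable example above: a provider name and an intended purpose, nothing else."""
    bom = copy.deepcopy(AIBOM)
    bom["metadata"]["properties"] = bom["metadata"]["properties"][:1]
    bom["components"] = [{"type": "machine-learning-model", "name": "credit-approval-classifier"}]
    return bom


if __name__ == "__main__":
    for label, bom in (("incomplete", incomplete_aibom()), ("full scope", AIBOM)):
        gaps = annex_iv_coverage(bom)
        print(f"{label}: {'complete' if not gaps else 'auditor would reject'}")
        for sec, missing in gaps.items():
            print(f"  section {sec}: missing {', '.join(missing)}")
```

Run it as a script and the incomplete BOM is rejected with every one of the seven sections listed and the evidence each lacks, while the full-scope BOM comes back clean. The deliberate design choice is that sections 4, 5 and 7 pass only when a typed `externalReferences` entry with a URL is present, so the check enforces the cross-link rather than pretending a risk-management process or a signed declaration can live inside the BOM.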
Can I publish my Article 11 documentation publicly?
Most providers don't — sections 2 + 4 contain confidential model + risk details. Auditor receives full set under NDA; public-facing equivalent is the model card + transparency report.
Related guides
The EU AI Act's second enforcement wave lands August 2026. If your product uses a large language model — directly or via a wrapper — here is what you need to publish, document, and do before the deadline.
EU AI Act high-risk Annex III enforcement begins Aug 2 2026. Article 11 + Annex IV technical documentation is functionally an AIBOM mandate. This guide walks the in-scope test, the documentation requirements, and the AIBOM template + Securie crates that produce the evidence.
Row-Level-Security bypass is the most common data leak in vibe-coded apps. Here is exactly how it happens, how attackers find it, and how to fix it in Next.js + Supabase with one policy update.
BOLA is the top item on the OWASP API Security Top 10 for a reason — every AI coding assistant introduces it by default. Learn what it looks like in Next.js, how to exploit it, and how to fix it.