Evidence Pack
A comprehensive bundle of documentation, logs, and artifacts that demonstrate AI system compliance for auditors.
Definition
An evidence pack is a structured, verifiable collection of documentation, execution logs, approval records, and integrity artifacts that together demonstrate an AI system's compliance with regulatory requirements. Unlike static documentation that describes intended processes, an evidence pack contains proof that those processes actually executed—audit trails showing human approvals occurred, logs demonstrating policy enforcement, and checksums enabling independent verification that records have not been tampered with.
The EU AI Act requires not just that organizations implement compliance measures, but that they can demonstrate implementation to market surveillance authorities and auditors. Article 18 requires providers to keep documentation and logs at the disposal of national competent authorities for ten years. Article 26 requires deployers to keep automatically generated logs. Throughout the regulation, the emphasis is on provable, documented compliance rather than mere assertions. When auditors arrive—whether internal auditors conducting readiness assessments, external auditors performing certification reviews, or market surveillance authorities conducting enforcement investigations—they ask for evidence. Can you prove your risk management system operates? Show me the audit trail. Can you demonstrate human oversight functions? Show me the approval records. Can you verify these records have not been altered? Show me the integrity proofs.
A comprehensive evidence pack typically includes: Annex IV technical documentation (the required documentation for high-risk systems), audit trails (chronological records of system operations, decisions, and human interactions), approval records (evidence of human oversight actions including approvals, rejections, escalations, and overrides), monitoring reports (performance metrics, drift detection results, and incident records), and integrity artifacts (manifests listing all included files with cryptographic checksums enabling verification).
The key distinction between compliance documentation and an evidence pack is verifiability. An evidence pack includes integrity verification mechanisms—manifests with cryptographic hashes, timestamps from trusted sources, append-only storage proofs—that allow auditors to independently confirm that evidence has not been modified after the fact.
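The manifest check described above, as an added example (not code from this page or from any product it describes): it hashes every file in a pack, then reports modified, missing and unexpected files, and separately detects a rewritten manifest by comparing it with a digest kept outside the pack. The function names, file layout and sample records are constructed for illustration, and the anchored digest stands in for whatever signature, trusted timestamp or append-only store holds it.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def manifest_digest(manifest):
    """Digest of the canonical manifest. This is the value to sign, timestamp
    or record in append-only storage outside the pack (assumed anchoring step)."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def verify_pack(root, manifest, anchored_digest):
    """Compare the pack on disk with its manifest; all-empty findings mean intact."""
    current = build_manifest(root)
    return {
        "manifest_altered": manifest_digest(manifest) != anchored_digest,
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }

def demo():
    """Constructed sample pack: seal it, then alter, delete and add records."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "approvals").mkdir()
        (root / "audit_trail.log").write_text("2025-01-01T00:00:00Z decision=allow\n")
        (root / "approvals" / "0001.json").write_text('{"reviewer": "alice", "action": "approve"}')
        (root / "monitoring.csv").write_text("week,drift\n1,0.02\n")
        manifest = build_manifest(root)
        anchor = manifest_digest(manifest)
        clean = verify_pack(root, manifest, anchor)
        (root / "approvals" / "0001.json").write_text('{"reviewer": "alice", "action": "reject"}')
        (root / "monitoring.csv").unlink()
        (root / "approvals" / "0002.json").write_text("{}")
        tampered = verify_pack(root, manifest, anchor)
        # A manifest regenerated to match the altered files no longer matches the anchor.
        forged = verify_pack(root, build_manifest(root), anchor)
        return clean, tampered, forged

if __name__ == "__main__":
    for result in demo():
        print(result)
```

A manifest stored only alongside the files it describes proves nothing on its own, because whoever can edit a record can also regenerate the hashes; the externally held digest is what makes the check independent.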
