AI governance evidence for DPOs and AI governance officers

The EU AI Act's Article 9 requires a documented risk management system for high-risk AI: identify foreseeable risks, evaluate and mitigate them, test before deployment, and monitor after. Each step requires a record. Without a structured tool, DPOs are producing these records manually — in Word documents, spreadsheets, and email threads.

ISO/IEC 42001's clauses 6 and 8 require per-system risk assessment, control planning, impact assessment, and operational records. The standard does not prescribe a specific format — but an auditor will expect a structured, versioned document for each AI system in scope.

For every AI system assessed through Drel, the output maps directly to regulatory evidence requirements:

• Risk register (ISO 42001 clause 6.1.2, EU AI Act Article 9). AI-specific risks identified for the system — not generic, but specific to the architecture, tools, and data flows you described.
• Control plan (ISO 42001 clause 6.1.3). Required controls mapped from the risk register, with implementation status and evidence links.
• Technical documentation support (EU AI Act Article 11). The structured intake captures system description, design specifications, data flows, and tool definitions in a format that supports Article 11 requirements.
• Clearance decision (ISO 42001 clause 8). The operational record with disposition, conditions, and re-assessment triggers that defines when the system must be reviewed again.
• Sign-off record. Who reviewed, when, on what version, with what conditions — the governance trail your auditor will ask to see.

If your organisation uses a General-Purpose AI model (GPT-4, Claude, Gemini) as the base of an application, your deployer obligations under Article 9 apply to the application — not just the model provider. Drel reviews the application layer: the integration code, retrieval pipeline, tool surface, and deployment context that you own and are responsible for.

The EU AI Act requires maintaining an inventory of AI systems and re-assessing them when they change. Drel's dashboard gives you portfolio-level visibility across all assessed systems, with named re-assessment triggers that fire when a model changes, a new tool is added, or a scope expansion occurs.

You can see which systems have open re-assessment triggers, which clearances are conditional, and which have blockers that must be resolved before the system is cleared for the next lifecycle gate — all from a single view.