Scope
Annex IV lists the required documentation: general description, detailed design, monitoring and functioning, risk management, lifecycle changes, standards applied, EU declaration of conformity, post-market monitoring plan.
What Auditors Look For
Traceability from requirements to implementation to testing. Evidence that risk assessment happened iteratively. Proof of human oversight design. Records of incidents and responses. Version-controlled history.
Tooling
Most orgs use a mix: compliance management platform (OneTrust, TrustArc), in-house documentation in Confluence/Notion, audit trail from MLOps (W&B, MLflow), source control for code and configs.
Start-Now Advice
Don’t wait for the August deadline. Documentation is easier to capture as the system is built than to reconstruct afterwards. If a system is in scope and undocumented, put a compliance engineer on it this quarter, not next.