AI Compliance Checklist: 7 Categories, CLI Commands, and Risk Levels

Use this checklist to assess your AI system's compliance posture across the key regulatory frameworks that affect AI teams in 2025–2026.

Each item links to the SpanForge feature or guide that addresses it.


How to use this checklist

  • Green — you have documented, auditable evidence
  • Yellow — you have a practice in place but no audit trail
  • Red — you have no coverage; this is a risk

The goal is not just doing these things—it's being able to prove you did them. Regulators don't accept "we have a process." They require signed, timestamped records.


1. Training Data Governance

(EU AI Act Article 10 · GDPR Article 5)

  • Dataset provenance documented (source, version, collection date, license)
  • PII scan completed and results recorded
  • PII redacted or excluded before training
  • Preprocessing steps logged with input/output hashes
  • Bias assessment completed and documented
  • Dataset validation report generated and signed
  • Data minimization principle applied and documented

Automated by:

spanforge validate --dataset data.jsonl --pii-check --bias-check
spanforge redact --dataset data.jsonl --output data.clean.jsonl
spanforge audit export --standard eu-ai-act-art10

Full Article 10 guide →


2. Audit Trail

(EU AI Act Article 12 · SOC 2 CC7 · GDPR Article 22)

  • Every inference logged with input hash, output hash, model version
  • Every policy decision logged with rule reference
  • Audit log is tamper-evident (signed/chained)
  • Audit log is timestamped with UTC anchoring
  • Audit log can be exported for regulator review
  • Alert routing configured for policy violations
  • Human-in-the-loop review paths are logged

Automated by:

from spanforge import sf_observe

# `prompt` and `model` are assumed to be defined by the calling application.
with sf_observe.trace("inference") as trace:
    trace.log_input(prompt)                   # record the input for this inference
    result = model.predict(prompt)
    trace.log_output(result)                  # record the model's output
    trace.log_policy("content-policy-v2")     # reference the policy rule applied

What is an AI audit trail? →
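The tamper-evident, UTC-timestamped, hash-based log the checklist above asks for can be built from standard-library primitives. The following is an added example written for this page, not SpanForge code: each record stores only input/output hashes plus the model and policy references, links back to the previous record's hash (the chain), and carries an HMAC over its own hash (the signature). The key, event names and sample payloads are constructed; a real deployment would keep the signing key in a KMS/HSM and would likely prefer an asymmetric signature so a regulator can verify without the secret.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed key for the example only; keep the real one in a KMS/HSM and rotate it.
AUDIT_KEY = b"example-audit-signing-key-do-not-use"


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def canonical(record: dict) -> str:
    # Deterministic serialisation so every verifier recomputes the same hash.
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


class AuditLog:
    """Append-only log: each record commits to the previous record's hash
    (the chain) and carries an HMAC over its own hash (the signature)."""

    GENESIS = "0" * 64

    def __init__(self, key: bytes):
        self._key = key
        self.records = []

    def _head(self) -> str:
        return self.records[-1]["record_hash"] if self.records else self.GENESIS

    def append(self, event, payload, model_version, policy_ref=None, ts=None):
        body = {
            "seq": len(self.records),
            "ts": (ts or datetime.now(timezone.utc)).isoformat(timespec="seconds"),
            "event": event,
            "model_version": model_version,
            "policy_ref": policy_ref,
            # Hashes only: the audit log must not turn into a second PII store.
            "input_hash": sha256_hex(payload.get("input", "")),
            "output_hash": sha256_hex(payload.get("output", "")),
            "prev_hash": self._head(),
        }
        body["record_hash"] = sha256_hex(canonical(body))
        body["sig"] = hmac.new(self._key, body["record_hash"].encode(),
                               hashlib.sha256).hexdigest()
        self.records.append(body)
        return body


def verify_chain(records, key):
    """Return (ok, index of the first bad record or -1). Checks the back-link,
    recomputes each record hash, then checks the HMAC, in that order."""
    prev = AuditLog.GENESIS
    for i, rec in enumerate(records):
        unsigned = {k: v for k, v in rec.items() if k not in ("record_hash", "sig")}
        if rec.get("prev_hash") != prev:
            return False, i          # a record was removed or reordered
        if sha256_hex(canonical(unsigned)) != rec.get("record_hash"):
            return False, i          # a field was edited after the fact
        expected = hmac.new(key, rec["record_hash"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("sig", "")):
            return False, i          # re-hashed without the key, or forged
        prev = rec["record_hash"]
    return True, -1


def demo():
    """Build a three-record log, then show that editing or deleting a record is detected."""
    log = AuditLog(AUDIT_KEY)
    log.append("inference", {"input": "Am I eligible for a loan?", "output": "Yes, subject to review"},
               "credit-model-1.4.2", "content-policy-v2")
    log.append("policy_decision", {"input": "Yes, subject to review", "output": "ALLOW"},
               "credit-model-1.4.2", "content-policy-v2#rule-3")
    log.append("human_review", {"input": "case-0001", "output": "approved"},
               "credit-model-1.4.2")
    intact = verify_chain(log.records, AUDIT_KEY)

    edited = json.loads(json.dumps(log.records))     # deep copy, then tamper
    edited[0]["model_version"] = "credit-model-1.4.1"
    deleted = json.loads(json.dumps(log.records))
    del deleted[1]
    return {
        "intact": intact,
        "edited": verify_chain(edited, AUDIT_KEY),
        "deleted": verify_chain(deleted, AUDIT_KEY),
        "wrong_key": verify_chain(log.records, b"other-key"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The three checks in `verify_chain` map onto the three failure modes an auditor cares about: a removed or reordered record breaks the back-link, an edited field breaks the record hash, and a record re-hashed by someone without the key breaks the HMAC. Exporting `records` as JSON lines gives the regulator-reviewable export the checklist calls for, and the verifier can be run by anyone holding the key.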


3. PII in Production

(GDPR · CCPA · EU AI Act Article 10)

  • PII detection running on live inputs
  • PII redaction applied before model sees data
  • PII redaction applied to model outputs before returning to users
  • Redaction events logged with field, type, and confidence
  • Data subject deletion requests supported (right to erasure)
  • Cross-border transfer restrictions respected

Automated by:

spanforge validate --realtime --pii-check

Detect PII in training data →
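Sections 1 and 3 both require PII to be detected and redacted (before training and before the model sees live input) and every redaction to be logged with field, type and confidence. The block below is an added example, not SpanForge's detector: it runs regex detectors over each string field of a JSONL dataset, uses a Luhn check to score card-number candidates, skips low-confidence matches, and emits one redaction event per hit. The sample records, the pattern set and the confidence values are constructed for illustration; a production scanner would add NER and locale-specific validators.

```python
import json
import re

# Illustrative detector set (constructed). Order matters: earlier redactions
# remove digits that a later, looser pattern could otherwise re-match.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[ -]?\d{3}-\d{4}\b"),
    "card": re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates real card numbers from other 13-16 digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def confidence(kind: str, match: str) -> float:
    # Constructed scores: a structural check (Luhn) raises confidence,
    # a bare digit pattern gets a low score.
    if kind == "card":
        return 0.95 if luhn_ok(re.sub(r"\D", "", match)) else 0.40
    return {"email": 0.90, "ssn": 0.85, "phone": 0.60}[kind]


def redact_record(record: dict, min_confidence: float = 0.5):
    """Redact PII in every string field; return (clean_record, events)."""
    events, clean = [], {}
    for field, value in record.items():
        if not isinstance(value, str):
            clean[field] = value
            continue
        text = value
        for kind, pat in PATTERNS.items():
            def _sub(m, kind=kind, field=field):
                conf = confidence(kind, m.group(0))
                if conf < min_confidence:
                    return m.group(0)          # below threshold: leave as-is
                # Log the event, never the matched value itself.
                events.append({"field": field, "type": kind, "confidence": conf})
                return f"[{kind.upper()}_REDACTED]"
            text = pat.sub(_sub, text)
        clean[field] = text
    return clean, events


def redact_jsonl(text: str, min_confidence: float = 0.5):
    """Redact a JSONL dataset line by line; return (clean_jsonl, redaction_events)."""
    clean_lines, all_events = [], []
    for n, line in enumerate(text.splitlines()):
        if not line.strip():
            continue
        rec, events = redact_record(json.loads(line), min_confidence)
        for e in events:
            e["record"] = n
        clean_lines.append(json.dumps(rec))
        all_events.extend(events)
    return "\n".join(clean_lines), all_events


# Constructed sample dataset; the last record holds a 16-digit order reference
# that fails Luhn and must survive redaction.
SAMPLE_JSONL = """\
{"id": 1, "prompt": "Contact jane.doe@example.com or (555) 123-4567 for details", "label": "support"}
{"id": 2, "prompt": "My SSN is 123-45-6789 and my card is 4111 1111 1111 1111", "label": "billing"}
{"id": 3, "prompt": "Order ref 1234 5678 9012 3456 shipped yesterday", "label": "shipping"}
"""

if __name__ == "__main__":
    clean, events = redact_jsonl(SAMPLE_JSONL)
    print(clean)
    print(json.dumps(events, indent=2))
```

The event list is what belongs in the audit trail: it proves which fields were redacted, of which type and at what confidence, without copying the PII into the log. The same `redact_record` function can sit in front of a live inference call (section 3) and in the training-data pipeline (section 1).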


4. Compliance Evidence Chain

(EU AI Act Article 11 · ISO 42001 · SOC 2)

  • Compliance Evidence Certificate (CEC) generated for each release
  • CEC is cryptographically signed and verifiable
  • CEC references all upstream scan results and audit records
  • CEC export format suitable for regulator submission
  • CECs retained for minimum required period (EU AI Act: 10 years for high-risk)

Automated by:

spanforge cec generate --version 1.4.2 --output evidence.pdf
spanforge cec verify --file evidence.pdf

What is a Compliance Evidence Chain? →
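A Compliance Evidence Certificate has to be signed, verifiable, and bound to the upstream scan results and audit records it vouches for. The block below is an added example of that structure, written for this page and not SpanForge's CEC format: the certificate lists each evidence artifact by content hash, is signed over its canonical form, and verification fails if either the certificate or any referenced artifact has changed. The schema name, artifact contents and key are constructed; an HMAC stands in for the asymmetric signature a real certificate would carry so that a regulator can verify with a public key.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed key for the example; a real CEC would be signed with a private key
# held in a KMS/HSM and verified with the matching public key.
SIGNING_KEY = b"example-cec-signing-key-do-not-use"


def artifact_digest(content: bytes) -> str:
    return "sha256:" + hashlib.sha256(content).hexdigest()


def canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def generate_cec(release_version, artifacts, key, issued_at=None):
    """artifacts: mapping of evidence name -> bytes (scan reports, audit export, model card)."""
    cert = {
        "schema": "cec/v1-example",            # constructed schema name
        "release": release_version,
        "issued_at": (issued_at or datetime.now(timezone.utc)).isoformat(timespec="seconds"),
        "evidence": {name: artifact_digest(blob) for name, blob in sorted(artifacts.items())},
    }
    cert["signature"] = hmac.new(key, canonical(cert), hashlib.sha256).hexdigest()
    return cert


def verify_cec(cert, artifacts, key):
    """Return (ok, reason). Checks the signature first, then every referenced artifact."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cert.get("signature", "")):
        return False, "signature mismatch"
    for name, digest in cert["evidence"].items():
        if name not in artifacts:
            return False, f"missing evidence: {name}"
        if artifact_digest(artifacts[name]) != digest:
            return False, f"evidence changed: {name}"
    return True, "ok"


# Constructed upstream evidence for the demo.
ARTIFACTS = {
    "dataset-validation.json": b'{"dataset":"data.jsonl","pii_findings":0,"bias_check":"pass"}',
    "audit-export.jsonl": b'{"seq":0,"event":"inference"}\n{"seq":1,"event":"policy_decision"}\n',
    "model-card.md": b"# credit-model 1.4.2\nIntended use: loan pre-screening\n",
}


def demo():
    cert = generate_cec("1.4.2", ARTIFACTS, SIGNING_KEY)
    ok, _ = verify_cec(cert, ARTIFACTS, SIGNING_KEY)

    # A validation report quietly replaced after signing: the hash no longer matches.
    swapped = dict(ARTIFACTS)
    swapped["dataset-validation.json"] = b'{"dataset":"data.jsonl","pii_findings":12,"bias_check":"pass"}'
    swapped_result = verify_cec(cert, swapped, SIGNING_KEY)

    # The certificate itself edited to claim a different release: signature fails.
    forged = dict(cert, release="1.4.3")
    forged_result = verify_cec(forged, ARTIFACTS, SIGNING_KEY)

    return {"valid": ok, "swapped": swapped_result, "forged": forged_result}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because the certificate carries only digests, it can be retained for the full retention period and submitted to a regulator without shipping the artifacts themselves; whoever later produces the artifacts must produce byte-identical ones, which is the "evidence chain" property.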


5. Runtime Governance

(EU AI Act Article 9 · ISO 42001 · NIST AI RMF)

  • Policy rules defined and version-controlled
  • Policy enforcement running at inference time
  • Policy violations create alerts and logs
  • Gate pipeline blocks non-compliant outputs before delivery
  • Governance contracts enforced across teams and environments
  • Replay and simulation tested before policy changes

Automated by:

spanforge gate --policy content-policy-v2 --env production

Runtime governance guide →


6. Model Documentation

(EU AI Act Article 11 · FDA AI/ML Action Plan)

  • Model card exists with intended use, performance, limitations
  • Training data described (type, source, size, demographics)
  • Evaluation results documented with benchmark dataset
  • Known failure modes documented
  • Update and retrain procedures documented
  • Post-market monitoring plan in place

7. Incident Response

(EU AI Act Article 73 · GDPR Article 33)

  • Process for detecting AI-caused incidents
  • Escalation path defined and documented
  • GDPR 72-hour breach notification process in place
  • Serious incident reporting to EU AI Office (for high-risk systems)
  • Audit trail sufficient to reconstruct incidents

Risk level by AI Act classification

System type                      Risk level         Key obligations
General-purpose (non-deployed)   Minimal            None mandatory
Recommendation systems           Minimal–Limited    Transparency
CV screening, credit scoring     High               Full Article 10 + 12
Biometric identification         High               Restricted + Article 10 + 12
Medical diagnosis assistance     High               Full Article 10 + 12
Prohibited use cases             Unacceptable       Banned

Get your compliance score

pip install spanforge

spanforge compliance check --all

SpanForge will assess your current setup against this checklist and generate a gap report.



Run your compliance check

pip install spanforge

# Assess your current compliance posture
spanforge compliance check --all

# Fix the highest-risk gaps
spanforge validate --dataset data.jsonl --pii-check --bias-check
spanforge audit export --standard eu-ai-act --format pdf

What you get: a gap report scored across all 7 categories (training data, audit trail, PII, CEC, runtime governance, model documentation, and incident response), with specific CLI commands to close each gap.

Start with training data compliance →
CLI reference →
30-second quickstart →
