Introduction
The EU AI Act requires companies using AI systems to document their governance practices. When selling to enterprise buyers, procurement teams will ask specific questions about your AI usage, risk classifications, and compliance approach.
This guide explains what buyers typically ask for and how to structure your Evidence Pack to provide complete, accurate answers.
What Procurement Teams Ask
Procurement teams evaluating AI vendors typically ask questions in these categories:
Common Question Categories
- AI Inventory: What AI systems do you use? How are they classified?
- Risk Assessment: How do you classify AI risk? What is your rationale?
- Data Handling: What data do your AI systems process? How is it protected?
- Governance: Who is responsible for AI governance? What controls are in place?
- Monitoring: How do you monitor AI systems? What metrics do you track?
- Compliance: How do you ensure compliance with EU AI Act requirements?
Structuring Your Evidence Pack
Your Evidence Pack should be organized to answer procurement questions directly. Each section should be clear, complete, and exportable.
Executive Summary
Start with an executive summary that provides a high-level overview of your AI governance approach. This helps procurement teams understand your overall strategy.
What to include: Overview of AI systems, governance structure, risk classification approach, and key highlights.
AI Systems Inventory
Provide a complete register of all AI systems. Include third-party tools and shadow usage. For each system, document:
- System name and purpose
- Type (third-party, internal, or both)
- Risk classification
- Data types processed
- Owner and accountability
Risk Classification Rationale
Document how you classify AI systems by risk level. Align classifications with EU AI Act categories:
- Prohibited AI systems
- High-risk AI systems
- Limited-risk AI systems
- Minimal-risk AI systems
For each classification, provide clear rationale explaining why the system falls into that category.
What to Export as Evidence
When responding to procurement questions, you should be able to export and share specific sections of your Evidence Pack:
Exportable Sections
- Complete Evidence Pack PDF: Full documentation for comprehensive reviews
- AI Systems Inventory: Standalone register for inventory questions
- Risk Classification Summary: Risk classifications with rationale
- Ownership Documentation: Accountability structures and sign-offs
- Monitoring Plan: Ongoing monitoring processes and metrics
Best Practices
Be Complete
Include all AI systems, including third-party tools and shadow usage. Incomplete inventories raise red flags with procurement teams.
Document Rationale
Don't just classify systems by risk level. Explain why each classification is appropriate. This demonstrates thoughtful governance.
Keep It Current
Update your Evidence Pack regularly. Stale documentation undermines trust. Maintain a change log showing updates.
Make It Exportable
Ensure your Evidence Pack can be exported as PDF and shared via link. Procurement teams need to review documentation easily.
Checklist
- ✓ Complete AI systems inventory including third-party tools
- ✓ Risk classifications with documented rationale
- ✓ Ownership and accountability structures
- ✓ Monitoring plan with review cadences
- ✓ Change log showing updates
- ✓ Exportable PDF format
- ✓ Shareable link for stakeholders
- ✓ Regular updates and maintenance