Is a pre-deployment checklist legally required under the EU AI Act?

The EU AI Act does not prescribe a specific checklist format, but Articles 9, 11, 16, and 17 collectively require systematic verification of compliance before market placement. A checklist is the standard operational method for demonstrating this verification.

How far in advance should pre-deployment checks begin?

Allow at least 6 to 12 weeks before planned deployment for high-risk systems. Documentation gaps and failed technical tests frequently require remediation time that cannot be compressed without quality compromises.

Who should own the pre-deployment checklist process?

The AI governance function or quality management team should own the process. Individual checklist items are completed by subject matter experts, but centralized tracking ensures nothing is missed.

Should the checklist differ for updates versus new deployments?

Yes. Substantial modifications to an AI system require re-evaluation under Article 43, but the scope may be narrower than an initial assessment. The checklist should include a change impact analysis to determine which items require re-verification.

What evidence should be retained from the pre-deployment process?

Retain the completed checklist, all test results, sign-off records, identified issues and their resolutions, and version information for the system being deployed. This evidence supports conformity assessment and regulatory inspections.

Quick answer

A pre-deployment AI checklist is a structured verification protocol covering regulatory compliance, technical validation, documentation completeness, risk mitigation, and human oversight readiness that must be completed before an AI system enters production.

Updated June 2026 · MmowW AI Compliance

Pre-Deployment AI Checklist: Final Verification Before Going Live

Why Pre-Deployment Verification Matters

Deploying an AI system without structured final checks exposes organizations to regulatory penalties, operational failures, and harm to affected individuals. The EU AI Act (Regulation 2024/1689) Article 9 mandates that risk management systems operate throughout the AI lifecycle, and Article 16(a) explicitly requires providers to ensure compliance before placing systems on the market. A pre-deployment checklist is the operational instrument that satisfies these obligations.

Unlike traditional software deployments, AI systems carry unique risks: model drift, training data bias, opacity of decision-making, and potential for discriminatory outcomes. Each of these requires specific verification steps that standard software QA does not cover.

Regulatory Compliance Verification

Before deployment, confirm the system's regulatory classification and ensure all applicable requirements are met.

Confirm risk classification under the EU AI Act (prohibited, high-risk, limited risk, or minimal risk) per Article 6 and Annex III
Verify conformity assessment completion per Article 43 (self-assessment or notified body review)
Ensure CE marking readiness for systems entering the EU market per Article 48
Confirm registration in the EU AI database per Article 49
Verify GDPR compliance for systems processing personal data, including Data Protection Impact Assessment per GDPR Article 35
Check sector-specific requirements (e.g., MDR 2017/745 for medical devices, MiFID II for financial AI)

Technical Validation Checklist

Category	Check Item	Standard/Reference
Performance	Accuracy metrics meet documented thresholds	EU AI Act Art. 15; ISO/IEC 22989
Robustness	Adversarial testing completed	EU AI Act Art. 15(4); NIST AI RMF
Bias	Fairness metrics across protected groups	EU AI Act Art. 10(2)(f); ISO/IEC TR 24027
Data quality	Training/validation/test data documented	EU AI Act Art. 10; ISO/IEC 5259
Security	Vulnerability assessment completed	EU AI Act Art. 15(5); ISO/IEC 27001
Logging	Automatic event logging operational	EU AI Act Art. 12

Documentation Completeness

Article 11 of the EU AI Act requires technical documentation to be drawn up before the system is placed on the market. Verify the following documents exist and are current.

Technical documentation per Annex IV (system description, design specifications, development methodology, data governance measures)
Instructions for use per Article 13 (capabilities, limitations, intended purpose, human oversight measures)
Risk management documentation per Article 9 (identified risks, mitigation measures, residual risk assessment)
Quality management system documentation per Article 17
Data governance records including training data provenance, preprocessing steps, and labeling methodology

Human Oversight Readiness

Article 14 requires that high-risk AI systems be designed to allow effective human oversight. Before deployment, verify that oversight mechanisms are operational, not merely designed.

Human-in-the-loop or human-on-the-loop controls tested with actual operators
Override and shutdown mechanisms functional and documented
Operators trained on system capabilities, limitations, and override procedures
Escalation pathways defined and tested
Automation bias mitigation measures in place

Operational Readiness

Monitoring Infrastructure

Confirm that post-market monitoring systems per Article 72 are operational before deployment, not after. This includes performance monitoring dashboards, drift detection alerts, incident reporting channels, and feedback collection mechanisms.

Incident Response

Verify that the incident response plan specifically addresses AI-related scenarios: unexpected outputs, bias detection in production, data pipeline failures, and adversarial attacks. Article 62 requires serious incident reporting to national authorities within defined timescales.

Stakeholder Sign-Off Protocol

Pre-deployment sign-off should involve multiple organizational functions.

Role	Verification Responsibility
AI/ML Engineering	Technical performance and robustness
Legal/Compliance	Regulatory classification and documentation
Data Protection Officer	GDPR compliance and DPIA completion
Risk Management	Residual risk acceptance
Business Owner	Intended purpose alignment and operational readiness
Quality Management	QMS integration and audit trail completeness

Common Pre-Deployment Failures

Organizations frequently deploy AI systems with incomplete bias testing, undocumented model limitations, untrained operators, or missing incident response procedures. Each of these represents a compliance gap under the EU AI Act. The checklist approach forces systematic verification rather than relying on individual judgment about readiness.

Maintain a versioned checklist that evolves with regulatory changes and organizational learning from prior deployments. Each completed checklist becomes part of the conformity assessment record.

Check your AI compliance readiness — free.

Take the Readiness Check 3 minutes · 10 questions · no signup required

This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.