Can authorities access AI source code during an inspection?

Yes. Article 74(4) grants market surveillance authorities access to source code where necessary for assessing compliance. Providers can request confidentiality protections, but cannot refuse access on trade secret grounds alone.

How much notice do authorities give before an AI inspection?

Notice periods vary by jurisdiction and inspection type. Routine inspections typically provide 2-4 weeks notice. Inspections triggered by serious incidents or complaints may occur with minimal or no advance notice.

What penalties can result from an AI inspection?

Penalties range from corrective action orders to market withdrawal and fines up to EUR 35 million or 7% of global turnover for the most serious violations under Article 99 of the EU AI Act.

Should we proactively engage with regulators before an inspection?

Proactive engagement through regulatory sandbox participation, voluntary consultations, and industry dialogues builds a constructive relationship and demonstrates good faith. It does not prevent inspections but may influence their scope and tone.

How should multinational companies prepare when multiple authorities might inspect?

Maintain a centralized compliance record set that satisfies the strictest applicable requirements. Designate jurisdiction-specific contacts. The EU AI Act's market surveillance coordination mechanism (Art. 74) means authorities may share information across borders.

Quick answer

Regulatory authorities inspecting AI systems focus on conformity documentation, risk management evidence, incident records, data governance practices, and human oversight implementation. Under the EU AI Act Articles 74-76, market surveillance authorities have broad powers including system access, document requests, and corrective action orders.

Updated June 2026 · MmowW AI Compliance

Regulatory Inspection Preparation for AI: What Authorities Look For

Authority Powers Under the EU AI Act

Articles 74 through 76 of the EU AI Act grant market surveillance authorities extensive inspection powers for AI systems. Understanding these powers is essential for preparation.

Access to the AI system, including its source code, documentation, training data, and logs (Art. 74(4))
Request for technical documentation, test results, and conformity assessment records
Power to require demonstrations of the AI system's functioning
Authority to interview relevant personnel
Power to order corrective actions, withdrawal from the market, or recall (Art. 76)
Ability to impose administrative fines up to EUR 35 million or 7% of global turnover (Art. 99)

Common Inspection Triggers

Trigger	Likelihood	Preparation Priority
Serious incident report (Art. 62)	High	Immediate readiness required
Complaint from affected person	High	Immediate readiness required
Routine market surveillance program	Medium	Ongoing readiness
Sector-wide thematic review	Medium	Ongoing readiness
Media coverage or public concern	Low-Medium	Rapid response capability
Cross-border referral from another authority	Low	Ongoing readiness

What Authorities Examine

1. Conformity Assessment Records

Inspectors verify that conformity assessment was completed before market placement and that documentation per Annex IV is complete and current. Common deficiency: assessments completed but not updated after system modifications.

2. Risk Management System

Authorities examine the risk management process per Article 9 for completeness (all reasonably foreseeable risks identified), effectiveness (mitigation measures demonstrably reduce risk), and currency (updated based on operational experience and post-market monitoring data).

3. Data Governance

Article 10 compliance is assessed through examination of training data documentation, bias assessment records, data quality measures, and data protection safeguards. Inspectors may request evidence of data provenance and preprocessing methodology.

4. Human Oversight Implementation

Authorities verify that Article 14 human oversight measures are not merely designed but actually operational. This includes operator training records, override logs, and escalation decision documentation.

5. Incident History

All serious incidents and the organization's response are reviewed. Inspectors assess whether incidents were reported within required timescales (Art. 62), root causes were investigated, and corrective actions were implemented effectively.

Documentation Readiness Checklist

Technical documentation per Annex IV, current and version-controlled
Conformity assessment records including any notified body certificates
EU Declaration of Conformity per Article 47
Risk management records per Article 9
Quality management system documentation per Article 17
Post-market monitoring plan and records per Article 72
Incident reports and corrective action records
Automatic log records per Article 12
Operator training records
Data governance documentation per Article 10

Response Protocol

Upon Receiving an Inspection Notice

Notify legal counsel and the AI governance lead immediately
Assemble the inspection response team
Gather all documentation listed in the inspection notice
Brief relevant personnel on their roles and the scope of the inspection
Prepare a secure workspace for inspectors with access controls

During the Inspection

Cooperate fully with inspectors while protecting legitimate confidentiality interests. Article 78 permits providers to identify confidential business information and trade secrets, but this does not override the authority's right to access information needed for its assessment. Designate a single point of contact to coordinate all information requests.

Post-Inspection Actions

If the authority issues findings, respond within the prescribed timeframe. Develop a corrective action plan that addresses root causes rather than symptoms. Document all corrective actions and their verification. Failing to address inspection findings can escalate to formal enforcement proceedings under Article 76.

Check your AI compliance readiness — free.

Take the Readiness Check 3 minutes · 10 questions · no signup required

This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.