AI Record-Keeping for SMEs — What to Keep, How Long, and Why

The complete guide to EU AI Act record-keeping obligations for small and medium enterprises: 12 essential records, exact retention periods, a 6-step setup process, and SME proportionality rules — reviewed by a certified Gyoseishoshi who has published 100+ compliance books across 14 countries.

Quick Summary: Under the EU AI Act, every organization using AI must keep records — but the scope depends on your risk level. SMEs benefit from proportionality rules that allow simplified formats. This guide covers the 12 records you need, how long to keep each one, and a practical 6-step process to set up your system. Estimated setup time: 1–2 days for a typical SME.

Why SMEs Must Keep AI Records

Record-keeping is not optional under the EU AI Act. Articles 11, 12, 18, and 26 establish specific documentation obligations for both AI providers and deployers. Even if your organization only uses ChatGPT for drafting emails, Article 4 requires documented AI literacy measures.

Three reasons why record-keeping matters for SMEs:

1. Legal obligation. The EU AI Act imposes record-keeping requirements that apply regardless of company size. While the obligations scale with risk level, no organization is fully exempt. Deployers of high-risk AI must maintain operational logs for at least 6 months (Article 26(6)). Providers must retain technical documentation for 10 years (Article 18).

2. Audit readiness. National authorities can request your records at any time. If you cannot produce them, supplying incorrect, incomplete or misleading information to an authority carries a fine of up to EUR 7.5 million or 1% of global annual turnover (Article 99(5)); for SMEs the cap is whichever of those two figures is lower (Article 99(6)), for larger companies whichever is higher. Having records organized before an audit request arrives is far less expensive than scrambling afterward.

3. Trust building. Organized records demonstrate to clients, partners, and regulators that your AI use is deliberate and governed. For SMEs competing against larger organizations, compliance records can be a differentiator rather than a burden.

Obligation | Article | Applies to | Applies from
AI literacy documentation | Art. 4 | All providers and deployers | 2 Feb 2025
Transparency records | Art. 50 | Providers and deployers of chatbots, emotion-recognition systems and synthetic content (deepfakes, AI-generated text) | 2 Aug 2026
Technical documentation | Art. 11 | Providers of high-risk AI | 2 Aug 2026 for Annex III systems; 2 Aug 2027 for Annex I product-embedded systems (Art. 6(1))
Operational logs | Art. 26(6) | Deployers of high-risk AI | 2 Aug 2026 for Annex III systems; 2 Aug 2027 for Annex I systems
Incident reporting | Art. 73 | Providers of high-risk AI (deployers must inform the provider and the market surveillance authority, Art. 26(5)) | Same dates as the other high-risk obligations

The 12 Records Every SME Should Keep

We have organized the essential AI records into four categories. Not every SME will need all 12 — your obligations depend on whether you are a provider or deployer, and the risk level of your AI systems.

Category A — Legally Required Records
Records mandated by the EU AI Act

1. AI System Register. A complete inventory of every AI system your organization uses or provides. Include vendor name, purpose, data inputs and outputs, risk classification, and deployment date. This is the foundation of all other records. The Act itself mandates registration in the EU database only for high-risk systems (Art. 49, providers and public-authority deployers), but you cannot complete that registration, or classify anything, without an internal inventory first. (Art. 49)

2. Technical Documentation. For providers of high-risk AI: the documentation elements specified in Annex IV, including a general description of the system, design specifications, training data details, testing and validation results, performance metrics, and the risk management and post-market monitoring arrangements. Must be retained for 10 years from the date the system is placed on the market or put into service. (Art. 11, Art. 18, Annex IV)

3. Operational Logs. Automatically generated logs from high-risk AI systems, maintained by deployers for at least 6 months to the extent the logs are under their control. Include timestamps, inputs, outputs, and any human override decisions. Recommended retention: 3 years for audit trail continuity. (Art. 12, Art. 26(6))

4. Incident Reports. Documentation of any serious incident involving a high-risk AI system. Providers must report to the market surveillance authority of the Member State where the incident occurred immediately after establishing a causal link (or its reasonable likelihood) and in any event within 15 days of becoming aware of it; the deadline shortens to 2 days for a widespread infringement or an incident affecting critical infrastructure, and to 10 days where a person has died (Art. 73). Deployers inform the provider and the authority (Art. 26(5)). Include system identification, incident description, corrective measures, and impact assessment. The Act sets no evidence retention period; retain evidence for at least 5 years after investigation completion. (Art. 73)

Category B — Governance Records
Decisions, policies, and risk assessments

5. AI Use Policy. Your organization’s rules for acceptable AI use, prohibited uses, data handling, human oversight requirements, and transparency commitments. Review annually. Recommended retention: 5 years from supersession.

6. Risk Assessments. Documented evaluation of each AI system’s potential impact on safety, rights, and operations. For high-risk AI, a Fundamental Rights Impact Assessment (FRIA) under Article 27 is additionally required of deployers that are public bodies or private entities providing public services, and of deployers of the credit-scoring and life/health insurance risk-assessment systems listed in Annex III point 5(b) and (c). Retain for the operational period plus 3 years. (Art. 9, Art. 27)

7. Governance Decisions. Records of all decisions to adopt, modify, suspend, or discontinue an AI system. Include decision rationale, risk considerations, approval authority, and effective dates. Recommended retention: 5 years.

Category C — People Records
Training, oversight, and accountability

8. AI Literacy Training Records. Documentation that staff have received AI literacy training appropriate to their role: who was trained, content covered, dates, and competency assessment results. Article 4 requires the literacy measures but sets no retention period; retain for the employment duration plus 2 years as a recommended practice. (Art. 4)

9. Human Oversight Records. For high-risk AI: documentation of who is designated to oversee the AI system, their qualifications, authority to override, and any override actions taken. (Art. 14, Art. 26)

Category D — Monitoring and Audit Records
Ongoing compliance evidence

10. Internal Audit Records. Results of periodic compliance reviews, covering record completeness, policy adherence, and system performance. Document findings, recommendations, and corrective actions. Recommended retention: 5 years.

11. Post-Market Monitoring Data. For providers: ongoing collection of performance data, user feedback, and incident patterns after deployment. Required under Article 72 for high-risk AI. (Art. 72)

12. Data Governance Records. Documentation of data quality measures, data sources, preprocessing steps, and bias testing applied to training and operational data. Also supports the GDPR Article 30 records of processing obligation. (Art. 10)

6 Steps to Set Up Your AI Record-Keeping System

Follow these steps to build a practical, proportionate record-keeping system. Each step includes specific guidance for SMEs.

Step 1: Inventory Your AI Systems

Start by listing every AI tool your organization uses. This includes obvious systems like ChatGPT, Microsoft Copilot, or industry-specific AI, but also embedded AI in existing software (email spam filters, CRM lead scoring, accounting anomaly detection).

For each system, document the vendor, primary purpose, which teams use it, what data it processes, and when it was deployed.

SME Practical Tip
A spreadsheet works perfectly for most SMEs. Create columns for: System Name, Vendor, Purpose, Data Types, Users, Risk Level, and Deployment Date. Most SMEs discover 5–15 AI systems when they do a thorough inventory.
Estimated time: 2–4 hours
Step 2: Classify Each System by Risk Level

Map each AI system to the EU AI Act risk categories. This determines which of the 12 records you must keep for that system.

Risk Level | Examples | Required Records
High-risk (Annex III) | HR recruitment screening, credit scoring, safety components of critical infrastructure | All 12 (records 2, 11 and 12 fall on the provider; a deployer keeps the rest)
Limited-risk (Art. 50) | Chatbots, AI-generated content, deepfakes | Records 1, 5, 6, 7, 8, 10
Minimal-risk | Spam filters, spell-check, recommendation engines | Records 1, 5, 8
Key Question
Does the AI system make or assist decisions that significantly affect individuals’ rights, safety, or access to services? If yes, it is likely high-risk under Annex III.
Estimated time: 1–2 hours
Step 3: Create Record Templates for Each Category

Standardized templates ensure consistency and reduce the effort of ongoing record-keeping. Create one template per record type, pre-populated with your organization’s details.

Focus first on the records required for your highest-risk systems. For minimal-risk AI, a simple inventory entry plus training log is sufficient.

SME Simplification
You do not need separate software. A shared folder structure with template documents works for most SMEs. The AI Office is expected to release official templates — until then, use the record template outline in this guide.
Estimated time: 3–4 hours
Step 4: Assign Record Owners and Access Controls

Every record category needs an owner — someone responsible for keeping it current, complete, and accessible. For SMEs, one compliance coordinator can own multiple categories.

Apply least privilege: grant read access to the record owner, the AI governance lead, and, when needed, external auditors and regulators; give write access only to the record owner; and make sure the storage keeps an access log so you can show who read or changed a record and when.

SME Practical Tip
In a company with fewer than 50 employees, the compliance coordinator, data protection officer, and AI governance lead are often the same person. This is acceptable under the proportionality principle, provided the combined duties create no conflict of interest for the DPO role (GDPR Article 38(6)).
Estimated time: 1–2 hours
Step 5: Set Retention Periods and Secure Storage

Apply the legally mandated retention periods from the table below. For records without a specific legal requirement, apply the recommended periods based on audit best practices.

Store records in a secure, backed-up location. Make tampering detectable rather than merely discouraged: keep critical documents in version control or on write-once storage, and record a cryptographic hash of each file in a manifest at the time it is filed, so that a later change, deletion, or back-dated addition can be identified during review.

Storage Requirements
Records must be: accessible within a reasonable time upon regulatory request, protected against unauthorized access and modification, backed up regularly, and stored in a format that remains readable over the retention period.
Estimated time: 1–2 hours
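The following script is an added example of the tamper-evident storage described in this step; it is not part of this guide and not ClearAI code. It keeps a hash-chained, append-only manifest next to a records folder: each entry commits to the file's SHA-256 digest, its record type, a retention anchor date, and the digest of the previous entry, so a changed, deleted, or reordered record breaks verification. The file names, the record-type labels, and the mapping of retention periods to whole years are assumptions for illustration; the periods themselves follow the table in this guide.

```python
import hashlib
import json
import os
import tempfile
from datetime import date

# Retention periods by record type, in years from the anchor date stored with
# each entry (assumed mapping that follows the guide's retention table).
RETENTION_YEARS = {
    "technical_documentation": 10,  # Art. 18: 10 years from placing on the market
    "operational_log": 3,           # Art. 26(6) floor is 6 months; guide recommends 3 years
    "incident_report": 5,           # guide: investigation completion + 5 years
    "training_record": 2,           # guide: end of employment + 2 years
}
GENESIS = "0" * 64  # prev_hash of the first manifest entry

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def entry_digest(entry):
    # Canonical JSON so the digest does not depend on key order or whitespace.
    raw = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def load_manifest(manifest_path):
    if not os.path.exists(manifest_path):
        return []
    with open(manifest_path) as f:
        return [json.loads(line) for line in f if line.strip()]

def append_record(manifest_path, file_path, record_type, anchor_date):
    """Append one file to the manifest, chained to the previous entry."""
    entries = load_manifest(manifest_path)
    entry = {
        "seq": len(entries),
        "file": os.path.basename(file_path),
        "sha256": sha256_file(file_path),
        "record_type": record_type,
        "anchor_date": anchor_date.isoformat(),
        "prev_hash": entries[-1]["entry_hash"] if entries else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)
    with open(manifest_path, "a") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry

def verify_manifest(manifest_path, folder):
    """Return a list of problems; an empty list means chain and files are intact."""
    problems = []
    prev = GENESIS
    for entry in load_manifest(manifest_path):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry_digest(body) != entry["entry_hash"]:
            problems.append(f"seq {entry['seq']}: entry hash mismatch (manifest edited)")
        if entry["prev_hash"] != prev:
            problems.append(f"seq {entry['seq']}: chain broken (entry removed or reordered)")
        path = os.path.join(folder, entry["file"])
        if not os.path.exists(path):
            problems.append(f"seq {entry['seq']}: {entry['file']} missing")
        elif sha256_file(path) != entry["sha256"]:
            problems.append(f"seq {entry['seq']}: {entry['file']} content changed")
        prev = entry["entry_hash"]
    return problems

def add_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February in a non-leap target year
        return d.replace(year=d.year + years, day=28)

def retention_expiry(entry):
    """Earliest date the record may be disposed of under the assumed periods."""
    anchor = date.fromisoformat(entry["anchor_date"])
    return add_years(anchor, RETENTION_YEARS[entry["record_type"]])

def demo():
    """Constructed folder with two records; the log is silently edited afterwards."""
    folder = tempfile.mkdtemp()
    manifest = os.path.join(folder, "manifest.jsonl")
    log = os.path.join(folder, "2025-09-screening-logs.csv")
    with open(log, "w") as f:  # constructed sample log lines
        f.write("ts,input_id,decision,override\n2025-09-01T08:00Z,c-1,reject,none\n")
    doc = os.path.join(folder, "annex-iv-techdoc-v1.pdf")
    with open(doc, "wb") as f:
        f.write(b"%PDF-1.4 constructed placeholder\n")
    append_record(manifest, log, "operational_log", date(2025, 9, 30))
    append_record(manifest, doc, "technical_documentation", date(2025, 6, 1))
    clean = verify_manifest(manifest, folder)
    with open(log, "a") as f:  # a back-dated edit to the log after archiving
        f.write("2025-09-02T09:00Z,c-2,accept,none\n")
    tampered = verify_manifest(manifest, folder)
    expiries = [retention_expiry(e).isoformat() for e in load_manifest(manifest)]
    return clean, tampered, expiries

if __name__ == "__main__":
    print(demo())
```

The manifest only proves that the folder matches what was filed; anyone who can rewrite the manifest can rewrite the chain. Keep the manifest (or at least its latest entry hash) in a location the record owner cannot modify, such as a version-control history or a write-once backup, and run the verification as part of the monthly review.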
Step 6: Schedule Reviews and Updates

Record-keeping is not a one-time task. Establish review cycles to keep your records current and complete:

  • Monthly: Verify operational logs are being collected for high-risk systems
  • Quarterly: Review AI system inventory for new or retired systems
  • Annually: Update risk assessments, governance policies, and training programs
  • Immediately: After any incident, regulatory change, or significant system modification
Important
Document every review — including reviews that find no changes needed. The review itself is a compliance record that demonstrates ongoing diligence.
Estimated time: ongoing, 30–60 minutes per review cycle
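For the monthly check that operational logs are actually being collected, the following Python script is an added example (not from this guide or from ClearAI). It reads a slice of the AI system register, lists the monthly archive files in the Operational Logs folder, reports every month since deployment for which a high-risk system has no archive, and computes the earliest date each archive may be disposed of under the six-month floor of Article 26(6). The register rows, the archive file names, and the naming convention YYYY-MM-<system>-logs.<ext> are constructed assumptions.

```python
import re
from datetime import date

# Constructed slice of the AI system register (step 1) with risk levels (step 2).
REGISTER = [
    {"system": "screening", "risk": "high", "deployed": date(2025, 3, 15)},
    {"system": "credit", "risk": "high", "deployed": date(2025, 7, 1)},
    {"system": "spamfilter", "risk": "minimal", "deployed": date(2022, 1, 1)},
]

# Constructed listing of the Operational Logs folder; May and August 2025 are
# missing for the screening system.
ARCHIVES = [
    "2025-03-screening-logs.csv", "2025-04-screening-logs.csv",
    "2025-06-screening-logs.csv", "2025-07-screening-logs.csv",
    "2025-07-credit-logs.csv", "2025-08-credit-logs.csv",
    "notes.txt",  # ignored: does not match the archive naming convention
]

# Assumed naming convention for monthly archives: YYYY-MM-<system>-logs.<ext>
ARCHIVE_RE = re.compile(r"^(\d{4})-(\d{2})-([a-z0-9]+)-logs\.\w+$")
LOG_RETENTION_FLOOR_MONTHS = 6  # Art. 26(6): logs kept for at least six months

def months_between(start, end):
    """Inclusive list of (year, month) from start's month to end's month."""
    y, m = start.year, start.month
    out = []
    while (y, m) <= (end.year, end.month):
        out.append((y, m))
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)
    return out

def archived_months(archives):
    """Map system name -> set of (year, month) that have an archive file."""
    found = {}
    for name in archives:
        match = ARCHIVE_RE.match(name)
        if match:
            year, month, system = match.groups()
            found.setdefault(system, set()).add((int(year), int(month)))
    return found

def missing_log_months(register, archives, as_of):
    """{system: [missing (year, month), ...]} for high-risk systems only.
    The current month's archive is not yet due, so it is excluded."""
    found = archived_months(archives)
    gaps = {}
    for row in register:
        if row["risk"] != "high":
            continue
        expected = months_between(row["deployed"], as_of)[:-1]
        have = found.get(row["system"], set())
        gaps[row["system"]] = [ym for ym in expected if ym not in have]
    return gaps

def retain_until(year, month):
    """First day on which the archive for (year, month) may be disposed of:
    six months after the end of the archived month."""
    total = year * 12 + (month - 1) + LOG_RETENTION_FLOOR_MONTHS + 1
    y, m = divmod(total, 12)
    return date(y, m + 1, 1)

def monthly_review(as_of=date(2025, 9, 10)):
    """The review record for one cycle: coverage gaps plus retention dates."""
    gaps = missing_log_months(REGISTER, ARCHIVES, as_of)
    retention = {}
    for name in ARCHIVES:
        match = ARCHIVE_RE.match(name)
        if match:
            year, month = int(match.group(1)), int(match.group(2))
            retention[name] = retain_until(year, month).isoformat()
    return {"as_of": as_of.isoformat(), "gaps": gaps, "retain_until": retention}

if __name__ == "__main__":
    import json
    print(json.dumps(monthly_review(), indent=2))
```

Save the returned dictionary as the review record for the cycle (the guide's "Important" note above applies: a run that finds no gaps is still evidence). A gap for a high-risk system is a finding to escalate, not a line to fix quietly, because the missing month cannot be recreated later.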

Record Retention Template

Use this template as a starting point for your record-keeping folder structure. Adapt it to your organization’s size and AI risk profile.

SME AI Record-Keeping Folder Structure
1. AI System Register
Master inventory spreadsheet. Update quarterly.
2. Risk Assessments
One file per AI system. Include FRIA if applicable. Update annually.
3. Policies and Governance
AI use policy, governance decisions log, and review records.
4. Training Records
AI literacy training log with dates, attendees, content, and assessment results.
5. Operational Logs
Automated logs from high-risk AI systems. Monthly archives.
6. Incident Reports
One file per incident. Include timeline, response, and resolution.
7. Vendor Assessments
Due diligence records for each AI vendor. Update at contract renewal.
8. Audit Trail
Internal audit reports, findings, and corrective actions.
9. Data Governance
Data sources, quality measures, and GDPR processing records.
10. Monitoring Reports
Post-deployment performance data and user feedback summaries.

Record Retention Periods at a Glance

# | Record Type | Minimum Period (set by the Act) | Recommended | Legal Basis
1 | Technical documentation (high-risk) | 10 years from placing on the market | 10 years | Art. 18
2 | Operational logs (high-risk deployer) | 6 months | 3 years | Art. 26(6)
3 | AI literacy training records | None stated | Employment + 2 years | Art. 4
4 | Risk assessments / FRIA | None stated | Operational period + 3 years | Art. 9, Art. 27
5 | Incident reports and evidence | None stated | Investigation + 5 years | Art. 73
6 | Governance decisions | None stated | 5 years | Best practice
7 | AI use policy | None stated | 5 years from supersession | Best practice
8 | Internal audit records | None stated | 5 years | Best practice
9 | Post-market monitoring data | Operational period (plan is part of the technical documentation, so 10 years for that) | Operational period + 2 years | Art. 72, Art. 18
10 | Data governance records | None stated | Processing period + 3 years | Art. 10, GDPR Art. 30
11 | Vendor assessments | None stated | Contract period + 3 years | Best practice
12 | Human oversight records | None stated | Operational period + 3 years | Art. 14

SME Proportionality — What You Can Simplify

The EU AI Act explicitly recognizes that SMEs should not bear the same compliance burden as large corporations. Recital 141 establishes the proportionality principle, and several provisions offer practical relief:

Simplified formats. You do not need enterprise compliance software. A well-organized folder structure with standardized templates satisfies the documentation requirements. The AI Office plans to release official SME-friendly templates.

Consolidated roles. In larger organizations, the compliance coordinator, data protection officer, and AI governance lead are separate roles. For SMEs with fewer than 50 employees, one qualified person can hold all three responsibilities, provided the other duties do not create a conflict of interest for the DPO (GDPR Article 38(6)). Document this appointment clearly.

Risk-based focus. You are not required to apply the same level of detail to every AI system. Focus your most detailed record-keeping on your highest-risk AI systems. Minimal-risk AI (spam filters, spell-check, basic recommendations) requires only an inventory entry and training records.

Reduced fees. Notified bodies must take the needs of SMEs into account and reduce conformity assessment fees proportionately (Article 62(3)).

Regulatory sandboxes. Article 62(1)(a) requires Member States to give SMEs with a registered office or branch in the Union priority access to AI regulatory sandboxes, where you can test AI systems and develop compliance practices with regulatory guidance before full enforcement.

Cost guidance for SMEs: Initial setup typically costs EUR 5,000–25,000, with annual maintenance of EUR 3,000–15,000. These figures include staff time, templates, and basic tools. They do not include external consultancy or enterprise software, which most SMEs do not need. Using a compliance OS like ClearAI can reduce these costs significantly through automation.

Penalties for Inadequate Record-Keeping

The EU AI Act establishes tiered penalties based on the severity of the violation. Record-keeping failures typically fall under the second and third tiers:

EUR 35M / 7% (Article 99(3))
Violations of prohibited AI practices (Article 5). Not directly related to record-keeping, but a complete absence of governance records could indicate prohibited use.
EUR 15M / 3% (Article 99(4))
Failure to comply with provider obligations (Article 16), deployer obligations (Article 26), or transparency obligations (Article 50), including maintaining operational logs, conducting risk assessments, and ensuring human oversight; all of these require records.
EUR 7.5M / 1% (Article 99(5))
Providing incorrect, incomplete, or misleading information to notified bodies or national authorities. This directly penalizes poor record-keeping: if your records are missing or inaccurate when regulators ask for them, the answer you give is incomplete.

For SMEs, Article 99(6) caps each fine at the lower of the fixed amount and the turnover percentage (for larger companies it is the higher of the two). The figures above are maximums, not minimums: a company with EUR 10 million turnover faces a cap of 1% of turnover, EUR 100,000, under Article 99(5), not EUR 7.5 million. Even at the lower cap, a fine plus the cost of forced remediation is material for a small business, and authorities also weigh cooperation and the measures taken to mitigate harm when setting the amount (Article 99(7)).

Frequently Asked Questions

What records must SMEs keep under the EU AI Act?
SMEs must keep records proportionate to their AI use. At minimum: an AI system inventory, risk assessments for each system, AI literacy training records (Article 4), operational logs for high-risk systems (minimum 6 months per Article 26), incident reports, and governance decisions. For high-risk AI, technical documentation per Annex IV must be retained for 10 years (Article 18).
How long must AI records be kept?
Retention periods vary by record type: technical documentation for high-risk AI must be kept for 10 years from market placing (Article 18). Operational logs require a minimum of 6 months (Article 26(6)), though 3 years is recommended. Training records should be kept for the employment period plus 2 years. Incident and audit records are recommended for 5 years.
Do the record-keeping rules apply to SMEs that only use ChatGPT?
Yes. Even if you only use general-purpose AI like ChatGPT, Article 4 requires you to document AI literacy training. Article 50 may require transparency records if AI-generated content reaches your customers. However, as a deployer of a minimal-risk system, your record-keeping burden is significantly lighter than for high-risk AI providers.
What is the penalty for not keeping proper AI records?
Failure to comply with deployer or provider obligations, which include the records described here, can result in fines up to EUR 15 million or 3% of global annual turnover (Article 99(4)). Providing incorrect, incomplete or misleading information to authorities carries fines up to EUR 7.5 million or 1% of turnover (Article 99(5)). For SMEs the cap is whichever of the two figures is lower (Article 99(6)); for larger companies it is whichever is higher. Non-compliance is still costly.
Can SMEs use simplified record-keeping formats?
Yes. Recital 141 of the EU AI Act explicitly permits proportionate implementation. SMEs can use simplified templates, focus on their highest-risk AI systems first, and consolidate records where practical. The AI Office is expected to release official SME-friendly templates. ISO 42001 also supports proportionate implementation based on organizational size.
What is a Fundamental Rights Impact Assessment (FRIA)?
A FRIA (Article 27) is required before first use of a high-risk AI system by deployers that are bodies governed by public law or private entities providing public services, and by deployers of the credit-scoring and life/health insurance risk-assessment systems in Annex III point 5(b) and (c). It assesses how the AI system may affect fundamental rights such as non-discrimination, privacy, and freedom of expression. The assessment must be documented, updated when relevant factors change, and its results notified to the market surveillance authority; public-authority deployers additionally register their use of the system in the EU database (Article 49).
How quickly must AI incidents be reported?
Providers must report serious incidents involving high-risk AI to the market surveillance authority of the Member State where the incident occurred immediately after establishing a causal link (or its reasonable likelihood) and in any event within 15 days of becoming aware of the incident (Article 73(2)); the deadline is 2 days for a widespread infringement or an incident affecting critical infrastructure, and 10 days where a person has died. Deployers must inform the provider and the authority (Article 26(5)). The report must include the AI system identification, nature of the incident, corrective measures taken, and impact assessment. The Act sets no evidence retention period; this guide recommends preserving all evidence for at least 5 years after investigation completion.
Do I need to keep records of AI training for employees?
Yes. Article 4 requires organizations to ensure staff have sufficient AI literacy. You should document: who received training, what was covered, when it occurred, and how competency was assessed. These records demonstrate compliance if audited and should be retained for the duration of employment plus 2 years.
What is the difference between provider and deployer record obligations?
Providers (who develop or place AI on the market) have extensive obligations including full technical documentation per Annex IV, quality management systems, and conformity assessments. Deployers (who use AI systems) have lighter obligations: maintaining operational logs, conducting risk assessments, ensuring human oversight, and keeping training records. Most SMEs are deployers.
How can ClearAI Trust OS help with AI record-keeping?
ClearAI Trust OS automates the daily compliance cycle: AI literacy checks, risk monitoring, evidence collection, and trust score tracking. It maintains your compliance records automatically, generates audit-ready reports, and alerts you when records need updating — so you spend minutes per day instead of hours per week on record-keeping.

Are you AI Act ready?

Take our free 3-minute assessment to find out where your organization stands.


A NOTE FROM THE AUTHOR

“I spent more than 20 years reviewing regulatory compliance at the Hiroshima Prefectural Government. The biggest mistake I see businesses make is assuming compliance starts with paperwork. It starts with daily habits. Build the habit first, and the paperwork follows.”

— Takayuki Sawai, Gyoseishoshi (行政書士)

Start Your AI Compliance Records Today

This guide shows what records to keep. ClearAI Trust OS keeps them automatically: daily checks, evidence collection, and audit-ready reports — built for SMEs who need compliance without a compliance department.

$19/month after free period. No credit card required.