# EU AI Act SME Governance Checklist

Use this as an operating checklist before legal review. It is not legal advice.

## AI Inventory

| System | Vendor/owner | Purpose | Users | Data | Output use | Risk rating |
| --- | --- | --- | --- | --- | --- | --- |
| | | | Internal / customer / public | Public / internal / confidential / restricted | Draft / recommendation / action / decision | Low / limited / possible high-risk |

## Role Classification

- Buyer of an AI tool: procurement only. Once the tool is in use inside the business, the business is a deployer.
- Deployer: uses an AI system under its own authority inside the business.
- Provider: develops an AI system (or has it developed) and places it on the market or puts it into service under its own name. A deployer that puts its own name or trademark on a high-risk system, or substantially modifies one, takes on provider obligations.
- Unsure: escalate to legal/security before use.

## Minimum Controls

- Named owner: one accountable person per inventory entry.
- Approved use boundary: what the system may be used for, and what it must not be used for.
- Data rule: which data classes from the inventory (public, internal, confidential, restricted) may be entered, and which may not.
- Human oversight rule: which output classes (recommendation, action, decision) a named person must review before they take effect.
- Disclosure rule: when people are told they are interacting with an AI system or receiving AI-generated content.
- Logging and recordkeeping rule: what is logged, where, for how long, and who can read it.
- Vendor evidence collected: the items under Vendor Evidence, filed against the inventory entry.
- Stop condition documented: the events (incident, vendor change, scope change, regulatory trigger) that pause use, and who is authorized to call the stop.

## High-Risk Escalation Triggers

Escalate before launch if the use case touches:

- Employment or worker management.
- Education or vocational training.
- Credit, insurance, or access to essential services.
- Healthcare or medical triage.
- Law enforcement, migration, asylum, or border control.
- Critical infrastructure.
- Biometrics, emotion recognition, or sensitive categorization. Some of these uses (emotion recognition in workplaces or education, biometric categorization that infers protected attributes) are prohibited practices rather than high-risk, so treat them as a stop, not an escalation.
- Decisions that materially affect individuals' rights, opportunities, or access to services.

## Vendor Evidence

- Training opt-out or data-use terms: whether your inputs and outputs are used to train the vendor's models, and how to opt out.
- Data processing location: where data is stored and processed, including any transfers outside the EU.
- Retention controls: how long prompts, outputs, and logs are kept, and whether you can shorten or delete them.
- Subprocessor list: who else handles the data, and how you are told when the list changes.
- Security documentation: certifications, audit reports, or a security whitepaper covering the service you are buying.
- Admin controls and audit logs: the ability to restrict users and features, and to export logs of who used what.
- AI Act/GDPR documentation: the vendor's own classification of the system, technical documentation, and data processing terms.
- Change notification process: how and when the vendor tells you about model, feature, or terms changes that could alter your risk rating.

## Review Cadence

- Inventory review owner:
- Review frequency:
- Last review:
- Open risks:
- Next action:
