Regulation (EU) 2024/1689 (the EU AI Act), Annex IV - technical documentation.
This document lists PEAC surfaces that can be used as supporting evidence toward the Annex IV technical-documentation points §1(a) through §5 that a provider or deployer may reference when building their technical file. The scope is narrow: every row points at a concrete PEAC artifact (spec, fixture, test, package, or generated artifact) that may help evidence a given Annex IV requirement. Every row also states explicitly what PEAC does not do for that row.
This document is not a claim that PEAC satisfies Annex IV end-to-end. It is not a substitute for the provider or deployer technical documentation. It is a mapping that helps route an Annex IV checklist to the underlying PEAC artifacts where supporting evidence exists.
Applicability context: Regulation (EU) 2024/1689 entered into force on 1 August 2024 and applies from 2 August 2026, with exceptions under Article 113. This mapping is limited to PEAC artifacts that may support Annex IV technical documentation. It does not determine whether a system is high-risk and does not determine a provider's or deployer's obligations.
- Regulation: Regulation (EU) 2024/1689 (the EU AI Act).
- Annex: Annex IV (technical documentation required by Article 11).
- Section scope: Annex IV §1(a) through §5.
- Artifact scope: PEAC surfaces that a provider or deployer can reference as supporting artifacts in their technical file.
- Non-claim: PEAC does not perform provider classification, risk-category determination, conformity assessment, post-market monitoring, or any other Article- or Annex-level duty owed by a provider or deployer. PEAC provides portable signed interaction records and verification surfaces that a technical-documentation team can consume as evidence inputs.
- Annex IV §: Annex IV section reference and short requirement phrase.
- PEAC primitive: the PEAC concept that produces the supporting evidence.
- Artifact surface: concrete file, package, spec, fixture, or API endpoint under this repository. Every non-out-of-scope row MUST include at least one outward-facing stable artifact surface (one of
docs/,specs/,contracts/,surfaces/,packages/schema/openapi/, orREPO_SURFACE_STATUS.json); internalsrc/paths may appear only as secondary links. - Verification hint: concrete path, endpoint, fixture, or CI command an evaluator runs to verify the row.
- Coverage qualifier: one of
supports,can be used as evidence toward,provides primary artifact for,provides supporting artifact for,helps evidence,out-of-scope for PEAC. - Non-claim: explicit statement of what PEAC does not do for this row; one of
PEAC does not do X,operator-owned,requires upstream attestation,evidence only; not a conformance claim. - Cross-reference: related Annex IV sections, related PEAC trust artifacts, and related ISO 42001 mapping rows; markdown links in this column must resolve.
| Annex IV § | Requirement (short) | PEAC primitive | Artifact surface | Verification hint | Coverage qualifier | Non-claim | Cross-reference |
|---|---|---|---|---|---|---|---|
| 1(a) | General description of the AI system and intended purpose | Declared-purpose claim on every record; purpose pillar classification | docs/profiles/purpose.md, docs/specs/WIRE-0.2.md |
Issue a record with declared purpose; verify the purpose claim round-trips against the schema section of docs/specs/WIRE-0.2.md. |
provides supporting artifact for | operator-owned. The provider owns the general-description text; PEAC records the purpose declared on each observed interaction that the text refers to. | ISO 42001 Annex A A.9 |
| 1(b) | Versions of relevant software or firmware and any requirement related to version update | Stability contract per public surface, package version map, release history, published OpenAPI version header | docs/STABILITY-CONTRACT.md, docs/PACKAGE_STATUS.md, CHANGELOG.md, packages/schema/openapi/verify.yaml |
Inspect info.version in packages/schema/openapi/verify.yaml; cross-check against docs/PACKAGE_STATUS.md and CHANGELOG.md. |
supports | operator-owned. PEAC publishes its own versioning discipline; the provider owns their AI system's version documentation. | |
| 1(c) | Description of the hardware on which the AI system is intended to run | out-of-scope for PEAC | - | - | out-of-scope for PEAC | PEAC does not document hardware. | |
| 1(d) | Description of the product of which the AI system is a component | out-of-scope for PEAC | - | - | out-of-scope for PEAC | PEAC does not document product composition. | |
| 1(e) | Description of all forms in which the AI system is placed on the market or put into service | out-of-scope for PEAC | - | - | out-of-scope for PEAC | PEAC does not document distribution channels. | |
| 1(f) | Description of user interface | out-of-scope for PEAC | - | - | out-of-scope for PEAC | PEAC does not document user interfaces. | |
| 1(g) | Instructions for use and installation instructions | out-of-scope for PEAC | - | - | out-of-scope for PEAC | PEAC does not produce product instructions for third-party AI systems. | |
| 2(a) | Methods and steps performed for development of the AI system | Development-surface records; verification records across tool-call, API, MCP, A2A, commerce, and cross-runtime surfaces | docs/specs/EVIDENCE-CARRIER-CONTRACT.md, docs/compatibility/core-use-case-coverage.md |
Sample records from each covered surface in docs/compatibility/core-use-case-coverage.md; verify each against the carrier contract in docs/specs/EVIDENCE-CARRIER-CONTRACT.md. |
can be used as evidence toward | evidence only; not a conformance claim. PEAC can record the observed interactions during development; the provider owns the methodology description. | ISO 42001 Clause 8.1 |
| 2(b) | Design specifications including general logic of the AI system | out-of-scope for PEAC | - | - | out-of-scope for PEAC | PEAC does not document AI system internal design. | |
| 2(c) | Description of the system architecture explaining how software components build on each other | out-of-scope for PEAC | - | - | out-of-scope for PEAC | PEAC does not document third-party AI system architecture. | |
| 2(d) | Data sheets describing training methodologies and techniques | out-of-scope for PEAC | - | - | out-of-scope for PEAC | PEAC does not produce training-data documentation. | |
| 2(e) | Assessment of human oversight measures needed | Portable signed records that support human review; back-reference via receipt_ref to the exact observed record |
docs/specs/EVIDENCE-CARRIER-CONTRACT.md, docs/HOW-IT-WORKS.md |
Extract receipt_ref per docs/specs/EVIDENCE-CARRIER-CONTRACT.md; confirm back-reference resolves to the observed record. |
helps evidence | operator-owned. PEAC records enable reviewer back-reference to the observed interaction; the provider assesses and documents the oversight measures. | |
| 2(f) | Description of predetermined changes to the AI system and its performance | Stability contract deprecation schedule, deprecation policy | docs/STABILITY-CONTRACT.md, docs/DEPRECATION_POLICY.md |
Inspect the deprecation schedule in docs/DEPRECATION_POLICY.md; cross-check against docs/STABILITY-CONTRACT.md. |
supports | operator-owned. PEAC publishes its own change-control artifacts; the provider owns the AI system's predetermined-change documentation. | |
| 2(g) | Validation and testing procedures used | Conformance suite, requirement ID index, benchmark methodology, CI verification workflows | specs/conformance/, specs/conformance/requirement-ids.json, docs/BENCHMARK-METHODOLOGY.md |
Run the conformance suite under specs/conformance/; reproduce benchmarks per docs/BENCHMARK-METHODOLOGY.md. |
provides supporting artifact for | evidence only; not a conformance claim. PEAC publishes its own conformance and benchmark discipline; the provider owns the AI system's validation and testing procedures. | ISO 42001 Clause 9.1 |
| 2(h) | Cybersecurity measures | Threat model, security operations document, JOSE hardening, SSRF prevention, signing-key custody | docs/THREAT_MODEL.md, docs/SECURITY-OPERATIONS.md, docs/specs/SECURITY-CONSIDERATIONS.md, docs/KEY-CUSTODY-AND-TENANCY.md |
Review docs/THREAT_MODEL.md threat IDs and their linked test paths; verify per-threat coverage links resolve. |
provides supporting artifact for | operator-owned. PEAC publishes its own cybersecurity artifacts; the provider owns AI system cybersecurity documentation. | |
| 3 | Detailed description of the monitoring, functioning and control of the AI system | Offline-verifiable signed interaction records; reference verifier; verifier security model spec | docs/HOSTED_VERIFY_CONTRACT.md, docs/specs/VERIFIER-SECURITY-MODEL.md, surfaces/reference-verifier/ |
Run surfaces/reference-verifier/smoke.sh against the reference deployment. |
provides supporting artifact for | operator-owned. PEAC supplies the record and verification surfaces; the provider documents the AI system's monitoring and control. | |
| 4 | Description of appropriateness of the performance metrics | Benchmark methodology, published SLO baseline stamps | docs/BENCHMARK-METHODOLOGY.md, docs/SLO.md, specs/benchmarks/ |
Reproduce benchmarks per docs/BENCHMARK-METHODOLOGY.md; compare to baseline in specs/benchmarks/. |
helps evidence | operator-owned. PEAC publishes its own engineering metrics; the provider selects and justifies the AI system's metrics. | |
| 5 | Detailed description of the risk management system in accordance with Article 9 | out-of-scope for PEAC | - | - | out-of-scope for PEAC | PEAC does not implement a risk management system. The provider builds the risk-management system and may reference PEAC records as input evidence. | ISO 42001 Clause 6.1 |
- PEAC does not produce product-level documentation, user interfaces, or installation instructions for third-party AI systems.
- PEAC does not describe training methodology, training data, or AI-system internal design.
- PEAC does not perform risk-management activities.
- PEAC does not determine provider or deployer classification or risk category.
- PEAC does not perform conformity assessment, CE marking, or post-market monitoring.