Use: complete at the concept/requirements stage of the AI System Life Cycle Process, before significant build. Owner: product owner with CTO + General Counsel. Frameworks: ISO/IEC 42001 A.6.2.2; EU AI Act Annex IV (high-risk technical documentation).
Replace every {{var}} placeholder. For a high-risk (Annex III) system this document seeds the EU AI Act Annex IV technical file maintained in the AI Model Registry.
1. Purpose & scope
- System / feature name: {{feature_name}}
- Intended purpose: {{intended_purpose}}
- Intended users & deployment context: {{intended_users}}
- Out-of-scope / prohibited uses: {{out_of_scope_uses}}
2. Classification & obligations
- EU AI Act tier + Annex III high-risk screen: {{eu_ai_act_tier}} (mandatory)
- Applicable AI laws: {{applicable_ai_laws}} — see the Legal & Regulatory Register
- Provider vs deployer role: {{provider_deployer_role}}
3. Functional requirements
- Inputs: {{inputs}}
- Outputs: {{outputs}}
- Performance targets: {{performance_targets}}
- Human oversight requirement: {{human_oversight_requirement}}
4. Data requirements (A.7)
- Training/fine-tune data: {{training_data}} (or “inference-only; see upstream model card”)
- Data quality & representativeness: {{data_quality}}
- Deidentification requirement: {{deidentification_requirement}}
5. Non-functional & risk requirements
- Robustness / safety: {{robustness_safety}}
- Security: {{security_requirement}}
- Privacy: {{privacy_requirement}}
- Transparency: {{transparency_requirement}}
- Accessibility / fairness constraints: {{accessibility_fairness}}
6. Acceptance criteria
- Validation gates (link the planned AI System Evaluation): {{validation_gates}}
- Bias-audit requirement (high-risk): {{bias_audit_requirement}}
7. Approvals
- Requirements approved by: {{approved_by}} — {{approval_date}}
- DPIA/FRIA triggered: {{dpia_triggered}}
Variables
| Variable | Description |
|---|---|
{{feature_name}} | System / feature name |
{{intended_purpose}} | Intended purpose (the specific task and outcome) |
{{intended_users}} | Intended users and deployment context (who uses it, where, for what decision) |
{{out_of_scope_uses}} | Out-of-scope / prohibited uses |
{{eu_ai_act_tier}} | EU AI Act tier + Annex III high-risk screen result and rationale |
{{applicable_ai_laws}} | Applicable AI laws (NYC LL144 / state AI / Colorado AI Act / SB 942 / SB 1001 / etc.) |
{{provider_deployer_role}} | Provider vs deployer role |
{{inputs}} | Inputs (data categories, sources, format) |
{{outputs}} | Outputs (predictions / rankings / generated content; format) |
{{performance_targets}} | Performance targets (accuracy / task metrics + thresholds) |
{{human_oversight_requirement}} | Where a human must review/override |
{{training_data}} | Training/fine-tune data (dataset card link; provenance; licensing) |
{{data_quality}} | Data quality and representativeness (requirements; bias-examination plan) |
{{deidentification_requirement}} | Deidentification Standard stage / parameters |
{{robustness_safety}} | Robustness / safety (edge cases, failure handling) |
{{security_requirement}} | Security requirement (per Secure Development Policy; threat model) |
{{privacy_requirement}} | Privacy requirement (minimization; DPIA/FRIA trigger) |
{{transparency_requirement}} | AI-interaction / AI-content disclosure requirements |
{{accessibility_fairness}} | Accessibility / fairness constraints |
{{validation_gates}} | Criteria that must pass before deployment |
{{bias_audit_requirement}} | Whether an independent audit is required before AEDT deployment (Y/N) |
{{approved_by}} | Requirements approver(s) — product owner / AI review group |
{{approval_date}} | Date of approval |
{{dpia_triggered}} | Whether DPIA/FRIA is triggered (Y/N; link) |