What is AI conformity assessment?
AI regulation: concepts, institutions and standards
AI conformity assessment is a structured check, usually carried out before an AI system is placed on the market, put into service or approved for a sensitive use, to show that it meets specified legal or technical requirements. It is not just a model test. It combines scope setting, evidence gathering, review and attestation, and may rely on self-assessment, third-party certification, notified body review or regulatory approval, depending on the regime and the risk.
What this means
Conformity assessment answers a practical question: "what proof do we have that this AI system meets the rules that apply to it?" Those rules might come from legislation, sector regulation, procurement terms, common specifications or technical standards. The assessment then checks the system against those requirements and records the basis for the claim.
In AI, that usually means looking beyond model accuracy alone. Assessors may need to review technical documentation, testing records, data governance, human oversight measures, cybersecurity controls, logging, change management and the system's intended use.
It is also important to separate conformity assessment from nearby ideas. Risk management helps you identify and handle risk. Impact assessment helps you understand likely effects on people or society. Assurance is the broader practice of building confidence. Conformity assessment is the more formal mechanism that asks whether specified requirements have actually been met.
Why it matters
For organisations building, buying or deploying AI, conformity assessment affects launch timing, market access, procurement credibility and legal defensibility. If a regime requires proof before sale or use, leaving the evidence work until the end usually creates delay, rework and avoidable governance friction.
It also matters because AI systems are rarely static. They depend on data, operating context, human interaction and ongoing change. A conformity route forces an organisation to define what the system is, what it is supposed to do, what requirements apply, what evidence supports the claim, and what happens if the system changes later.
Done properly, conformity assessment becomes a practical coordination tool. Product, legal, engineering, security, quality, procurement and policy teams can work from one evidence spine instead of producing separate, inconsistent packets for regulators, customers and internal sign-off.
How it works
The rule, the object and the claim
Conformity assessment starts by fixing three things: the object being assessed, the requirements it must meet, and the claim to be made at the end. In AI, the object may be an AI system, a process around it, a service, a management system or a provider claim about the system. The requirements might come from statute, sector rules, procurement conditions, standards or common specifications. The final claim may be a declaration, certificate, approval or another recognised statement of conformity.
This scoping step matters because AI performance is highly context-dependent. A hiring tool, a medical device component and a synthetic media feature may all use similar underlying techniques but face very different requirements. Intended purpose, likely users, deployment setting, data sources, human oversight and change model all affect what has to be shown.
How evidence is gathered
Once the scope is clear, the assessment moves into evidence gathering. International conformity practice treats this as a mix of selection and determination activities. In plain language, that means deciding what needs to be checked and then carrying out the checks. For AI, common evidence includes technical documentation, records of testing and evaluation, data governance material, instructions for use, logging arrangements, security controls, human oversight measures, incident handling and change control.
The important point is that conformity assessment is not only a pass or fail benchmark on model performance. It often asks whether the wider sociotechnical system has been designed, documented and governed in a way that meets specified requirements. That is why voluntary frameworks such as the NIST AI RMF are useful to many teams. They do not themselves create legal compliance, but they help organisations structure governance, context mapping, measurement and risk handling in a form that can support a later conformity case.
Who carries it out
The assessor can be the supplier, the buyer, an independent third party or a regulator, depending on the scheme. Some regimes permit first-party self-assessment. Others require an independent conformity assessment body or a specially designated authority. The more sensitive the use, the more likely the route is to demand independence, competence and ongoing oversight.
This is also where common confusion starts. Certification is not the same thing as conformity assessment. Certification is one possible result of the process. A supplier's declaration can also be a valid attestation if the rules allow it. Equally, an audit is only one assessment technique. It can sit inside a conformity route, but it is not the whole mechanism.
How law and standards interact
Law usually sets the binding requirement. Standards translate that requirement into more repeatable criteria, methods and records. In some systems, following designated standards gives a presumption that the legal requirement has been met. In others, standards are useful evidence but nothing more. That distinction is commercially important.
For AI teams, this means a standard can be highly valuable without being legally decisive. Management system standards, impact assessment standards and testing frameworks can all strengthen an evidence pack. But a voluntary badge on its own does not automatically satisfy a statutory conformity route. If legislation names a specific procedure, body or document set, that route still controls.
What changes in AI-specific regulation
AI-specific rules widen the lens beyond classic product checks. They ask for evidence about data governance, transparency, human oversight, robustness, cybersecurity and the quality of the provider's management processes. They also have to deal with the fact that AI can change after first release.
A current EU example shows this clearly. Under the AI Act, most Annex III high-risk systems currently follow internal control, while certain biometric systems can require notified body involvement if harmonised standards or common specifications are not fully available, fully applied or free of restriction. The same law also lets the practical route evolve as the standardisation layer develops. Current Commission guidance says the first harmonised standards are expected in 2026, so the detailed evidence path is still becoming more concrete.
Sector regulators use similar logic even where there is no standalone AI law. In U.S. medical devices, for example, the FDA now recommends a Predetermined Change Control Plan for AI-enabled devices. The plan lets the regulator assess certain future modifications up front, so long as the manufacturer clearly documents the planned changes, the methods for developing and validating them, and the assessment of their impact.
Examples
Current EU example, high-risk biometrics. A provider planning to place an Annex III point 1 biometric system on the EU market begins by checking whether the relevant AI Act requirements can be demonstrated through the available harmonised standards or common specifications. If yes, the provider may be able to choose internal control or a notified body route. If those standards are missing, partly used or restricted, the provider must move to the notified body route, where the quality management system and technical documentation are examined externally and surveillance follows.
Sensitive deployment example. An organisation may run a structured AI system impact assessment under ISO/IEC 42005 before approving a high-stakes use. That exercise focuses on foreseeable effects on individuals, groups and society across the lifecycle. It is useful for board review, procurement and internal accountability, but it is still not the same thing as proving legal conformity, because it asks a different question.
Medical device example. A manufacturer of an AI-enabled medical device in the United States can include a Predetermined Change Control Plan in its FDA marketing submission. The filing sets out the planned modifications, the methodology for developing, validating and implementing them, and the assessment of their impact. If the FDA accepts the plan, the manufacturer does not need a fresh marketing submission for every change already covered by that approved PCCP.
Common misunderstandings
"Conformity assessment just means testing the model." No. Testing is only one technique inside a wider process that can also include documentation review, inspection, governance checks, attestation and surveillance.
"If we have a certificate, we are compliant everywhere." Not necessarily. A certificate only has the legal weight that the relevant regime gives it. Some laws require a specific body, route or declaration, and some certificates are only voluntary market signals.
"It is only an EU concept." No. The basic idea is older and broader than AI-specific law. It is embedded in international conformity practice and trade rules, even though the EU AI Act is one of the clearest current AI examples.
"It ends once the system launches." Usually not. Post-market monitoring, surveillance, incident handling and reassessment after substantial change are all part of the real governance picture.
"It is the same as AI assurance, impact assessment or audit." No. Those activities overlap, and they should share evidence, but they are not interchangeable and they do not answer the same governance question.
Risks and boundaries
Not every AI system is subject to a formal ex ante conformity route. Many uses are governed instead by sector law, procurement, consumer protection, data protection or voluntary standards. Leaders should not invent a legal gate where none exists, but they also should not assume that general good practice is enough where a statute requires a formal process.
A positive conformity result only speaks to the specified requirements and the quality of the evidence presented. If the scope is wrong, the documentation is weak or real-world use drifts away from the intended purpose, a passing assessment can still leave major governance problems in place.
Voluntary assurance, audits and management system certificates can be highly useful, but they are not automatically interchangeable with the legally prescribed route. This matters in public claims, buyer diligence and board reporting. "Certified" does not always mean "legally cleared".
There is also live uncertainty in regimes that depend on future technical standards. Current EU guidance says AI Act harmonised standards are still being developed and are expected to begin appearing in 2026. Until that layer is fully in place, providers should expect more judgement, less comparability and possible reliance on direct evidence against the legal text or on common specifications.
Finally, highly adaptive systems strain the idea of a one-time check. If you expect retraining, continuous learning or regular parameter updates, you need a clear policy for what counts as a planned change, what counts as a substantial modification and when reassessment is triggered.
What to do next
First, map every AI system your organisation builds, buys or deploys, and identify which of them may be subject to formal pre-use or pre-market checks.
Second, write down the exact claim you need to support. Do you need to show compliance with a law, a sector rule, a procurement term, a customer requirement or a voluntary standard? Different claims require different evidence.
Third, build one reusable evidence pack early. At minimum, capture intended purpose, system boundaries, testing records, data governance, human oversight, security controls, logging, incident processes and change control.
Fourth, decide early whether self-assessment is permitted or whether external review is likely. If an external body may be needed, treat that as a launch dependency, not as a final paperwork step.
Fifth, keep conformity assessment, assurance, audit and impact assessment distinct, but make them share documentation wherever possible. The best programmes do not duplicate evidence unless the regime truly demands it.
Finally, define what happens after release. Monitoring, update control and reassessment triggers should be agreed before the system goes live, not after the first incident or buyer query.
FAQs
Is AI conformity assessment the same as certification?
No. Certification is one possible attestation at the end of a conformity process. Some schemes rely on a supplier declaration, an approval, a registration or another formal statement instead.
Does every AI system need a conformity assessment?
No. A formal route is only required where law, sector rules, procurement conditions or a chosen scheme call for it. Many organisations still use voluntary assessment methods even where the law does not require them.
Can a company assess its own AI system?
Sometimes. Many frameworks allow first-party internal control. Others require independent third-party review or regulator involvement for certain categories of higher-risk systems.
What usually goes into the evidence file?
Typically the intended purpose, technical documentation, test and evaluation records, data governance material, human oversight arrangements, logging, security controls, incident handling and change control records.
How is conformity assessment different from an AI impact assessment?
Impact assessment asks how a system may affect people, groups or society. Conformity assessment asks whether specified requirements have been met. In sensitive uses, you may need both.
Do ISO/IEC 42001 or the NIST AI RMF prove legal compliance on their own?
No. They help organise governance and evidence, and they can strengthen a conformity case, but statutory compliance still depends on the legal regime that applies to the system.
When do you need to redo a conformity assessment?
Usually when the system changes in a way that could affect compliance, when its use context changes materially, or when the governing scheme requires surveillance, reassessment or renewed approval.
Who should own conformity assessment inside an organisation?
It should have clear executive ownership, but it cannot sit in one team alone. Product, engineering, legal, security, quality, procurement and policy teams usually all contribute pieces of the evidence and sign-off chain.
Sources
WTO Analytical Index, TBT Agreement, Annex 1 (World Trade Organization). The trade-law definition of "conformity assessment procedures" and the range of activities such procedures can include, such as testing, inspection, evaluation, verification, registration, accreditation and approval.
Conformity Assessment (International Organization for Standardization, ISO/CASCO). The broad international scope of conformity assessment, the role of specified requirements, and the fact that the object of assessment can be a product, process, service, system, claim, person or organisation.
Conformity assessment, Functional approach (International Organization for Standardization, ISO/CASCO). The reusable mechanics of conformity assessment, selection, determination, review and attestation, plus surveillance, and the distinction between declarations and certificates.
AI Risk Management Framework (National Institute of Standards and Technology). That the AI RMF is a voluntary framework for incorporating trustworthiness considerations into the design, development, use and evaluation of AI systems, and that it supports governance, mapping, measurement and management work rather than replacing legal assessment.
ISO/IEC 42005:2025 Information technology, Artificial intelligence, AI system impact assessment (International Organization for Standardization). The separate purpose of AI system impact assessment, namely identifying, evaluating and documenting effects on individuals, groups and society across the AI lifecycle.
Article 43, Conformity assessment (European Commission, AI Act Service Desk). The current EU AI Act route for high-risk AI systems, including when internal control is used, when notified body involvement is required, and when substantial modifications trigger a new assessment.
Understanding the standardisation of the AI Act (European Commission, Shaping Europe's digital future). How harmonised standards and presumption of conformity work under the AI Act, and the current status of AI Act harmonised standard development in 2026.
Marketing Submission Recommendations for a Predetermined Change Control Plan for Artificial Intelligence-Enabled Device Software Functions (U.S. Food and Drug Administration). A sector-specific example of ex ante AI assessment, where FDA reviews planned AI-enabled medical device modifications, validation methods and impact assessment within a premarket submission.
