EU AI Act
Last updated: Dec 15, 2025 · 8 min
GPAI + foundation model obligations (orientation)
Provider vs deployer considerations, what to ask vendors for, and what evidence to keep.
Orientation only. Not legal advice.
Who this matters for
Teams building on, providing, or deploying general-purpose AI models.
What you’ll leave with
A due diligence and evidence checklist you can use immediately.
Provider vs deployer (fast)
- Providers focus on documentation, transparency, and model-level controls.
- Deployers focus on vendor due diligence, safe integration, and operational evidence.
- If you fine-tune, package, or rebrand a model, your role may shift—document your reasoning.
What to request from vendors
- Model card and intended use/limitations
- Change logs and versioning policy
- Evaluation results relevant to your domain
- Guidance for disclosures and safe integration
- Audit/log export capabilities and retention guarantees
Evidence you keep
- Vendor documentation snapshots (time-stamped)
- Integration design notes + policy gate definitions
- Monitoring outcomes (sampling, near-misses, incidents)
- Override/approval records for high-stakes actions
Next step: artifacts
Compliance work gets funded when the output is forwardable. Use the starter templates to convert obligations into controls and evidence.
