April 1, 2026
Book Article
Title
Automating Lifecycle Compliance: A Continuous Assessment Framework for High-Risk and GPAI Obligations in the EU AI Act
Abstract
The EU AI Act specifies legal obligations for both providers of high-risk AI systems and providers of general-purpose AI (GPAI) models with systemic risk potential. Satisfying these obligations at scale requires an automated framework that can operationalize the Act’s key operational compliance clauses: risk management (Art. 9), technical documentation (Art. 11), quality management (Art. 17), conformity assessment (Art. 43), EU Declaration of Conformity (Art. 47), and post-market monitoring (Art. 72), as well as the capability monitoring and transparency duties for GPAI providers (Arts. 53 & 55). We introduce Continuous Auditing-Based Conformity Assessment (CABCA), a framework that translates legal requirements into actionable, machine-readable metrics and continuously updated conformity declarations. CABCA first uses a Scoping process to define a formal Conformity Specification, which is then translated into a machine-readable Operationalization Specification containing quality dimensions, traceable risks, measurable controls, and automated evaluation pipelines. These components collectively support the assessment of both system-level risks in high-risk domains and model-level risks from GPAI deployment.
Once configured, the CABCA pipeline (i) gathers operational and behavioral data, (ii) evaluates capability and risk thresholds against declared objectives, and (iii) produces a continuously valid declaration of conformity or model compliance statement.
By integrating system-level conformity obligations and GPAI-specific oversight requirements into a single, continuous workflow, CABCA provides a scalable path to bring high-risk AI systems and GPAI models into compliance and keep them compliant throughout the model lifecycle.