Annex IV technical documentation
Generate the full Annex IV technical file — nine sections, mapped 1:1 to the EU AI Act requirements, derived from the cryptographic evidence Aira already holds.
Annex IV of Regulation (EU) 2024/1689 lists the contents of the "technical documentation" that every provider of a high-risk AI system must prepare and keep up to date (referenced by Article 11). It's longer and broader than the Article 12 event log — it describes the system itself: how it's built, how it's monitored, and how the provider asserts conformity.
Aira generates the Annex IV file from the same audit data used for Article 12 and Article 9, plus registered agents, policies, signing keys, behavioral baselines, drift alerts, and settlement commitments.
Generate
from aira import Aira, FRAMEWORK_ANNEX_IV
client = Aira(api_key="aira_live_...")
report = client.create_compliance_report(
framework=FRAMEWORK_ANNEX_IV,
period_start="2026-01-01T00:00:00Z",
period_end="2026-12-31T23:59:59Z",
)
pdf = client.download_compliance_report(report.id)
open("annex-iv.pdf", "wb").write(pdf)import { Aira, FRAMEWORK_ANNEX_IV } from "aira-sdk";
const aira = new Aira({ apiKey: "aira_live_..." });
const report = await aira.createComplianceReport({
framework: FRAMEWORK_ANNEX_IV,
periodStart: "2026-01-01T00:00:00Z",
periodEnd: "2026-12-31T23:59:59Z",
});
const pdf = await aira.downloadComplianceReport(report.id);curl -X POST https://api.airaproof.com/api/v1/compliance/reports \
-H "Authorization: Bearer $AIRA_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"framework": "eu_ai_act_annex_iv",
"period_start": "2026-01-01T00:00:00Z",
"period_end": "2026-12-31T23:59:59Z"
}'Generation runs inline — the PDF is ready by the time the POST returns. The report id is also returned; hand it to the download endpoint to stream the PDF bytes. Same rate limits, signing, and content-hash headers as every other compliance report.
Section map — where each Annex IV sub-section comes from
| Section | Annex IV requirement | Aira source |
|---|---|---|
| 1. General description | Provider, intended purpose, registered AI systems | Organization + RegisteredAgent rows + observed agents during the period |
| 2. Elements and development | Architecture, data requirements, human oversight | Static description + Policy catalogue (mode, decision, approvers) |
| 3. Capabilities & limitations | Performance metrics, foreseeable unintended outcomes | Period counters: AgentAction + PolicyEvaluation grouped by status, mode, decision |
| 4. Risk management (Article 9) | Risk register, mitigation measures | Cross-reference — points the reader at a separately-generated Article 9 report |
| 5. Lifecycle changes | Predetermined changes, key rotation | SigningKey rows (algorithm, status, valid_from) + prose about the JWKS rotation process |
| 6. Standards applied | Harmonised standards + conformity procedure | Static list (Ed25519, RFC 3161, RFC 7519, RFC 8785, RFC 8615, ISO/IEC 42001:2023) + the exact Articles Aira's output maps to |
| 7. EU declaration of conformity | Provider's attestation | Rendered from Organization.name + the report's generated_at — sealed by the report's Ed25519 signature |
| 8. Post-market monitoring | Monitoring system + observed incidents | AgentBehavioralBaseline (active) + AgentDriftAlert in period + ReceiptSettlement in period |
| 9. Conformity assessment record | Evidence of conformity with Chapter III §2 | Top-level counters: receipts signed, evaluations signed, evaluations by decision |
Each section's data is also surfaced in report.report_metadata.sections:
the dashboard reads it directly, and anyone consuming the JSON form
can skip the PDF.
Retention
The report row retains its PDF bytes, signature, and metadata for
10 years (retention_requirement_years: 10). That matches
Article 18's obligation on providers to keep technical documentation
for 10 years after the AI system is placed on the market or put into
service. Article 12 reports retain for 6 years (the shorter log
retention window) — Annex IV reports are the long-haul document.
Verifying
The PDF is signed by Aira's Ed25519 key just like any other report — the verify endpoint works unchanged:
curl https://api.airaproof.com/api/v1/compliance/reports/{id}/verify \
-H "Authorization: Bearer $AIRA_API_KEY"Returns { valid, checks: { content_hash_matches, signature_valid }, ... }.
The descriptor that was signed includes every counter in
report_metadata, so a regulator checking the PDF can cross-read
the verify response and confirm the section-level claims match what
Aira has on record.
Pairing with other outputs
Annex IV is the descriptive document. It points at — but doesn't embed — the per-action evidence:
- Article 12 report — one row per receipt in the period, Annex VII field mapping. Generate alongside the Annex IV file so regulators can drill into any individual action.
- Article 9 report — the dedicated risk register. Section 4 of Annex IV references it explicitly.
- Compliance bundles — if a regulator wants to re-verify every receipt themselves, a bundle is the Merkle-rooted export they can audit offline.
- Article 6 explanations — generate on demand for any single action a data subject requests transparency on.
The Annex IV file is designed to be the top-level document a provider hands a notified body or a market surveillance authority. Everything underneath is one call away.
EU AI Act — Article 6 (right to explanation)
Article 6 right-to-explanation — generate a per-action explanation that walks every policy decision, approval, and receipt in human-readable form, with a signed JSON envelope the data subject can re-verify.
Article 6 explanation envelope
Independently verify a saved Article 6 explanation JSON — offline against the JWKS, or via the public verify endpoint.