K0NSULT // ai-truth/procedury · EN
k0nsult.cloud / ai-truth / procedury · EN

Processes and procedures — AI Act readiness

A hub of compliance procedures for AI systems in public administration and business. Each procedure is described as a step-by-step process, with its legal basis and evidentiary status. Operational material, not a legal conclusion.

A procedure without an evidentiary trace does not exist.

Six related processes form a coherent readiness pathway: from system inventory, through risk classification and impact assessment, to human oversight, auditability and redress. The binding rule: claim ≤ proof — we do not assert more than we can demonstrate.

Evidentiary statuses: LIVE confirmed by evidence · DATA based on a documented dataset · SOON in preparation. No proof = GAP, not a fact. Status of the procedure set: DATA.

1AI system registration DATA

Objective: a complete register of AI systems used in the organisation, with an assigned owner and description. Basis: EU AI Act 2024/1689 (operator roles, transparency).

  1. Inventory — identify all AI systems and components (including chatbots, models embedded in third-party tools, automations).
  2. System description — purpose, input/output data, provider, version, environment.
  3. Owner designation — the person/unit responsible in substantive and organisational terms.
  4. Register entry — a single AI systems register with an identifier, date and status.
  5. Review cycle — set the frequency of entry updates and the triggers (new version, new risk).

GAP when: a system operates “in the shadows” without an entry, has no assigned owner, or is not versioned.

2AI Act risk classification DATA

Objective: assign the system to a risk category under EU AI Act 2024/1689 and select the appropriate obligations.

  1. Prohibition test — check whether the use case falls within prohibited practices (e.g. social scoring, manipulation, impermissible biometric identification). If so — STOP.
  2. High-risk test — does the system affect decisions concerning persons (access to services, employment, benefits, law enforcement, critical infrastructure)? → high-risk.
  3. Limited-risk test — does the system interact with a person or generate content (chatbot, deepfake)? → transparency obligation.
  4. Remaining — a minimal-risk system: voluntary good practices.
  5. Classification documentation — record the criterion, rationale and date; link to the register (proc. 1).

Criteria: the category follows from the use case, not from the technology. High-risk classification triggers obligations on risk management, data, logs and human oversight.

3Risk assessment and DPIA DATA

Objective: assessment of the impact on the rights and freedoms of persons. Basis: GDPR Art. 35 (DPIA) and the accountability principle.

  1. Threshold test — may the processing result in high risk (profiling, evaluation, large-scale data, monitoring)? If so — a DPIA is required.
  2. Description of operations — purpose, scope, context and nature of the processing, categories of data and persons.
  3. Necessity and proportionality assessment — whether the AI is necessary and adequate to the purpose.
  4. Risk identification — erroneous decision, discrimination, lack of explainability, data leakage.
  5. Mitigation measures — technical and organisational (including human oversight — proc. 4).
  6. Consultation and approval — involvement of the DPO; where necessary, consultation with the supervisory authority.

GAP when: there is no DPIA for a high-risk system, or a DPIA without identification of mitigation measures.

4Human oversight DATA

Objective: ensuring effective human control over the system. Basis: AI Act (human oversight), the Code of Administrative Procedure (KPA) (limiting the automation of rulings). More: /human-oversight.

  1. Control points — designate the moments at which a person approves, corrects or rejects an output.
  2. Approval gates — no action with legal effect occurs without the operator's approval.
  3. Kill-switch — a mechanism for the immediate suspension of the system and the procedure for its use.
  4. The claim ≤ proof rule — the system may not assert more than it demonstrates with evidence.
  5. Operator competence — training and authorisation of the person exercising oversight.
  6. Intervention register — a log of every approval, correction and stop (linked to proc. 5).

GAP when: a decision concerning a person is taken fully automatically without an approval gate or without a functioning kill-switch.

5Chain of evidence / auditability DATA

Objective: a complete, verifiable trail of the actions of the system and operators. Related: /audytowalnosc, /evidence-index.

  1. Action logging — logs of inputs, outputs, model decisions and human interventions.
  2. Versioning — versions of the model, data, prompts and configuration; linked to the event.
  3. Integrity — protection of logs against modification (immutability, time stamps).
  4. Retention — a retention period consistent with the GDPR and with AI Act requirements for high-risk systems.
  5. Evidence indexing — proof-packs linked to the system in the evidence index.
  6. Reproducibility — the ability to reconstruct how and on what basis a given output was reached.

GAP when: there are no logs, the logs are modifiable, or the output is not linked to the model/data version.

6Appeal pathway / redress DATA

Objective: securing a person's right to an explanation and a pathway for contesting an output. Basis: GDPR (transparency, accountability), KPA, AI Act (transparency).

  1. Right to an explanation — providing understandable information about the role of AI in a given output.
  2. Appeal channel — a clear pathway for the person concerned to contest the output.
  3. Human review — re-assessment under operator oversight (proc. 4).
  4. Establishing responsibility — on the basis of the chain of evidence (proc. 5), without attributing fault without proof.
  5. Case register — a record of appeals, rulings and lessons learned.
  6. Feedback loop — the lessons feed system correction and the update of the risk assessment (proc. 3).

Rule: responsibility is established from evidence. No proof of fault = GAP, not a presumption of fault.

Legal bases DATA

Source: dataset ranking_jst_kas.json (key podstawy_prawne). The state of the acts is to be verified as at the date of use.

Act / basisRelevance for the auditURL
EU AI Act 2024/1689 Horizontal framework for AI systems; operator roles, risks, prohibitions, high-risk systems, transparency. eur-lex.europa.eu/eli/reg/2024/1689
Draft Polish Act on artificial intelligence systems (UC71) National draft supporting the application of EU Regulation 2024/1689; state to be verified as at the date of use. gov.pl/web/premier — draft AI act
GDPR Lawfulness, fairness, transparency, data minimisation, accountability, security; key for AI prompts and logs. eur-lex.europa.eu — CELEX 32016R0679
Ministry of Digital Affairs guide for public administration Practical guidance on deploying AI in public offices; guidance, not certification. ai.gov.pl — guide for public administration
KAS IT plan 2024-2028 Source for KAS e-services, including the e-Tax Office chatbot. gov.pl/web/kas — e-services deployment plans
Act on municipal / county / regional self-government Organisational basis for the ordinances of heads of offices and the tasks of local government units (JST). isap.sejm.gov.pl
Code of Administrative Procedure (KPA) Limiting the automation of rulings; AI as support should not replace the authority in decisions. isap.sejm.gov.pl
Act on KAS / Tax Ordinance Basis for the operation of tax authorities; with AI, an assessment of data processing and profiling is needed. isap.sejm.gov.pl

Related

Disclaimer. This material is informational, operational and research in nature. It does not constitute certification, it is not the opinion of a notified body and it is not a legal conclusion (not a certification · not a notified body · not a legal conclusion). The procedures require adaptation to the specific context of the organisation and legal verification. Details: /legal/not-certification.