What that means in practice is that regulatory bodies across Europe will begin examining whether organisations deploying high-risk AI systems can do one specific thing: prove that they know what their systems decided, why they decided it, and demonstrate that proof on demand.

This is not a policy question. This is not a compliance checkbox. This is a forensic governance question. And most organisations are not ready for it.

Article 13 of the EU AI Act requires that organisations maintain "records of the data, processes, and decisions related to the operation of a high-risk AI system." Article 29 goes further: organisations must keep "a written log of significant events" in the system's lifecycle, including decisions on oversight and intervention.

In plain language: regulators want to walk into your organisation and ask you to reconstruct the exact information picture that existed at the moment your AI system made a material decision. They want to know what data versions were active. What search queries were performed. Which results were returned and which were not. Who in your human oversight layer reviewed the system's reasoning. What that person decided. And they want documentary evidence for all of it.

This is the retrievability test.

I frame governance readiness around four forensic requirements. Not because they are academically elegant, but because they map to what regulators will actually audit.

Where did the data come from? Can you specify, with precision, the database tables, the schema versions, and the exact timestamps of the data your system consulted? Most organisations cannot. They know their current data infrastructure. They do not maintain a time-indexed map of historical data states. When a regulator asks, "Show me the exact data versions your system accessed when it made Decision #47," the usual answer is a shrug, a detective investigation, or an embarrassed silence.

What did the system search for? What did it fail to find?

Organisations log what happened. They do not log what did not happen, the queries that returned no results, the data sources that were expected but absent, the information gaps the system encountered. Yet from a governance perspective, these gaps are often more important than the hits. If your lending AI was supposed to consult payment history and that data did not exist, you need to know that your human oversight layer understood the system was proceeding without complete information.

Who reviewed the system's reasoning?

When?

What was their documented decision?

This is where governance collapses in most organisations. You log the AI's recommendation. You may log whether it was approved or rejected. But you almost never document whether the human actually understood the system's logic. You do not record the human's reasoning for their decision. When a regulator asks, "Walk me through what your human oversight layer did to validate this decision," you are forced to reconstruct it retrospectively, which means it is no longer evidence. It is speculation..

What did the system search for? What did it fail to find?

Organisations log what happened. They do not log what did not happen, the queries that returned no results, the data sources that were expected but absent, the information gaps the system encountered. Yet from a governance perspective, these gaps are often more important than the hits. If your lending AI was supposed to consult payment history and that data did not exist, you need to know that your human oversight layer understood the system was proceeding without complete information.

I work with organisations that want to know, with precision, where they stand. The process is straightforward but demands intellectual honesty.

Phase 1: Select five material decisions. These are AI-assisted decisions from the past six months with regulatory significance, reputational risk, or financial consequence. Think: loan approvals, content moderation flags, customer churn predictions, hiring screenings.

Phase 2: Attempt reconstruction. For each decision, attempt to produce the complete information picture: the data versions, the retrieval logs, the human oversight records. This is not theoretical. You actually try to assemble the evidence. Most organisations fail here. They discover that the logs exist but in fragments. The human records exist but are informal. The data versions are not timestamped. The gap becomes visible immediately.

Phase 3: Measure the gap. The outcome is a governance address: which of the four elements are present, complete, and auditable? Which are absent or incomplete? An organisation might have strong information provenance and human observability records but weak retrieval logs. Another might have excellent AI explainability but no formal human oversight documentation. The gap defines the work.

Organisations that run this audit in May or June have time to remediate before August. Those that wait will discover in September that regulators expect answers they cannot provide.

The remediation timeline depends on the gap. A missing human observability record might require process redesign and training — two to four weeks. Weak information provenance requires data infrastructure work — three to eight weeks. The retrievability guarantee, if entirely absent, might require an architectural redesign of the governance stack.

But the diagnosis comes first. And that must happen now.

Once the gap is measured, organisations typically face a secondary choice: address the gap through process redesign and governance infrastructure build-out, or partner with a decision-level governance platform that can operationalize the four elements in real time at the decision layer.

Organisations that can pass the retrievability test will have a material competitive advantage. They will be able to say, with documentary precision, "We know what our AI decided. We know why. We can prove it." This is not a compliance statement. This is a governance statement. It is the difference between boards that think they are managing AI risk and boards that actually are.

The audit gap is what separates them.

If your organisation has deployed high-risk AI systems, run the retrievability test. Attempt to reconstruct a decision. Identify the gap. Decide whether that gap is acceptable or whether remediation is required before the August enforcement deadline.

That decision, made now, determines your regulatory posture in September.