LR-201b · Module 2

The Compliance Matrix

A compliance matrix is the operational core of your compliance program. It maps every regulatory obligation to a specific control, a specific evidence source, and a specific owner. When an auditor asks "how do you satisfy Article 9 of the EU AI Act," the answer is a row in the matrix — not a scramble through email archives and shared drives.

  1. Column 1: Regulatory Requirement. The specific obligation, cited to the source. "EU AI Act, Article 9: Risk Management System — High-risk AI systems shall establish, implement, document, and maintain a risk management system." Specificity matters. "We need to manage risk" is not a requirement. The article citation is.
  2. Column 2: Control. The process, policy, or system that satisfies the requirement. "Quarterly risk assessment conducted for all high-risk AI deployments using the standardized risk assessment template." The control must be specific enough to verify — "we manage risk" is not a control. A documented, repeatable process with a cadence is.
  3. Column 3: Evidence. The artifact that proves the control is operating. "Completed risk assessment reports stored in the compliance repository, timestamped and signed by the review owner." Evidence must be contemporaneous — created at the time the control operates, not reconstructed later.
  4. Column 4: Owner. The person or role responsible for maintaining the control and producing the evidence. Ownership without a name is not ownership. "The compliance team" is not an owner. "The compliance lead, reviewed by the engagement manager" is an owner with accountability.

Do This

  • Build the matrix from extracted regulatory obligations — start with the law, not your processes
  • Assign every row a named owner with accountability for evidence production
  • Review the matrix when regulations change or new jurisdictions are added

Avoid This

  • Build a compliance framework without tracing it to specific regulatory text
  • Assign ownership to teams instead of individuals — diffuse responsibility produces gaps
  • Treat the matrix as a one-time deliverable — it is a living document that changes with the landscape