
Audit readiness: AI governance that can really be reviewed

Auditable AI governance is not created on the day an authority sends a request. It comes from complete inventories, clear roles, current evidence and rehearsed reporting paths.

The misunderstanding: governance on paper

Many organisations start AI compliance with policies, training records and an initial inventory. That is necessary, but not sufficient. The decisive question is whether the described processes actually work in operation: is the inventory kept up to date, are the responsible persons trained, and can logs, decisions and controls be reconstructed when someone asks?

Authority landscape in Austria

Body: Relevance for financial institutions

FMA: Sector-specific supervisor for banks, insurers and investment firms; AI governance may become relevant through existing supervisory and risk-management obligations.

RTR AI Service Desk: Information hub and service desk for the AI Act. The final national allocation of responsibilities should be checked against the current implementation framework.

DSB: Data protection authority for personal data, DPIA, data-subject rights and data breaches.

OeNB: Relevant in reporting and financial-stability contexts, although not a general AI market surveillance authority.

What must be reviewable

For deployers of high-risk AI systems, the deployer obligations of Art. 26 EU AI Act, sectoral supervisory obligations, the GDPR, DORA and labour-law requirements apply in parallel. Audit readiness is therefore not a single document but a robust, cross-referenced chain of evidence.

  • complete AI inventory including vendor AI, GPAI tools and shadow AI
  • risk classification and role allocation for each system
  • Art. 26 gap analysis for high-risk systems
  • FRIA (Art. 27) for the cases where it is required, especially Annex III 5(b) (creditworthiness assessment and credit scoring of natural persons) and 5(c) (risk assessment and pricing in life and health insurance)
  • logging, log retention and human oversight
  • authority contacts, escalation paths and reporting routes for the AI Act, GDPR, DORA and NISG 2026

Internal and external dimension

Internal dimension

Documentation must be current, findable and operationally reliable. Roles should be visible in processes, tickets, approvals and controls, not only in slide decks.

External dimension

The institution should know in advance which body is relevant for which incident or request. This includes the FMA, the DSB, the body responsible for the AI Act once national implementation is settled, CERT.at or the national cybersecurity authority, and the internal first points of contact.

Audit-readiness checklist

  • AI inventory complete and assigned to owners
  • risk classification documented and approved
  • human oversight named, trained and demonstrably active
  • logs and the basis of each decision can be reconstructed
  • FRIA and DPIA duties assessed separately but coordinated
  • reporting processes for AI Act, GDPR, DORA and NISG 2026 include timelines
  • ArbVG review documented for employee data and control systems

Would you like to know where your institution stands?

We can discuss your specific situation and prioritise the next steps towards auditable AI governance.

Request an initial conversation
Notice: This page describes organisational audit readiness and does not replace legal advice or official guidance. National AI Act responsibilities should be checked against the current implementation framework. Status: June 2026.