
The Assurance Engagement

Vesta Medical's complaint-summarization AI is six weeks from EU launch. The conformity assessment lands on your desk.

Six modules in, you've learned how AI risks get classified, how regulatory crosswalks turn frameworks into operating controls, where platform-native and overlay controls each cover ground, what proactive-safety habits look like, and how prompt-injection threats map to defenses. Now you sit in the chair facing the auditor. Vesta Medical's complaint-summarization assistant is six weeks from a launch into the EU market. Marcus has committed the date to the board. A notified-body conformity assessor — the auditor — has arrived for the readiness review. Devon is the program owner being audited. Sarah, Priya, and Mike are the operators whose work is the evidence. You answer the auditor's questions in real time. Five nodes. Each one is a discipline test: does the evidence exist before the question, or are you constructing it after? Pick the path you can defend.

Decision 1

The auditor opens the engagement with a deceptively simple question. "Six months ago you classified Sarah's complaint-summarization use case under the EU AI Act. Walk me through the current classification." You know what's underneath the question: Sarah's scope has expanded. What started as low-volume internal triage now feeds MDR-touching submissions, and volume has roughly tripled. The risk-tier classification on file says "limited risk, internal use only." Devon is across the table; Sarah is one floor down at her desk.

How do you answer?