Training documentation for EU AI Act compliance

The three artefacts auditors ask for

1. The training programme itself. Content, objectives, target audience, and a version identifier you can point back to. When the programme changes materially, the version changes.
2. The assessment instrument. A defined set of questions, a scoring rule, and a pass threshold. The same set of answers should always produce the same outcome.
3. Per-person completion records. Who took the assessment, on what date, against which version of the content, and the result.

Properties that make records hold up

• Append-only. Completion records should not be silently editable after the fact. If a correction is needed, it becomes a new row, not a quiet overwrite.
• Server-issued. Outcomes are decided by the system that scored the assessment, not by whichever client happened to be open in the browser.
• Independently verifiable. An auditor or counterparty should be able to confirm a record without going through the certificate holder.
• Retained. Aligned with your wider HR and compliance retention policy, so the records remain available for the lifetime of the obligation.

Common documentation mistakes

• Tracking attendance only, with no evidence of understanding.
• Records living in a spreadsheet anyone can rewrite.
• No version on the training content, so "what did they learn?" is unanswerable a year later.
• Certificates that cannot be verified without contacting the holder.