GASP: AICF

AIG-034 Customer and Deployer Obligations Communication

Tier 2+AI

Description

Where the organisation provides an AI system that is deployed or operated by a customer, the organisation provides deployers with: instructions for use, known limitations and performance characteristics, guidance on appropriate human oversight measures, notification of any model updates or material changes, and the information necessary for deployers to fulfil their regulatory obligations (e.g. EU AI Act deployer obligations, GDPR DPIA). Instructions for use are provided in written form, kept current, and versioned.

Rationale

SaaS AI providers bear upstream responsibility for enabling their customers to govern the AI systems they deploy; incomplete instructions create downstream governance failures and regulatory exposure for both parties.

Framework Mappings (7)

EU-AI-Art.13.2: Transparency — Instructions for Use (full)
EU-AI-Art.13.3: Transparency — Mandatory Content of Instructions for Use (full)
EU-AI-Art.26.1: Deployer Obligations — Use in Accordance with Instructions (partial)
EU-AI-Art.26.8: Deployer Obligations — GDPR Data Protection Impact Assessment Support (partial)
A.10.4: Customers (full)
A.8.2: System documentation and information for users (full)
A.8.5: Information for interested parties (full)

Evidence (2)

record (manual)

Versioned instructions for use provided to customer deployers, covering system limitations, human oversight guidance, model update notifications, and information necessary for deployers to fulfil their regulatory obligations.

Example: Instructions for Use — AI Contract Analysis API v3.1 (developer documentation portal, published 2026-01-15): known limitations section, recommended human oversight implementation patterns, EU AI Act deployer obligations checklist, DPIA information pack, and model update changelog v3.0 to v3.1

Test: Request the instructions for use provided to customers for each AI system. Verify: (1) instructions cover known limitations and performance characteristics, (2) human oversight guidance is included with concrete implementation recommendations, (3) information required for GDPR DPIA is provided, (4) model update notifications are issued to deployers when material changes occur (check changelog and notification records), (5) instructions are version-controlled and the current version is accessible to customers.

log (automated)

Model update notification records demonstrating that deployers were notified of material model changes within the committed timeframe, prior to or concurrent with the change taking effect.

Example: Email/Webhook notification log for AI Contract Analysis API model update v3.1 (2026-01-14): 843 customer accounts notified via API changelog webhook, notification sent 7 days before deployment; 12 accounts without webhook received email notification — all within committed 7-day advance notice period

Test: Request notification records for the two most recent material model updates. Verify: (1) notification was sent to all deployers before or concurrent with the model change, (2) notification lead time meets the committed period in the supply chain agreement, (3) notification content includes the nature of the change, impact on performance characteristics, and any action required by the deployer, (4) delivery is confirmed for all customer accounts.

Questions (2)

boolean

Where your organisation provides an AI system deployed by customers, do you provide customers with written instructions for use covering limitations, oversight guidance, and their regulatory obligations?

SaaS AI providers bear upstream responsibility for enabling customers to govern the AI systems they deploy. Incomplete instructions create downstream governance failures and regulatory exposure for both parties under the EU AI Act.

multi

Which of the following are included in the instructions for use you provide to customer deployers?

Known limitations and performance characteristics
Guidance on implementing appropriate human oversight
Information required for deployers to conduct a GDPR DPIA
Notification of model updates or material changes
Deployer obligations checklist (e.g. for EU AI Act compliance)
Versioned documentation kept current and accessible to customers

All six elements are expected for AI systems deployed in regulated enterprise contexts. Missing DPIA information packs and EU AI Act deployer obligation checklists are the most common gaps — they shift compliance burden onto customers who may lack the technical context to fulfil it.