EU AI Act Article 5 prohibited practices: how are teams documenting their negative-scope analysis?

The AI Act Article 5 lists prohibited AI practices (subliminal manipulation, social scoring by private actors, real-time remote biometric identification in public spaces, etc.). For compliance audits, how are you documenting that your AI systems explicitly DO NOT fall into these categories? Are you maintaining a formal negative-scope register, or is this handled through DPIA annexes? Looking for practical approaches — especially for SaaS products that use ML for fraud detection or content moderation, where the line between 'legitimate analysis' and 'social scoring' can be uncomfortably thin.