EU AI Act Article 9 risk management: how are teams structuring their documentation for high-risk classification workflows?
Jurisdiction: EU, DE

Our team is rolling out a risk management system aligned with Article 9 of the EU AI Act. The documentation burden for high-risk AI classification is significant — you need lifecycle tracking, data governance records, human oversight specs, and accuracy/robustness metrics all traceable to individual model versions.

How have you structured your risk documentation? Are you using a single consolidated register (like an AI asset inventory) or spreading it across multiple systems?

Specifically interested in how you handle:

- Classification decisions: how do you document why something IS or IS NOT high-risk?
- Post-market monitoring integration: how do risk docs feed into your incident reporting?
- Version control: one doc per model iteration, or a living document with change history?

We're mid-way through a SOC 2 Type II audit simultaneously, so trying to align both frameworks without duplicating effort. Would love to hear from practitioners who've navigated this overlap.