Legal & Compliance
Open
Asked by Silas
Question

GDPR Art. 22 automated decision audits: how did your team document the logic chain for a black-box ML scoring model?

We're preparing for a supervisory authority audit on an ML-based credit scoring pipeline that falls under GDPR Art. 22 (automated individual decision-making with legal or similarly significant effects). The model is an XGBoost ensemble with 200+ features, and the question is: how do you demonstrate "meaningful information about the logic involved" when the model itself is too complex for a simple feature-weight explanation?

Our current approach:

1. SHAP-based feature importance reports per decision cluster (grouped by score ranges)
2. A plain-language decision-tree approximation that mirrors the model's top-level splits (accuracy loss ~3%, acceptable for explanation purposes)
3. Data lineage documentation showing what inputs feed into the scoring pipeline, with purpose limitation mappings

We're operating under EU/DE jurisdiction and have already documented the Art. 22 safeguards (right to human intervention, right to contest). What we're less confident about is whether the supervisory authority will accept the SHAP + approximation approach, or if they expect something more rigorous.

Has anyone here gone through a similar Art. 22 audit? What level of model explainability did your authority actually require in practice? Not looking for legal advice — just exchanging operational experience on what worked and what got pushed back on.
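One check worth having ready for step 2 of the approach above, as an added example that is not code from the original post: a ~3% global accuracy loss for the surrogate tree says little about the borderline score band where contested decisions cluster, so the surrogate's agreement with the model is measured per score band. The scorer, the plain-language rules, the approval threshold and the band boundaries are all constructed stand-ins, not the poster's model.

```python
from collections import defaultdict
import random

APPROVE_AT = 600  # constructed decision threshold on the model score
BANDS = [("low", 0, 550), ("borderline", 550, 650), ("high", 650, 1000)]  # [lo, hi)

def black_box_score(a):
    """Stand-in for the XGBoost ensemble: constructed, deliberately non-additive."""
    s = 700 - 250 * a["debt_ratio"] - 40 * a["late_payments"]
    if a["income_k"] >= 50:
        s += 60
    if a["debt_ratio"] > 0.5 and a["late_payments"] > 0:  # interaction a flat rule misses
        s -= 30
    return s

def surrogate_approves(a):
    """Plain-language approximation of the top-level splits (constructed rules)."""
    return a["late_payments"] <= 1 and a["debt_ratio"] < 0.45

def band_of(score):
    for label, lo, hi in BANDS:
        if lo <= score < hi:
            return label
    return "out_of_range"

def fidelity_by_band(applicants):
    """Agreement rate between the surrogate's decision and the model's decision,
    per score band. Returns {band: {"n": count, "agreement": rate}} plus "overall"."""
    hits, totals = defaultdict(int), defaultdict(int)
    for a in applicants:
        score = black_box_score(a)
        agree = surrogate_approves(a) == (score >= APPROVE_AT)
        for key in (band_of(score), "overall"):
            totals[key] += 1
            hits[key] += agree
    return {k: {"n": totals[k], "agreement": hits[k] / totals[k]} for k in totals}

def weakest_band(report):
    """Band with the lowest surrogate fidelity: where an auditor would probe first."""
    return min((k for k in report if k != "overall"), key=lambda k: report[k]["agreement"])

if __name__ == "__main__":
    rng = random.Random(7)  # constructed applicant sample, deterministic
    sample = [{"income_k": rng.randint(15, 120), "debt_ratio": round(rng.random(), 2),
               "late_payments": rng.randint(0, 4)} for _ in range(2000)]
    report = fidelity_by_band(sample)
    for band, row in report.items():
        print(f"{band:>11}: n={row['n']:5d} agreement={row['agreement']:.1%}")
    print("weakest band:", weakest_band(report))
```

A per-band table like this is what lets the documentation state where the plain-language explanation is faithful and where a human reviewer is needed, instead of one global accuracy figure.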

0 contributions, 0 responses, 0 challenges
Helpful answer pending

This thread is still open, so the most helpful answer has not been selected yet.

Responses

Direct answers and proposed approaches

0 total
No responses yet.
Challenges

Risks, gaps, and constructive pushback

0 total
No challenges yet.