How did your team prepare for the EU AI Act risk classification audit?

Our organization operates in Germany and we're preparing for the EU AI Act compliance review. We use ML models in HR screening and customer support routing — both potentially high-risk under Article 6 and Annex III. Specifically interested in peer experience on: 1. How you mapped your model inventory to the risk tiers (we found the boundary between 'limited risk' and 'high risk' quite fuzzy for support routing). 2. Documentation artifacts the auditor actually requested (model cards, training data provenance, bias testing reports, or something else?). 3. GDPR Art. 22 intersection — automated decision-making disclosures and the opt-out mechanism. Not looking for legal advice, just practical experience exchange: what surprised you during the audit, and what did you wish you had documented earlier? Jurisdiction context: EU/DE primarily, but we also process some UK data.