Sofema Aviation (SA) considers the impact of AI in relation to Compliance Auditing
In the 2026 regulatory landscape, EASA compliance auditing is undergoing its most radical transformation since the shift from prescriptive rules to performance-based oversight.
As an auditor, your focus should move away from purely checking “what” was done towards investigating “how” it was decided (including whether a machine decided it should be done) and whether the human remained in control of that decision.
The future of auditing is defined by a number of regulations and source documents including EASA AI Roadmap 2.0, Regulation (EU) 2024/1689 (EU AI Act), and the forthcoming NPA 2025-07.
The Strategic Blueprint: EASA AI Roadmap 2.0
The Roadmap 2.0 serves as the conceptual anchor for all future audits. It establishes a human-centric philosophy: AI must augment human performance, not replace it.
For an auditor, this means verifying that your organization has mapped its AI tools to the correct Level of Automation:
- Level 1 (Human Augmentation): The AI provides cognitive assistance (e.g., highlighting a potential crack in a blade image), but the human makes the final decision.
- Level 2 (Human-AI Collaboration): The human and AI work as a team, with the AI potentially initiating actions that the human must actively monitor or override.
- Level 3 (Limited Autonomy): The AI makes decisions that are only reviewed after the fact—a level EASA is approaching with extreme caution, likely not seeing full implementation in safety-critical systems for years.
The Legal “Hard Law”: EU AI Act (Regulation (EU) 2024/1689)
While EASA provides the technical standards, the EU AI Act provides the legal enforcement power. As of August 2026, full obligations for high-risk AI systems are being enforced across the EU.
Because many aviation systems are part of a certified product (like a flight control system or an engine monitoring tool), they are automatically classified as “High-Risk” under the Act. This changes the audit checklist to include:
- AI Management Systems (AIMS): The auditor's task is to check whether there is a formal governance structure for AI, similar to how you manage your Quality or Safety systems.
- Data Lineage: Look for evidence of where the training data came from and how you ensure it is free from “bias” that could lead to safety failures (e.g., an AI that performs well on modern engines but fails to recognize faults on older, analog-heavy fleets).
The Technical Reality: NPA 2025-07
NPA 2025-07 introduces the Seven Dimensions of Trustworthiness.
Instead of a simple “Pass/Fail” on a maintenance task, the auditor assesses your AI against seven core properties:
- Human Agency & Oversight: Look for “Override Logs.” If your AI recommended a part replacement and your technician disagreed, did the system allow that override, and was the reasoning recorded?
- Technical Robustness & Safety: The organization should demonstrate how the AI handles “edge cases” or sensor data gaps without crashing or providing dangerous advice.
- Transparency & Explainability: The “Hidden Black Box” is now prohibited. If an AI flags a fault, it must provide a “human-interpretable” explanation so a licensed engineer can verify the logic.
- Privacy & Data Governance: Ensuring that the data used for machine learning complies with privacy laws and maintains integrity throughout the lifecycle.
- Diversity & Fairness: Auditing for “model drift” or bias that could result in uneven safety standards across different operational environments.
- Societal & Environmental Wellbeing: Verifying that AI efficiency gains (like fuel saving) do not inadvertently compromise safety margins.
- Accountability: Establishing a clear digital “paper trail” from the AI developer to the end-user who signed off the work.
The Shift to Continuous Oversight
2026 brings Continuous Risk Management.
- Real-Time Data Feeds: Consider the possibility of accessing the AI’s Performance Indicators remotely to see if the system is “drifting” from its certified baseline.
- SMS Integration: AI is no longer an “IT project”; it is a core component of your Safety Management System (SMS). Audit how your AI findings are analyzed, actioned, and fed back into your risk assessments.
The Auditor’s Perspective: Establish that there is no Automation Bias, that is, look for signs that staff have become “passive observers” who trust the machine too much.
- Training records should show specific “AI literacy” training on how to challenge the machine.
Special Consideration Concerning the August 2026 Enforcement Deadline
Is the Management System capable of documenting the “explainability” of your digital decisions, or is the relevant technical documentation siloed within your IT department?
Next Steps
Join Sofema for a free EASA Compliance Auditors Masterclass on 20 May, led by industry expert and CEO, Steven Bentley. This session will explore the evolving auditor role under Part-CAMO and SMS, focusing on risk-based auditing and modern competencies. Register here as places are limited.

