What documentation do I need before starting an AI agent certification assessment?

The minimum documentation package for starting an assessment contains four elements: a system architecture description covering the AI system's purpose, data inputs and outputs, decision points, and integration dependencies; a human oversight map showing where human review or approval occurs in the system's decision flow; an incident log covering any known errors, failures, or unexpected behaviours since the system was deployed; and a data governance record covering what personal data the system processes, on what lawful basis, and what security measures are applied. Operators who have completed an EU AI Act Article 26 operator file have already assembled most of this material.

By Future Proof Intelligence · Published 12 June 2026 · 12 minute read

AI agent certification timeline: how long does it actually take?

Q: How long does an AI agent certification assessment take from start to certification issuance?

A full Agent Certified assessment for a single AI system takes between four and twelve weeks from the start of the gap analysis to certification issuance, depending on the complexity of the system, the readiness of the operator's existing documentation, and the number of remediation actions required after the gap analysis. Systems with mature existing governance (ISO 42001 or NIST AI RMF documented) and clean technical documentation typically complete in four to six weeks. Systems starting with minimal documentation require eight to twelve weeks to build the operator file before the formal assessment can begin.

Q: What is the difference between an Agent Certified assessment and an EU AI Act conformity assessment?

An EU AI Act conformity assessment under Article 43 of Regulation (EU) 2024/1689 is a mandatory process for providers of high-risk AI systems listed in Annex III. It assesses whether the AI system meets the technical requirements in Articles 9 through 15 of the Regulation. Agent Certified assesses the deployer's governance, oversight, and documentation quality across seven dimensions including those that overlap with but are not identical to the provider-facing Articles 9 through 15 requirements. Agent Certified is not a substitute for a mandatory conformity assessment, but it provides the deployer governance layer that the EU AI Act conformity assessment does not cover, and it produces the operator file evidence that deployers are independently required to maintain under Article 26.

Q: Is August 2 2026 still the EU AI Act deadline for deployers?

The European Commission's Digital Omnibus on AI proposes to delay the EU AI Act's high-risk AI system obligations from 2 August 2026 to 2 December 2027. As of June 2026, the Omnibus is in trilogue and has not been formally adopted or published in the Official Journal. Until formal adoption, the 2 August 2026 deadline remains legally binding. Article 5 prohibition obligations have been in force since February 2025. Article 50 transparency obligations for new systems apply from August 2026 regardless of any Omnibus delay. Operators should not halt compliance work pending the Omnibus outcome, because even a confirmed delay does not reduce the exposure from ongoing prohibition obligations and product liability changes.

The question that reaches the Agent Certified desk most frequently in 2026 is not about the seven dimensions or the scoring rubric. It is: how long does this take? The question comes from compliance leads working backwards from August deadlines, from enterprises that started their AI governance programme later than planned, and from operators who want to know whether certification is still achievable before the applicable regulatory window. This article gives honest answers based on how assessments actually proceed: the minimum viable timeline, the common bottlenecks, and what determines whether you finish in four weeks or twelve.

Key takeaways

A full Agent Certified assessment takes four to twelve weeks from gap analysis start to certification issuance. The range is determined by documentation readiness, system complexity, and how many remediation actions are required after the gap analysis identifies deficiencies.
The single largest time consumer is not the assessment itself. It is the gap between what operators believe they have documented and what is actually available when the assessment team requests it. Operators who can produce a system architecture description, a human oversight map, an incident log, and a data governance record on Day 1 can cut two to four weeks from the typical timeline.
The August 2, 2026 EU AI Act deadline for high-risk system deployer obligations remains the target date unless the Digital Omnibus is formally adopted in the Official Journal. As of June 2026, the Omnibus is still in trilogue. The safe working assumption is that August 2 remains binding.
Operators who have completed an EU AI Act Article 26 operator file, an ISO/IEC 42001 gap analysis, or a NIST AI RMF implementation have already completed the documentation foundation for most of the seven assessment dimensions. Their certification timeline is typically four to six weeks.
An In Progress notation is available for operators who have commenced assessment but not yet resolved all remediation items. This notation documents an active compliance programme and is accepted by most insurers and counterparties requiring evidence of AI governance engagement.

The four phases of a certification assessment

An Agent Certified assessment proceeds through four phases regardless of the system being assessed. The time each phase takes varies by operator, but the sequence is fixed. Understanding where the time goes helps operators identify where they can accelerate.

Phase 1: Gap analysis (1 to 3 weeks)

The gap analysis compares the operator's existing documentation and governance practices against the requirements of the seven certification dimensions: Trust and Transparency, Context Awareness, Distribution and Scope, Product Safety and Reliability, Governance, System Integration, and Autonomy Envelope. For each dimension, the gap analysis identifies what evidence exists, what evidence is absent, and what changes or additions are needed before the formal assessment can proceed.

The gap analysis phase can take as little as one week for operators with mature existing documentation or as long as three weeks for operators who need to assemble documentation from multiple teams and systems during the phase. The most common bottleneck in Phase 1 is the absence of a unified owner for the AI governance file. When the technical documentation is held by the engineering team, the legal review is held by legal, the incident history is held by the support team, and the data governance record is in the privacy programme, assembling these into a coherent package requires coordination that many organisations have not done before.

Operators can reduce Phase 1 time by designating a single owner for the certification file before the assessment begins, identifying in advance where each required document is held, and confirming that the document owner can make the document available on request within 24 hours. This preparation, done in the two weeks before the assessment starts, typically saves at least a week from Phase 1.

Phase 2: Documentation remediation (0 to 6 weeks)

After the gap analysis identifies deficiencies, the operator must address them before the formal assessment scoring can occur. Remediation involves creating or improving the documents and governance processes that the gap analysis identified as absent or insufficient. This phase has the widest time range: operators with only minor gaps may complete remediation in days; operators who need to build a human oversight policy, write their first incident response procedure, or map their data governance for the first time may need six weeks.

The most common remediation items across assessments are: a documented human oversight policy specifying when and how human review of agent outputs occurs; an incident log covering the system's operating history; a formal scope definition specifying what decisions the agent can make autonomously and what requires escalation; and a technical documentation package satisfying the requirements comparable to EU AI Act Article 11 (technical documentation for high-risk AI systems).

Operators who have already produced an EU AI Act Article 26 operator file will have covered significant portions of the remediation checklist. The operator file under Article 26(1) includes instructions of use, technical documentation, and the human oversight measures the deployer has put in place, which overlap directly with the Agent Certified Governance, Context, and Autonomy dimensions.

Phase 3: Formal assessment (1 to 2 weeks)

The formal assessment is the structured review of the remediated documentation package against the seven-dimension scoring rubric. Each dimension is scored on a 1 to 10 scale with defined evidence requirements for each score level. The total weighted score determines the certification level: Elite (75 and above), Advanced (55 to 74), Certified (35 to 54), In Progress (20 to 34), or Pre-Assessment (below 20). The methodology and weighting are published at agentcertified.eu/methodology.html.

The formal assessment phase takes one to two weeks. The first week is spent on document review and structured queries for clarification or additional evidence on specific dimension scoring. The second week is used for final scoring, report drafting, and any scoring challenges the operator wishes to raise. Scoring challenges require written submissions citing specific evidence, and the assessment team responds within five business days.

Phase 4: Certification issuance (2 to 5 business days)

Once the scoring is finalised and any challenges resolved, certification is issued within two to five business days. The certification package includes the scoring summary by dimension, the overall certification level, the certification validity period (twelve months from issuance), and the list of conditions attached to the certification where remediation items were accepted as in progress rather than resolved. A machine-readable certification record is issued for use in insurance underwriting submissions and regulatory filings.

Where operators run out of time

The assessments that fail to complete before an operator's target date almost always fail for the same reason: the documentation phase takes longer than expected because the documentation does not exist in the form required. The most common scenario is an operator who has implemented excellent AI governance in practice but has never written it down in the form a third-party assessor needs to verify it.

An engineering team that reviews every agent output before it goes live has effectively met the human oversight requirement. But without a written human oversight policy describing the review process, the reviewer's authority, the escalation path, and how the review is logged, the assessor cannot verify it. The time required to produce that written policy from an existing unwritten practice is not the time to think about governance: the governance is already there. It is the time to write it down, have it reviewed by legal, approved by management, and added to the operator file. That process commonly takes two to three weeks in organisations with normal approval chains.

The second most common reason for timeline slippage is that the scope definition for the AI system is ambiguous. If the assessment team cannot determine from the documentation what the system is designed to do, what decisions it can make autonomously, and what happens when it encounters an input outside its designed scope, the Autonomy Envelope and Context dimensions cannot be scored. Operators who can provide a one-page scope document, signed by a responsible person, at the start of Phase 1 avoid this bottleneck entirely.

Timeline for operators facing August 2026

The EU AI Act high-risk deployer obligations activate on 2 August 2026 unless the Digital Omnibus formally changes the date. As of 12 June 2026, 51 days remain. This is the current timeline analysis for operators who have not yet started:

An operator starting today with no existing AI governance documentation can complete a Pre-Assessment or In Progress level certification by August 2 if they move without delay through Phase 1 (maximum two weeks) and Phase 2 remediation (focusing on the minimum viable documentation set for the lower certification levels). Full Certified or Advanced level certification by August 2 is achievable only if Phase 2 remediation can be compressed by using existing documentation from adjacent programmes (ISO 42001, NIST AI RMF, GDPR Article 35 DPIAs, or EU AI Act operator files).

An operator with existing EU AI Act operator file documentation, ISO 42001 implementation, or NIST AI RMF documentation can complete a full Certified level assessment by August 2 if they start immediately. The existing documentation satisfies most Phase 2 requirements directly, compressing the combined Phase 1 and 2 timeline to approximately three weeks.

An operator who has already completed a full Agent Certified assessment within the last twelve months is not required to restart. If the certification remains valid, it applies to the August 2 compliance context. If the certification expired or was issued more than twelve months ago, a renewal assessment (shorter than a full assessment for systems with no material changes) should be initiated immediately.

For operators who cannot complete a full certification by August 2, the In Progress notation provides documented evidence of an active compliance programme. This notation is accepted by most insurance underwriters requiring AI governance evidence and by most enterprise counterparties requiring AI compliance confirmation as a contract condition. It signals meaningful engagement, not a blank page.

How the seven dimensions determine timeline

The seven dimensions are not equally time-consuming to evidence. Understanding which dimensions are likely to require new work, and which your existing documentation covers, allows operators to prioritise their Phase 2 remediation effort and compress the timeline.

Trust and Transparency and Governance are the dimensions most likely to require new written documentation from operators who have strong practices but little formal governance writing. Both can be addressed with relatively short, focused policy documents once the practices are confirmed.

Data Governance is typically well-covered by operators who have completed GDPR Article 35 DPIAs or equivalent data protection documentation. The data governance dimension scoring maps closely to GDPR Article 5 processing principles and Article 25 data protection by design requirements.

System Integration and Product Safety and Reliability require technical documentation about system architecture, dependencies, and testing history. These are typically held by engineering but not in the format the assessment requires. Engineering teams that can produce an architecture diagram and a test summary in the first week of Phase 1 reduce overall timeline by five to ten days.

Autonomy Envelope is the dimension that most often generates surprise. Operators frequently discover during the gap analysis that their agent has a broader autonomy scope than the official description suggests, because the system prompt or configuration was written broadly and has never been formally scoped. Tightening the autonomy envelope is sometimes the best remediation action available in a short timeline.

Context Awareness depends on the operator's use case documentation: for whom is the system deployed, in what circumstances, and what are the operator's obligations to users in those circumstances. This dimension draws on EU AI Act Article 14 (human oversight) and Article 26(1)(a) (deployer instructions of use) requirements and is well-covered by operators who have prepared those documents.

For the complete seven-dimension methodology with scoring rubrics, see the methodology page. For the certification levels and their implications for insurance and regulatory compliance, see the certification levels page. For what AI certification means for insurance underwriting, see the insurance underwriting article on this site and the certification and premium impact guide on agentinsured.eu.

Frequently asked questions

How long does an AI agent certification assessment take from start to certification issuance?

A full Agent Certified assessment takes between four and twelve weeks, depending on documentation readiness and system complexity. Systems with mature existing governance documentation typically complete in four to six weeks. Systems starting with minimal documentation require eight to twelve weeks. The most variable element is Phase 2 remediation, which depends on how many new governance documents need to be created from scratch.

Can I get an interim certification or a letter of evidence before the full certification is complete?

Agent Certified issues an In Progress notation for operators who have commenced assessment, completed the gap analysis, and reached the documentation threshold for this level, but have not yet resolved all remediation items. This notation documents an active compliance programme and is accepted by most insurers and enterprise counterparties requiring evidence of AI governance engagement.

What documentation do I need before starting a certification assessment?

The minimum documentation package contains four elements: a system architecture description; a human oversight map showing where human review occurs; an incident log covering known errors and failures; and a data governance record covering personal data processing. Operators who have completed an EU AI Act Article 26 operator file have already assembled most of this material.

What is the difference between an Agent Certified assessment and an EU AI Act conformity assessment?

An EU AI Act conformity assessment under Article 43 is mandatory for providers of high-risk AI systems and evaluates whether the system meets the technical requirements in Articles 9 through 15. Agent Certified assesses the deployer's governance, oversight, and documentation quality across seven dimensions. Agent Certified is not a substitute for a mandatory conformity assessment, but it covers the deployer governance layer that the provider-facing conformity assessment does not address, and it produces the operator file evidence that deployers must maintain independently under Article 26.

Is August 2 2026 still the EU AI Act deadline for deployers?

The Digital Omnibus proposes to delay high-risk obligations from 2 August 2026 to 2 December 2027. As of June 2026, the Omnibus is in trilogue and not formally adopted. The 2 August 2026 deadline remains legally binding until formal adoption and publication. Article 5 prohibitions have been in force since February 2025. Article 50 transparency obligations apply from August 2026. Operators should not halt compliance work pending the Omnibus outcome.

References

Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 (EU Artificial Intelligence Act). OJ L, 2024/1689. Article 26 (obligations of deployers of high-risk AI systems), Article 43 (conformity assessment). Application dates: Article 5 prohibitions from 2 February 2025; Article 50 transparency from 2 August 2026; high-risk system obligations from 2 August 2026 (pending Digital Omnibus).
ISO/IEC 42001:2023. Artificial intelligence management systems. International Organisation for Standardisation and International Electrotechnical Commission. Published December 2023. Provides the management system framework that maps to the Agent Certified Governance dimension requirements.
NIST AI Risk Management Framework (AI RMF 1.0), January 2023, NIST AI 100-1. The four functions GOVERN, MAP, MEASURE, and MANAGE provide the operational framework that maps to five of the seven Agent Certified dimensions. Available at nist.gov/artificial-intelligence.
EU AI Act Article 11 Technical Documentation requirements. Annex IV of Regulation (EU) 2024/1689 specifies the technical documentation content. The Agent Certified System Integration and Product Safety dimensions incorporate these requirements for deployer-level documentation. Note that Article 11 documentation obligations fall primarily on providers; deployers working with the documentation requirements of Article 26(1)(a) benefit from Annex IV as a reference model.
EU AI Act Article 14 (human oversight requirements for high-risk AI systems) and Article 26(1)(a) (deployer obligation to use the AI system in accordance with the instructions of use). These two provisions provide the regulatory foundation for the Agent Certified Context Awareness and Autonomy Envelope dimensions.