Current AI governance tools rely on declarations, questionnaires, and manual audits — producing what we term *paper compliance*: documentation that asserts conformity without demonstrating it. We propose a structured framework for AI compliance auditing based on observable technical evidence collected from multiple sources: source code, configuration, automated tests, operational logs, external system connectors, and cryptographic records. Our framework introduces: (1) a six-level evidence taxonomy (E0–E6) that distinguishes between absent evidence, declared, implemented, tested, executed, verified, and demonstrated compliance; (2) an Evidence Quality dimension that differentiates evidence instances within the same level by their attributive richness; (3) an Evidence Resolution Principle that determines compliance verdicts from the highest-level evidence while routing contradictions to auditor alerts; (4) a Contradiction Detection mechanism that surfaces cases where a higher-level source appears compliant while a lower-level source fails — functioning as an evidence-integrity mechanism; and (5) a three-dimensional assessment model separating compliance score, assurance score, and evidence strength. We apply this framework to EU AI Act gate articles (Art. 9, 10, 14, 15) and argue that AI compliance is fundamentally a software engineering problem requiring software engineering evidence.
PATRICK JUVET ETOUA (Mon,) studied this question.
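The Evidence Resolution Principle and Contradiction Detection described in the abstract can be sketched as follows. This is an added example, not code from the paper: the mapping of level names onto E0 to E6 (in the order the abstract lists them), the field names, the conservative handling of disagreement within the top level, and the sample records are all assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):  # assumed numbering, following the abstract's listing order
    E0_ABSENT = 0
    E1_DECLARED = 1
    E2_IMPLEMENTED = 2
    E3_TESTED = 3
    E4_EXECUTED = 4
    E5_VERIFIED = 5
    E6_DEMONSTRATED = 6

@dataclass(frozen=True)
class Evidence:
    requirement: str  # gate article, e.g. "Art. 14"
    level: Level
    source: str       # hypothetical label for the evidence source
    compliant: bool

def resolve(requirement, evidence):
    """Verdict from the highest-level evidence; contradictions become auditor alerts."""
    items = [e for e in evidence
             if e.requirement == requirement and e.level > Level.E0_ABSENT]
    if not items:
        return {"verdict": "no_evidence", "level": Level.E0_ABSENT, "alerts": []}
    top_level = max(e.level for e in items)
    top = [e for e in items if e.level == top_level]
    # Assumption: if top-level sources disagree, the verdict is non-compliant.
    verdict = "compliant" if all(e.compliant for e in top) else "non_compliant"
    # Contradiction: a higher-level source looks compliant while a lower-level one fails.
    alerts = sorted((hi.source, lo.source)
                    for hi in items if hi.compliant
                    for lo in items if lo.level < hi.level and not lo.compliant)
    return {"verdict": verdict, "level": top_level, "alerts": alerts}

# Constructed sample records for illustration only.
SAMPLE = [
    Evidence("Art. 14", Level.E1_DECLARED, "policy-doc", True),
    Evidence("Art. 14", Level.E2_IMPLEMENTED, "source-code", True),
    Evidence("Art. 14", Level.E3_TESTED, "test-suite", False),
    Evidence("Art. 14", Level.E4_EXECUTED, "ops-log", True),
    Evidence("Art. 10", Level.E1_DECLARED, "policy-doc", True),
    Evidence("Art. 10", Level.E3_TESTED, "test-suite", False),
    Evidence("Art. 9", Level.E1_DECLARED, "policy-doc", True),
]

if __name__ == "__main__":
    for art in ("Art. 9", "Art. 10", "Art. 14", "Art. 15"):
        print(art, resolve(art, SAMPLE))
```

For Art. 14 the verdict is taken from the operational log (the highest level present), while the failing test beneath it is routed to the auditor as an alert rather than silently overridden.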