The Compliance Gap Is Already Here

Most Part 145 organizations are already using AI tools — informally, without organizational policy, and without an assessment of whether those tools satisfy the requirements EASA NPA 2025-07 will impose.

Technicians use ChatGPT to interpret procedures. Maintenance planning teams run documents through commercial AI summarizers. Some organizations have deployed enterprise knowledge platforms — built for office environments — and call them their AI strategy for maintenance. In virtually every case, these tools were adopted without a compliance evaluation because no regulatory framework existed to evaluate against.

That framework now exists. It is in consultation. Its direction is clear. And the organizations that evaluate their current AI use against NPA 2025-07 requirements now are in a fundamentally better position than those that wait for finalization.

This audit takes under an hour. It produces a clear answer. Do it before your next NAA visit.

What NPA 2025-07 Requires — The Short Version

The full regulatory text runs to considerable length. The compliance-relevant requirements reduce to four:

Requirement A
Source Traceability

Any AI-generated response used to support a maintenance decision must be traceable to a specific approved data source: document name, revision, section, and page. A response that is correct but not traceable does not satisfy this requirement.

Requirement B
Approved Data Boundaries

AI systems must operate exclusively within the organization's approved documentation corpus. Tools that draw on internet data, general training corpora, or external knowledge sources do not satisfy this requirement — regardless of output accuracy.

Requirement C
Auditability of AI Interactions

Organizations must be able to demonstrate, on request, what their AI systems told technicians, when, and on what basis. This requires timestamped, user-attributed interaction logs linked to the source data used in each response.

Requirement D
Human Authority over AI Output

AI must support human decision-making — not substitute for it. The Accountable Manager and the signing technician retain full responsibility. There must be a defined human decision point before AI output is acted upon.

The One-Hour Audit

For each AI tool currently in use in your organization, work through these four questions. You need access to the tool and, ideally, contact with the vendor's technical team for questions you cannot answer from the UI alone. Each question should take 10–15 minutes.

Q1 — Can this tool show the exact source of its answer?

Ask the tool a specific maintenance question. Look at the response. Does it show: (a) the document name, (b) the revision number, (c) the section, and (d) the page number — every time, as part of the standard response?

PASS Exact citation appears with every answer: document, revision, section, page. Reproducible across multiple queries.
FAIL "It pulls from your knowledge base." A link to a document without section/page. Citation available on request but not shown by default. No citation at all.
Q2 — Does this tool use only our approved documentation?

Ask the vendor: is the system's knowledge corpus limited to documents your organization has uploaded and approved? Is it technically impossible for the system to draw on external internet sources or general training data?

PASS Corpus is defined, bounded, and version-controlled by your organization. The vendor can demonstrate, technically, that external data sources cannot be accessed.
FAIL Tool was trained on internet data. Tool supplements retrieval with web search. Corpus boundaries are defined by policy, not architecture. Vendor cannot demonstrate isolation technically.
Q3 — Can we produce a complete log of what the AI told our technicians?

Ask the vendor to show you the interaction log. Can you see every query and response, with timestamp, user identity, and the source citation used? Is it exportable for audit use?

PASS Timestamped, user-attributed, exportable interaction logs exist. Logs include the source citation used in each response. Accessible by QM and AM on request.
FAIL No interaction logging. Logs exist but are not user-attributed. Logs not exportable. Source citations not recorded in log. Data residency unknown.
Q4 — Is there a clear human decision point before AI output is acted upon?

Review your current use cases. Is the AI output explicitly framed as advisory? Is there a defined process by which the signing technician reviews and accepts or rejects the AI-provided information before acting on it?

PASS AI is presented as advisory. System UI makes the advisory nature explicit. There is a defined human sign-off step in the workflow before AI-sourced information is applied.
FAIL AI output is presented as instruction without explicit advisory framing. No defined human review step in the workflow. System encourages direct action on AI output.

Scoring Your Results

Score Assessment Action
4 / 4 Potentially compliant Request a formal compliance assessment against the full NPA text. Document findings in QMS.
3 / 4 One structural gap Identify the failing question. Determine whether the gap is fixable within the current tool or requires procurement. Set a remediation timeline.
2 / 4 Significant gaps Current tool architecture is likely incompatible with NPA 2025-07. Begin procurement evaluation now. Do not wait for NPA finalization.
0–1 / 4 Non-compliant architecture Current tool does not meet the NPA standard. Restrict use pending replacement. Document the restriction in your QMS with a remediation plan and target date.

What to Do After the Audit

  1. Document your findings in the QMS Regardless of outcome, the audit itself is a quality activity. Record it: date, tools evaluated, questions asked, findings, score, and planned actions. This demonstrates proactive regulatory awareness to your NAA.
  2. Establish an AI use policy Define which AI tools are approved for use, in which workflows, with what oversight requirements. If an AI tool failed this audit, document the restriction on its use until remediation is complete.
  3. Begin procurement evaluation if needed If your current tools score below 3/4, the timeline to evaluate and implement a replacement before NPA finalization is shorter than it appears. Procurement, validation, and integration take time. Start now.
  4. Engage with the EASA consultation The consultation process exists to receive input from regulated organizations. Your Quality Manager should review the full NPA text and consider whether your organization has findings worth submitting. Engagement with the consultation process is itself a demonstration of regulatory competence.

DokPath Passes All Four

Four Questions. Four Passes.

Q1 — Exact source citation: Every DokPath response includes document name, revision number, section, and page number. Not on request — as the default output of every query, every time.

Q2 — Approved documentation only: DokPath operates exclusively within the corpus your organization has uploaded and approved. External data sources are architecturally isolated — not filtered, not policy-restricted. Isolated. We can demonstrate this technically during evaluation.

Q3 — Complete interaction logs: Every query and response is logged with timestamp and user attribution, including the exact source citation used. Logs are exportable in PDF format for QMS and audit use. Data residency is configurable.

Q4 — Human authority maintained: DokPath presents all responses as advisory, with explicit framing. The signing technician retains full responsibility. The system is designed as a reference tool, not an instruction source.

We recommend running this audit against DokPath yourself — with your Quality Manager, using your documents, in a live evaluation. The results should be verifiable in under 30 minutes.

Schedule a compliance evaluation
Disclaimer This audit framework is based on DokPath's interpretation of EASA NPA 2025-07 requirements as published for consultation in early 2026. It does not constitute legal or regulatory advice. Organizations should consult the official EASA documentation and their regulatory advisors for guidance specific to their approval certificates and operational context. NPA requirements are subject to revision through the consultation process.