EU AI Act Compliance Specialist

Production-ready compliance patterns for Regulation (EU) 2024/1689 -- the EU Artificial Intelligence Act. Covers risk classification, provider/deployer obligations, GPAI model requirements, conformity assessment, and AI governance.

AI System Inventory and Classification Workflow

The agent classifies AI systems under the EU AI Act's risk-based framework and maps applicable obligations.

Workflow: Classify and Map Obligations

• Inventory all AI systems -- for each system, document: name, provider/developer, description, intended purpose, deployment status, affected persons, geographic scope, data processed, and decision impact level.

• Apply classification decision tree to each system:

• Does it meet the Art. 3(1) definition of an AI system? If no, document exclusion.

• Does it fall under a prohibited practice (Art. 5)? If yes, flag as UNACCEPTABLE RISK -- must be discontinued.

• Is it a safety component of an Annex I product? If yes, HIGH-RISK (product legislation path).

• Does it fall under an Annex III category? If yes, apply Art. 6(3) exception analysis. If exception does not apply, HIGH-RISK.

• Does Art. 50 transparency obligation apply? If yes, LIMITED RISK. Otherwise, MINIMAL RISK.

• Map obligations based on classification -- assign compliance owners for each obligation.

• Run gap analysis using scripts/ai_compliance_checker.py to identify compliance gaps.

• Prioritize remediation by deadline urgency, penalty severity, and number of affected persons.

• Validation checkpoint: Every AI system classified; prohibited practices flagged for immediate action; high-risk systems have assigned compliance owners and remediation timelines.

Example: AI System Classification Output

{ "system_name": "Resume Screener v2.1", "provider": "Internal ML Team", "intended_purpose": "Screen job applications and rank candidates for recruiter review", "ai_act_classification": "HIGH-RISK", "classification_rationale": "Annex III Category 4 - Employment: AI for recruitment and screening of job applicants", "art_6_3_exception": false, "exception_rationale": "System directly influences which candidates proceed to interview stage - not a narrow procedural task", "applicable_obligations": [ "Risk management system (Art. 9)", "Data governance (Art. 10)", "Technical documentation (Art. 11)", "Record-keeping / automatic logging (Art. 12)", "Transparency and information to deployers (Art. 13)", "Human oversight (Art. 14)", "Accuracy, robustness, cybersecurity (Art. 15)", "Quality management system (Art. 17)", "Conformity assessment (Art. 43)", "CE marking (Art. 48)", "EU database registration (Art. 49)", "Post-market monitoring (Art. 72)" ], "compliance_deadline": "2026-08-02", "assigned_owner": "Head of AI Governance" }

Risk Classification System

The AI Act uses a risk-based approach with four tiers.

Tier 1: Prohibited Practices (Art. 5) -- Banned from 2 February 2025

Prohibited Practice Article

Social scoring by public authorities Art. 5(1)(c)

Real-time remote biometric identification in public spaces (with narrow exceptions) Art. 5(1)(h)

Emotion recognition in workplace and education (except medical/safety) Art. 5(1)(f)

Individual predictive policing based solely on profiling Art. 5(1)(d)

Exploitation of vulnerabilities (age, disability, social/economic situation) Art. 5(1)(b)

Subliminal manipulation causing significant harm Art. 5(1)(a)

Untargeted facial image scraping for recognition databases Art. 5(1)(e)

Biometric categorization by sensitive attributes (race, religion, etc.) Art. 5(1)(g)

Tier 2: High-Risk AI Systems (Art. 6, Annex III)

An AI system is high-risk if it falls under Annex III categories OR is a safety component of a product covered by Annex I harmonization legislation.

Annex III Categories:

Category Examples

1 Biometric identification and categorization Remote biometric ID, emotion recognition

2 Critical infrastructure management Road traffic, water/gas/electricity supply, digital infrastructure

3 Education and vocational training Admissions, learning outcome evaluation, test monitoring

4 Employment and workers management Recruitment/screening, promotion/termination, performance monitoring

5 Essential private and public services Creditworthiness, insurance risk, public assistance eligibility

6 Law enforcement Polygraph, deepfake detection, crime analytics

7 Migration, asylum, border control Asylum risk assessment, visa/permit examination

8 Administration of justice Judicial fact-finding, election influence

Tier 3: Limited Risk -- Transparency Obligations (Art. 50)

System Type Transparency Requirement

Chatbots / AI interacting with persons Inform person they are interacting with AI

Emotion recognition / biometric categorization Inform exposed persons of system operation

Deepfakes / AI-generated content Disclose AI generation; machine-readable labelling

AI-generated text on public interest matters Disclose AI generation unless editorially reviewed

Tier 4: Minimal Risk

No mandatory requirements. Voluntary codes of conduct encouraged (Art. 95).

Provider Obligations for High-Risk AI

Providers of high-risk AI systems must comply with all of the following:

Obligation Article Key Requirement

1 Risk Management System Art. 9 Continuous iterative process throughout lifecycle; test against defined metrics

2 Data Governance Art. 10 Training/validation/testing datasets meet quality, representativeness, and bias criteria

3 Technical Documentation Art. 11 Drawn up before market placement; kept up to date throughout lifecycle

4 Record-Keeping / Logging Art. 12 Automatic recording of events enabling traceability

5 Transparency Art. 13 Instructions for use with capabilities, limitations, and oversight measures

6 Human Oversight Art. 14 Human-in-the-loop, on-the-loop, or in-command depending on risk

7 Accuracy, Robustness, Cybersecurity Art. 15 Appropriate levels declared and maintained; adversarial resilience

8 Quality Management System Art. 17 Documented QMS covering design, development, testing, data management, post-market

9 Conformity Assessment Art. 43 Internal control (Annex VI) or third-party assessment (Annex VII)

10 CE Marking Art. 48 Affix CE marking before market placement

11 EU Database Registration Art. 49 Register in EU database before market placement

12 Post-Market Monitoring Art. 72 Active systematic data collection; serious incident reporting within 15 days

Deployer Obligations (Art. 26)

Obligation Detail

Use per instructions Operate per provider's instructions for use

Human oversight Assign competent, trained, authorized oversight personnel

Input data relevance Ensure input data is relevant and representative

Monitoring Monitor operation; inform provider of risks/incidents

Record-keeping Keep auto-generated logs (minimum 6 months)

Inform workers Notify workers/representatives before deployment of high-risk AI

DPIA Carry out GDPR Art. 35 data protection impact assessment when required

Fundamental Rights Impact Assessment Required for public bodies / private entities providing public services (Art. 27)

General-Purpose AI Models (GPAI)

GPAI Provider Obligations (Art. 53) -- Effective 2 August 2025

Obligation Detail

Technical documentation Maintain documentation of model training/testing process

Information for downstream Provide sufficient info for downstream AI system providers

Copyright compliance Comply with EU copyright law; honor opt-out mechanisms

Training data summary Publish detailed summary of training content per AI Office template

EU representative Non-EU providers must appoint EU-based representative

Systemic Risk GPAI Models (Art. 51, 55)

Classified as systemic risk if: high impact capabilities, AI Office designation, or trained with >10^25 FLOPs (rebuttable presumption).

Additional obligations: Model evaluation with adversarial testing, red-teaming proportionate to risk, systemic risk assessment and mitigation, incident tracking and reporting, cybersecurity protection, energy consumption reporting.

Conformity Assessment Workflow

The agent guides organizations through conformity assessment for high-risk AI systems.

Workflow: Internal Control (Annex VI)

• Establish QMS per Art. 17 -- document design, development, testing, data management, and post-market monitoring processes.

• Compile technical documentation per Art. 11 -- system description, development process, risk management, data governance, performance metrics.

• Implement all Chapter III Section 2 requirements -- verify each obligation is addressed.

• Conduct internal assessment:

• Verify risk management system addresses all identified risks (Art. 9)

• Verify data governance meets Art. 10 requirements

• Verify technical documentation is complete and current (Art. 11)

• Verify logging capability (Art. 12)

• Verify transparency and instructions for use (Art. 13)

• Verify human oversight design (Art. 14)

• Verify accuracy, robustness, cybersecurity (Art. 15)

• Confirm QMS covers all required elements (Art. 17)

• Sign EU Declaration of Conformity (Art. 47), affix CE marking (Art. 48), register in EU database (Art. 49).

• Implement post-market monitoring (Art. 72) and maintain documentation updates.

• Validation checkpoint: All 12 provider obligations verified; declaration signed; CE marking affixed; EU database registration complete; post-market monitoring operational.

Workflow: Third-Party Assessment (Annex VII)

Required for biometric identification systems (Annex III point 1) and cases where harmonized standards are insufficient.

• Complete all internal control steps above.

• Select and engage notified body with relevant AI system expertise.

• QMS assessment -- notified body reviews and assesses QMS; issues certificate or requires corrective action; annual surveillance.

• Technical documentation assessment -- notified body reviews documentation, tests system, issues type-examination certificate.

• Sign EU Declaration of Conformity with notified body identification number on CE marking.

• Maintain ongoing compliance -- notified body surveillance, notify of significant changes, maintain all documentation.

• Validation checkpoint: Notified body certificates issued; CE marking with NB number affixed; ongoing surveillance scheduled.

Bias Detection and Fairness Testing

The agent performs bias detection per Art. 10 data governance requirements.

Workflow: Bias Testing

• Define protected attributes -- age, gender, ethnicity, disability, religion, and other relevant characteristics for the system's context.

• Analyze data distribution -- check representation ratios (target: 0.8-1.25 vs. population), class imbalance ratios (>0.5), and coverage of all known groups.

• Evaluate outcome fairness using these metrics:

• Demographic parity: P(positive outcome) equal across groups (within 80% / four-fifths rule)

• Equalized odds: TPR and FPR equal across groups (within 80%)

• Predictive parity: PPV equal across groups (within 80%)

• Calibration: Predicted probabilities accurate for all groups (within 5pp)

• Identify proxy variables -- check for features correlated with protected attributes.

• Implement mitigation -- data augmentation, re-sampling, re-weighting, adversarial debiasing, threshold adjustment, or reject option classification as appropriate.

• Validate -- re-run analysis to confirm improvement.

• Document -- record all findings, measures taken, and residual bias levels in technical documentation.

• Validation checkpoint: All protected attributes tested; fairness metrics within thresholds or residual bias documented with justification; mitigation measures recorded.

Example: Bias Detection Command

Analyze dataset statistics for bias indicators

python scripts/ai_bias_detector.py --input dataset_stats.json
--protected-attributes gender,age_group,ethnicity

Output as JSON for integration with compliance documentation

python scripts/ai_bias_detector.py --input dataset_stats.json --json

Implementation Timeline

Date Milestone Key Requirements

1 Aug 2024 Entry into force Regulation published

2 Feb 2025 Prohibited practices + AI literacy Art. 5 prohibitions; Art. 4 AI literacy

2 Aug 2025 GPAI obligations + governance Art. 53, 55 GPAI obligations; AI Office operational

2 Aug 2026 Full application All remaining: high-risk, deployer, transparency, conformity, CE marking

2 Aug 2027 Extended deadline Certain Annex I Section B high-risk safety components

Penalties (Art. 99)

Violation Type Maximum Fine % Global Turnover

Prohibited AI practices EUR 35 million 7% (whichever higher)

High-risk non-compliance EUR 15 million 3% (whichever higher)

Misleading information to authorities EUR 7.5 million 1% (whichever higher)

SMEs and startups receive proportionate treatment (lower of absolute or percentage).

AI Model Documentation Templates

Template: AI System Description

AI SYSTEM DESCRIPTION

System Name: Version: Provider: Date:

1. GENERAL INFORMATION

   • Intended purpose:
   • Target users (deployers):
   • Affected persons:
   • Geographic scope:
   • AI Act classification:
   • Annex III category (if applicable):

2. TECHNICAL ARCHITECTURE

   • Model type:
   • Input data modalities:
   • Output description:
   • Key design choices and rationale:

3. TRAINING AND DATA

   • Training data sources:
   • Data volume and characteristics:
   • Data preparation methods:
   • Bias examination results:

4. PERFORMANCE

   • Accuracy metrics:
   • Robustness testing results:
   • Known limitations:
   • Performance across demographic groups:

5. HUMAN OVERSIGHT

   • Oversight level: [human-in-the-loop / on-the-loop / in-command]
   • Override mechanism:
   • Automation bias safeguards:

Template: Risk Management Documentation

RISK MANAGEMENT SYSTEM -- AI SYSTEM

System Name: Version: Risk Management Lead: Date:

1. RISK IDENTIFICATION

   Risk ID	Description	Likelihood	Severity	Risk Level
   R-001

2. RISK CONTROL MEASURES

   Risk ID	Measure	Type	Verification	Status
   R-001

3. RESIDUAL RISK ASSESSMENT

   • Acceptability determination:
   • Overall risk-benefit analysis:

4. POST-MARKET DATA INTEGRATION

   • Review frequency:
   • Trigger conditions for update:

Tools

AI Risk Classifier

Classify AI system from JSON description

python scripts/ai_risk_classifier.py --input system_description.json

Classify from inline JSON

python scripts/ai_risk_classifier.py --inline '{ "name": "Resume Screener", "description": "AI system that screens job applications and ranks candidates", "domain": "employment", "uses_biometrics": false, "decision_type": "automated_with_review", "affected_persons": "job applicants", "eu_deployment": true }'

JSON output for programmatic use

python scripts/ai_risk_classifier.py --input system.json --json

AI Compliance Checker

Full compliance check with gap analysis

python scripts/ai_compliance_checker.py --input compliance_status.json

Check deployer obligations only

python scripts/ai_compliance_checker.py --input compliance_status.json --role deployer

JSON output with remediation steps

python scripts/ai_compliance_checker.py --input compliance_status.json --json

AI Bias Detector

Analyze dataset for bias indicators mapped to Art. 10

python scripts/ai_bias_detector.py --input dataset_stats.json

Specify protected attributes explicitly

python scripts/ai_bias_detector.py --input dataset_stats.json
--protected-attributes gender,age_group,ethnicity --json

Reference Documentation

Document Path Description

Classification Guide references/ai-act-classification-guide.md

Complete Annex III categories, decision trees, prohibited practices, GPAI classification

Governance Framework references/ai-governance-framework.md

Organizational structure, ethics board, model lifecycle, conformity assessment procedures

Documentation Templates references/ai-technical-documentation-templates.md

Full templates for system description, risk management, data governance, testing, oversight, post-market monitoring, incident reporting, FRIA

Regulation Reference: Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 Last Updated: March 2026 Version: 1.0.0