EU AI Act | High-Risk Obligations

Regulation (EU) 2024/1689  |  Compliance mapping by TeNova
High-risk enforcement begins: December 2, 2027
€35M / 7%: Prohibited AI practices (Art. 99(1))
€15M / 3%: High-risk non-compliance (Art. 99(2))
€7.5M / 1.5%: Incorrect information (Art. 99(3))

High-Risk AI Obligations

| Article | What You Must Prove | Evidence Required | Ready? |
|---|---|---|---|
| Art. 9 (Critical) | Risk management system operational throughout AI lifecycle | Guardrail enforcement logs, risk assessments, mitigation records | |
| Art. 10 | Training data is governed, traceable, and free of prohibited bias | Data provenance records, PII scrub logs, bias measurements | |
| Art. 11 (Critical) | Technical documentation per Annex IV must be drawn up BEFORE placing a high-risk AI system on the market. Documentation must be kept up-to-date throughout the lifecycle. Covers 15 sections including general description, risk management, training data, logging, human oversight, and post-market monitoring. | Annex IV checklist (15 sections), auto-populated from AI procedure verdicts. 10 of 15 sections mapped to SWT3 procedures (AI-ID.1, AI-MDL.1, AI-INF.1, AI-GRD.1, AI-HITL.1). Remaining sections flagged for manual provider input. | |
| Art. 12 (Critical) | Every inference is automatically logged with sufficient traceability. Logs must enable reliable tracing back. If records can be altered, they are not traceable. | Cryptographically signed, tamper-evident inference records with prompt/response hashes, latency, volume | |
| Art. 13 | System is transparent enough for deployers to interpret output | Explanation generation records, confidence scores per decision | |
| Art. 14 (Critical) | Natural persons can effectively oversee the AI during use | Human review attestations, override logs, decision support scores | |
| Art. 15 | System achieves appropriate accuracy, robustness, and cybersecurity | Model version tracking, behavioral drift detection, integrity hashes | |
| Art. 17 | Quality management system documented covering AI development, testing, deployment, and post-market monitoring | QMS documentation, process records, internal audit trail, SWT3 compliance pipeline evidence | |
| Art. 26 | Deployers use AI per instructions; monitor for unauthorized use | Shadow AI detection records, acceptable use policy enforcement | |
| Art. 49 | High-risk AI registered in EU database before market placement | Registration records, approved model registry | |

Quick Self-Assessment

Can you reconstruct any AI decision from the last 6 months? Y / N
Do you have cryptographic proof that guardrails were active at inference time? Y / N
Can you detect when a model's behavior drifts from its baseline? Y / N
Do you have timestamped evidence of human oversight for high-risk decisions? Y / N
Can you produce this evidence in a format an auditor accepts, not a dashboard screenshot? Y / N

If you answered "No" to any of these, you have an integrity gap. The EU AI Act requires cryptographic evidence, not policy documents.

EU AI Act ↔ NIST 800-53 Control Mapping

SWT3 procedures map to both frameworks. One evidence pipeline, dual compliance.

| EU AI Act | Obligation | NIST 800-53 | SWT3 Protocol | Evidence Artifact |
|---|---|---|---|---|
| Art. 9 | Risk management & guardrail enforcement | RA-3, SI-10 | AI-GRD.1 | Guardrail factor triple per inference |
| Art. 9 | Content safety filtering | SI-10, SC-18 | AI-GRD.2 | Refusal detection flag + hash |
| Art. 9 | Model risk identification | RA-3, RA-5 | AI-MDL.1 | Model weight integrity hash |
| Art. 10 | Data governance & PII protection | SI-12, DM-1 | AI-GRD.3 | PII scrub + clearing level proof |
| Art. 12 | Automatic inference logging | AU-2, AU-3 | AI-INF.1 | Prompt/response hash + timestamp |
| Art. 12 | Performance monitoring | AU-6, SI-4 | AI-INF.2 | Latency threshold + anomaly flag |
| Art. 13 | Transparency & explainability | AC-4, AU-3 | AI-EXPL.1 | Explanation generation record |
| Art. 14 | Human oversight attestation | CP-2, IR-4 | AI-HITL.1 | Human review + override log |
| Art. 14 | Decision support confidence | RA-3, SA-15 | AI-EXPL.2 | Confidence calibration score |
| Art. 15 | Model version tracking | CM-3, SA-10 | AI-MDL.2 | Version hash + system fingerprint |
| Art. 15 | Behavioral drift detection | SI-7, CA-7 | AI-MDL.3 | Drift baseline comparison |
| Art. 26 | Shadow AI detection | CM-8, PM-5 | AI-GOV.4 | Unauthorized model inventory |

Art. 12 requires logs that "enable tracing back" of AI system operation. Editable log files fail this test. SWT3 Witness Anchors are SHA-256 signed, tamper-evident, and independently verifiable. If a record is altered, the fingerprint breaks. That is how you prove traceability.
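
The tamper-evidence property described above, sketched as an added example that is not TeNova's code and does not reproduce the SWT3 anchor format: each inference record carries SHA-256 hashes of the prompt and response, is chained to the previous record, and is authenticated with HMAC-SHA256. The field names, the demo key and the sample records are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

# Assumption: demo key only. A real deployment keeps the key in a KMS/HSM,
# or uses asymmetric signatures so that verifiers cannot forge records.
DEMO_KEY = b"constructed-demo-key"
GENESIS = "0" * 64

def record_mac(body: dict, key: bytes) -> str:
    # Canonical JSON so the same fields always serialize to the same bytes.
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()

def append_record(log, prompt, response, ts, latency_ms, key=DEMO_KEY):
    """Append one inference record chained to the previous record's MAC."""
    body = {
        "seq": len(log),
        "ts": ts,
        "latency_ms": latency_ms,
        "prompt_sha256": hashlib.sha256(prompt.encode()).hexdigest(),
        "response_sha256": hashlib.sha256(response.encode()).hexdigest(),
        "prev": log[-1]["mac"] if log else GENESIS,
    }
    log.append({**body, "mac": record_mac(body, key)})
    return log[-1]

def verify_log(log, key=DEMO_KEY):
    """Return the index of the first invalid record, or None if intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "mac"}
        ok = (rec.get("seq") == i and rec.get("prev") == prev
              and hmac.compare_digest(rec.get("mac", ""), record_mac(body, key)))
        if not ok:
            return i
        prev = rec["mac"]
    return None

def build_sample_log():
    # Constructed sample data, not real inference traffic.
    log = []
    append_record(log, "Assess application A", "Refer to human review", "2026-01-05T10:00:00Z", 412)
    append_record(log, "Assess application B", "Approve", "2026-01-05T10:00:07Z", 388)
    append_record(log, "Assess application C", "Decline", "2026-01-05T10:00:15Z", 401)
    return log
```

Editing a field, deleting a record from the middle, or re-signing with a different key makes `verify_log` return the index where the chain breaks. Truncating the tail is not caught by the chain alone; the latest MAC has to be anchored somewhere the log writer cannot rewrite.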

Try it now. No API keys, no signup.
Mints 3 SWT3 anchors locally in 30 seconds
pip install swt3-ai && python -m swt3_ai.demo
Live Demo Audit Portal
See real SWT3 anchors, verdicts, and evidence. No login required.
Free Account
sovereign.tenova.io/signup
Open tier. No credit card.