EU AI Act Compliance

Map your AI agent governance to EU AI Act requirements. 6 articles, 18 requirements, deadline tracking.

The EU AI Act is the world's first comprehensive AI regulation. governance-sdk maps 6 articles and 18 specific requirements to SDK features, letting you assess your compliance posture programmatically.

Warning: Enforcement Deadline: August 2, 2026. High-risk AI system requirements take effect. Maximum fine: 15M EUR or 3% of global annual turnover — whichever is higher.

6 Tracked Articles

Art. 9 — Risk Management System (4 requirements)

Establish and maintain a risk management system. Identify risks, implement mitigations, evaluate residual risks, test measures.

SDK mapping: Policy engine (blockTools, allowOnlyTools), enforcement (gov.enforce), 7-dimension scoring, enforcement playground

Art. 11 — Technical Documentation (3 requirements)

Document the AI system before market placement. System description, capabilities, monitoring configuration.

SDK mapping: Agent registration metadata (name, description, owner, tools), governance scoring with evidence, version-controlled config

Art. 12 — Record-Keeping (4 requirements)

Automatic recording of events. Traceability, integrity of logs, appropriate retention.

SDK mapping: Audit trail (gov.audit.log), rich event context, HMAC-SHA256 hash chaining (createIntegrityAudit), storage adapters

Art. 14 — Human Oversight (3 requirements)

Enable human intervention, understanding of capabilities, and real-time monitoring.

SDK mapping: requireApproval() policy, 7-dimension scoring with explainable evidence, queryable audit trail, fleet monitoring

Art. 15 — Accuracy, Robustness, Cybersecurity (2 requirements)

Resilience against errors and faults. Appropriate cybersecurity measures.

SDK mapping: Rate limiting, token budgets, HMAC-signed audit trail, agent authentication, tool blocking

Art. 50 — Transparency Obligations (2 requirements)

Disclose AI interaction to users. Mark AI-generated content in machine-readable format.

SDK mapping: Agent registration with disclosure metadata, audit trail with provenance (agent ID, timestamp, model version)

Run a Compliance Assessment

The assessCompliance() function evaluates your governance configuration against all 18 requirements. It produces a report with per-article scores, critical gaps, and remediation steps.

import { createGovernance } from 'governance-sdk';
import { assessCompliance } from 'governance-sdk/compliance';

const gov = createGovernance({ rules: [...] });
const agents = await gov.storage.listAgents();

const report = await assessCompliance({
  governance: gov,
  agents,
  auditIntegrity: true,       // Using createIntegrityAudit?
  humanOversight: true,        // requireApproval() or manual review process?
  logRetention: true,          // Configured log retention policy?
  configVersionControlled: true, // governance config in version control?
  policiesTested: true,        // Tested policies with representative scenarios?
});

// report:
// {
//   overallScore: 78,
//   status: "partial",
//   articles: [...],
//   agentsAssessed: 8,
//   criticalGaps: ["Record-Keeping (Art. 12): No explicit retention policy"],
//   recommendations: ["Configure log retention in your storage adapter"],
//   generatedAt: "2026-03-10T14:00:00Z",
//   daysUntilDeadline: 145
// }

Note: Some requirements cannot be checked automatically (e.g., "policies have been tested"). Pass boolean flags for these manual confirmations. The assessment is honest — it marks unconfirmed items as partial or non-compliant.

Deadline Tracking

import { getDaysUntilDeadline, getArticles } from 'governance-sdk/compliance';

// How many days until enforcement?
const days = getDaysUntilDeadline();
// → 145 (as of March 10, 2026)

// Get all tracked articles
const articles = getArticles();
// → [{ article: "9", title: "Risk Management System", ... }, ...]

Gap Analysis & Remediation

The report includes pre-computed critical gaps and de-duplicated remediation steps. You can also drill into individual article assessments.

// Drill into article-level assessments
for (const article of report.articles) {
  if (article.coverage === 'non-compliant') {
    for (const req of article.requirements) {
      if (req.status === 'non-compliant') {
        // req.evidence    → "No policy rules configured"
        // req.remediation → "Add policy rules via blockTools()..."
      }
    }
  }
}

// Or use the pre-computed critical gaps
report.criticalGaps.forEach((gap) => {
  // "Risk Management (Art. 9): No enforcement active"
  // "Record-Keeping (Art. 12): Audit logs are not tamper-evident"
});

// And the de-duplicated remediation steps
report.recommendations.forEach((rec) => {
  // "Enable createIntegrityAudit() for HMAC-SHA256 hash-chained logging"
  // "Add requireApproval() policy for sensitive operations"
});

Compliance Statuses

Status	Score	Meaning
compliant	80-100	Requirement fully addressed by SDK features and configuration
partial	40-79	Some coverage but gaps remain — see remediation steps
non-compliant	0-39	Critical gap — immediate action required

Warning: This module maps SDK features to EU AI Act requirements. It is not legal advice. Consult qualified legal counsel to confirm your specific compliance obligations based on your AI system's risk classification.