EU AI Act Compliance
The EU AI Act imposes mandatory technical requirements on high-risk AI systems. For operators in those categories, the question is not whether to comply but whether their current infrastructure can produce the evidence the regulation demands. AIEP’s architecture generates that evidence automatically — not as a post-hoc report, but as a structural property of every output.
What the EU AI Act requires
High-risk AI systems under the EU AI Act must satisfy, among others:
| Requirement | Article |
|---|---|
| Automatic logging of events throughout the system’s lifetime | Article 12 |
| Traceability of AI outputs to their evidence sources | Article 12 |
| Technical documentation enabling regulatory audit | Article 11 |
| Quality management covering data, testing, and monitoring | Article 17 |
| Transparency to enable human oversight | Article 13 |
These are structural requirements — they cannot be satisfied by a log file written after the fact. They require that the system produce verifiable records as a mechanical property of its operation.
How AIEP satisfies Article 12
AIEP’s Evidence Ledger is append-only and hash-chained. Every reasoning operation produces:
- A response_commitment hash — SHA-256 over the answer, source artefact IDs, and timestamp, computed at the moment of output
- An evidence artefact chain — each source linked by hash to a genesis record for the session
- A ComplianceCertificate — bound by hash to the evidence chain and the reasoning state that produced it
- A Negative Proof — if evidence is insufficient, a signed record of absence is created and persisted, not discarded
These records are produced automatically. They cannot be generated retroactively for an output produced outside the AIEP substrate. Article 12’s logging and traceability requirements are satisfied by construction, not by policy.
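An added illustration of the hash-chained ledger and response_commitment described above; it is not AIEP code. The record layout, the canonical-JSON encoding and every function name are assumptions made for the example, and the sample inputs are constructed.

```python
import hashlib, json

def h(obj) -> str:
    """SHA-256 over canonical JSON (assumed encoding, not AIEP's schema)."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

class Ledger:
    """Append-only record list; each record commits to its predecessor."""
    def __init__(self, session_id: str):
        self.records = []
        self._append("genesis", {"session": session_id})

    def _append(self, kind: str, body: dict) -> str:
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        core = {"kind": kind, "body": body, "prev": prev}
        self.records.append(dict(core, hash=h(core)))
        return self.records[-1]["hash"]

    def add_artefact(self, content: str) -> str:
        digest = hashlib.sha256(content.encode()).hexdigest()
        return self._append("artefact", {"content_sha256": digest})

    def commit_response(self, answer: str, artefact_ids, timestamp: str) -> str:
        sources = sorted(artefact_ids)
        commitment = h({"answer": answer, "sources": sources, "ts": timestamp})
        self._append("response", {"response_commitment": commitment,
                                  "sources": sources, "ts": timestamp})
        return commitment

def verify(records) -> bool:
    """Walk from genesis: every hash must match and link to the previous one."""
    prev = "0" * 64
    for rec in records:
        core = {k: rec[k] for k in ("kind", "body", "prev")}
        if rec["prev"] != prev or rec["hash"] != h(core):
            return False
        prev = rec["hash"]
    return True

def check_response(records, answer: str) -> bool:
    """Recompute the commitment for a claimed answer against the logged one."""
    body = next(r for r in reversed(records) if r["kind"] == "response")["body"]
    claimed = {"answer": answer, "sources": body["sources"], "ts": body["ts"]}
    return h(claimed) == body["response_commitment"]

def demo() -> Ledger:
    led = Ledger("session-001")  # constructed session and sources
    ids = [led.add_artefact(t) for t in ("constructed source A", "constructed source B")]
    led.commit_response("constructed answer", ids, "2026-01-01T00:00:00Z")
    return led
```

A chain like this detects edits only relative to a head hash the verifier already trusts; whoever holds the whole ledger can recompute it end to end, so the head needs to be signed or anchored outside the system being audited.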
Article 17 — quality management
AIEP’s canonical schema (aiep.canonical.schema.v3.0.0.json) version-binds every artefact to the exact protocol specification in force at the time of production. Any two AIEP-governed systems validating against this schema can exchange and verify each other’s records without a shared implementation.
The GENOME SDK’s GENOME_LOCKFILE.json provides a cryptographic commitment to the kernel version in force for each deployment — the trust root for production audit.
Regulated industries covered
The EU AI Act’s high-risk categories include medical devices, critical infrastructure, employment and worker management, access to education, law enforcement, migration and border control, and administration of justice. AIEP’s evidence substrate applies across all of them; the protocol is domain-agnostic.
For sector-specific deployment detail, see Regulated Industries.
Enforcement timeline
The EU AI Act applies in phases from 2025 through 2027. High-risk AI system obligations — including Article 12 logging — apply from August 2026. Operators should have compliant infrastructure in place before that date, not after the first supervisory review.