EU AI Act Compliance
The EU AI Act rail provides a complete compliance management system for Regulation (EU) 2024/1689 — the world’s first comprehensive AI regulation.
Overview
| Aspect | Details |
|---|---|
| Rail Code | EU_AI_ACT |
| Category | GOVERNANCE |
| Base Path | /api/v1/eu-ai-act |
| Authorization | Cerbos ABAC (eu_ai_act resource) |
| Deadline | 2 August 2026 (full high-risk obligations) |
Endpoints
AI System Registry
List Systems

```http
GET /api/v1/eu-ai-act/systems?limit=50&offset=0&classification=high-risk
```

Returns all registered AI systems for the tenant, with an optional classification filter.
Register System
```http
POST /api/v1/eu-ai-act/systems
Content-Type: application/json
```

```json
{
  "systemId": "iof-credit-scoring-v1",
  "name": "Credit Scoring Engine",
  "description": "AI-assisted creditworthiness assessment for Murabaha contracts",
  "classification": "high-risk",
  "annexCategory": "5b-creditworthiness",
  "gpaiProvider": "Anthropic",
  "gpaiModel": "claude-sonnet-4-20250514",
  "intendedPurpose": "Evaluate credit applications for Islamic finance products",
  "humanOversightMechanism": "All credit decisions require human review before approval",
  "riskOwner": "compliance-team",
  "relatedRail": "COMPLIANCE",
  "deploymentRegions": ["EU", "MENA"]
}
```

Get System Details
```http
GET /api/v1/eu-ai-act/systems/{id}
```

Returns system details together with recent risk assessments, oversight logs, and incidents.
Risk Assessment (Article 9)
```http
POST /api/v1/eu-ai-act/systems/{id}/risk-assessments
```

```json
{
  "assessmentType": "initial",
  "riskLevel": "high",
  "mitigationMeasures": [
    "Human-in-the-loop for all credit decisions",
    "Bias testing via AI Fairness 360",
    "Red-teaming with promptfoo"
  ],
  "residualRisks": [
    "Model drift over time",
    "Emerging adversarial attack vectors"
  ],
  "assessorId": "compliance-officer-001",
  "nextReviewDate": "2026-06-01T00:00:00Z"
}
```

Human Oversight (Article 14)
```http
POST /api/v1/eu-ai-act/systems/{id}/human-oversight
```

```json
{
  "decisionId": "credit-decision-2026-001",
  "aiOutput": "Recommended approval with 85% confidence score",
  "humanAction": "approved",
  "reviewerId": "senior-analyst-042",
  "justification": "Financial ratios within acceptable range, manual verification confirms"
}
```

Incident Reporting (Article 62)
```http
POST /api/v1/eu-ai-act/systems/{id}/incidents
```

```json
{
  "severity": "high",
  "description": "Credit scoring model produced systematically lower scores for applicants from specific region",
  "affectedPersons": 47,
  "rootCause": "Training data imbalance in regional representation",
  "correctiveActions": [
    "Retrain model with balanced regional data",
    "Add geographic bias monitoring",
    "Manual review of affected applications"
  ],
  "reportedToAuthority": false
}
```

Note: Critical incidents must be reported to the relevant national authority within 15 days per Article 62.
Conformity Status
```http
GET /api/v1/eu-ai-act/conformity-status
```

Returns aggregate compliance metrics across all AI systems.
Evidence Pack
```http
GET /api/v1/eu-ai-act/evidence-pack?format=json
```

Generates a comprehensive evidence pack for regulatory auditors covering all 9 key articles.
Risk Classification
| Classification | Description | IOF Examples |
|---|---|---|
| Prohibited | Unacceptable risk, banned in EU | Social scoring, subliminal manipulation |
| High-Risk | Annex III systems requiring conformity | Credit scoring, AML screening, KYC verification |
| Limited-Risk | Transparency obligations only | Chatbots, AI-generated content |
| Minimal-Risk | No obligations | Spam filters, search algorithms |
| GPAI Systemic | General-purpose AI with systemic risk | Foundation models used across services |
| GPAI Non-Systemic | General-purpose AI below threshold | Standard LLM deployments |
Annex III Categories (Financial Services)
| Category | Description |
|---|---|
| 5a | Essential private/public services access |
| 5b | Creditworthiness assessment |
| 5c | Risk assessment and pricing |
| 5d | Fraud detection |
Authorization Roles
| Role | Permissions |
|---|---|
| AI_GOVERNANCE_OFFICER | Full CRUD, approve conformity, generate evidence |
| COMPLIANCE_OFFICER | Create, update, assess, log oversight, report incidents |
| DPO | Read, report incidents |
| RISK_OFFICER | Read, assess, log oversight, report incidents |
| AUDITOR | Read-only, generate evidence packs |
| TENANT_ADMIN | Full access |
Webhook Events
| Event | Trigger |
|---|---|
| eu_ai_act.system.registered | New AI system registered |
| eu_ai_act.assessment.high_risk_detected | High/critical risk in assessment |
| eu_ai_act.oversight.rejected | AI output rejected by human |
| eu_ai_act.incident.critical | Critical incident requiring authority notification |
| eu_ai_act.conformity.non_compliant | System failed conformity assessment |
| eu_ai_act.evidence_pack.generated | Evidence pack created for audit |