- Five Oversight Modes from suggest_only to autonomous
- Risk gate is a floor — autonomy can only tighten it
- Approval gate holds high-risk actions for a human
- Audited break-glass with a mandatory recorded reason
Run high-risk AI agents the EU AI Act can audit.
The EU AI Act is the world's first horizontal AI law. It classifies AI systems by risk and imposes the strictest obligations — risk management, human oversight, logging, traceability, and post-market monitoring — on high-risk systems. It applies to providers and deployers placing AI on the EU market, wherever they are based. Cortex enforces those obligations at runtime and exports the proof from a tamper-evident Trust Ledger.
Built for EU AI Act Title III · aligned with — never certified-claimed
EU Artificial Intelligence Act, in plain language.
The EU AI Act (Regulation (EU) 2024/1689) takes a risk-tiered approach: prohibited practices are banned outright, high-risk systems carry the heaviest obligations, limited-risk systems require transparency, and minimal-risk systems are largely unregulated. For agents that make or materially influence decisions in regulated domains — credit, employment, essential services — the high-risk regime applies. Its requirements are written as outcomes (Articles 9-15): a risk management system, data governance, technical documentation, automatic record-keeping, transparency, human oversight, and accuracy/robustness. Cortex maps each one to a fail-closed runtime gate so alignment is enforced, not just documented.
applies to ▸ European Union · providers & deployers of high-risk AI
Each requirement becomes an enforced, recorded control.
Title III imposes seven core obligations on high-risk AI. Cortex turns each into a runtime control that records its verdict in the Trust Ledger — so the technical documentation an EU auditor asks for is generated, not assembled.
- Automatic, hash-chained logging of every agent run
- Monotonic seq per tenant chain — no silent gaps
- verifyChain proves the logs were not altered
- Go-forward genesis — honest sealing, not retro-faked
- 10-hop lineage: human → agent → … → outcome → approval
- Datapoint provenance pins each fact to its source
- GET /lineage/:correlationId reconstructs any decision
- Signed receipts a third party can verify offline
- Risk register tracks each agent's risk tier and controls
- Policy-as-Code: testable allow / deny / require_approval
- Golden policy tests gate changes against regression
- Cost caps bound resource exposure (402 over budget)
- Reliability score gates which agent versions publish
- Evaluation suites with faithfulness + citation coverage
- Output guardrails screen generated content (451)
- Observability with per-run quality scoring
- Ontology object / property / action permissions
- DLP screens data in and out of every tool call
- Restricted reads fail closed (403) and are logged
- Tenant isolation keyed on (tenantId, id) everywhere
From a written obligation to provable evidence.
Every obligation reduces to a fail-closed runtime gate whose verdict lands in a tamper-evident ledger you can hand an examiner. This is the table a Compliance Pack exports for this framework.
| Obligation | Enforced Cortex control | Ledger evidence |
|---|---|---|
| Art. 14 — effective human oversight of high-risk output | Oversight Modes + approval gate | 409 hold · approver receipt |
| Art. 12 — automatic logging over the system lifecycle | Trust Ledger (hash-chained) | verifyChain ▸ ok:true |
| Art. 13 — traceability & interpretability of results | 10-hop lineage + provenance | lineage/:correlationId |
| Art. 9 — documented risk management system | Risk register + Policy-as-Code | golden tests passed/total |
| Art. 15 — accuracy, robustness, cybersecurity | Reliability score + output guard | 451 on blocked output |
| Records are complete & tamper-evident | Signed receipts, sealed chain | hashOk:false flags edits |
One-click evidence export, straight from the Trust Ledger.
EU market surveillance authorities can demand technical documentation and logs (Art. 11-12). A Compliance Pack assembles the Article-to-control mapping with the live, sealed run records that prove each control fired — exported on demand and verifiable offline.
- The EU AI Act control map, generated — not assembled by hand
- Sealed run records you can verifyChain offline
- Datapoint provenance: every fact threads back to its source
- Honest by construction — evidence is generated, never asserted
The EU AI Act verdicts you'll see in the demo.
These are not slideware promises — they are the literal codes and receipts the runtime returns when you challenge it against this framework's controls.
Three steps from EU AI Act on paper to provable.
- 01
Map
Pick EU AI Act. Cortex lines each obligation up against the runtime gate that enforces it — no spreadsheet archaeology.
- 02
Enforce
Every agent run passes the same fail-closed gates. A denied control returns a real code (402 / 403 / 409) — never a silent pass.
- 03
Prove
Export a Compliance Pack: the mapping table plus the sealed ledger records that show each control fired, verifiable offline.
Aligned with — never certified-claimed
Cortex is built for and aligned with the EU AI Act's high-risk obligations. Conformity assessment and CE marking remain the provider's responsibility; Cortex supplies the enforced controls and the evidence, not the declaration.
The Cortex capabilities that satisfy this framework.
Each obligation above is enforced by a real capability in the runtime. Explore the ones that do the work for this framework.
Oversight
Five autonomy modes and audited break-glass deliver the Article 14 human-oversight control.
Trust Ledger
Hash-chained logging and 10-hop lineage satisfy the Article 12-13 record-keeping and traceability duties.
Policy-as-Code
Testable rules and golden tests document the Article 9 risk-management system.
Map the rest of your regulatory surface.
The same enforced controls and one-click evidence export cover the other frameworks your auditors cite.
NIST AI RMF
Aligned with the NIST AI Risk Management Framework: Govern, Map, Measure, and Manage — with documented, exportable evidence..
ISO/IEC 42001
Aligned with ISO/IEC 42001: an AI management system with policies, roles, records, and continual improvement — evidence exported one-click..
SOC 2
Aligned with SOC 2 Trust Services Criteria: access controls, change management, audit logging, and tamper-evident evidence..
All frameworks
The full compliance hub — every framework Cortex maps to, with the shared control-to-evidence model.
Built for the frameworks your auditors already cite.
The sealed ledger, signed receipts, and lineage graph map to the obligations across every regime you report against — aligned with, never claiming a certification you don't hold.
Turn EU AI Act from a burden into a button.
See how Cortex maps EU AI Act to enforced controls and exports auditor-grade evidence on demand.