EU AI Act alignment

Run high-risk AI agents the EU AI Act can audit.

The EU AI Act is the world's first horizontal AI law. It classifies AI systems by risk and imposes the strictest obligations — risk management, human oversight, logging, traceability, and post-market monitoring — on high-risk systems. It applies to providers and deployers placing AI on the EU market, wherever they are based. Cortex enforces those obligations at runtime and exports the proof from a tamper-evident Trust Ledger.

Built for EU AI Act Title III · aligned with — never certified-claimed

audit/verify
#101hash ✓#102hash ✓#103hash ✓#104hash ✓#105hash ✓
head 0x9f3a…c1ok: true
verifyChain ▸ chained SHA-256 · signed receipts
What EU AI Act is

EU Artificial Intelligence Act, in plain language.

The EU AI Act (Regulation (EU) 2024/1689) takes a risk-tiered approach: prohibited practices are banned outright, high-risk systems carry the heaviest obligations, limited-risk systems require transparency, and minimal-risk systems are largely unregulated. For agents that make or materially influence decisions in regulated domains — credit, employment, essential services — the high-risk regime applies. Its requirements are written as outcomes (Articles 9-15): a risk management system, data governance, technical documentation, automatic record-keeping, transparency, human oversight, and accuracy/robustness. Cortex maps each one to a fail-closed runtime gate so alignment is enforced, not just documented.

applies to ▸ European Union · providers & deployers of high-risk AI

The obligations — and how Cortex maps to them

Each requirement becomes an enforced, recorded control.

Title III imposes seven core obligations on high-risk AI. Cortex turns each into a runtime control that records its verdict in the Trust Ledger — so the technical documentation an EU auditor asks for is generated, not assembled.

Art. 14 · Human oversight
  • Five Oversight Modes from suggest_only to autonomous
  • Risk gate is a floor — autonomy can only tighten it
  • Approval gate holds high-risk actions for a human
  • Audited break-glass with a mandatory recorded reason
Art. 12 · Record-keeping
  • Automatic, hash-chained logging of every agent run
  • Monotonic seq per tenant chain — no silent gaps
  • verifyChain proves the logs were not altered
  • Go-forward genesis — honest sealing, not retro-faked
Art. 13 · Traceability
  • 10-hop lineage: human → agent → … → outcome → approval
  • Datapoint provenance pins each fact to its source
  • GET /lineage/:correlationId reconstructs any decision
  • Signed receipts a third party can verify offline
Art. 9 · Risk management
  • Risk register tracks each agent's risk tier and controls
  • Policy-as-Code: testable allow / deny / require_approval
  • Golden policy tests gate changes against regression
  • Cost caps bound resource exposure (402 over budget)
Art. 15 · Accuracy & robustness
  • Reliability score gates which agent versions publish
  • Evaluation suites with faithfulness + citation coverage
  • Output guardrails screen generated content (451)
  • Observability with per-run quality scoring
Art. 10 · Data governance
  • Ontology object / property / action permissions
  • DLP screens data in and out of every tool call
  • Restricted reads fail closed (403) and are logged
  • Tenant isolation keyed on (tenantId, id) everywhere
The control mapping

From a written obligation to provable evidence.

Every obligation reduces to a fail-closed runtime gate whose verdict lands in a tamper-evident ledger you can hand an examiner. This is the table a Compliance Pack exports for this framework.

ObligationEnforced Cortex controlLedger evidence
Art. 14 — effective human oversight of high-risk outputOversight Modes + approval gate409 hold · approver receipt
Art. 12 — automatic logging over the system lifecycleTrust Ledger (hash-chained)verifyChain ▸ ok:true
Art. 13 — traceability & interpretability of results10-hop lineage + provenancelineage/:correlationId
Art. 9 — documented risk management systemRisk register + Policy-as-Codegolden tests passed/total
Art. 15 — accuracy, robustness, cybersecurityReliability score + output guard451 on blocked output
Records are complete & tamper-evidentSigned receipts, sealed chainhashOk:false flags edits
Compliance Packs

One-click evidence export, straight from the Trust Ledger.

EU market surveillance authorities can demand technical documentation and logs (Art. 11-12). A Compliance Pack assembles the Article-to-control mapping with the live, sealed run records that prove each control fired — exported on demand and verifiable offline.

  • The EU AI Act control map, generated — not assembled by hand
  • Sealed run records you can verifyChain offline
  • Datapoint provenance: every fact threads back to its source
  • Honest by construction — evidence is generated, never asserted
01 · Humanrisk-ops@nw02 · AgentFraud Triage03 · Skilltriage.v404 · Promptsha 0x3a…05 · Policyapprove≥5k06 · Modelclaude-opus07 · ToollookupCase08 · Artifactmemo #447109 · Outcomeapproved10 · Approvalj.lee
Prove it — don't just claim it

The EU AI Act verdicts you'll see in the demo.

These are not slideware promises — they are the literal codes and receipts the runtime returns when you challenge it against this framework's controls.

gate verdicts ▸ EU AI Act
High-risk action held for human409 HOLDenforced
Tampered log range detectedok:false · brokenAtSeqenforced
Restricted personal-data read403 deniedenforced
Decision reconstructed end-to-end10-hop lineageenforced
compliance-pack ▸ generated from the trust ledger · verifiable offline
Getting audit-ready

Three steps from EU AI Act on paper to provable.

  1. 01

    Map

    Pick EU AI Act. Cortex lines each obligation up against the runtime gate that enforces it — no spreadsheet archaeology.

  2. 02

    Enforce

    Every agent run passes the same fail-closed gates. A denied control returns a real code (402 / 403 / 409) — never a silent pass.

  3. 03

    Prove

    Export a Compliance Pack: the mapping table plus the sealed ledger records that show each control fired, verifiable offline.

Aligned with — never certified-claimed

Cortex is built for and aligned with the EU AI Act's high-risk obligations. Conformity assessment and CE marking remain the provider's responsibility; Cortex supplies the enforced controls and the evidence, not the declaration.

Compliance framing

Built for the frameworks your auditors already cite.

The sealed ledger, signed receipts, and lineage graph map to the obligations across every regime you report against — aligned with, never claiming a certification you don't hold.

EU AI ActNIST AI RMFISO 42001SOC 2HIPAAFINRAIRS Circular 230

Turn EU AI Act from a burden into a button.

See how Cortex maps EU AI Act to enforced controls and exports auditor-grade evidence on demand.