EU AI Act Compliance Mapping
Article-by-article control coverage, findings, risks, mitigations, and actions across the AI portfolio.
Overall coverage: 86% (14 articles mapped)
Articles passing: 5
Articles needing remediation: 9
Open findings: 16 across articles
Actions in remediation: 18
Compliance by Article (coverage % per EU AI Act obligation)
Article 5 — Prohibited AI Practices
Bans the practices listed in Art. 5(1): subliminal, manipulative or deceptive techniques that distort behaviour; exploitation of vulnerabilities due to age, disability or socio-economic situation; social scoring; criminal risk prediction based solely on profiling; untargeted scraping of facial images; emotion inference in workplaces and schools; biometric categorisation inferring protected attributes; and real-time remote biometric identification in publicly accessible spaces for law enforcement (narrow exceptions).
Obligations
- Maintain prohibited-use inventory and attestations
- Pre-deployment screening for prohibited use cases
- Vendor contractual prohibitions
Findings (1)
- F-501 · Low · Closed
All deployed systems screened against Art. 5 prohibitions
Policy Scan
Actions (1)
- A-501 · Investigating
Quarterly re-attestation cycle
Governance Board · due 2026-09-30
Mitigations in place
- Hard policy gates in model approval workflow
- Vendor AUP includes Art. 5 prohibitions
Article 6 & Annex III — Classification of High-Risk AI Systems
Defines when a system is high-risk: the Annex III use cases (biometrics, critical infrastructure, education, employment, access to essential services including credit scoring, insurance and emergency triage, law enforcement, migration and justice), subject to the Art. 6(3) derogation for systems that pose no significant risk, which must itself be documented.
Obligations
- Classify every AI system against Annex III categories
- Maintain rationale and reclassification triggers
Findings (2)
- F-601 · Medium · Open
3 models pending high-risk classification review
Model Registry · Medical Diagnosis Asst.
- F-602 · High · Mitigating
Credit Scoring v3.2 reclassification trigger met
Risk Monitor · Credit Scoring v3.2
Actions (2)
- A-601 · Investigating
Complete Annex III classification for 3 pending models
Priya Shah · due 2026-06-30
- A-602 · Open
Document reclassification rationale for Credit Scoring v3.2
Governance Board · due 2026-07-15
Mitigations in place
- Automated Annex III tagging in registry
- Quarterly classification review
Article 9 — Risk Management System
Continuous, iterative risk management process throughout the AI system lifecycle.
Obligations
- Documented risk management plan per high-risk system
- Iterative testing across lifecycle
- Residual risk acceptance sign-off
Findings (2)
- F-901 · Medium · Open
2 high-risk systems missing updated risk plan (>90 days)
Audit Scan
- F-902 · High · Mitigating
Residual risk sign-off overdue for Patient Risk Pred.
Risk Register · Patient Risk Pred.
Actions (1)
- A-901 · Investigating
Refresh risk management plans for stale high-risk systems
Responsible AI · due 2026-07-01
Mitigations in place
- Lifecycle hooks trigger plan refresh
- Risk committee monthly review
Article 10 — Data & Data Governance
Training, validation, and test datasets must be relevant, sufficiently representative, and, to the best extent possible, free of errors and complete in view of the intended purpose.
Obligations
- Dataset datasheets and lineage
- Bias detection on training data
- Data quality and representativeness assessment
Findings (2)
- F-1001 · High · Mitigating
Underrepresentation of 65+ cohort in credit training set
Fairlearn Scan · Credit Scoring v3.2
- F-1002 · Medium · Open
Dataset datasheet missing for HR Policy Assistant corpus
Data Catalog · HR Policy Assistant
Actions (2)
- A-1001 · Investigating
Resample and augment 65+ cohort
Priya Shah · due 2026-07-20
- A-1002 · Open
Publish datasheet for HR corpus
Sara Okonkwo · due 2026-06-25
Mitigations in place
- Pre-train bias gate
- Mandatory datasheet in MLflow registration
Article 11 & Annex IV — Technical Documentation
Comprehensive technical documentation drawn up before the system is placed on the market or put into service, and kept up to date thereafter.
Obligations
- Annex IV documentation package per system
- Version-controlled and audit-ready
Findings (1)
- F-1101 · Low · Open
1 system documentation drift > 30 days from latest deploy
Doc Audit
Actions (1)
- A-1101 · Investigating
Sync Annex IV docs with latest production version
Daniel Reyes · due 2026-06-18
Article 12 — Record-Keeping & Logging
Automatic recording of events (logs) over system lifetime sufficient for traceability.
Obligations
- Immutable event logs
- Retention aligned to legal basis
Findings (0)
No open findings
Actions (1)
- A-1201 · Open
Extend retention to 10y for clinical AI logs
CISO Office · due 2026-08-01
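The "immutable event logs" obligation above is the one a dashboard check says least about, so here is an added example (not the page's logging stack) of what such a control looks like: a hash-chained, append-only event log in Python, with a verifier that localises the first tampered or deleted record, and an external checkpoint that catches truncation, which a chain on its own cannot. The system names and events are constructed sample data, and GENESIS, append_event, verify_chain and anchor are illustrative names.

```python
"""Hash-chained, append-only event log for AI system traceability.

Added illustration, not the page's tooling: each record commits to the digest
of the previous record, so editing or deleting a past event breaks verification
from that record onward. Removing records from the tail is NOT detectable by
the chain alone; a checkpoint stored outside the log host (WORM bucket, signed
ticket, transparency log) is what catches that.
"""
import hashlib
import json
from copy import deepcopy

GENESIS = "0" * 64  # prev_hash of the first record (illustrative constant)


def _canonical(obj) -> bytes:
    # Deterministic serialisation: fixed key order and separators so the same
    # record always produces the same digest.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _body(seq: int, prev_hash: str, event: dict) -> dict:
    return {"seq": seq, "prev_hash": prev_hash, "event": event}


def append_event(chain: list, event: dict) -> dict:
    """Append `event` as a record committing to the previous record's hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    body = _body(len(chain), prev_hash, event)
    record = dict(body, hash=hashlib.sha256(_canonical(body)).hexdigest())
    chain.append(record)
    return record


def verify_chain(chain: list):
    """Return (True, None) if intact, else (False, index of first bad record)."""
    expected_prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev_hash"] != expected_prev:
            return False, i  # reordering, deletion or splice
        body = _body(rec["seq"], rec["prev_hash"], rec["event"])
        if hashlib.sha256(_canonical(body)).hexdigest() != rec["hash"]:
            return False, i  # content of this record was altered
        expected_prev = rec["hash"]
    return True, None


def anchor(chain: list) -> dict:
    """Checkpoint to store outside the log host; pins length and head digest."""
    return {"length": len(chain), "head": chain[-1]["hash"] if chain else GENESIS}


def verify_against_anchor(chain: list, checkpoint: dict) -> bool:
    """Chain must be intact AND still contain the anchored head at the anchored
    position; later appends are allowed, truncation below the anchor is not."""
    ok, _ = verify_chain(chain)
    n = checkpoint["length"]
    if not ok or len(chain) < n:
        return False
    head = chain[n - 1]["hash"] if n else GENESIS
    return head == checkpoint["head"]


# Constructed sample events for a hypothetical clinical model (not real data).
SAMPLE_EVENTS = [
    {"ts": "2026-05-01T09:00:00Z", "system": "Patient Risk Pred.", "type": "inference",
     "model_version": "2.3.1", "input_hash": "sha256:ab12", "output": "risk=HIGH",
     "operator": "u-4417"},
    {"ts": "2026-05-01T09:00:04Z", "system": "Patient Risk Pred.", "type": "human_override",
     "operator": "u-4417", "new_output": "risk=MEDIUM", "reason": "clinical judgement"},
    {"ts": "2026-05-01T09:05:00Z", "system": "Patient Risk Pred.", "type": "model_update",
     "model_version": "2.3.2", "approved_by": "gov-board"},
]


def build_sample_chain() -> list:
    chain = []
    for ev in SAMPLE_EVENTS:
        append_event(chain, ev)
    return chain


def tamper_demo():
    """Rewriting the human-override record is detected exactly at that record."""
    chain = build_sample_chain()
    intact = verify_chain(chain)
    tampered = deepcopy(chain)
    tampered[1]["event"]["new_output"] = "risk=HIGH"  # erase evidence of override
    return intact, verify_chain(tampered)


if __name__ == "__main__":
    print(tamper_demo())  # ((True, None), (False, 1))
```

The retention point in A-1201 is orthogonal to integrity: a chain proves nothing about records that were never written or that aged out, so retention and the checkpoint schedule both belong in the Art. 12 evidence, not just the hashing.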
Article 13 — Transparency & Information to Users
Systems must be sufficiently transparent to enable users to interpret output and use appropriately.
Obligations
- User-facing instructions for use
- Disclosure of limitations and intended purpose
Findings (2)
- F-1301 · High · Open
Medical Assistant lacks limitation disclosure in UI
UX Audit · Medical Assistant LLM
- F-1302 · Medium · Mitigating
Loan Advisory lacks plain-language model card link
UX Audit · Loan Advisory GPT
Actions (1)
- A-1301 · Investigating
Add limitation banner & confidence indicator
Linh Tran · due 2026-06-22
Article 14 — Human Oversight
High-risk systems designed to be effectively overseen by natural persons.
Obligations
- HITL / HOTL controls
- Stop / override mechanisms
Findings (1)
- F-1401 · Medium · Mitigating
Override path not measurable on Fraud Detection v1.7
Control Test · Fraud Detection v1.7
Actions (1)
- A-1401 · Investigating
Instrument override latency telemetry
Daniel Reyes · due 2026-07-10
Article 15 — Accuracy, Robustness & Cybersecurity
Appropriate level of accuracy, robustness, and cybersecurity throughout lifecycle.
Obligations
- Performance & robustness testing
- Adversarial and security testing (OWASP AI)
Findings (2)
- F-1501 · High · Mitigating
Prompt injection succeeds on HR Policy Assistant (red-team)
OWASP AI Scan · HR Policy Assistant
- F-1502 · Medium · Open
Drift exceeds threshold on Fraud Detection v1.7
Evidently AI · Fraud Detection v1.7
Actions (2)
- A-1501 · Investigating
Rotate prompt-injection guardrails (Llama Guard 3)
Sara Okonkwo · due 2026-06-20
- A-1502 · Open
Retrain Fraud Detection with last 90d data
Daniel Reyes · due 2026-07-05
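Finding F-1502 reports score drift above a threshold without saying what is measured. As an added example (not the page's Evidently AI configuration), the following computes the Population Stability Index between a reference score distribution and a recent production window and maps it to a status. The fraud-score samples are constructed, and the 0.1 / 0.2 thresholds are the usual rule of thumb assumed here, not values taken from the page.

```python
"""Population Stability Index (PSI) drift check on model score distributions.

Added illustration: reference scores are the distribution the model was
validated on, current scores are recent production outputs. Bins are cut at
reference quantiles so each holds ~1/bins of the reference mass; eps smoothing
keeps an emptied or newly populated bin from producing log(0).
"""
import bisect
import math
import random

WATCH_THRESHOLD = 0.1  # assumed convention, not from the page
DRIFT_THRESHOLD = 0.2  # assumed convention, not from the page


def quantile_edges(reference, bins=10):
    """Interior bin edges at reference quantiles."""
    ref = sorted(reference)
    n = len(ref)
    return [ref[(n * k) // bins] for k in range(1, bins)]


def bin_fractions(values, edges):
    """Fraction of `values` falling in each bin defined by `edges`."""
    counts = [0] * (len(edges) + 1)
    for v in values:
        counts[bisect.bisect_right(edges, v)] += 1
    total = len(values)
    return [c / total for c in counts]


def psi(reference, current, bins=10, eps=1e-4):
    """PSI = sum_i (q_i - p_i) * ln(q_i / p_i); identical distributions give 0."""
    if not reference or not current:
        raise ValueError("need non-empty reference and current samples")
    edges = quantile_edges(reference, bins)
    p = bin_fractions(reference, edges)
    q = bin_fractions(current, edges)
    return sum((qi - pi) * math.log((qi + eps) / (pi + eps)) for pi, qi in zip(p, q))


def drift_status(value):
    """Map a PSI value to a gate outcome using the assumed thresholds."""
    if value >= DRIFT_THRESHOLD:
        return "DRIFT"
    if value >= WATCH_THRESHOLD:
        return "WATCH"
    return "STABLE"


def _clip(x):
    return min(1.0, max(0.0, x))


def constructed_scores():
    """Constructed fraud-score samples (not real data): validation-time reference,
    a production window from the same distribution, and one that has shifted."""
    rng = random.Random(17)
    reference = [_clip(rng.gauss(0.30, 0.10)) for _ in range(5000)]
    stable = [_clip(rng.gauss(0.30, 0.10)) for _ in range(2000)]
    shifted = [_clip(rng.gauss(0.45, 0.12)) for _ in range(2000)]
    return reference, stable, shifted


def run_check():
    reference, stable, shifted = constructed_scores()
    return {
        "stable": drift_status(psi(reference, stable)),
        "shifted": drift_status(psi(reference, shifted)),
    }


if __name__ == "__main__":
    print(run_check())  # {'stable': 'STABLE', 'shifted': 'DRIFT'}
```

Score drift of this kind is a trigger, not a diagnosis: it says the input or output distribution moved, not whether accuracy fell, which is why A-1502 pairs it with a retrain on recent labelled data rather than acting on the statistic alone.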
Article 17 — Quality Management System
Providers establish a documented QMS covering strategy, design controls, testing, and post-market.
Obligations
- Documented QMS
- Roles, responsibilities, sign-offs
Findings (0)
No open findings
Actions (1)
- A-1701 · Open
Annual QMS internal audit
Governance Board · due 2026-11-01
Article 50 — Transparency Obligations for GenAI
Users informed they are interacting with an AI system; synthetic content marked machine-readable.
Obligations
- AI-interaction disclosure
- Watermarking / provenance for synthetic content
Findings (1)
- F-5001 · Medium · Open
Sales Co-Pilot lacks AI disclosure on first contact
UX Audit · Sales Co-Pilot
Actions (1)
- A-5001 · Investigating
Add 'You are chatting with AI' banner
Linh Tran · due 2026-06-19
Article 53 — GPAI Provider Obligations
Technical documentation, training data summary, and downstream provider information for GPAI models.
Obligations
- Training data transparency summary
- Copyright policy
- Downstream provider documentation
Findings (2)
- F-5301 · High · Open
Internal fine-tuned Llama 3.3 missing training data summary
GPAI Audit
- F-5302 · Medium · Mitigating
Copyright opt-out policy not published
Legal Review
Actions (2)
- A-5301 · Investigating
Publish training data summary template
Legal · due 2026-07-31
- A-5302 · Open
Publish copyright opt-out workflow
Legal · due 2026-07-15
Mitigations in place
- GPAI registry under build
- Provider attestations on procurement
Article 72 — Post-Market Monitoring
Active and systematic collection of system performance data after market placement.
Obligations
- Post-market monitoring plan
- Performance and incident telemetry
Findings (1)
- F-7201 · High · Mitigating
Hallucination rate above target on Medical Assistant
DeepEval · Medical Assistant LLM
Actions (1)
- A-7201 · Investigating
Tighten retrieval grounding (2.1% → <1%)
Dr. Aisha Khan · due 2026-07-12
Article 73 — Serious Incident Reporting
Report serious incidents to the market surveillance authority of the Member State where the incident occurred, within the statutory deadlines.
Obligations
- Report within 15 days of becoming aware of a serious incident (2 days for a widespread infringement or a serious disruption of critical infrastructure; 10 days where a death is involved)
- Root-cause analysis
Findings (0)
No open findings
Actions (1)
- A-7301 · Open
Tabletop incident drill
CISO Office · due 2026-09-30
Mitigations in place
- Incident runbook + on-call rota
- Auto-ticketing on Sev1/Sev2