EU AI Act
Regulator: European Commission, DG CNECT · Hard deadline: August 2, 2026 for high-risk systems
Signal Provenance is the evidence layer for Articles 9, 11, 12, 14, 17(1)(f), and Annex IV Sec. 2. Every AI event is recorded in a hash-chained ledger that your auditor can verify independently, on your hardware. The coverage below traces every claim to source code or a shipped deliverable.
Scope
The EU AI Act governs providers and deployers of AI systems placed on the EU market. High-risk systems (Annex III) must meet record-keeping, data governance, technical documentation, risk management, and human oversight requirements. Penalties for non-compliance can reach EUR 35M or 7 percent of global turnover.
Control-by-control coverage
Every claim below traces to source code in the echology monorepo or to a deliverable template shipped with Signal Provenance. If the code does not do it, the row is not here.
| Control | Requirement | Coverage | Evidence mechanism | Source |
|---|---|---|---|---|
| Art. 9 | Risk management system throughout the AI lifecycle | Strong | AI risk assessments (tiered, registered, mitigated, periodically reviewed) recorded in ai_risk_assessments. | ops.db: ai_risk_assessments |
| Art. 11 | Technical documentation for high-risk AI systems | Strong | Model cards and dataset sheets generated from live training runs, plus the five client deliverables (Scorecard, Report, Policy, Playbook, Build Report). | ops/deliverables/templates/ |
| Art. 12 | Automatic record-keeping of events across the AI lifecycle | Complete | 49 operational witness points plus per-inference logging plus training-run logging, all hash-chained in Aletheia. Modification of any entry invalidates all subsequent hashes. | engine/aletheia/ledger.py, ops/db.py |
| Art. 14 | Human oversight of high-risk AI systems | Strong | Review gates enforced by database CHECK constraints. Findings require a distinct reviewer identity to advance (confirm_finding). | ops/db.py review_gates |
| Art. 17(1)(f) | Quality management system: data management procedures | Strong | Hash-chained provenance over the full data pipeline from harvest to inference. verify_chain() detects any tampering. | engine/aletheia/ledger.py |
| Annex IV Sec. 2 | Data provenance, training methodology, validation | Strong | training_data_provenance table: origin, license, consent, collection methodology, transformations, hash of source snapshot. | ops.db: training_data_provenance |
What Signal Provenance does not do
The platform is the technical evidence layer. The items below require organizational or physical implementation by the client. Listing them explicitly is how we keep the claim honest.
- Conformity assessment and CE marking (the client performs the assessment; Signal Provenance supplies the evidence).
- Post-market monitoring plan authoring (Signal logs the events; the plan itself is an organizational document).
- Human resources and training on AI oversight responsibilities.
What you get
Each deployment ships these artifacts. All are generated from the live ledger and current deployment state.
- Consolidated compliance export (PDF + JSON): ops compliance audit <deployment-id> --framework eu_ai_act
- Model card: ops compliance model-card <model-id>
- Dataset sheet: ops compliance dataset-sheet <dataset-id>
- Risk assessment register: ops risk list --deployment-id <deployment-id>
- Inference log extract: ops ledger history --source inference --deployment-id <deployment-id>
- Aletheia chain verification: ops ledger verify <deployment-id>
Prove it for your next audit.
Signal Provenance is deployed white-glove. We configure it on your hardware, point it at your folders, and generate your first EU AI Act coverage export together. Your auditor verifies the hash chain independently.
Schedule your deployment
Canonical URL: /provenance/frameworks/eu-ai-act/ · Cited in every compliance export for EU AI Act.