EU AI Act Compliance for High-Risk AI Systems — Tenet AI
The EU AI Act requires high-risk AI systems to maintain immutable decision logs, Annex IV technical documentation, and auditable human oversight. High-risk AI system obligations take full effect August 2026 — penalties reach 3% of global annual turnover or EUR 15 million. Tenet AI instruments your existing agent in 2 lines of code to satisfy Articles 11, 12, 13, 14, and 26, generating the logging evidence and human oversight documentation that conformity assessments require.
What the EU AI Act Requires for High-Risk AI
The EU AI Act creates a risk-based compliance framework with four tiers. Unacceptable risk AI is prohibited entirely — real-time biometric surveillance in public spaces, social scoring, manipulation of vulnerable populations. High-risk AI in Annex III categories must meet documentation, logging, transparency, human oversight, and accuracy requirements. General-purpose AI models (GPAI) face transparency obligations. All other AI systems face minimal requirements. For the AI teams this page serves — fintech, healthtech, legaltech, insurtech — the operative obligation is the high-risk regime. Article 11 requires technical documentation produced before deployment and maintained throughout the lifecycle. Article 12 requires automatic logging of decisions for post-hoc reconstruction. Article 13 requires transparency documentation enabling deployers and users to interpret AI outputs correctly. Article 14 requires human oversight measures ensuring a natural person can monitor, detect, understand, and override AI behavior. Article 26 imposes specific obligations on deployers: implementing the provider's human oversight instructions, monitoring system performance, and reporting serious incidents. Tenet satisfies Article 11, 12, and 14 obligations with its decision ledger and human override capture architecture.
Which AI Systems Are High-Risk Under EU AI Act Annex III
EU AI Act Annex III lists eight categories of high-risk AI systems. Category 2 covers critical infrastructure management including energy, water, and transportation. Category 3 covers education: AI that determines access, assesses performance, or evaluates applicants. Category 4 covers employment and worker management: CV screening, work assignment, monitoring, promotion, and termination. Category 5 covers essential private and public services including AI used in credit scoring, insurance risk assessment, benefits eligibility, emergency dispatch, and credit evaluation. Category 6 covers law enforcement AI including risk scoring for criminal proceedings. Category 7 covers migration and asylum including risk assessment of irregular migration. Category 8 covers administration of justice and democratic processes. AI systems in fintech fall squarely within Category 5: credit decision AI, insurance pricing AI, and benefits eligibility AI are all Annex III high-risk. Healthcare AI for clinical support and prior authorization is Category 5 (essential services access) or potentially other categories. Employment AI for hiring screening is Category 4. Legal AI systems influencing access to justice can fall within Category 8.
EU AI Act Article 12: Automatic Logging Requirements
Article 12 requires high-risk AI systems to have automatic logging capabilities enabling post-hoc reconstruction of the system's operation throughout its entire use. It imposes three specific requirements. First, logs must be enabled by default and cannot be disabled by the deployer without documenting the reason. Second, logs must be retained for the minimum period specified in the technical documentation — for high-risk AI in financial services, this typically means multi-year retention aligned with financial record requirements. Third, logs must be accessible to the national competent authority upon request, requiring a structured export capability that can produce records on demand for regulatory inquiry. Standard application logs — server access logs, API call logs — do not satisfy Article 12 because they record that the AI operated, not what it decided and why. Tenet's Reasoning Ledger captures the decision inputs, reasoning chain, model version, policy context, and outcome for every agent decision, with cryptographic integrity verification ensuring records have not been altered since capture.
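As an added illustration (not Tenet's code; the page does not say how the Reasoning Ledger implements integrity verification), the sketch below shows one common construction for a tamper-evident decision log: each record carries the SHA-256 hash of the previous record, so any later edit breaks the chain. The field names follow the items listed above; the function names, the genesis value and the sample decisions are assumptions constructed for this example.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed anchor for the first record's prev_hash

def digest(body):
    # Canonical JSON (sorted keys, fixed separators) makes the hash reproducible.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def append_decision(ledger, **fields):
    """Append a decision record chained to the previous record's hash."""
    body = dict(fields, seq=len(ledger),
                prev_hash=ledger[-1]["hash"] if ledger else GENESIS)
    record = dict(body, hash=digest(body))
    ledger.append(record)
    return record

def verify(ledger):
    """Return the index of the first record that fails, or None if intact."""
    prev = GENESIS
    for i, rec in enumerate(ledger):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if (rec.get("seq") != i or rec.get("prev_hash") != prev
                or digest(body) != rec.get("hash")):
            return i
        prev = rec["hash"]
    return None

def build_sample():
    # Constructed sample decisions, not real data.
    ledger = []
    append_decision(ledger, timestamp="2026-05-04T09:15:02Z",
                    model_version="credit-model-1.4", policy="lending-policy-v7",
                    inputs={"income": 52000, "dti": 0.41},
                    reasoning=["dti above 0.40 threshold"], outcome="refer_to_human")
    append_decision(ledger, timestamp="2026-05-04T09:21:40Z",
                    model_version="credit-model-1.4", policy="lending-policy-v7",
                    inputs={"overrides_seq": 0, "reviewer": "analyst-17"},
                    reasoning=["human override: verified second income"],
                    outcome="approve")
    append_decision(ledger, timestamp="2026-05-04T09:30:11Z",
                    model_version="credit-model-1.4", policy="lending-policy-v7",
                    inputs={"income": 31000, "dti": 0.22},
                    reasoning=["all thresholds met"], outcome="approve")
    return ledger

if __name__ == "__main__":
    log = build_sample()
    print("intact:", verify(log))
    log[0]["outcome"] = "approve"  # simulate an after-the-fact edit
    print("first bad record after edit:", verify(log))
```

A hash chain only proves consistency relative to its latest hash, so that value has to be held somewhere the log writer cannot change (signed, or in write-once storage); otherwise a complete rewrite or a truncated tail goes undetected.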
EU AI Act Conformity Assessment and Annex IV Documentation
High-risk AI systems in most Annex III categories must complete a conformity assessment before market placement in the EU. For AI systems in financial services, healthcare, employment, and essential services, conformity assessment is mandatory. Annex IV lists the technical documentation requirements in detail: general system description and intended purpose; design specifications including training data and validation procedures; deployed system architecture; monitoring and logging system description; details of human oversight measures; description of post-market monitoring plan; instructions for use addressed to deployers. The monitoring and logging section of Annex IV is where Tenet evidence maps directly — every item in Annex IV Section 2(f) (logging, event timestamps, reference to data and AI systems used) is captured automatically from Ghost SDK instrumentation. Organizations can generate the Annex IV monitoring section from Tenet records in under an hour, compared to weeks of manual documentation assembly.
EU AI Act Enforcement Timeline and Penalties
The EU AI Act has a phased enforcement timeline. Prohibited practices took effect in February 2025. General-purpose AI model obligations apply from August 2025. High-risk AI system obligations under Annex III apply from August 2026. Post-market monitoring obligations for deployers apply from August 2027 for certain categories. For organizations preparing now (May 2026), the August 2026 deadline for high-risk AI obligations is three months away. Penalties for non-compliant high-risk AI systems: providers face fines of up to 3% of global annual turnover or EUR 15 million, whichever is higher. Deployers face fines of up to 1.5% of global annual turnover or EUR 7.5 million. Providing incorrect or misleading information to a national competent authority carries fines of up to 1% of global annual turnover or EUR 3.75 million. Penalties for violations involving prohibited AI are higher: up to 7% of global annual turnover or EUR 35 million.
How Tenet AI Maps to EU AI Act Articles
Tenet's architecture maps to EU AI Act obligations at the decision layer. Article 11 technical documentation: Ghost SDK generates the monitoring and logging evidence that comprises the largest variable component of Annex IV documentation. Article 12 automatic logging: every decision is captured with the data used, reasoning chain, model version, timestamp, and outcome — satisfying the post-hoc reconstruction requirement. Article 14 human oversight: Human Override Intelligence captures every human correction, override, and intervention with the corrected outcome, creating an auditable human oversight record. Annex IV conformity assessment support: compliance PDF reports export the Article 12 logging evidence and Article 14 oversight records in structured format for submission to notified bodies and national competent authorities. The two components Tenet does not replace — system description and design specifications — remain the provider's documentation responsibility. These are static documents produced once; Tenet generates the operational evidence that must be updated continuously throughout the AI system's lifecycle.