Each obligation, mapped to a feature.

The high-risk obligations that govern AI agents are concrete. Below, each relevant article links to its primary source on the left and the SectorFlow One feature that satisfies it on the right.

Article 9

Risk management system

A risk management system must run across the entire lifecycle of a high-risk system — identifying, evaluating, and mitigating foreseeable risks, with regular review.

Read Article 9 — artificialintelligenceact.eu

Per-agent risk register

Every agent carries a living risk register: identified risks, mitigations, and review dates, updated as the agent changes. The register is the artefact your conformity assessment reads from.

Risk register — agent lifecycle view

Article 10

Data and data governance

Training, validation, and testing data must meet quality criteria, with governance over sources, collection, and relevance — and documented data lineage.

Read Article 10 — artificialintelligenceact.eu

Dataset lineage + residency controls

Grounding and fine-tuning data is tracked with source, version, and residency. Data stays in the EU region you choose, and the lineage record shows exactly what informed each agent.

Data lineage graph — source to agent

Article 12

Record-keeping

High-risk systems must log events automatically over their lifetime, to a degree that enables traceability of the system's functioning.

Read Article 12 — artificialintelligenceact.eu

HMAC + hash-chained audit log

Every agent action is written to a tamper-evident, hash-chained audit log automatically. Nothing depends on the operator remembering to switch logging on — traceability is the default state.

Audit chain — signed, sequential events

Article 13

Transparency and provision of information

Systems must be transparent enough that deployers can interpret output and use it appropriately, with instructions for use covering capabilities and limits.

Read Article 13 — artificialintelligenceact.eu

Model cards + agent documentation

Each agent ships with a model card and operating documentation: what model backs it, what it can and cannot do, and how its output should be read. Generated from configuration, kept current automatically.

Model card — capabilities and limits

Article 14

Human oversight

High-risk systems must be designed so natural persons can oversee them — including the ability to intervene, override, or stop the system.

Read Article 14 — artificialintelligenceact.eu

Human-in-the-loop approval workflows

Define which actions require a human to approve before they run. Operators can pause, override, or stop any agent mid-task. Oversight is a configured control, not a manual habit.

Approval queue — intervene and stop controls

Article 15

Accuracy, robustness and cybersecurity

Systems must achieve appropriate accuracy, robustness, and cybersecurity, and be resilient against attempts to alter their use or behaviour through adversarial inputs.

Read Article 15 — artificialintelligenceact.eu

Evaluation harness + injection defence

Agents are evaluated against a regression suite before changes ship, run behind prompt-injection defences, and operate under scoped tool permissions — so an adversarial input cannot reach a capability the agent was never granted.

Eval suite + scoped tool-permission map

Article summaries are paraphrased for clarity; the binding text is the linked source at artificialintelligenceact.eu. Whether a given system is "high-risk" under the Act depends on its use; the mapping above assumes obligations apply.

See where you stand against each article

The readiness scorecard walks the same articles and tells you which obligations you already meet and which still need work.