// EU AI ACT · ARTICLE-BY-ARTICLE
Each obligation, mapped to a feature.
The high-risk obligations that govern AI agents are concrete. Below, each relevant article links to its primary source on the left and the SectorFlow One feature that satisfies it on the right.
Article 9
Risk management system
A risk management system must run across the entire lifecycle of a high-risk system — identifying, evaluating, and mitigating foreseeable risks, with regular review.
Read Article 9 — artificialintelligenceact.euPer-agent risk register
Every agent carries a living risk register: identified risks, mitigations, and review dates, updated as the agent changes. The register is the artefact your conformity assessment reads from.
Article 10
Data and data governance
Training, validation, and testing data must meet quality criteria, with governance over sources, collection, and relevance — and documented data lineage.
Read Article 10 — artificialintelligenceact.euDataset lineage + residency controls
Grounding and fine-tuning data is tracked with source, version, and residency. Data stays in the EU region you choose, and the lineage record shows exactly what informed each agent.
Article 12
Record-keeping
High-risk systems must log events automatically over their lifetime, to a degree that enables traceability of the system's functioning.
Read Article 12 — artificialintelligenceact.euHMAC + hash-chained audit log
Every agent action is written to a tamper-evident, hash-chained audit log automatically. Nothing depends on the operator remembering to switch logging on — traceability is the default state.
Article 13
Transparency and provision of information
Systems must be transparent enough that deployers can interpret output and use it appropriately, with instructions for use covering capabilities and limits.
Read Article 13 — artificialintelligenceact.euModel cards + agent documentation
Each agent ships with a model card and operating documentation: what model backs it, what it can and cannot do, and how its output should be read. Generated from configuration, kept current automatically.
Article 14
Human oversight
High-risk systems must be designed so natural persons can oversee them — including the ability to intervene, override, or stop the system.
Read Article 14 — artificialintelligenceact.euHuman-in-the-loop approval workflows
Define which actions require a human to approve before they run. Operators can pause, override, or stop any agent mid-task. Oversight is a configured control, not a manual habit.
Article 15
Accuracy, robustness and cybersecurity
Systems must achieve appropriate accuracy, robustness, and cybersecurity, and be resilient against attempts to alter their use or behaviour through adversarial inputs.
Read Article 15 — artificialintelligenceact.euEvaluation harness + injection defence
Agents are evaluated against a regression suite before changes ship, run behind prompt-injection defences, and operate under scoped tool permissions — so an adversarial input cannot reach a capability the agent was never granted.
Article summaries are paraphrased for clarity; the binding text is the linked source at artificialintelligenceact.eu. Whether a given system is "high-risk" under the Act depends on its use; the mapping above assumes obligations apply.
See where you stand against each article
The readiness scorecard walks the same articles and tells you which obligations you already meet and which still need work.
