This article is for informational purposes only and does not constitute legal advice. Organizations should consult qualified legal counsel to assess their specific obligations under the EU AI Act and applicable national implementing measures.
According to Accenture's 2025 Sovereign AI research, only 22% of organizations report having adequate controls at the AI model layer, the exact layer where EU AI Act obligations for high-risk systems are most concentrated. With the regulation's core high-risk AI requirements scheduled to apply from August 2, 2026, compliance teams and engineering leaders face a relatively narrow window to build the systems, processes, and documentation the regulation generally requires.
This article provides a structured checklist across the seven key compliance areas defined in Chapter 3 of the EU AI Act (Regulation EU 2024/1689) for high-risk AI systems. Each section maps to a specific article and outlines the types of measures organizations may need to consider. This is an orientation guide, not a substitute for professional legal analysis.
A note on scope: these obligations apply primarily to providers of high-risk AI systems as classified under Article 6 and Annex III of the regulation. Whether a specific AI tool or system deployed in a software development environment qualifies as high-risk depends on its use case, the context of deployment, and a professional legal assessment. The previous article in this series covered the classification framework in detail.
Article 9: Risk Management System
Article 9 generally requires providers of high-risk AI systems to establish, implement, document, and maintain a continuous risk management system throughout the system's entire lifecycle. The framework is iterative: it involves identifying risks, estimating them under intended use and reasonably foreseeable misuse, evaluating emerging risks over time, and adopting targeted measures proportionate to the risk identified.
Checklist
Establish a documented risk management process covering the full lifecycle of each high-risk AI system
Identify known and reasonably foreseeable risks to health, safety, and fundamental rights associated with each system
Estimate risks under both intended use and foreseeable misuse scenarios
Incorporate post-market monitoring data to evaluate and respond to emerging risks on an ongoing basis
Adopt targeted risk management measures proportionate to the identified risks
Conduct testing throughout development and before market placement, using defined metrics and probabilistic thresholds
Assess potential adverse impacts on minors and other vulnerable populations where relevant
Document how residual risks have been reduced to acceptable levels through design choices or control measures
Article 10: Data and Data Governance
Article 10 establishes mandatory data governance standards for high-risk AI systems. For systems using machine learning techniques, training, validation, and testing datasets must be relevant, sufficiently representative, and, to the best extent possible, free of errors relative to the system's intended purpose.
Checklist
Document design choices and data collection processes for all datasets used in training, validation, and testing
Maintain records of data preparation operations: annotation, labeling, cleaning, enrichment, and updates
Ensure datasets are relevant, sufficiently representative, and free of errors to the best extent possible
Document assumptions about what data represents and assess data availability and suitability for the intended use
Implement bias detection and mitigation measures, with documented procedures and outcomes
Identify and document data gaps that may prevent full regulatory compliance
Account for geographical, behavioral, and functional deployment contexts in dataset selection and design
Where sensitive personal data is processed for bias correction: apply technical safeguards, strictly control access, and delete data once correction is complete
Article 11: Technical Documentation
Article 11 requires providers to prepare and maintain comprehensive technical documentation before placing a high-risk AI system on the market or putting it into service. This documentation must demonstrate compliance with Chapter 3 requirements and enable competent authority and notified body assessments.
Checklist
Prepare technical documentation covering the minimum elements specified in Annex IV before deployment or market placement
Keep documentation current throughout the system's operational lifecycle, not only at the point of initial approval
Ensure documentation enables authorities and notified bodies to verify that compliance requirements are met
Where applicable, coordinate with product documentation under EU harmonization legislation (Annex I, Section A) to avoid duplication
Small and microenterprises may be eligible for a simplified documentation format; verify eligibility and confirm the accepted format with qualified legal counsel
Article 12: Record-Keeping and Automatic Logging
Article 12 states that "High-risk AI systems shall technically allow for the automatic recording of events (logs) over the lifetime of the system." Logs must capture events relevant to identifying risk situations, supporting post-market monitoring, and enabling deployer oversight of system operation.
Checklist
Design or configure high-risk AI systems to generate automatic event logs throughout their operational lifetime
Ensure logs capture events relevant to identifying situations where the system may present risk or undergo substantial modification
Enable post-market monitoring through the availability and accessibility of log data
For biometric identification systems specifically: record the period of each use (start and end time), the reference database used, matched input data, and the identities of personnel verifying results
Establish a log retention policy aligned with the system's intended use and applicable data retention requirements
Article 13: Transparency and Provision of Information to Deployers
Article 13 requires high-risk AI systems to operate with sufficient transparency so deployers can interpret outputs and use them appropriately. Providers must supply instructions for use in an appropriate digital format, covering a defined set of information categories.
Checklist
Prepare instructions for deployers identifying the provider and authorized representative, including contact information
Document the system's intended purpose, accuracy metrics, robustness performance, and cybersecurity testing results
Describe known or foreseeable circumstances that may lead to health, safety, or fundamental rights risks
Include information enabling deployers to correctly interpret system outputs in their operational context
Document performance specifications for specific user groups or populations where applicable
Identify any predetermined modifications established during the initial conformity assessment
Describe human oversight measures and the technical means available to support output interpretation
Specify computational resource requirements, expected operational lifetime, and maintenance requirements
Describe mechanisms for collecting, storing, and interpreting system logs as generally required by Article 12
Article 14: Human Oversight
Article 14 requires high-risk AI systems to be designed to enable effective human monitoring during their operational period. The objective, as stated in the regulation, is to "prevent or minimise the risks to health, safety or fundamental rights" that may emerge during intended use or foreseeable misuse. Oversight mechanisms must be proportionate to the risks, level of autonomy, and context of use.
Checklist
Design systems so that qualified natural persons can effectively monitor them during operation
Ensure oversight personnel can understand the relevant capacities and limitations of the system and monitor for anomalies
Implement measures to help personnel recognize and counteract automation bias (the tendency to over-rely on AI-generated outputs)
Enable personnel to correctly interpret high-risk AI system outputs within their operational context
Provide mechanisms for personnel to override, disregard, or reverse AI system outputs
Implement an accessible intervention mechanism allowing the system to be brought to a halt in a safe state when necessary
For biometric identification systems: require verification and confirmation by at least two natural persons before any action or decision, unless a justified exception applies under the regulation
Document oversight roles, responsibilities, and the competence requirements for personnel performing oversight functions
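The biometric logging items under Article 12 and the two-person verification item under Article 14 can be enforced at the point where a log entry is written. The sketch below is an added example, not code from the regulation, the article, or any product it mentions; the field names, the `exception_justification` key, and the SHA-256 hash chain (one way to make edits and gaps in the trail detectable) are assumptions.

```python
import hashlib
import json
from datetime import datetime

# Hypothetical field names for the items listed for biometric identification systems.
REQUIRED = ("use_start", "use_end", "reference_database", "matched_input_ref", "verifiers")
GENESIS = "0" * 64

def validate_record(rec):
    """Return a list of problems; an empty list means the record is complete."""
    problems = [f"missing {key}" for key in REQUIRED if not rec.get(key)]
    if problems:
        return problems
    if datetime.fromisoformat(rec["use_end"]) < datetime.fromisoformat(rec["use_start"]):
        problems.append("use_end precedes use_start")
    # Two distinct people must confirm unless a documented exception is recorded.
    if len(set(rec["verifiers"])) < 2 and not rec.get("exception_justification"):
        problems.append("fewer than two distinct verifiers")
    return problems

def _digest(prev_hash, rec):
    body = json.dumps(rec, sort_keys=True)
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append_record(log, rec):
    """Append a validated record, chained to the previous entry's hash."""
    problems = validate_record(rec)
    if problems:
        raise ValueError("; ".join(problems))
    prev_hash = log[-1]["entry_hash"] if log else GENESIS
    log.append({"record": dict(rec), "prev_hash": prev_hash,
                "entry_hash": _digest(prev_hash, rec)})
    return log[-1]["entry_hash"]

def first_broken_entry(log):
    """Return the index of the first altered or out-of-order entry, or -1."""
    prev_hash = GENESIS
    for index, entry in enumerate(log):
        if entry["prev_hash"] != prev_hash or _digest(prev_hash, entry["record"]) != entry["entry_hash"]:
            return index
        prev_hash = entry["entry_hash"]
    return -1

# Constructed sample record, not real data.
SAMPLE = {"use_start": "2026-08-03T09:00:00+00:00", "use_end": "2026-08-03T09:04:10+00:00",
          "reference_database": "watchlist-v7", "matched_input_ref": "frame-000123",
          "verifiers": ["officer.a", "officer.b"]}
```

Rejecting incomplete records at write time, rather than discovering the gap during an audit, keeps the trail usable for post-market monitoring.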
Article 15: Accuracy, Robustness, and Cybersecurity
Article 15 requires high-risk AI systems to achieve an appropriate level of accuracy, robustness, and cybersecurity and to maintain consistent performance throughout their operational lifetime. Systems must demonstrate resilience against errors, faults, and adversarial manipulation throughout the period of use.
Checklist
Define and document accuracy levels and relevant accuracy metrics in user instructions as required
Implement technical and organizational safeguards to ensure resilience against errors and faults during operation
Establish backup solutions appropriate to the system's risk level and operational context
Implement controls to prevent feedback loops that could introduce bias in continuously learning systems
Implement protections against unauthorized manipulation, including data poisoning, model poisoning, adversarial attacks, and confidentiality breaches
Conduct cybersecurity testing appropriate to the system's risk profile and deployment environment
Establish post-deployment monitoring processes to verify that declared accuracy levels are maintained over time
Timing, Proportionality, and Implementation Sequence
The obligations outlined above generally become applicable from August 2, 2026, as confirmed by the European Commission's implementation guidance. The regulation includes proportionality provisions: small and microenterprises may benefit from simplified documentation requirements and other accommodations. Organizations operating across multiple EU member states should also account for any national-level implementing measures that may apply.
Research on AI governance in regulated enterprise environments, including recent work on trustworthy AI deployment frameworks, consistently identifies documentation completeness and audit trail continuity as the primary readiness gaps. A structured implementation sequence is generally considered practical: begin with risk classification, then build technical documentation and automatic logging infrastructure, and address conformity assessment requirements once foundational records are in place.
From Checklist to Practice: Where Governance Tooling Fits
A significant governance implementation gap persists across most organizations today. Accenture's Sovereign AI research found that only 22% of organizations have adequate controls at the AI model layer, and only 15% have elevated AI governance to board or CEO-level oversight, both signals that systematic compliance preparation is in early stages for most organizations with AI systems in production.
Translating a compliance checklist into operational practice typically requires tooling that captures what AI systems actually do at the point of execution, not reconstructed after the fact. For engineering teams building or deploying AI-assisted development workflows, this means integrating logging, review workflows, and documentation at the layer where AI outputs are generated, before those outputs merge into production code.
re-entry.ai is designed as a governance implementation layer for AI coding workflows. It captures structured logs of AI-generated code activity at the MCP Gateway layer, supports human review processes aligned with Article 14 oversight considerations, and generates audit-ready records that may address Article 12 logging obligations. re-entry.ai is a governance implementation tool; it does not provide legal compliance guarantees, and organizations should assess all implementation options in light of their specific risk classification and qualified legal counsel's guidance.
Next in This Series
Article 4 in this series focuses specifically on Article 12's automatic logging requirement: what audit trail obligations may generally entail for AI-generated code, how they differ from standard version control, and what a minimal viable audit trail might look like in practice for engineering teams working with AI coding agents.