The EU AI Act is now (partly) in force, but translating its legal requirements into technical specifications for AI agents isn’t straightforward. We’ve spent months mapping each article to specific runtime behaviors and documentation requirements.
This page shares our findings. Whether you’re using Kyvvu or building your own compliance infrastructure, this mapping should help you understand what the Act actually requires from AI agents at a technical level.
What you’ll find here:
- Requirements organized by risk level (minimal, limited, high-risk)
- Direct links to specific AI Act articles
- Technical implementation details (with code examples where relevant)
- Visual compliance tree for the complete picture
Important: This is a technical resource, not legal advice. The mapping reflects our current understanding and will evolve as implementation guidelines emerge. We encourage feedback—email alice@kyvvu.com if you spot gaps or disagree with our interpretation.
Coverage Summary
The AI Act imposes three main categories of requirements:
- Workforce Education (Article 4) - Training your team on AI risks, limitations, and legal obligations
- Documentation & Registration (Article 11, Annex IV) - Recording purpose, risk classification, data governance, technical specs
- Operational Control (Articles 9-15, 72-73) - Runtime monitoring, human oversight, incident reporting, post-market surveillance
Kyvvu automates documentation generation and operational control. Workforce education is your responsibility, though our audit trails and compliance reports can support training programs.
All article references link to artificialintelligenceact.eu, the authoritative AI Act resource.
Workforce Education
Requirement: Article 4 requires AI literacy across your organization—training on risks, limitations, and legal obligations.
Kyvvu’s role: Our compliance reports and audit trails provide real-world examples for training, but workforce education delivery is your responsibility.
Documentation & Registration
Organizations must document AI systems before deployment (Article 11 + Annex IV).
System Documentation
Purpose and intended use (Article 11)
→ Captured when you call kv.register_agent() with purpose, risk_classification, and metadata fields
Risk classification (Article 6)
→ Set via risk_classification parameter: MINIMAL, LIMITED, or HIGH
Data governance (Article 10)
→ Automatic tracking of all data flows through internal_data capture in @kv.log_step()
Technical specifications (Annex IV)
→ Auto-generated from agent configuration and logged node types
Quality management (Article 17)
→ All interactions logged with immutable hash-chained audit trails
Change management (Article 11)
→ Version control through agent_version field in registration
EU Database export (Article 71)
→ Export-ready documentation from agent metadata and logs
Technical Example:
from kyvvu import Kyvvu
kv = Kyvvu(api_key="your-key")
kv.register_agent(
agent_key="customer-support-agent",
name="Customer Support Agent",
purpose="Handles tier-1 customer inquiries",
risk_classification="HIGH",
environment="prod"
)
Operational Control
All Risk Levels
Automatic logging (Article 12)
→ Every decorated function creates immutable logs: @kv.log_step("LLM_CALL") captures inputs, outputs, and internal variables
Transparency to users (Article 50)
→ Real-time dashboard shows active policies and system status
Log retention (Article 26(6))
→ Configurable retention (minimum 6 months for deployers)
High-Risk Systems
Human oversight (Article 14)
→ Policy engine supports HUMAN_APPROVAL node type for pre-execution approval workflows
Risk management (Article 9)
→ Real-time policy evaluation on every step; incidents auto-generated on violations
PII protection (Article 10)
→ Policies can block execution if PII detected in inputs/outputs
Accuracy monitoring (Article 15)
→ Confidence thresholds configurable via policies
Incident reporting (Article 73)
→ Automatic incident creation with full context when policies violated
Post-market monitoring (Article 72)
→ Continuous tracking of agent behavior, drift detection via log analysis
Technical Example:
# Logging captures everything automatically
@kv.log_step("LLM_CALL")
def generate_response(user_query):
# Internal LLM calls captured via context variables
response = llm.invoke(
prompt=f"User: {user_query}",
model="gpt-4",
temperature=0.7
)
return response
# Human approval enforced by policy
@kv.log_step("TOOL_CALL", has_write_permission=True)
def update_customer_record(data):
# Policy evaluates: "require human approval for write operations"
return database.update(data)
How policies work:
- Define rules like “All
TOOL_CALLnodes withhas_write_permission=Truerequire human approval” - Policies evaluated in real-time before/after each step
- Violations create incidents with full context (task_id, step, inputs, outputs)
- Dashboard shows policy status and incident history
Visual Compliance Tree
Explore the full compliance mapping interactively:
- Interactive HTML Tree - Click to expand each requirement
- Mermaid Diagram - Visual flowchart
Learn More
Ready to implement AI Act compliance? Our Co-Development Pilot Program gets you production-ready in 6 weeks.
Technical questions? Email alice@kyvvu.com
External resources:
- EU AI Act Explorer - Complete Act text
- AI Act Service Desk - Official EC guidance
This mapping references Regulation (EU) 2024/1689. While we strive for accuracy, this is not legal advice. Consult legal counsel for compliance guidance.