EU AI Act 2026 Engineering Guide
The EU AI Act takes effect August 2026 for high-risk AI systems. This guide translates regulatory requirements into engineering patterns using cryptographic governance primitives.
Disclaimer: This is an engineering interpretation, not legal advice. Consult qualified legal counsel for compliance decisions.
What are the key Article requirements?
High-risk AI systems under the EU AI Act must implement technical measures for transparency, human oversight, and record-keeping. Here's how governance primitives map:
Article 9: Risk Management
"Continuous iterative process... identification and analysis of known and reasonably foreseeable risks"
Engineering mapping: Policy artifacts encode risk thresholds; enforcement receipts prove continuous evaluation; drift detection identifies deviation from known-safe states.
Article 12: Record-Keeping
"Technical means ensuring... automatic recording of events (logs) throughout the AI system's lifetime"
Engineering mapping: Continuity chain provides tamper-evident event log; receipts capture each governance decision; evidence bundles enable audit.
Article 14: Human Oversight
"AI systems shall be designed and developed in such a way... that they can be effectively overseen by natural persons"
Engineering mapping: Enforcement actions (BLOCK, TERMINATE) enable intervention; policy versions require human approval; receipts prove oversight controls were active.
Article 17: Quality Management
"Procedures and instructions for data and model version control"
Engineering mapping: Policy_id is content-addressed (version control); subject manifest captures model hash; policy versioning is monotonic.
How do I structure a compliance-ready deployment?
A compliance-ready deployment includes these governance components:
┌─────────────────────────────────────────────────────────┐ │ COMPLIANCE ARCHITECTURE │ ├─────────────────────────────────────────────────────────┤ │ │ │ ┌────────────────┐ ┌────────────────┐ │ │ │ Model Registry │────▶│ Policy Minter │ │ │ │ (versioned) │ │ (human approval)│ │ │ └────────────────┘ └───────┬────────┘ │ │ │ │ │ ▼ │ │ ┌────────────────────┐ │ │ │ Policy Artifact │ │ │ │ (signed, bounded) │ │ │ └─────────┬──────────┘ │ │ │ │ │ ▼ │ │ ┌────────────────────────────────────────────┐ │ │ │ GOVERNANCE BOUNDARY │ │ │ │ ┌──────┐ ┌──────┐ ┌──────┐ ┌──────────┐ │ │ │ │ │Match │→│Measure│→│Decide│→│ Receipt │ │ │ │ │ └──────┘ └──────┘ └──────┘ └──────────┘ │ │ │ └────────────────────────────────────────────┘ │ │ │ │ │ ▼ │ │ ┌────────────────┐ ┌────────────────┐ │ │ │ AI Workload │ │ Receipt Chain │ │ │ │ (governed) │ │ (immutable) │ │ │ └────────────────┘ └───────┬────────┘ │ │ │ │ │ ▼ │ │ ┌────────────────────┐ │ │ │ Evidence Bundle │◄──── Audit │ │ │ (offline verify) │ │ │ └────────────────────┘ │ └─────────────────────────────────────────────────────────┘
What should the policy artifact include?
For EU AI Act compliance, the policy artifact should capture:
- ■Model identity: Content-addressed hash of model weights/configuration (Art. 17 version control)
- ■Risk thresholds: Operational bounds that trigger enforcement (Art. 9 risk management)
- ■Human approval: Issuer signature from authorized personnel (Art. 14 oversight)
- ■Validity window: Time bounds for policy applicability (periodic review)
- ■Enforcement mapping: What happens when thresholds are exceeded
What receipts should be captured?
For Article 12 record-keeping compliance:
// Required receipt types for compliance POLICY_LOADED - Model version hash - Policy version - Human approver key_id MODEL_INVOCATION - Input characteristics (not raw input) - Output classification - Inference timing DRIFT_DETECTED - Which threshold exceeded - Measured value vs. baseline - Risk category affected ENFORCED - Action taken (CONTINUE/BLOCK/TERMINATE) - Reason code - Recovery actions if any HUMAN_OVERRIDE - Override authorization - Reason documented - Expiration of override PERIODIC_CHECKPOINT - System health metrics - Receipt chain summary - No-event confirmation
How long must records be retained?
Article 12 requires logs to be kept for "an appropriate period of time." Engineering interpretation:
- ■Minimum 10 years: Evidence bundles in archival storage with integrity verification
- ■Periodic anchoring: Checkpoint hashes to immutable stores (blockchain, TSA) for long-term non-repudiation
- ■Format stability: Use documented, open formats; include embedded verifier
Frequently asked questions
Does this guarantee compliance?
No. Compliance requires organizational processes, documentation, and legal review beyond technical controls. These patterns provide the technical foundation that compliance requires.
What about GDPR data minimization?
Receipts should capture governance events without raw PII. Use structural metadata hashing (privacy-preserving verification) for input/output characteristics.
When should we start implementing?
Now. August 2026 is the enforcement date for high-risk systems. Deploying governance infrastructure takes time; evidence bundles should be accumulating before the deadline.