EU AI Act compliance — defensible evidence for GPAI and high-risk systems.
The EU AI Act's GPAI obligations are now in force; high-risk Annex III obligations follow (likely December 2, 2027). acipta is the agent-based defensibility platform — workflow-grounded — that produces signed, replayable evidence mapped to the specific articles you must satisfy.
EU AI Act alongside SOC 2, HIPAA, GDPR, CCPA & WCAG 2.1 AA — one evidence chain.
Deterministic Precision. Experiential Intuition. Autonomous Agents.
GPAI is enforcing. Annex III is coming.
Two clocks, decomposed. Treating them as one is how programs miss the near one.
GPAI obligations enforce
Articles 51–56 under Regulation (EU) 2024/1689. Now in force — not delayed.
High-risk (Annex III)
Risk management, Article 12 logging, FRIA, technical documentation. Timeline likely shifts here — not for GPAI.
Evidence architecture
The defensible-evidence decision is made before the deadline, not during the audit. Commit the chain early.
The Act asks for specific artifacts — produce them as evidence.
Compliance here is documentary and ongoing. acipta produces each artifact as signed, replayable evidence rather than a one-time PDF.
Technical documentation
GPAI model documentation and training-data summaries, maintained and version-pinned — not a stale binder.
Article 12 logging
Automatic, tamper-evident records of high-risk system operation — signed at write time and replayable.
FRIA + risk records
Fundamental Rights Impact Assessments and risk-management records mapped per-article, reusable across frameworks.
The evidence the Act asks high-risk providers and deployers to retain
The EU AI Act is unusually specific about records. For high-risk systems the practical question is not "do we have a policy?" but "can we produce the artifact, on request, from our own systems?" Here is what the Act asks for — described informationally, not as legal advice — and how workflow-grounded evidence, signed at write time, maps to each need.
| What the Act asks for | What that means in practice | How signed, replayable evidence maps |
|---|---|---|
| Technical documentation Article 11 · Annex IV | A maintained description of the system — intended purpose, architecture, data and validation approach, performance — kept current across the lifecycle, not written once for a certificate. | Documentation artifacts are version-pinned on a signed evidence chain: every revision is attributable and tamper-evident, so the version you produce later is provably the version that existed at the time. |
| Automatic logging & record-keeping Articles 12 · 19 | High-risk systems must automatically record events across their lifetime — enough to trace when the system ran, on what inputs, and how it behaved — with logs retained for at least the period the Act prescribes. | Operational records are captured in the workflow where the event happened and signed at write time. Each record is tamper-evident and replayable, so "show us what the system did" is answered from the record, not reconstructed from memory. |
| Human-oversight records Articles 14 · 26 | Natural persons must be able to effectively oversee high-risk systems — which in practice means being able to show who reviewed what, when a person intervened, and what they decided. | Human decisions are first-class evidence: reviewer identity, the decision, and its timing are signed into the same chain as the automated events they governed — oversight you can demonstrate, not just describe. |
| Conformity assessment artifacts Article 43 · Annexes VI–VII | The assessment procedure and the artifacts around it — the documentation the assessment relied on, the EU declaration of conformity that follows it — must remain available to authorities long after the assessment closes. | The evidence a conformity claim rested on stays reproducible: the underlying records can be re-verified deterministically years later, rather than re-assembled by whoever still remembers the project. |
| Post-market monitoring Article 72 | Providers must keep monitoring high-risk systems after deployment and document how field performance feeds back into risk management. | Monitoring is documented as it happens: records accumulate continuously on one chain, so the post-market file is a byproduct of operating the system rather than a quarterly reconstruction. |
GPAI model providers carry a lighter but already-live documentation duty — model documentation, training-data summaries, a copyright policy, and information-sharing with the AI Office — and the same mapping logic applies: each artifact is produced as a signed record rather than a static file, so what you shared, and when, remains demonstrable later.
Which of these obligations attach to you depends on your role under the Act — provider, deployer, importer, distributor — and on the risk tier of each system. That determination is a legal judgment: none of the above is legal advice, and counsel stays in the loop. What acipta owns is the machinery underneath that judgment — evidence that is reproducible, attributable, tamper-evident, replayable, and signed at write time — so that when counsel or an authority asks what happened, the answer comes from the record. See how the platform works for the substrate these records live on.
Know which obligations attach to you.
The Act assigns duties by role and risk tier. acipta maps evidence to whichever applies — and to the other frameworks you carry.
Model providers
Transparency, documentation, copyright policy, AI Office information-sharing. Live now.
Annex III deployers/providers
Risk management, logging, FRIA, conformity documentation. The heavier tier.
One chain
acipta produces per-article evidence for either, on the same signed, replayable substrate as your SOC 2 / HIPAA / GDPR program.
Trace every requirement to its evidence — article by article
Requirement-to-evidence mapping should be a lookup, not a meeting. A companion page traces the mapping in detail.
Per-article and per-CFR requirement mapping
EU AI Act compliance — questions
Short answers to the questions compliance and engineering leaders ask most about the Act — and about what evidence actually settles them.
Is the EU AI Act GPAI deadline delayed?
No. General-purpose AI (GPAI) model obligations under Articles 51–56 are now in force. The high-risk Annex III timeline is the part likely to shift (toward December 2, 2027); GPAI is not.
What does the EU AI Act actually require me to produce?
For GPAI: technical documentation, training-data summaries, a copyright policy, and information sharing with the AI Office. For high-risk (Annex III): a risk management system, logging (Article 12), a Fundamental Rights Impact Assessment (FRIA), and audit-ready technical documentation.
Does this apply to us if we only use AI, not build models?
Likely yes for high-risk use, and increasingly for deployers. The obligations attach to the role you play (provider, deployer, importer) and the risk tier of the system — acipta maps evidence to whichever articles apply to you.
How does acipta help specifically?
acipta produces signed, replayable evidence mapped to the specific EU AI Act articles — Article 12 logging, FRIA records, technical documentation — alongside your other frameworks, on one evidence chain. Defensible if the AI Office asks years later.
What records do deployers of high-risk systems need to retain?
Deployers carry their own duties under the Act — using systems according to the provider's instructions, assigning human oversight, and keeping the logs the system generates for at least the period the Act prescribes. In practice that means retaining operational logs, oversight and intervention records, and the Fundamental Rights Impact Assessment where one is required. Which duties apply is a role-and-tier determination that belongs with counsel.
Does acipta replace our legal counsel or GRC team?
No. acipta is not legal advice and does not decide which obligations apply to you — counsel stays in the loop for that judgment. What the platform owns is the evidence layer underneath it: records signed at write time, tamper-evident, attributable, and replayable, so the people making the legal calls argue from the record rather than from reconstruction.
Where EU AI Act evidence fits in the wider program
AI agent governance
The Act's oversight and logging expectations get sharper when your AI takes actions, not just answers. How runtime evidence works for AI agents.
Compliance intelligence
Map a control once and let EU AI Act, SOC 2, HIPAA, and GDPR draw on the same evidence. What compliance intelligence means.
The platform
Seven GA suites, 115 agents, one signed evidence chain with deterministic replay. See the platform.
Defensible from day one.
acipta is the agent-based defensibility platform — workflow-grounded. Per-article EU AI Act evidence on one chain with multiple frameworks. Public Early Access July 12, 2026; Full GA August 23, 2026.