What Is the EU AI Act?

What Is the EU AI Act?

The EU AI Act is the European Union’s risk-tiered regulation for AI systems, adopted in 2024 with obligations phasing in through 2026 and 2027. It classifies systems into four tiers: prohibited (social scoring, real-time biometric ID in public spaces), high-risk (hiring, credit, education, critical infrastructure, medical devices), limited-risk (chatbots, deepfakes — transparency duties only), and minimal-risk (most consumer applications). General-purpose AI models — including production LLMs — sit in a separate track with transparency, copyright, and systemic-risk duties. Penalties reach 7% of global annual turnover. Engineering teams are responsible for the technical controls; legal owns the classification.

Why It Matters in Production LLM and Agent Systems

If your LLM application makes or materially supports a decision in a high-risk domain — hiring, credit, healthcare, education, law enforcement, critical infrastructure — you are inside the high-risk tier and you owe a documented set of controls before launch in the EU. The Act is specific. You need a risk-management process, a data-governance program covering training-data representativeness and bias, technical documentation, logging that supports post-market monitoring, transparency to deployers, human-oversight mechanisms, and demonstrable accuracy, robustness, and cybersecurity.

The pain shows up at audit. A bank’s hiring assistant cannot ship in Frankfurt because there is no documented bias evaluation across protected classes. A healthcare triage agent fails post-market monitoring because the team kept no per-decision audit log. A B2B chatbot deployed across the EU falls into the limited-risk transparency tier and is missing the “you are interacting with an AI” disclosure.

In 2026, the GPAI obligations are the part most engineering teams underestimate. If you fine-tune or substantially modify a foundation model, you may inherit provider duties: model documentation, training-data summaries, copyright policy, and — for systemic-risk models above a compute threshold — adversarial testing, incident reporting, and cybersecurity baselines. Multi-step agent systems amplify the surface area; every tool boundary is a place a regulator can ask “what controls fired here?”

How FutureAGI Handles EU AI Act Controls

FutureAGI provides the technical signals and controls the Act expects high-risk system providers to maintain — not legal compliance itself, which is your program’s responsibility. Three primitives anchor the integration.

First, evaluators that map to specific obligations. BiasDetection plus NoAgeBias, NoGenderBias, and NoRacialBias cover the data-governance and non-discrimination duties for hiring, credit, and similar systems. DataPrivacyCompliance covers cross-cutting privacy alignment. IsCompliant lets you encode a custom policy rubric — “does this output meet our medical-device labeling rules?” — as a judge-model check that runs both offline and online.

Second, runtime guardrails through Agent Command Center. Pre and post-guardrails enforce the policy at every model boundary; on Failed, the gateway blocks, redacts, or escalates. Each decision becomes an audit-log row with the request, the detector, and the reason — the post-market monitoring evidence the Act requires.

Third, traceAI tracing captures every span across the agent trajectory. When a regulator asks “show the decision path that produced this output,” the trace is the answer: model calls, tool calls, retrieval results, guardrail decisions, all in one OpenTelemetry-compatible record. We’ve found that teams that stand this stack up before classification — rather than after — ship in the EU on the original timeline. FutureAGI is the technical control plane; your legal team owns the conformity assessment, the technical file, and the deployer notifications.

How to Measure or Detect It

Compliance posture for an EU AI Act high-risk system is a set of operational metrics, not a single score:

• Per-decision evaluator coverage — fraction of in-scope production decisions scored by BiasDetection, DataPrivacyCompliance, and the relevant domain check.
• Bias parity gaps — NoGenderBias, NoRacialBias, NoAgeBias failure-rate by cohort; the disparity itself is a regulatory signal.
• Audit-log retention — days of complete request/decision logs available; the Act expects at least six months for many high-risk classes.
• Human-oversight engagement rate — fraction of escalated decisions reviewed within SLA by a qualified human.
• Incident-to-notification latency — time from detected serious incident to authority notification (the Act sets thresholds).

from fi.evals import IsCompliant, BiasDetection

policy = IsCompliant()
bias = BiasDetection()
print(policy.evaluate(output=resp).score)
print(bias.evaluate(output=resp).score)

Common Mistakes

• Treating GDPR compliance as EU AI Act compliance. They overlap on transparency, but the AI Act adds duties on training-data governance, bias, and post-market monitoring that GDPR does not cover.
• Skipping classification for “internal” tools. A staff-facing hiring screener is still high-risk; the Act looks at function, not user count.
• No logging of context inputs. If your audit log captures the model output but not the retrieved context, you cannot reconstruct a decision after the fact.
• Assuming “we’re not the provider” is a clean escape. Deployers carry distinct duties, including risk-management for the use context and human oversight.
• Treating bias evaluation as a one-time pre-launch check. Post-market monitoring requires continuous bias and quality evaluation against production traffic.