The EU AI Act entered into application in August 2024. By August 2026 — just months from now — obligations for High-Risk AI systems under Annexes III and IV become fully enforceable across the European Union. Organizations that have been treating compliance as a monitoring and documentation exercise are about to discover a costly gap.
The problem is a fundamental misreading of what the regulation actually requires. Monitoring tells you what happened after the fact. The EU AI Act, read carefully, requires something different: an organizational and technical infrastructure that constrains what can happen in the first place. The distinction is not semantic. It is the difference between a governance program that satisfies an auditor and one that gets a fine of up to 3% of global turnover — or 15 million euros, whichever is higher — for non-compliance.
This article works through Articles 9, 12, 13, and 17 in detail, explains what each actually demands technically, and describes why the passive monitoring approach fails the core test of Article 9 in particular.
What "High-Risk AI" Means in Practice
Before addressing enforcement specifics, it is worth being precise about scope. The EU AI Act defines High-Risk AI systems in Annex III. The list includes AI systems used in:
- Critical infrastructure — power, water, transport management systems where AI influences safety-critical decisions
- Education and vocational training — systems determining access to education, assessment outcomes
- Employment and worker management — recruitment, CV screening, performance evaluation, work allocation
- Essential private and public services — credit scoring, loan eligibility, insurance underwriting, social benefit administration
- Law enforcement — risk assessment, evidence evaluation, crime prediction
- Migration and border control — risk assessment for visa and asylum applications
- Administration of justice — AI assisting courts and tribunals
If your organization operates LLMs in financial services — credit underwriting, loan officer assistance, fraud investigation — you are in scope. If you deploy AI in insurance claims assessment, HR candidate screening, or customer-facing credit applications, you are in scope. The breadth is significant.
The Act applies to both providers (companies placing AI systems on the EU market) and deployers (companies operating AI systems within the EU on behalf of others). The enforcement obligations described in Articles 9 and 17 apply to deployers. If you are running a third-party LLM in your lending workflow, you are the deployer and these obligations are yours.
Article 9: The Risk Management System Requirement
Article 9 is where the monitoring-vs-enforcement distinction becomes legally significant. The article requires providers and deployers of High-Risk AI systems to establish, implement, document, and maintain a risk management system. It specifies, in Article 9(2), that this system must consist of a "continuous iterative process" that:
- Identifies and analyzes the known and reasonably foreseeable risks associated with the AI system
- Estimates and evaluates the risks that may emerge when the system is used in accordance with its intended purpose
- Evaluates risks that may emerge from reasonably foreseeable misuse
- Adopts suitable risk management measures in accordance with the provisions of the following sections
That last point is the one that monitoring programs fail on. "Suitable risk management measures" is not satisfied by observing that risks occurred and recording them. The article specifies that these measures must be designed to "eliminate or reduce identified risks as much as possible." The word is reduce, not observe.
Article 9(4) sharpens this further: risk management measures must be such that "any residual risk associated with each hazard as well as the overall residual risk of the High-Risk AI system is judged to be acceptable." The regulator is asking organizations to demonstrate that their technical infrastructure actively constrains the behavior of the AI system — not simply that they have instrumented it.
A monitoring dashboard that shows "3 policy violations detected this week" does not satisfy Article 9. A monitoring dashboard that shows "3 policy violations blocked before execution" begins to satisfy it. The difference is a pre-execution enforcement layer — a component that evaluates the AI's proposed action against defined policy before the action occurs, not after.
Article 9 and Testing Requirements
Article 9(7) requires that High-Risk AI systems be tested before being placed on the market or put into service. The testing must ensure that the system "performs consistently for its intended purpose" and that it "meets the requirements set out in this Chapter." Article 9(8) specifies that testing procedures must include testing against "real world conditions" that may occur during intended use.
This has concrete implications for LLM deployments. If your AI system can generate a credit decision and you cannot demonstrate that it was tested against the actual distribution of edge cases it will encounter in production — adversarial inputs, boundary conditions, unusual borrower profiles — your compliance posture is weak. The testing must be systematic, documented, and repeatable.
Article 12: Logging and Automatic Record-Keeping
Article 12 is more prescriptive than Article 9, and easier to translate into technical requirements. It mandates that High-Risk AI systems have built-in logging capabilities that enable the monitoring of the system's operation throughout its lifecycle. Specifically, Article 12(1) states that these systems "shall have logging capabilities ensuring a level of traceability of the AI system's functioning."
Article 12(2) specifies the minimum content of these logs: they must capture the "periods of each use of the system," identify the "data input" where technically feasible, and record events that affect the output of the system. Article 12(3) adds that for High-Risk AI in the law enforcement, migration, and judicial domains, logs must record specific additional data including start and end dates, the reference database against which data was checked, and the persons responsible for verification of results.
Most enterprise AI teams have implemented some form of logging — prompt and response capture, latency recording, error tracking. What they have typically not implemented is the specific structure the Act requires:
| Article 12 Requirement | Standard Logging Covers This? | What's Missing |
|---|---|---|
| Period of each use of the system | YES | Usually covered by standard access logs |
| Data inputs used for each inference | PARTIAL | Often sampled or truncated; tokenized prompts may not preserve original input structure |
| Events affecting the output of the system | NO | Requires logging governance decisions (policy evaluations, blocks, modifications) not just LLM outputs |
| Tamper-evident audit trail | NO | Standard logs are mutable; Art. 12 implies integrity-protected records that cannot be altered retroactively |
| Linkable to specific decisions and individuals | PARTIAL | Requires correlation between AI output, governance evaluation, and downstream human decision |
The tamper-evidence requirement deserves particular attention. Standard application logs are typically stored in mutable databases or log aggregation platforms. A regulator or auditor who asks to verify that your logs have not been altered after the fact has no means of verification unless you have implemented cryptographic integrity controls — for example, HMAC-signed log records chained to one another so that any modification breaks the chain.
Article 13: Transparency and Information Provision
Article 13 requires that High-Risk AI systems be designed and developed with sufficient transparency that deployers can understand and appropriately oversee the system's operations. Article 13(1) states that systems "shall be sufficiently transparent to enable users to interpret the system's output and use it appropriately."
Article 13(3) specifies the minimum content of the technical documentation that must accompany High-Risk AI systems. This includes: the intended purpose, the performance metrics and accuracy levels, known limitations and foreseeable circumstances that may affect performance, human oversight measures, and the technical details required to allow deployers to implement proper oversight.
The transparency requirement has a practical implication that many organizations miss: when an AI system declines a loan application, recommends against a candidate, or flags a transaction for review, the decision must be interpretable. Not necessarily in the sense of full explainability of the model's internal activations — but in the sense that the governance logic that shaped the output can be reconstructed and understood.
If your LLM makes a credit recommendation and the only record of why is the model's token outputs, you cannot satisfy Article 13. If your AI is governed by a deterministic policy layer that evaluates the proposed action against explicit rules and records which rules applied, you can. The difference is a governance layer that produces structured decision records, not raw LLM outputs.
Article 17: Quality Management System
Article 17 requires providers — and by extension deployers in many cases — to implement a quality management system covering the full lifecycle of the AI system. The QMS must include documented policies for:
- Regulatory compliance strategy and relevant procedures
- Techniques for the design and control of the AI system
- Systems and procedures for data management
- Post-market monitoring systems — not just pre-deployment testing
- Procedures for communicating with national authorities
- Arrangements for human oversight as referred to in Article 14
Article 17 is the quality backbone. Without it, the requirements of Articles 9, 12, and 13 have no organizational context in which to exist. Regulators during an audit will ask to see the QMS. They will ask for evidence that it is implemented, not just documented. Organizations that have written governance policies but have not implemented the technical infrastructure to enforce them will be in a difficult position.
Article 14: Human Oversight — The Most Misunderstood Requirement
Article 14 is perhaps the most frequently misread provision in the entire Act. Organizations read "human oversight" and conclude that having a human review screen between the AI output and the final decision is sufficient. The article is more demanding than that.
Article 14(4) requires that natural persons to whom oversight is assigned must be able to:
- Fully understand the capacities and limitations of the High-Risk AI system
- Monitor the AI system's operation to detect and address signs of anomalies, dysfunctions, and unexpected performance
- Correctly interpret the High-Risk AI system's output, taking into account the characteristics and limitations of the system
- Disregard, override, or reverse the output of the High-Risk AI system
- Intervene in the operation of the system or halt it through a "stop" button or a similar procedure
The phrase "correctly interpret" is where most implementations fall short. An AI system that produces a credit denial with no structured audit record of the governance logic that shaped the output provides no basis for a human reviewer to correctly interpret it. The reviewer sees a decision and a prose explanation generated by the same LLM that made the decision. That is not interpretation — it is trusting the model to explain itself.
True human oversight requires that the AI system produce, alongside its output, a structured record of the policy evaluation that constrained or informed that output. Which rules were considered? Which were triggered? What was the confidence level? This record must be generated by a component separate from the LLM itself — a deterministic governance layer whose outputs are verifiable and whose logic is transparent.
The Technical Implementation Path
Working backward from the article requirements, a compliant architecture for High-Risk AI under the EU AI Act requires the following technical components:
Evaluates proposed AI actions against defined policy packs before execution.
Satisfies: Article 9 (risk reduction measures), Article 14 (interpretable oversight)
COMPONENT 2 Cryptographically signed audit records
HMAC-signed, hash-chained decision records for every evaluated action.
Satisfies: Article 12 (tamper-evident logging), Article 17 (QMS documentation)
COMPONENT 3 Structured decision certificates
Per-decision records identifying which policies applied, what data triggered them.
Satisfies: Article 13 (interpretability), Article 14 (human oversight support)
COMPONENT 4 Testing and validation framework
Systematic test harness against policy packs with documented coverage metrics.
Satisfies: Article 9(7) (testing before deployment)
COMPONENT 5 Post-market monitoring with anomaly detection
Ongoing evaluation of AI system behavior against baseline with alerting.
Satisfies: Article 9 (continuous risk management), Article 17 (QMS post-market)
The August 2026 Enforcement Timeline
The phased implementation of the EU AI Act creates specific deadlines that organizations should have mapped to their compliance programs:
The August 2026 deadline is not aspirational. National competent authorities in member states are establishing enforcement capabilities now. France's CNIL, Germany's BNetzA, and the UK's ICO are all building AI audit capacity. The first enforcement actions under High-Risk AI obligations are expected in Q4 2026.
Common Compliance Mistakes to Avoid
Based on the regulatory text and the patterns we observe in enterprise AI deployments, the most common mistakes in EU AI Act compliance programs are:
Conflating model cards with risk documentation. Model cards produced by foundation model providers (Anthropic, OpenAI, Mistral) describe the base model. They do not constitute the risk documentation required under Article 9 for the specific deployment context. A deployer of GPT-4 in a credit underwriting workflow needs their own risk assessment for that specific use case.
Treating logging as compliance. Capturing every prompt and response is necessary but not sufficient. The Article 12 logging requirement has a specific structure — tamper-evident records linked to individual decisions, governance evaluations, and the humans responsible for oversight. Sending LLM outputs to a SIEM does not produce this structure.
Assuming explainability satisfies Article 13. XAI tools that explain model outputs are useful but do not by themselves produce the "interpretation" Article 13 requires. Interpretation requires that the governance logic constraining the output be recorded separately from the output itself — so that a human reviewer can understand what rules applied, not just what the model said.
Delegating compliance to the AI vendor. Under Article 28, deployers take on a substantial portion of the provider's obligations when they "substantially modify" the AI system or use it outside the intended purpose. Using an LLM in a regulated lending workflow almost certainly constitutes a use case the foundation model provider did not design for. The deployer owns the compliance obligation.
How a Pre-Execution Enforcement Layer Addresses the Gap
The architectural solution to the monitoring-vs-enforcement problem is a pre-execution policy enforcement layer — a deterministic governance component that intercepts every AI action before execution, evaluates it against defined policy packs, and returns ALLOW, BLOCK, or MODIFY with a cryptographically signed decision record.
This architecture satisfies Article 9 because the enforcement layer actively reduces risk before it materializes. It satisfies Article 12 because each decision produces a tamper-evident, hash-chained audit record. It satisfies Article 13 because the record of which policies applied to which decision is available to human reviewers. And it satisfies Article 14 because reviewers can see not just the AI's output but the governance logic that shaped it.
The enforcement layer must be deterministic — the same input and policy state must produce the same evaluation result every time. Probabilistic guardrails built on secondary LLM calls do not satisfy this requirement; their outputs vary with temperature and sampling, and they cannot produce reliable audit records.
Sub-millisecond latency is also a practical requirement. If the enforcement layer adds more than a few hundred milliseconds of latency to AI responses, it will face operational pressure to be bypassed or disabled. The enforcement layer must be fast enough to be invisible to end users.