EU AI Act - capability crosswalk

If your AI program needs to evidence Article 12 record-keeping, Article 14 human oversight, or Article 73 serious-incident reconstruction, here is how the obligation maps to the AGLedger record, the Signed Statement chain, and the audit-export surface.

The crosswalk below is a capability mapping, not a compliance certificate. AGLedger provides the evidence pattern; your program provides the policy, the methodology, and the decisions.

Last updated: 2026-06-10 · API v1.2.0 · Article references reviewed against Regulation (EU) 2024/1689 (OJ L, 12 July 2024) and the Digital Omnibus provisional agreement of 7 May 2026

Where enforcement stands

The AI Act entered into force on 1 August 2024. Prohibitions and AI-literacy duties have applied since 2 February 2025, and general-purpose AI obligations since 2 August 2025. Under the Digital Omnibus agreed by the Parliament and Council on 7 May 2026 (pending formal adoption), the high-risk obligations this page maps - including Article 12 record-keeping - are expected to apply from 2 December 2027 for standalone Annex III systems and 2 August 2028 for high-risk AI embedded in regulated products. The records you will need in 2027 have to start accumulating before 2027.

If your AI program needs to evidence Article 12 record-keeping, the crosswalk below applies. The same evidence pattern - signed records, hash-chained, append-only - also supports non-AI automated work under SOX, GLBA, HIPAA, and other control families that require tamper-evident audit trails for RPA, CI pipelines, and microservice handoffs. AGLedger is software you self-host; the regulations are AI-framed, the underlying evidence pattern is not.

Article-by-article mapping

ArticleRequiresAGLedger providesYou own
Art. 6 + Annex IIIClassification rules for high-risk AI systemsField to record the classification (high, limited, minimal) and Annex III domain tag per record, applied consistently across the chainThe classification decision and methodology
Art. 9Risk management systemSigned, timestamped records of risk assessments, mitigation decisions, and tolerance-check results — evidence the process ran, when, and with what outcomeThe risk management system itself: identification, evaluation, and the mitigation measures
Art. 12Record-keeping (event logging)Append-only audit vault — every state change, attestation, and tolerance check result recorded automatically, Ed25519-signed and hash-chained; external anchoring writes signed checkpoints to write-once storage (S3 Object Lock) so the log’s integrity holds even against the operator running itDetermining which events are in scope
Art. 13Transparency and provision of information to deployersFull chain exportable and machine-readable (JSON, CSV, NDJSON), so deployers can see what the system intended and didThe instructions for use, and deciding what to disclose and to whom
Art. 14Human oversightStructured record of the designated overseer — name, role, authority scope, designation date — plus the signed Gate verdict when a human renders a decisionDesignating the overseer and defining their authority
Art. 15Accuracy, robustness and cybersecurityTolerance bands enforce numeric bounds on record criteria; deviations are recorded as signed eventsDefining the tolerance thresholds and acceptance criteria
Art. 17Quality management systemCross-record compliance attestation records, linked to audit chainThe quality management system and policies, and the Art. 11/Annex IV technical documentation it references
Art. 18Documentation keepingAudit export formatted for regulatory submission and third-party audit — signed, so a decade-old export still verifiesThe documentation content and narrative, and the 10-year retention policy
Art. 19Automatically generated logs — retention of at least six monthsAppend-only retention — nothing in the vault is deleted or overwritten, so the six-month floor is exceeded by default; anchored checkpoints in write-once storage carry their own object-lock retention window (default ~7 years, configurable); offline-verifiable export at any point in the windowThe retention schedule, and the lawful-basis and erasure analysis under GDPR
Art. 20Corrective actions and duty of informationDispute resolution (3-tier), remediation states, revision workflow — each transition a signed recordDeciding what corrective action to take, and the notifications
Art. 26Deployer obligations — including Art. 26(6) log retention4 attestation record types (workplace notification, affected persons, input data quality, FRIA) plus the same retained, tamper-evident log store on the deployer sidePerforming the attestation — we record it, you do it — and the deployer’s retention schedule
Art. 27Fundamental rights impact assessmentStructured record per assessment with risk level, domain, mitigation measuresConducting the assessment itself
Art. 49RegistrationEU AI Act domain classification across 8 Annex III categories, kept consistent between your filing and your operational recordsThe registration filing
Art. 72Post-market monitoring by providersA continuous, signed record stream of production behaviour — intents, actions, outcomes, verdicts — as a data source the monitoring plan can rely on without questioning its integrityThe monitoring plan, the analysis, and the conclusions
Art. 73Reporting of serious incidentsThe audit vault contains timestamped, hash-chained records of every agent action, record, completion, and verdict — export a complete incident reconstruction from a single signed source rather than correlating across multiple unsigned systemsIncident determination, authority notification, and the filing obligation

These obligations exist because automated work needs structurally durable evidence. Whether or not your jurisdiction enforces them on schedule, the engineering requirement is real today. AGLedger provides the evidence pattern; your compliance program provides the policy and process around it.

Record-keeping under the Act also intersects data-protection law: Article 12 logs and Article 18 retained documentation are themselves records to which GDPR residency and international-transfer analysis applies. Self-hosting keeps that analysis short - the logs live in your PostgreSQL, in the jurisdiction you choose, with no processor relationship and no transfer introduced by the evidence layer. Data sovereignty is a property of the deployment model, not a clause to negotiate.