
docs: EU AI Act compliance guide for CrewAI deployers #4995

Open
BipinRimal314 wants to merge 6 commits into crewAIInc:main from BipinRimal314:docs/eu-ai-act-compliance



BipinRimal314 commented Mar 20, 2026

Summary

  • Adds a deployer-facing guide covering EU AI Act obligations for autonomous agent systems
  • Includes a Mermaid data flow diagram showing 17 external services CrewAI can connect to, classified by GDPR role (controller vs processor)
  • Maps CrewAI's existing features (human_input, callbacks, delegation controls) to Article 14 human oversight requirements
  • Documents five multi-agent-specific risks not covered by standard AI compliance frameworks

Why this matters

The EU AI Act's August 2, 2026 deadline applies to high-risk AI systems. Autonomous multi-agent systems face the highest regulatory scrutiny under Article 6. No agent framework currently has compliance documentation. This guide helps CrewAI deployers in the EU understand their obligations.

What's covered

  • Risk classification: when a CrewAI deployment becomes high-risk
  • Data flow mapping: 6 AI providers, 3 vector DBs, 6 databases, 5 cloud services
  • GDPR role classification per service (which need Data Processing Agreements)
  • Article 14 human oversight: what CrewAI already provides vs what deployers must add
  • Multi-agent risks: hallucination cascading, unbounded tool use, delegation loops, prompt injection via tools, multi-step reasoning opacity
  • Article 11 Annex IV documentation guidance
  • Article 12 record-keeping checklist

How this was produced

Codebase analyzed using static analysis to identify AI providers, model integrations, and external service dependencies. Scanner covered 1,027 files. Regulatory mapping and deployer guidance written and reviewed manually.

Test plan

  • Mermaid diagram renders correctly on GitHub
  • Links to CrewAI docs (human_input, callbacks) are valid
  • No factual errors in regulatory citations

Covers why autonomous agents face highest regulatory scrutiny,
data flow diagram with 17 external services (GDPR role-classified),
Article 14 human oversight mapping to CrewAI's callbacks and
delegation controls, multi-agent-specific risks, and Annex IV
documentation guidance.

Scanner analysis: 1,027 files, 6 AI providers, 28 model identifiers,
17 external services.