RFC: EU AI Act Compliance Mapping — TealTiger v1.4 (Draft for Review) #208
nagasatish007
started this conversation in
Ideas
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Your Idea
EU AI Act Compliance Mapping
TealTiger v1.4 — Runtime Governance for High-Risk Agentic AI Systems
Document Information
Compliance Timeline Note
The original deadline for high-risk obligations (Articles 8-17) is August 2, 2026. Under the Digital Omnibus provisional agreement (Council and Parliament, May 7, 2026), standalone Annex III systems are expected to receive a deferral to December 2, 2027. This agreement is pending formal adoption. If not adopted before August 2, 2026, the original timeline applies.
This mapping is designed to satisfy requirements under either timeline.
Executive Summary
TealTiger is an open-source AI agent security platform that provides deterministic governance, guardrails, cost tracking, and policy management for LLM-based agentic applications. It operates in-process with less than 5ms overhead, requires no external services, and produces cryptographically verifiable evidence of governance decisions.
This document maps TealTiger's v1.4 capabilities to the EU AI Act's high-risk system obligations (Articles 8-17, 19, 26, 27, 73), identifying coverage, partial coverage, and gaps for each requirement.
Coverage Summary
Article-by-Article Mapping
Article 8 — General Requirements for High-Risk AI Systems
Obligation: High-risk AI systems shall be designed and developed in accordance with Articles 9-15.
TealTiger Coverage: PARTIAL
TealTiger provides the runtime enforcement layer that ensures Articles 9-15 obligations are satisfied during operation. It does not cover the design-time and pre-market requirements (conformity assessment, CE marking, quality management system design). TealTiger is complementary to design-time tools.
Article 9 — Risk Management System
Obligation: A risk management system shall be established, implemented, documented, and maintained throughout the entire lifecycle of the high-risk AI system.
TealTiger Coverage: FULL
Evidence Artifacts: TEEC execution receipts, TealDrift anomaly reports, Policy Test Harness results (JUnit XML, SARIF)
Article 10 — Data and Data Governance
Obligation: Training, validation, and testing datasets shall be subject to appropriate data governance and management practices.
TealTiger Coverage: PARTIAL
TealTiger governs data at runtime (what data flows through agents) but does not manage training data governance.
input_referencefieldGap: Training data governance (dataset bias, representativeness, labeling quality) is outside TealTiger's runtime scope. Requires complementary tools (e.g., data lineage platforms).
Article 11 — Technical Documentation
Obligation: Technical documentation shall be drawn up before the AI system is placed on the market or put into service and shall be kept up to date.
TealTiger Coverage: PARTIAL
TealTiger auto-generates runtime technical documentation from governance evidence. It does not generate pre-market design documentation.
Gap: Pre-market documentation (system architecture descriptions, intended purpose statements, training methodology) requires complementary documentation tools.
Article 12 — Record-Keeping
Obligation: High-risk AI systems shall technically allow for the automatic recording of events (logs) over the lifetime of the system.
TealTiger Coverage: FULL (with v1.4 additions)
This is TealTiger's strongest coverage area. The TEEC v2.1 evidence contract is specifically designed for this requirement.
issued_atfield (ISO 8601)verifier_contract_version+ JWK Setsession.start/session.endeventsinput_reference/output_referenceretention_untilfield + configurable policyArt. 12 Receipt-to-Requirement Mapping
session.start/session.endlifecycle eventscorrelation_id,session_id,request_idinput_reference(SHA-256 hash)Known Gaps (identified by Sebastian Tagwercher):
teec.iso24970extension adapter will map TEEC fields to the standard's format.Article 13 — Transparency and Provision of Information to Deployers
Obligation: High-risk AI systems shall be designed and developed in such a way as to ensure that their operation is sufficiently transparent to enable deployers to interpret the system's output and use it appropriately.
TealTiger Coverage: FULL
reasonfield +policy_refsintent,execution_outcome,stop_reasonEvidence Artifacts: TEEC receipts with
reason,stop_reason,retry_posturefields; assessment reports fromtealtiger assessArticle 14 — Human Oversight
Obligation: High-risk AI systems shall be designed and developed in such a way as to allow for effective human oversight during the period in which the AI system is in use.
TealTiger Coverage: FULL
Evidence Artifacts: TEEC receipts with
decision: REQUIRE_APPROVAL, approval evidence records, freeze-block audit eventsArticle 15 — Accuracy, Robustness, and Cybersecurity
Obligation: High-risk AI systems shall be designed and developed in such a way that they achieve an appropriate level of accuracy, robustness, and cybersecurity.
TealTiger Coverage: FULL
Note: Article 15 cybersecurity requirements deferred to December 2, 2027 under Digital Omnibus (ref: tagwercher.io/writing/eu-ai-act-article-15-deferral/). The obligation itself is unchanged; only the enforcement date moved.
Evidence Artifacts: TealCircuit state records, TealToolIntegrity violation events, TealDrift anomaly reports, TealRunawayGuard alerts
Article 17 — Quality Management System
Obligation: Providers of high-risk AI systems shall put in place a quality management system that ensures compliance with this Regulation.
TealTiger Coverage: PARTIAL
TealTiger provides the runtime enforcement and evidence layer of a quality management system. It does not define the organizational QMS (policies, procedures, personnel responsibilities).
Gap: Organizational QMS design (reporting structures, personnel roles, incident management procedures) requires complementary governance framework.
Article 19 — Quality Management System Documentation (Retention)
Obligation: Providers shall keep the documentation at the disposal of the national competent authorities for a period of 10 years or, where specific sectoral legislation provides for a longer retention period, for that longer period.
TealTiger Coverage: INFRASTRUCTURE SUPPORT
retention_untilfield in TEEC + TealAudit configurable policyNote: The 10-year provider obligation applies to technical documentation (Art. 11), not necessarily to all operational logs. The interplay between Art. 12 log retention (unsettled, 6-month floor) and Art. 19 documentation retention (10 years) requires regulatory clarification. TealTiger supports configurable retention policies that can be adjusted once guidance is finalized.
Article 26 — Obligations of Deployers
Obligation: Deployers shall use high-risk AI systems in accordance with the instructions of use and implement appropriate technical and organisational measures.
TealTiger Coverage: PARTIAL (deployer responsibility)
TealTiger is the technical measure that deployers use to comply. It does not define organizational measures.
Open Questions for Reviewer
The following questions are for regulatory review:
Art. 12 retention period: Given the unsettled state (6-month minimum under Art. 19/26 vs. potential longer figures), what retention default would you recommend we ship in the EU AI Act policy pack? Is "6 months, configurable" a defensible default?
Input-output traceability depth: Art. 12 qualifies with "where technically feasible." For agentic AI systems processing thousands of requests per hour, is content-addressable hashing (storing the hash in the receipt, raw content in a separate customer-managed store) sufficient? Or do regulators expect inline content in the log?
prEN ISO/IEC 24970 timeline: Any visibility on when this standard will be finalized? Should we wait for it before publishing the compliance pack, or ship with a mapping note that says "will add ISO/IEC 24970 adapter when finalized"?
Multi-agent coverage: Art. 12 references "the AI system." For multi-agent deployments where several agents collaborate on a task, do you expect regulators to require per-agent logs, per-system aggregate logs, or both?
Annex I "safety component" narrowing: You mentioned watching the narrowing on the Annex I side. Is there any risk that agentic AI embedded in products (e.g., AI agent in a medical device workflow) gets re-classified under the narrowed definition? Relevant because TealTiger supports both standalone and product-embedded agent deployments.
Architecture Constraints
All TealTiger compliance modules operate under these non-negotiable constraints:
These constraints ensure that compliance infrastructure does not introduce additional attack surface, latency, or operational dependencies.
Next Steps
Document End
TealTiger — Open Source AI Agent Security Platform
Apache 2.0 License | github.com/agentguard-ai/tealtiger
NVIDIA Inception Member | OWASP Contributor
Category
Improvement
What problem does this solve?
No response
Potential Impact
No response
Implementation Thoughts
No response
Examples or References
No response
Beta Was this translation helpful? Give feedback.
All reactions