Compliance coverage: 6 rows

EU AI Act

The EU AI Act places obligations on providers and deployers. Dictiva supplies agent-level artifacts that support a customer's conformity and operational evidence package.

Citations use the Article format from the canonical matrix.

Covered: 4

Partial: 1

Uncovered: 1

Requirement | AF | Evidence kind | Status | Notes

Art 9

Risk management system - Establish, implement, document, and maintain a risk management system for high-risk AI systems as a continuous iterative process throughout the lifecycle, including identifying foreseeable risks, estimating, evaluating, and adopting risk-management measures.

AF-3, AF-4, AF-6

agent_charters.riskLevel; agent_charters.mayNotActions + mustEscalateWhen (mitigation measures); agent_statement_assignments (controls); agent_action_events.decision (operational evidence the measures are applied)

Covered

Per-agent risk management is fully expressed: classification (charter), declared treatments (charter rules), bound controls (statement assignments), runtime evidence (ledger). The lifecycle iteration is supported by the supersedesCharterId chain + reviewDueAt recertification timer.

Art 10

Data and data governance - Training, validation, and testing data sets shall be subject to data governance and management practices appropriate for the intended purpose; examined for biases; relevant in light of the intended purpose.

AF-3 (runtime data only)

agent_charters.dataAccess[] documents which datasets/PII categories the agent accesses at runtime

Uncovered

out of AF scope

Article 10 governs training data for the AI system. Dictiva agents use third-party model providers (Claude, GPT, etc.) — training-data governance is the model vendor's domain plus the customer's own model-procurement practice. AF documents runtime data exposure (charter dataAccess[]) but does not address training-data lineage. Not tracking in AF-7.

Art 12

Record-keeping - High-risk AI systems shall technically allow for the automatic recording of events (logs) over the lifetime of the system. Logs shall ensure traceability of the system's functioning appropriate to the intended purpose.

AF-1, AF-0

agent_action_events ledger row per action: actor_did_snapshot, action, subject_type/subject_id, occurred_at, decision, initiator_user_id, approved_by_user_id, metadata

Covered

The ledger is the technical record-keeping mechanism. Append-only enforcement (trigger-based per ADR-044) makes the logs tamper-evident at the DB level. The four indexes support per-agent timeline, per-DID lookup (across rotation), per-subject drilldown, and per-execution grouping — all retrieval modes a regulator audit would require.

Art 13

Transparency and provision of information to deployers - High-risk AI systems shall be designed and developed in such a way as to ensure that their operation is sufficiently transparent to enable deployers to interpret a system's output and use it appropriately. Instructions for use shall be provided.

AF-3

agent_charters rendered on /members/[id] profile page: purpose, scope, riskLevel, mayActions, mayNotActions, mustEscalateWhen, humanOversight, approvalRequirements, dataAccess, externalSystems

Covered

The charter is the agent's "instructions for use" expressed as data, not just text. The profile page renders it in human-readable form. A non-technical deployer can read it in 30 seconds (per AF-3 acceptance criterion).

Art 14

Human oversight - High-risk AI systems shall be designed and developed in such a way as to enable human oversight by natural persons during the period in which they are in use, including: (a) understanding capacities and limitations and being able to monitor operation, (b) remaining aware of automation bias, (c) correctly interpreting output, (d) deciding not to use or otherwise disregard, override, reverse, or stop the output, (e) intervening on the operation or interrupting the system through a 'stop' button.

AF-3, AF-6

agent_charters.humanOversight.{requiredFor, monitoringCadence, overrideAuthority} (declared); agent_charters.approvalRequirements[] (declared); AF-6 preflight evaluator (enforced); agent_action_events.decision='escalated' with approved_by_user_id populated (proven-in-use evidence)

Covered

This is the AF system's headline alignment with the AI Act. (a) monitoring → AF-1.5 Recent Actions tab. (b/c) charter purpose/riskLevel declare scope and limits. (d/e) override/intervene → AF-6 escalation routes the request to a human and blocks until approval; the ledger row records the decision. The Art 14(4)(e) "stop button" is the per-action override; agent-wide stop (kill switch) is AF-7.1 — a noted gap.

Art 15

Accuracy, robustness, and cybersecurity - High-risk AI systems shall be designed and developed in such a way that they achieve, in the light of their intended purpose, an appropriate level of accuracy, robustness, and cybersecurity, and that they perform consistently in those respects throughout their lifecycle.

AF-1 (robustness signal); AF-7.5 (qualification)

agent_action_events.decision='blocked' rows surface behavioral inconsistencies

Partial

Robustness is partially covered: the ledger surfaces inconsistencies and the AF-6 enforcement layer prevents many. Accuracy is upstream — a function of the underlying model and the agent's prompt/skill quality, addressed by the AF-7.5 qualification track (#2632). Cybersecurity is tenant-wide (auth, encryption, network controls) — out of AF scope.

Framework detail

Public gap references

Row-level gap badges link to the public AF-7 parent epic rather than exposing internal sub-issue numbers.
