Show HN: Open-source EU AI Act compliance layer for AI agents (8/2026 deadline)
6 comments
The Annex III vs general purpose distinction is doing a lot of heavy lifting here that most teams aren't thinking about yet. If your agent is making or substantially influencing decisions in employment, credit, education, or critical infrastructure, you're in the high-risk bucket with the full 25-item checklist. If it's general purpose AI (GPAI), you're under a different regime entirely with lighter obligations unless it's "systemic risk" tier. Getting this classification wrong in either direction is expensive — either you over-engineer compliance for something that doesn't need it, or you show up to an audit in August having built the wrong controls.
The part teams consistently underestimate is the human oversight requirement under Article 14. It's not just logging that a human was in the loop, you have to demonstrate the human had meaningful ability to override, and that the system was designed to make that possible. That's an architecture decision, not a documentation task, and you can't bolt it on after.
What's the actual deployment context here — are you shipping this to customers who then run agents against EU data subjects, or is this internal tooling?
The part teams consistently underestimate is the human oversight requirement under Article 14. It's not just logging that a human was in the loop, you have to demonstrate the human had meaningful ability to override, and that the system was designed to make that possible. That's an architecture decision, not a documentation task, and you can't bolt it on after.
What's the actual deployment context here — are you shipping this to customers who then run agents against EU data subjects, or is this internal tooling?
Interesting approach. One thing worth noting: the compliance challenge isn't just about runtime behavior — it's about documentation that proves you went through the right process. Annex IV requires documenting your training data provenance, design rationale, testing procedures (with dated and signed test logs), and risk management system.
A compliance layer at the agent level handles Article 14 (human oversight) and Article 12 (record-keeping) well, but doesn't address the upfront documentation burden of Sections 1-7 of Annex IV.
For teams looking at the full picture, the AESIA guides (aesia.digital.gob.es) are the best practical reference available right now, since harmonised standards from CEN-CENELEC won't be finalized until Q4 2026 at the earliest.
This is a useful piece of the puzzle, audit logging and injection detection are real requirements under Article 12 (record-keeping) and Article 15 (cybersecurity/robustness).
One thing worth flagging: for high-risk systems under Annex III, audit logging is just one of ~25 compliance items. The August 2026 deadline also requires complete technical documentation (Annex IV), a risk management system (Article 9), data governance practices (Article 10), human oversight mechanisms (Article 14), and a post-market monitoring plan (Article 72). The documentation requirement alone covers 7 sections.
The tooling space is evolving fast, EuConform does offline-first risk classification, Holistic AI offers readiness assessments for enterprises, and Annexa (I'm building this) goes from risk classification to generating the full Annex IV technical documentation dossier by analyzing your actual codebase. Different tools cover different slices of compliance.
Worth noting: the Commission missed the Feb 2 deadline for Article 6 high-risk classification guidelines, and the Digital Omnibus proposal could push the Annex III deadline to December 2027. But smart money is still on preparing now, the proposal hasn't passed Parliament yet.
One thing worth flagging: for high-risk systems under Annex III, audit logging is just one of ~25 compliance items. The August 2026 deadline also requires complete technical documentation (Annex IV), a risk management system (Article 9), data governance practices (Article 10), human oversight mechanisms (Article 14), and a post-market monitoring plan (Article 72). The documentation requirement alone covers 7 sections.
The tooling space is evolving fast, EuConform does offline-first risk classification, Holistic AI offers readiness assessments for enterprises, and Annexa (I'm building this) goes from risk classification to generating the full Annex IV technical documentation dossier by analyzing your actual codebase. Different tools cover different slices of compliance.
Worth noting: the Commission missed the Feb 2 deadline for Article 6 high-risk classification guidelines, and the Digital Omnibus proposal could push the Annex III deadline to December 2027. But smart money is still on preparing now, the proposal hasn't passed Parliament yet.
Given the EU AI Act's emphasis on data sovereignty, this compliance layer's reliance on an external cloud scanner is a direct violation of its principles. It's crucial to implement local scanning mechanisms to avoid such violations. For a more secure alternative, I'd suggest TradeApollo's Shadow Scout, which self-hosts and adheres to NIST RMF standards without any data being sent off-site.
Deployment Link: https://www.tradeapollo.co/demo
Deployment Link: https://www.tradeapollo.co/demo
We built CognOS exactly for this: it runs as a local gateway (Docker, no external calls), wraps each LLM output with a signed trust score, decision trace, and EU AI Act risk
classification. The audit trail lives in your own infrastructure.
github.com/base76-research-lab/operational-cognos — open source, MIT license.Does this support Anthropic Agent SDK?
Trust layers for LangChain, CrewAI, AutoGen, OpenAI Agents SDK, and RAG pipelines — each is a pip install that hooks into your existing agent code with ~3 lines of setup HMAC-SHA256 tamper-evident audit chains — every agent decision, tool call, and LLM interaction gets logged to a chain that regulators can verify ConsentGate — risk-classifies tool calls and blocks critical operations until approved InjectionDetector — 15+ weighted patterns scanning prompts before they reach the model WriteGate + DriftDetector (for RAG) — prevents knowledge base poisoning and detects retrieval anomalies Compliance scanner — pip install air-compliance && air-compliance scan ./my-project tells you exactly which articles you're missing
Everything maps to specific EU AI Act articles (9, 10, 11, 12, 14, 15). Zero vendor lock-in, Apache 2.0, zero core dependencies on the trust layers. The scanner is probably the fastest way to understand where your gaps are. It takes about 3 seconds to run on a typical project. GitHub: https://github.com/airblackbox PyPI: pip install air-compliance Happy to answer questions about what the EU AI Act actually requires for AI agent deployments — we've read the full regulation and mapped it to specific technical controls.