---
title: EU AI Act, AI Agent Compliance Coverage
description: How ZioSec evidence satisfies the EU AI Act. Control-by-control mapping with coverage type, supporting evidence, and out-of-scope items.
url: https://ziosec.com/ai-compliance/eu-ai-act
about: EU AI Act
authority: European Commission
reference: 2024/1689
---

# EU AI Act

Standard 01 of 05. Regulatory, Binding.

Regulation (EU) 2024/1689, the first comprehensive legal framework for AI worldwide. A risk-tiered regime: certain practices are prohibited outright; high-risk systems (Annex III use cases and regulated products under Annex I) carry obligations around risk management, data governance, technical documentation, record-keeping, transparency, human oversight, accuracy, robustness, and cybersecurity; systems outside the high-risk tier face, at most, the Art. 50 transparency duties (general-purpose AI models have their own chapter). The mapping below concerns the high-risk obligations.

## At a glance

- **In force:** 1 Aug 2024; the Art. 5 prohibitions apply from 2 Feb 2025, general-purpose AI model obligations from 2 Aug 2025
- **Critical date:** 2 Aug 2026, when the high-risk obligations mapped below apply to Annex III systems (Annex I product-embedded systems: 2 Aug 2027)
- **Scope:** providers placing AI systems on the EU market or putting them into service, deployers established in the EU, and third-country providers and deployers whose system output is used in the EU
- **Penalty:** up to €35M or 7% of worldwide annual turnover, whichever is higher, for prohibited practices; up to €15M or 3% for most other infringements, including the high-risk obligations

## Control-level coverage

Where ZioSec evidence satisfies the EU AI Act:

- **Art. 9 Risk Management System** (Full)
  - Obligation: Continuous, iterative process across the AI lifecycle to identify, estimate, and evaluate risks, adopt mitigations, and test them throughout development and before placing on the market, against prior defined metrics and thresholds (Art. 9(6)-(8)).
  - ZioSec capability: Continuous Pentest
  - Coverage: Our trained pentesting agent probes thousands of vulnerability pathways on every change, satisfying the "continuous, iterative" testing requirement. The risk management system also covers risks to health, safety and fundamental rights outside the security surface; the provider records those in the same register alongside the pentest findings.
  - Evidence: Risk register (auto-updated); Pre/post-mitigation test runs; Residual risk scoring

- **Art. 10 Data and Data Governance** (Supporting)
  - Obligation: Training, validation, and testing datasets must be subject to documented governance practices and be relevant, sufficiently representative and, to the best extent possible, free of errors and complete for the intended purpose.
  - ZioSec capability: Data-Path Probing
  - Coverage: Art. 10 is a dataset quality and governance obligation that a pentest cannot attest to on its own. ZioSec supports it by probing for data leakage, training-data extraction, and PII exfiltration through the agent and its vector stores, producing evidence that the governed datasets stay protected once in use.
  - Evidence: Extraction attack reports; PII leakage test results; Vector store probe logs

- **Art. 11 Technical Documentation** (Full)
  - Obligation: Technical documentation per Annex IV, drawn up before placing on the market or putting into service and kept up to date, demonstrating compliance with the high-risk requirements.
  - ZioSec capability: Audit-Ready Reporting
  - Coverage: Every pentest produces a structured, timestamped report that feeds the testing and cybersecurity sections of Annex IV (validation and testing procedures, metrics for accuracy, robustness and cybersecurity, and dated test logs and reports). The descriptive sections of Annex IV (system description, architecture, data requirements, oversight measures) come from the provider's own design documentation.
  - Evidence: Test methodology docs; Version-pinned findings; Annex IV-aligned reports

- **Art. 12 Record-Keeping (Logging)** (Full)
  - Obligation: The system must technically allow automatic recording of events (logs) over its lifetime, sufficient to identify situations that may present a risk or amount to a substantial modification, to facilitate post-market monitoring (Art. 72), and to let deployers monitor operation.
  - ZioSec capability: Fleet-Wide Telemetry
  - Coverage: Containerized deployment captures every agent action, tool call, and policy decision into immutable, append-only logs, with a correlation ID tying each tool call back to the request that triggered it.
  - Evidence: Tool-call audit trail; Policy decision logs; Event correlation IDs

- **Art. 14 Human Oversight** (Partial)
  - Obligation: Designed and developed, including with appropriate human-machine interface tools, so that natural persons can effectively oversee the system during use: understand its capacities and limitations, stay aware of automation bias, correctly interpret output, and decide to override, reverse, interrupt, or stop it.
  - ZioSec capability: Policy Composition
  - Coverage: Automatic policy composition produces enforceable guardrails that surface decision points and preserve human-in-the-loop integrity, and the override and stop paths are exercised under test. Selecting, training and empowering the oversight persons (Art. 14(4), Art. 26(2)) remains with the provider and deployer, hence partial.
  - Evidence: Override-path testing; Kill-switch validation; Escalation logs

- **Art. 15 Accuracy, Robustness, Cybersecurity** (Full)
  - Obligation: Appropriate levels of accuracy, robustness and cybersecurity, maintained consistently through the lifecycle; resilient against errors, faults and inconsistencies, and against attempts by unauthorised third parties to alter use, outputs or performance by exploiting vulnerabilities. Art. 15(5) names data poisoning, model poisoning, adversarial examples and model evasion, confidentiality attacks, and model flaws.
  - ZioSec capability: Offensive Testing Core
  - Coverage: ZioSec's primary mandate. Adversarial inputs, prompt injection, model evasion, training-data extraction, and supply-chain attacks (poisoned models, dependencies, or data) are tested continuously.
  - Evidence: Adversarial test corpus; Robustness benchmarks; Attack-resistance scores

- **Art. 17 Quality Management System** (Supporting)
  - Obligation: A documented quality management system covering, among other things, the examination, test and validation procedures to be carried out before, during and after development, and how often they run.
  - ZioSec capability: Continuous QMS Input
  - Coverage: Pentest cadence and findings feed directly into the QMS, with version-controlled procedures and evidence chains.
  - Evidence: Procedure version history; Validation runs

- **Art. 72 Post-Market Monitoring** (Full)
  - Obligation: A post-market monitoring system, proportionate to the system's risks, that actively and systematically collects, documents and analyses performance data throughout the system's lifetime, following a post-market monitoring plan that forms part of the technical documentation.
  - ZioSec capability: Fleet-Wide Governance
  - Coverage: Single pane of glass surfaces every agent's behavior post-deployment, with anomaly detection feeding the post-market monitoring file.
  - Evidence: Drift detection alerts; Behavior baselines; Incident timelines
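As an illustration of the kind of record-keeping evidence the Art. 12 row above refers to (an added example, not ZioSec's code), here is a minimal tamper-evident tool-call audit trail: each record carries the correlation ID of the request that triggered it and the SHA-256 hash of the previous record, and a verifier reports the first record whose content or position no longer matches the chain. The record fields, agent, tool and policy names, and the three sample records are all hypothetical.

```python
"""Tamper-evident audit trail for AI-agent tool calls.

Added illustration, not ZioSec's implementation. Record fields, agent,
tool and policy names are hypothetical. Each record links to its
predecessor by SHA-256, so editing, reordering or deleting a record
after the fact is detectable by re-walking the chain.
"""
import hashlib
import json
from dataclasses import dataclass, field

GENESIS_HASH = "0" * 64  # "previous" link stored in the first record


def _canonical(record: dict) -> bytes:
    # Stable serialisation so the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class AuditLog:
    records: list = field(default_factory=list)

    def append(self, correlation_id: str, agent: str, tool: str,
               args: dict, decision: str, ts: str) -> str:
        """Append one tool-call record; returns its hash (the new chain head)."""
        prev_hash = self.records[-1]["hash"] if self.records else GENESIS_HASH
        body = {
            "seq": len(self.records),          # position in the chain
            "ts": ts,                          # ISO-8601 timestamp
            "correlation_id": correlation_id,  # ties the call to its triggering request
            "agent": agent,
            "tool": tool,
            "args": args,
            "decision": decision,              # outcome of the policy check
            "prev": prev_hash,
        }
        digest = hashlib.sha256(_canonical(body)).hexdigest()
        self.records.append(dict(body, hash=digest))
        return digest

    def head(self) -> str:
        """Current chain head; anchor it externally so tail truncation is detectable too."""
        return self.records[-1]["hash"] if self.records else GENESIS_HASH

    def verify(self):
        """Return the index of the first record that breaks the chain, or None if intact."""
        expected_prev = GENESIS_HASH
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if body.get("seq") != i or body.get("prev") != expected_prev:
                return i  # reordered, deleted, or inserted record
            if hashlib.sha256(_canonical(body)).hexdigest() != rec["hash"]:
                return i  # content edited after the fact
            expected_prev = rec["hash"]
        return None

    def by_correlation(self, correlation_id: str) -> list:
        """All tool calls that one request fanned out into, in order."""
        return [r for r in self.records if r["correlation_id"] == correlation_id]


def build_sample_log() -> AuditLog:
    """Constructed sample: one support request fans out into three tool calls."""
    log = AuditLog()
    log.append("req-0001", "support-agent", "crm.lookup",
               {"customer_id": "c-42"}, "allow", "2026-03-01T09:00:00Z")
    log.append("req-0001", "support-agent", "email.send",
               {"to": "external@example.net"}, "deny:policy.no_external_email",
               "2026-03-01T09:00:02Z")
    log.append("req-0001", "support-agent", "ticket.escalate",
               {"queue": "human-review"}, "escalate:human", "2026-03-01T09:00:03Z")
    return log


def tamper_after_the_fact():
    """Rewrite a denied action as allowed; the verifier reports the edited record."""
    log = build_sample_log()
    assert log.verify() is None
    log.records[1]["decision"] = "allow"
    return log.verify()


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact:", sample.verify() is None, "head:", sample.head()[:16])
    print("first bad record after edit:", tamper_after_the_fact())
```

Two caveats a reviewer of such evidence will raise. First, a hash chain alone cannot detect truncation of the tail (dropping the newest records leaves a valid shorter chain), so the head hash has to be anchored outside the log, for example exported and signed on a schedule. Second, Art. 12 requires the high-risk AI system itself to be technically capable of this logging; telemetry captured by a surrounding platform supports the obligation but does not replace that capability in the system under assessment.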

## Customer-owned (out of scope)

These obligations are part of the EU AI Act, but a pentest cannot satisfy them. They sit with your governance, legal, and product teams.

- **Art. 13 Transparency & Provision of Information** (Out of scope, customer-owned)
  - Obligation: High-risk systems must be designed so deployers can interpret and appropriately use outputs, and must ship with instructions for use covering capabilities, limitations, accuracy and robustness metrics, oversight measures, and expected lifetime.
  - ZioSec capability: Customer Governance Fills
  - Coverage: Authoring user-facing instructions and interpretation guidance is a documentation and product function, not a pentest output.
  - Owner: Product / Legal

- **Art. 26 Obligations of Deployers** (Out of scope, customer-owned)
  - Obligation: Deployers must use the system per the provider's instructions, assign human oversight to natural persons with the competence, training and authority to exercise it, ensure input data is relevant, monitor operation, and retain the logs under their control for at least six months.
  - ZioSec capability: Customer Governance Fills
  - Coverage: Operational obligations on the organization deploying the agent. Role assignments, oversight policies, and log retention live with your GRC team.
  - Owner: GRC / Operations

- **Art. 27 Fundamental Rights Impact Assessment** (Out of scope, customer-owned)
  - Obligation: Public bodies, private operators providing public services, and deployers of certain Annex III systems (creditworthiness assessment and life and health insurance risk pricing) must perform an FRIA before first use.
  - ZioSec capability: Customer Governance Fills
  - Coverage: FRIA is a legal and ethical analysis, not a technical pentest. Owned by Legal, Privacy, and Ethics functions.
  - Owner: Legal / Privacy / Ethics

- **Art. 50 Transparency to Natural Persons** (Out of scope, customer-owned)
  - Obligation: People must be told they are interacting with an AI system unless it is obvious; providers of systems generating synthetic audio, image, video or text must mark outputs in a machine-readable, detectable way; deployers must disclose deepfakes and the use of emotion recognition or biometric categorisation.
  - ZioSec capability: Customer Governance Fills
  - Coverage: UI disclosure copy, watermarking choices, and disclosure policies are product and legal decisions.
  - Owner: Product / Legal

## Crosswalk available

Get the per-article crosswalk for your stack.

We will map your specific AI agents to the EU AI Act articles, identify gaps, and propose the evidence chain.

What you receive:

- Per-article coverage map
- Annex IV tech doc template
- Risk register starter
- Conformity assessment outline
- Post-market monitoring schema
- Notified-body briefing kit

Email info@ziosec.com (subject: EU AI Act Crosswalk) or open the cross-framework matrix at https://ziosec.com/ai-compliance/matrix.