EU AI Act Evidence Mapping

RADAR maps evidence records to EU AI Act obligations so that regulated teams can demonstrate compliance for high-risk AI systems. AI Act obligations broadly apply from 2 August 2026.

Article mappings

Article 12 — Record keeping

Obligation: High-risk AI systems must automatically record events during operation for regulatory inspection.

Evidence: RADAR captures every agent session as a structured trace: model used, prompt and completion data, tool calls, policy evaluations, and review actions. Traces are immutable after capture and retained per configurable policy.

Article 13 — Transparency

Obligation: Deployers must be informed about AI system capabilities, limitations, and risks.

Evidence: RADAR generates human-readable evidence packs documenting what the system did, which data it accessed, how decisions were reached, and which controls were applied.

Article 14 — Human oversight

Obligation: High-risk AI systems must enable effective human oversight, built in before deployment.

Evidence: Findings track every high-risk action requiring review: escalation path, reviewer identity, decision, and timestamp. SLA violations are captured as findings.

Article 15 — Accuracy and robustness

Obligation: Systems must perform consistently, be resilient to errors, and be secure against exploitation.

Evidence: RADAR monitors for anomalies: cost spikes, behavioral loops, unexpected tool access, policy violations, and PII exposure. These are recorded as findings with a severity classification.

Article 16 — Provider obligations

Obligation: Providers must ensure conformity assessment, technical documentation, and quality management.

Evidence: RADAR evidence packs provide the documentation layer for conformity assessments with trace records and review trails.

Article 29 — Deployer obligations

Obligation: Deployers must use systems per instructions, monitor for risks, and maintain logs.

Evidence: Deployer compliance reports cover evidence collection status, retention policy, monitoring coverage, and an oversight summary.

Article 55 — Fundamental rights impact assessments

Obligation: Deployers of high-risk AI systems must conduct fundamental rights impact assessments.

Evidence: Traces and findings provide the data for impact assessments: PII exposure across sessions, policy violation patterns, escalation frequency, demographic coverage, and remediation history. Structured evidence supports thorough and reproducible assessments.

Other frameworks

RADAR also maps evidence to:

  • GDPR: PII findings, data processing records, retention controls, deletion attestations (Articles 5, 17, 32).

  • SOC 2: Access controls, monitoring, anomaly detection, incident response mapped to trust services criteria (CC6, CC7).

  • HIPAA: ePHI access logs, audit controls, access controls, integrity controls (164.312).

  • ISO 42001: AI management system evidence: risk assessments, monitoring records, continuous improvement documentation.
