EU AI Act Evidence Mapping
RADAR maps evidence records to EU AI Act obligations. Regulated teams can demonstrate compliance for high-risk AI systems. AI Act obligations broadly apply from 2 August 2026.
Article mappings
Article 12 — Record keeping
Obligation: High-risk AI systems must automatically record events during operation for regulatory inspection.
Evidence: RADAR captures every agent session as a structured trace: model used, prompt and completion data, tool calls, policy evaluations, and review actions. Traces are immutable after capture and retained per configurable policy.
Article 13 — Transparency
Obligation: Deployers must be informed about AI system capabilities, limitations, and risks.
Evidence: RADAR generates human-readable evidence packs documenting what the system did, which data it accessed, how decisions were reached, and which controls were applied.
Article 14 — Human oversight
Obligation: High-risk AI systems must enable effective human oversight built in before deployment.
Evidence: Findings track every high-risk action requiring review: escalation path, reviewer identity, decision, and timestamp. SLA violations are captured as findings.
Article 15 — Accuracy and robustness
Obligation: Systems must perform consistently, be resilient to errors, and be secure against exploitation.
Evidence: RADAR monitors for anomalies: cost spikes, behavioral loops, unexpected tool access, policy violations, and PII exposure. Recorded as findings with severity classification.
Article 16 — Provider obligations
Obligation: Providers must ensure conformity assessment, technical documentation, and quality management.
Evidence: RADAR evidence packs provide the documentation layer for conformity assessments with trace records and review trails.
Article 29 — Deployer obligations
Obligation: Deployers must use systems per instructions, monitor for risks, and maintain logs.
Evidence: Deployer compliance reports with evidence collection status, retention policy, monitoring coverage, and oversight summary.
Article 55 — Fundamental rights impact assessments
Obligation: Deployers of high-risk AI systems must conduct fundamental rights impact assessments.
Evidence: Traces and findings provide the data for impact assessments: PII exposure across sessions, policy violation patterns, escalation frequency, demographic coverage, and remediation history. Structured evidence supports thorough and reproducible assessments.
Other frameworks
RADAR also maps evidence to:
- Name
GDPR- Description
PII findings, data processing records, retention controls, deletion attestations (Articles 5, 17, 32).
- Name
SOC 2- Description
Access controls, monitoring, anomaly detection, incident response mapped to trust services criteria (CC6, CC7).
- Name
HIPAA- Description
ePHI access logs, audit controls, access controls, integrity controls (164.312).
- Name
ISO 42001- Description
AI management system evidence: risk assessments, monitoring records, continuous improvement documentation.
This document describes technical evidence mappings, not legal advice. Organizations should consult legal counsel for compliance determinations specific to their deployment.