High-risk AI system implementation — Articles 9–15
If a system is high-risk under Annex III, the Act asks for a specific set of technical controls. I build them into your stack — and produce the evidence a conformity assessment relies on — before 2 August 2026.
The controls I engineer
High-risk systems carry the Act's full technical obligation set. Each of these is something you have to build and evidence, not just describe in a policy.
Risk-management system
Article 9 — a continuous process to identify, evaluate and mitigate risks across the system's lifecycle.
Data & data governance
Article 10 — training, validation and test data practices, bias checks and documented data provenance.
Technical documentation
Article 11 & Annex IV — living documentation of purpose, design, data and performance, tied to your evals.
Logging & traceability
Article 12 — automatic, audit-grade record-keeping of inputs, outputs, versions and interventions.
Transparency & instructions
Article 13 — clear information and instructions for use so deployers can operate the system correctly.
Human oversight
Article 14 — an oversight interface to monitor, override and stop the system, with every intervention logged.
Accuracy & robustness
Article 15 — eval suites and adversarial tests wired into CI, with metrics feeding the documentation.
Cybersecurity
Article 15 — defences against data poisoning, model evasion and prompt-injection, tested continuously.
Built the way you already build software
The reason this works coming from an engineer, not a document template, is that the controls become part of your codebase. Logging and evals wire into CI. Technical documentation is generated from the system and stays current as the model changes. The human-oversight layer is a real interface your operators use. When a conformity assessment or an auditor asks for evidence, it already exists — because it's produced by the running system, not assembled by hand the week before.
How the build runs
- Scope from the roadmapTake the classified high-risk systems from the readiness assessment and confirm the exact controls each needs.
- Build the controlsImplement risk management, data governance, logging, human oversight, transparency and robustness testing in your stack.
- Document & evidenceGenerate the Annex IV dossier and the risk, eval and logging evidence a conformity assessment relies on.
- Assess & monitorSupport the conformity assessment and declaration, then stand up post-market monitoring and incident reporting.
Frequently asked questions
Which controls are you actually building?
The technical obligations for high-risk systems in Articles 9–15: a risk-management system, data and data-governance controls, Annex IV technical documentation, automatic record-keeping (logging and traceability), transparency and instructions for use, human oversight, and the accuracy, robustness and cybersecurity measures. I implement these in your stack, wire them into CI, and produce the evidence a conformity assessment needs.
What is Annex IV technical documentation and why is it hard?
Annex IV is the detailed dossier you must maintain for every high-risk system — its purpose, design, architecture, data, performance metrics, risk-management measures and the changes made over its lifecycle. It's hard because it has to be accurate, current and evidence-backed, not a one-off Word doc. I build it as living documentation tied to your system and evals, so it stays true as the model and code change.
How do you implement 'human oversight' in practice?
Human oversight (Article 14) means a person can understand, monitor and intervene in the system's operation. Concretely that's an oversight interface: surfacing the model's inputs, outputs and confidence, flagging low-confidence or high-impact decisions for review, letting a human override or stop the system, and logging every intervention. I design and build that layer so it's real, not a policy line.
What about logging and record-keeping?
Article 12 requires high-risk systems to automatically record events over their lifetime so behaviour is traceable and post-market monitoring is possible. I implement audit-grade, tamper-evident logging of inputs, outputs, model versions, decisions and human interventions, with retention and access controls — the same traceability that makes agentic systems debuggable anyway.
Do you handle the conformity assessment itself?
I produce everything the conformity assessment relies on — the technical documentation, the risk-management records, the eval results for accuracy and robustness, and the logging evidence — and support you and your legal team through the assessment and the declaration of conformity. The formal legal sign-off and, where required, the notified-body process stay with your compliance function.
How do you prove accuracy, robustness and cybersecurity?
With evals and testing, run continuously rather than once. I build evaluation suites for accuracy and edge-case behaviour, adversarial and robustness tests, and cybersecurity measures against data poisoning, model evasion and prompt-injection where relevant — then wire them into CI so every change is re-checked and the results feed the technical documentation.
This service delivers the technical implementation and supporting evidence for high-risk system obligations. The legal conformity assessment, declaration of conformity and any notified-body process remain the responsibility of your legal and compliance function.