KAKUNIN

EU AI Act Implementation Checklist

This checklist maps each EU AI Act article to concrete implementation steps with Kakunin. Work through it sequentially when onboarding a high-risk AI system. Each item includes the specific API call or code pattern that satisfies the obligation.

For the conceptual overview, see KYC for AI Agents. For the article-to-feature mapping table, see Regulatory Mapping Matrix.


Article 9 — Risk Management System

Obligation: Continuously identify, analyse, evaluate, and mitigate risks throughout the system lifecycle.

const agent = await kakunin.agents.create({
  name: 'loan-decisioning-v3',
  metadata: {
    version: '3.1.0',
    model: 'claude-3-5-sonnet',
    framework: 'langchain@0.2.1',
    operator: 'Acme Bank SA',
    purpose: 'credit_risk_assessment',
    annex_iii_category: 'creditworthiness',  // Article 6(2) high-risk category
  },
});

await kakunin.monitoring.setBaseline(agent.id, {
  decisionsPerHour: { p50: 120, p99: 300 },
  approvalRate: { expected: 0.65, tolerance: 0.15 },
  averageLatencyMs: { p95: 800 },
});

// After each agent decision:
const score = await kakunin.events.ingest({
  agent_id: agent.id,
  action_type: 'decision.credit_assessment',
  payload_hash: sha256(JSON.stringify(decisionPayload)),
  metadata: { outcome: 'approved', score: 0.72 },
});

// score.risk_score < 0.3  → low
// score.risk_score >= 0.3 → medium  (log for review)
// score.risk_score >= 0.75 → pre-revocation warning
// score.risk_score >= 0.85 → auto-revocation

Article 10 — Data Governance

Obligation: Training data must be relevant, representative, and free from errors that could affect compliance.

await kakunin.agents.update(agent.id, {
  metadata: {
    ...agent.metadata,
    training_dataset: {
      name: 'eu-credit-dataset-2025',
      version: '4.2',
      hash_sha256: 'a3f8c91d...',      // hash of dataset at training time
      bias_audit_ref: 'AUDIT-2025-047',
      last_validated: '2026-03-01',
    },
  },
});

// When retraining on a new dataset, don't mutate the existing agent's record:
// create a new agent version so earlier decisions stay tied to the dataset they used.
// updatedMetadata is the metadata object above with the new training_dataset entry.
const agentV4 = await kakunin.agents.create({
  name: 'loan-decisioning-v4',  // bump version
  metadata: { ...updatedMetadata, supersedes: agent.id },
});

Article 11 — Technical Documentation

Obligation: Technical documentation proving conformity must be drawn up before the system is placed on the market.

curl -X POST https://api.kakunin.ai/v1/compliance/bundle \
  -H "Authorization: Bearer $KAKUNIN_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "agent_id": "agent_abc123",
    "regulations": ["eu-ai-act"],
    "format": "pdf"
  }'

# Returns signed S3 URL to ZIP containing:
# - Certificate chain PEM
# - Signed metadata snapshot
# - Regulatory mapping index
# - Behavioral baseline profile

Article 12 — Automatic Logging

Obligation: High-risk AI systems must automatically log events sufficient for post-incident reconstruction.

// Middleware pattern — runs before any agent action reaches your business logic
async function withAuditLog<T>(
  agentId: string,
  actionType: string,
  fn: () => Promise<T>,
  metadata?: Record<string, unknown>
): Promise<T> {
  const start = Date.now();
  let result: T;
  let error: unknown;

  try {
    result = await fn();
    return result;
  } catch (e) {
    error = e;
    throw e;
  } finally {
    await kakunin.events.ingest({
      agent_id: agentId,
      action_type: actionType,
      payload_hash: sha256(JSON.stringify(metadata ?? {})),  // metadata is optional; hash an empty object rather than `undefined`
      metadata: {
        ...metadata,
        duration_ms: Date.now() - start,
        outcome: error ? 'error' : 'success',
        error_code: error instanceof Error ? error.message : undefined,
      },
    });
  }
}

// Usage:
const decision = await withAuditLog(
  agent.id,
  'decision.credit_assessment',
  () => runCreditModel(application),
  { application_id: application.id }
);

# Confirm the project's log storage is write-once with the required retention:
curl https://api.kakunin.ai/v1/project/storage-policy \
  -H "Authorization: Bearer $KAKUNIN_API_KEY"
# Expect: { "worm": true, "retention_days": 1825 }  (5 years, Article 12 minimum)
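Every payload_hash on this page is computed as sha256 over JSON.stringify, which is not canonical: the same logical payload with keys in a different order yields a different hash, so an auditor re-deriving the hash from a stored record can get a mismatch that looks like tampering. The following is an added example (not Kakunin's own code) that sorts keys at every depth before hashing; the sample decision payloads are constructed.

```typescript
import { createHash } from 'node:crypto';

type Json = null | boolean | number | string | Json[] | { [k: string]: Json };

// Serialise with object keys sorted at every depth. Array order is kept,
// because for arrays the order is part of the meaning.
export function canonicalJson(value: Json): string {
  if (value === null || typeof value !== 'object') {
    return JSON.stringify(value);
  }
  if (Array.isArray(value)) {
    return '[' + value.map(canonicalJson).join(',') + ']';
  }
  const keys = Object.keys(value).sort();
  return (
    '{' +
    keys.map((k) => JSON.stringify(k) + ':' + canonicalJson(value[k])).join(',') +
    '}'
  );
}

// Drop-in replacement for sha256(JSON.stringify(payload)) in the ingest calls above.
export function payloadHash(value: Json): string {
  return createHash('sha256').update(canonicalJson(value), 'utf8').digest('hex');
}

// Constructed sample payloads: identical content, different key order.
export const decisionA: Json = { application_id: 'APP-0001', outcome: 'approved', score: 0.72 };
export const decisionB: Json = { score: 0.72, outcome: 'approved', application_id: 'APP-0001' };

// The naive approach: two different hashes for one decision.
export function naiveHashesDiffer(): boolean {
  const a = createHash('sha256').update(JSON.stringify(decisionA)).digest('hex');
  const b = createHash('sha256').update(JSON.stringify(decisionB)).digest('hex');
  return a !== b;
}

// The canonical approach: one hash regardless of key order.
export function canonicalHashesMatch(): boolean {
  return payloadHash(decisionA) === payloadHash(decisionB);
}
```

Store the canonical form (or at least document the canonicalisation rule) alongside the hash, otherwise a reviewer cannot reproduce it during an investigation.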

Article 13 — Transparency

Obligation: High-risk AI systems must be designed so that operation is sufficiently transparent for users to interpret the output.

await kakunin.events.ingest({
  agent_id: agent.id,
  action_type: 'decision.credit_assessment',
  payload_hash: sha256(decisionJson),
  metadata: {
    reasoning_summary: decision.chain_of_thought_summary,
    input_features_used: ['income', 'debt_ratio', 'employment_duration'],
    confidence: 0.87,
    human_readable_explanation: 'Approved based on income:debt ratio of 3.2, stable employment >2 years.',
  },
});

// Internal API for compliance officers
const logs = await kakunin.auditLog.query({
  agent_id: agentId,
  from: '2026-01-01',
  to: '2026-05-28',
  action_type: 'decision.credit_assessment',
  limit: 1000,
});

Article 14 — Human Oversight

Obligation: High-risk AI systems must be designed to be effectively overseen by natural persons.

// Route for your internal admin panel:
export async function POST(req: NextRequest) {
  const { agentId, reason } = await req.json();
  await kakunin.agents.pause(agentId, { reason, pausedBy: adminUserId });
  // All further agent API calls return 403 until resumed
  return NextResponse.json({ status: 'paused' });
}

await kakunin.certificates.revoke(agentId, {
  reason: 'human_override',
  revokedBy: adminUserId,
  incidentRef: 'INC-2026-0042',
});
// Revocation propagates via CRL/OCSP in < 100 ms

// In your decision logic:
if (decision.amount > humanApprovalThreshold) {
  await kakunin.decisions.requestHumanApproval({
    agent_id: agentId,
    decision_payload: decision,
    notify: ['compliance@yourcompany.com'],
    timeout_hours: 24,
  });
  return { status: 'pending_human_review' };
}

Article 15 — Accuracy, Robustness, Cybersecurity

Obligation: High-risk AI systems must achieve appropriate levels of accuracy and be resilient to errors, faults, and inconsistencies.

const cert = await kakunin.agents.getCertificate(agent.id, {
  validityDays: 90,
  scope: { actions: agentActions, maxTransactionValue: 10000 },
});

// kms_key_arn stored in DB — private key never leaves KMS
// certificate_pem passed to agent at runtime
const { kms_key_arn, certificate_pem, serial_number } = cert;

# Python SDK — enforce certificate scope on the decision function
@verify_agent_scope(required_scope="decision:credit_assessment")
async def run_credit_model(application: Application) -> Decision:
    ...

await kakunin.project.setRiskPolicy({
  preRevocationWarning: 0.75,   // triggers webhook + notification
  autoRevocation: 0.85,          // immediate certificate revocation
  anomalyWindowMinutes: 60,      // rolling window for score calculation
});

Article 17 — Quality Management System

Obligation: Providers of high-risk AI systems shall put a quality management system in place.

await kakunin.agents.update(agent.id, {
  metadata: {
    governance: {
      board_approved_date: '2026-04-15',
      approver_name: 'Chief Risk Officer',
      next_review_date: '2026-10-15',
      change_control_ref: 'CCR-2026-019',
    },
  },
});

// Weekly compliance digest sent to your team
await kakunin.reports.schedule({
  agent_ids: [agent.id],
  frequency: 'weekly',
  recipients: ['cro@yourcompany.com', 'compliance@yourcompany.com'],
  include: ['risk_score_trend', 'decision_volume', 'anomaly_count', 'cert_expiry'],
});

Pre-Go-Live Verification Commands

Run these before every production deployment:

# 1. Confirm agent is registered and active
curl https://api.kakunin.ai/v1/agents/$AGENT_ID \
  -H "Authorization: Bearer $KAKUNIN_API_KEY" \
  | jq '{id, name, status, metadata}'

# 2. Confirm certificate is valid and not expired
curl https://api.kakunin.ai/v1/agents/$AGENT_ID/certificate \
  -H "Authorization: Bearer $KAKUNIN_API_KEY" \
  | jq '{status, serial_number, expires_at, scope}'

# 3. Confirm WORM logging is enabled
curl https://api.kakunin.ai/v1/project/storage-policy \
  -H "Authorization: Bearer $KAKUNIN_API_KEY" \
  | jq '.worm'  # must be true

# 4. Confirm behavioral baseline is set
curl https://api.kakunin.ai/v1/agents/$AGENT_ID/baseline \
  -H "Authorization: Bearer $KAKUNIN_API_KEY" \
  | jq '.configured'  # must be true

# 5. Test revocation round-trip
curl -X POST https://api.kakunin.ai/v1/sandbox/simulate-revocation \
  -H "Authorization: Bearer $KAKUNIN_API_KEY" \
  -d "{\"agent_id\": \"$AGENT_ID\"}" \
  | jq '.propagation_ms'  # must be < 1000