EU AI Act Articles 9-15: what they actually require and how to prove compliance
Beyond the headlines
The EU AI Act has generated enormous press coverage, most of which focuses on which AI systems are banned or restricted. But for engineering teams building high-risk AI systems, the more important question is: what do Articles 9 through 15 actually require, and what evidence do you need to produce?
This article covers each article in turn. For each one, we explain what it requires, what evidence looks like in practice, and how Ryva generates that evidence automatically.
Article 9: Risk management system
Article 9 requires high-risk AI systems to have a documented risk management system that is continuously updated throughout the system's lifecycle. The risk management system must identify and analyze known and foreseeable risks, estimate and evaluate risks that may emerge when the system is used as intended, and evaluate risks from misuse.
What evidence looks like: A documented risk register, risk assessment methodology, and evidence of ongoing risk evaluation. The system must include testing procedures that address known and foreseeable risks.
How Ryva helps: Ryva's governance report scores your system against Article 9 based on configured test coverage, alignment rules, and documented risk classifications. Run ryva governance report to generate a risk classification and scoring document.
Article 10: Data and data governance
Article 10 requires that training, validation, and testing datasets meet quality standards that are appropriate for the intended purpose. Data governance practices must cover the collection procedures, data preparation procedures, examination for possible biases, and the identification of relevant data gaps.
What evidence looks like: Documentation of data sources, data preparation steps, bias analysis results, and data quality assessments. For retrieval-augmented systems, documentation of the retrieval sources and their provenance.
How Ryva helps: Ryva records all RAG sources used in each agent run and stores them in the lineage record. PII masking status is logged for each run. The governance report includes a data governance section covering configured data sources.
Article 12: Record-keeping
Article 12 requires high-risk AI systems to have logging capabilities that allow for the monitoring of the system's operation after deployment. Logs must allow for the identification of situations that may result in risk, and must be kept for periods appropriate to the intended purpose of the system, with a minimum of six months for most systems.
What evidence looks like: Automated logs for every system run, including timestamps, inputs (or input hashes for privacy), outputs, model versions, and any errors. Logs must be tamper-evident to be credible to regulators.
How Ryva helps: Every Ryva agent run produces a lineage record signed with HMAC-SHA256. The signature covers all fields in the record. Run ryva lineage verify --all to generate a verification report showing that no records have been altered. These records are exportable as part of the audit package.
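The record-signing idea described above, as an added example that is not Ryva's code or record format: each run record is serialized canonically and signed with HMAC-SHA256 over all of its fields, with the input stored only as a hash. The field names, the sample key and the `prev_sig` chaining are assumptions; the chaining goes beyond per-record signing so that deleted or reordered records are also detected.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64                      # chain anchor for the first record
SAMPLE_KEY = b"constructed-demo-key"    # constructed; real keys belong in a KMS/HSM

def mac_record(key: bytes, body: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so equal fields give equal bytes.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def append_record(log, key, timestamp, run_input, output, model_version, error=None):
    body = {
        "seq": len(log),
        "timestamp": timestamp,
        "input_sha256": hashlib.sha256(run_input.encode("utf-8")).hexdigest(),
        "output": output,
        "model_version": model_version,
        "error": error,
        "prev_sig": log[-1]["sig"] if log else GENESIS,
    }
    log.append(dict(body, sig=mac_record(key, body)))  # MAC covers every field
    return log[-1]

def verify_log(log, key):
    """Return (index, reason) findings; an empty list means the log is intact."""
    findings, prev = [], GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "sig"}
        sig = str(rec.get("sig", ""))
        if not hmac.compare_digest(mac_record(key, body), sig):  # constant-time compare
            findings.append((i, "bad signature"))
        if body.get("seq") != i or body.get("prev_sig") != prev:
            findings.append((i, "chain break"))
        prev = sig
    return findings

def build_sample_log(key=SAMPLE_KEY):
    # Constructed sample runs, not real data.
    log = []
    append_record(log, key, "2025-01-01T10:00:00Z", "prompt A", "answer A", "model-v1")
    append_record(log, key, "2025-01-01T10:05:00Z", "prompt B", "answer B", "model-v1")
    append_record(log, key, "2025-01-01T10:09:00Z", "prompt C", "", "model-v1", "timeout")
    return log

if __name__ == "__main__":
    print(verify_log(build_sample_log(), SAMPLE_KEY))
```

A record removed from the end of the log is not visible from the chain alone; storing the latest signature or record count outside the log closes that gap.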
Article 13: Transparency and provision of information
Article 13 requires that high-risk AI systems be designed and developed in a way that ensures their operation is sufficiently transparent that deployers can interpret outputs and use them appropriately. Deployers must receive documentation that allows them to understand the system's capabilities and limitations.
What evidence looks like: A model card for each AI system covering intended purpose, capabilities, limitations, performance metrics, and known biases. This documentation must be kept current throughout the system's lifecycle.
How Ryva helps: The command ryva modelcard generate --agent [name] produces a structured JSON model card covering all Article 13 requirements. The card is versioned alongside lineage records and updated whenever the agent configuration changes.
Article 14: Human oversight
Article 14 requires that high-risk AI systems be designed to allow human oversight. Specifically, people assigned to human oversight must be able to understand the system's capabilities and limitations, be aware of automation bias risks, be able to correctly interpret the system's output, and be able to intervene or interrupt the system.
What evidence looks like: Documentation of human oversight procedures, evidence that override mechanisms exist, and records showing that high-risk decisions were reviewed by appropriate personnel. Alignment rules that block or flag certain outputs demonstrate oversight controls.
How Ryva helps: Ryva's alignment rules run on every agent execution. A failing rule blocks the run and creates a lineage record that flags the failure reason. This demonstrates that human oversight controls are active and tested. The governance report scores Article 14 based on configured alignment rules.
Article 15: Accuracy, robustness, and cybersecurity
Article 15 requires that high-risk AI systems achieve an appropriate level of accuracy, robustness, and cybersecurity. Systems must be resilient to errors, faults, and inconsistencies, and must behave consistently when encountering inputs outside their expected range.
What evidence looks like: Test results across a wide range of inputs including adversarial and edge-case inputs. Continuous testing evidence showing that the system behaves correctly over time, not just at deployment.
How Ryva helps: Ryva's test suite includes nine test types designed to probe robustness. The fuzz testing suite runs 15 input categories including null bytes, injection attacks, unicode edge cases, and malformed inputs. Adversarial probing tests systematic attempts to elicit incorrect or harmful outputs. All results are stored in the lineage record and included in the governance report.
Generating the complete evidence package
To generate a complete EU AI Act evidence package:
ryva governance report
ryva modelcard generate --agent your_agent
ryva audit export
The audit export command produces a zip file containing the governance report, model cards, all verified lineage records, and EU AI Act checklists. This is the package you hand to your legal team and, if required, to regulators.
The key insight is that compliance is not a documentation exercise — it is an evidence exercise. Regulators are not satisfied by policies and procedures documents. They want machine-readable records showing that your systems behaved correctly, consistently, over time. That is what Ryva produces.