HATS / EU AI Act Crosswalk
1. Scope
This crosswalk maps HATS capabilities to the obligations imposed by the EU AI Act on providers and deployers of high-risk AI systems (Title III, Chapter 2). The EU AI Act entered into force on 1 August 2024 with a phased compliance timeline. Requirements for high-risk AI systems apply from 2 August 2026.
HATS capabilities address the technical documentation, record-keeping, transparency, human oversight, and post-market monitoring requirements. This crosswalk does not address prohibited AI practices (Title II), general-purpose AI model obligations (Title IIIA), or governance and enforcement provisions (Titles VI-XII).
This crosswalk is a technical mapping. It does not constitute a conformity assessment under Article 43 or replace the obligations of a notified body.
2. Risk Management (Article 9)
| Article | HATS Capability | Evidence Type | Verification Method |
|---|---|---|---|
| Art. 9(1) Risk management system establishment | Governance Replay | Risk management decision attestation receipts recording methodology and risk criteria | Replay risk management decisions to verify systematic approach was followed |
| Art. 9(2) Continuous iterative process | Continuous Attestation + Evidence Chains | Continuous risk assessment attestation chain spanning the system lifecycle | Traverse evidence chain to verify risk assessments occur at defined intervals throughout operation |
| Art. 9(5) Testing for risk management | Evidence Chains | Test execution attestation receipts linked to risk assessment findings | Verify test receipts exist for each identified risk; confirm predecessor hash linkage to risk assessments |
| Art. 9(8) Residual risk communication | Independent Verification | Residual risk disclosure attestation receipts verifiable by deployers | Deployers verify risk disclosure receipts using published public keys |
3. Data and Data Governance (Article 10)
| Article | HATS Capability | Evidence Type | Verification Method |
|---|---|---|---|
| Art. 10(2) Data governance and management practices | Evidence Chains | Data governance event attestation chain recording data lineage decisions | Traverse data governance chain; verify each data handling decision was attested |
| Art. 10(3) Training data relevance and representativeness | Continuous Attestation | Training data validation attestation receipts | Verify training data assessment receipts cover stated validation criteria |
| Art. 10(5) Personal data processing for bias detection | Encrypted Computation | FHE computation attestation receipts demonstrating bias detection on encrypted data | Verify computation_type indicates FHE operation; confirm data never exposed in plaintext during analysis |
4. Technical Documentation (Article 11)
| Article | HATS Capability | Evidence Type | Verification Method |
|---|---|---|---|
| Art. 11(1) Technical documentation drawn up before market placement | Evidence Chains | Documentation version attestation chain recording each documentation state | Verify attestation chain shows documentation existed before market placement timestamp |
| Art. 11(1) Kept up to date | Continuous Attestation | Periodic documentation state attestation receipts | Verify documentation attestation continuity; confirm updates attested within SLA |
5. Record-Keeping (Article 12)
| Article | HATS Capability | Evidence Type | Verification Method |
|---|---|---|---|
| Art. 12(1) Automatic recording of events (logs) | Continuous Attestation | Per-event attestation receipt stream with cryptographic binding | Verify receipt stream covers all system events; confirm no gaps in attestation coverage |
| Art. 12(2) Traceability of AI system functioning | Evidence Chains + Agent Attestation | Tamper-evident evidence chain of all AI operations with per-action attestation | Traverse evidence chain; verify each operation is individually attested with causal linkage |
| Art. 12(3) Logs retention for appropriate period | Evidence Chains | Immutable attestation receipt archive with cryptographic integrity | Verify chain integrity from earliest receipt to current; confirm no receipts deleted or modified |
6. Transparency (Article 13)
| Article | HATS Capability | Evidence Type | Verification Method |
|---|---|---|---|
| Art. 13(1) Designed to allow interpretation of output | Agent Attestation + Governance Replay | Per-decision attestation receipts recording inputs, policy context, and outputs | Replay agent decisions; verify input-output pairs are consistently attested |
| Art. 13(3)(b) Capabilities and limitations | Independent Verification | Capability boundary attestation receipts verifiable by deployers | Deployers verify capability attestation receipts independently |
| Art. 13(3)(d) Expected lifetime and maintenance | Evidence Chains | Lifecycle attestation chain recording operational state over time | Traverse lifecycle chain to verify operational continuity and maintenance records |
7. Human Oversight (Article 14)
| Article | HATS Capability | Evidence Type | Verification Method |
|---|---|---|---|
| Art. 14(1) Designed for effective human oversight | Agent Attestation | Human oversight event attestation receipts recording each human intervention point | Verify oversight receipts exist at defined intervention points; confirm human identity binding |
| Art. 14(4)(a) Understanding AI system capabilities | Governance Replay | Capability assessment attestation receipts with governance binding | Replay capability assessments; verify governance context includes human oversight acknowledgment |
| Art. 14(4)(b) Awareness of automation bias | Agent Attestation + Evidence Chains | Bias monitoring attestation chain with per-decision agent attestation | Traverse bias monitoring chain; verify human review points are attested at defined intervals |
| Art. 14(4)(d) Ability to decide not to use or override | Governance Replay | Override decision attestation receipts recording human override events | Replay override decisions; verify human authority was exercised and attested |
| Art. 14(4)(e) Ability to intervene or interrupt | Continuous Attestation | Intervention event attestation receipts with sub-second timestamps | Verify intervention receipts demonstrate system responded to human interruption within SLA |
8. Accuracy, Robustness, and Cybersecurity (Article 15)
| Article | HATS Capability | Evidence Type | Verification Method |
|---|---|---|---|
| Art. 15(1) Appropriate level of accuracy | Continuous Attestation | Accuracy measurement attestation receipts at defined intervals | Verify accuracy measurement continuity; confirm measurements attested against stated thresholds |
| Art. 15(3) Resilience against errors, faults, inconsistencies | Evidence Chains | Robustness test attestation chain recording test results over time | Traverse test result chain; verify robustness testing coverage matches stated methodology |
| Art. 15(4) Cybersecurity measures | Continuous Attestation + Encrypted Computation | Security control attestation receipts; FHE computation receipts demonstrating data protection | Verify security control attestation continuity; confirm encrypted computation where required |
9. Post-Market Monitoring (Article 72)
| Article | HATS Capability | Evidence Type | Verification Method |
|---|---|---|---|
| Art. 72(1) Post-market monitoring system | Continuous Attestation | Post-deployment attestation receipt stream covering all production operations | Verify attestation stream continuity from deployment date; confirm no monitoring gaps |
| Art. 72(3) Active and systematic data collection | Evidence Chains | Systematic data collection attestation chain with configurable sampling | Verify data collection attestation coverage; confirm sampling methodology is attested |
| Art. 72(4) Analysis of collected data | Governance Replay + Agent Attestation | Data analysis decision attestation receipts with governance binding | Replay analysis decisions; verify conclusions are bound to attested data collection events |
10. Coverage Notes
HATS capabilities provide technical evidence relevant to Articles 9-15 and 72 of the EU AI Act. The following EU AI Act obligations are outside the scope of HATS technical capabilities and require separate organizational measures: conformity assessment procedures (Article 43), EU declaration of conformity (Article 47), CE marking (Article 48), registration obligations (Article 49), and serious incident reporting (Article 73).
For AI systems using HATS agent attestation, the per-action attestation receipts provide the granularity of record-keeping anticipated by the EU AI Act. Each agent tool invocation, LLM call, and output generation is individually attested with three post-quantum signatures, producing the "automatic recording of events" required by Article 12.
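The chain checks named as verification methods in Sections 2 and 5 (predecessor hash linkage, no receipts deleted or modified, no gaps in coverage) can be illustrated with the following added example, which is not HATS code and does not use the HATS receipt format. The field names (`seq`, `timestamp`, `action`, `predecessor_hash`), the SHA-256 over canonical JSON, the all-zero genesis value, and the independently stored head hash are assumptions made for illustration; signature verification is omitted.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed predecessor value for the first receipt


def receipt_hash(receipt):
    """SHA-256 over a canonical JSON encoding (assumed canonicalisation)."""
    body = json.dumps(receipt, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def build_chain(events):
    """Build constructed sample data: each receipt commits to its predecessor."""
    chain, prev = [], GENESIS
    for seq, (ts, action) in enumerate(events):
        receipt = {"seq": seq, "timestamp": ts, "action": action,
                   "predecessor_hash": prev}
        chain.append(receipt)
        prev = receipt_hash(receipt)
    return chain


def verify_chain(chain, head_hash, max_gap_seconds):
    """Return a list of findings; an empty list means the chain verified."""
    findings, prev, prev_ts = [], GENESIS, None
    for i, r in enumerate(chain):
        if r["predecessor_hash"] != prev:
            findings.append(f"receipt {i}: predecessor hash mismatch")
        if r["seq"] != i:
            findings.append(f"receipt {i}: sequence number {r['seq']} out of order")
        if prev_ts is not None and r["timestamp"] - prev_ts > max_gap_seconds:
            findings.append(f"receipt {i}: coverage gap of {r['timestamp'] - prev_ts}s")
        prev, prev_ts = receipt_hash(r), r["timestamp"]
    # Linkage alone cannot reveal removal of the newest receipts, so the
    # computed head is compared with a head hash held outside the archive.
    if prev != head_hash:
        findings.append("head hash mismatch: chain truncated or last receipt altered")
    return findings


# Constructed sample events: (unix timestamp, action)
EVENTS = [(1000, "llm_call"), (1030, "tool_invocation"),
          (1060, "output_generation"), (1090, "human_override")]
CHAIN = build_chain(EVENTS)
HEAD = receipt_hash(CHAIN[-1])
```

A modified receipt surfaces as a mismatch at its successor, a deleted receipt as a linkage, sequence and gap finding, and a truncated tail only through the head hash comparison.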