The 10 Most Common EU AI Act Violations (and How to Fix Them)

High-risk AI systems are required to automatically log events during their operation. This is one of the most frequently missing technical controls — most teams instrument their training pipelines but not their production inference API. Events that must be logged include: input received, output generated, confidence/uncertainty score, timestamp, and user/session identifier.

Fix: Add a structured logging middleware to your inference endpoint. Log to a tamper-evident store (append-only S3 bucket, CloudWatch Logs with object locking, or an immutable audit log service). Retain logs for a minimum of 6 months; 1 year if the system makes decisions with significant individual impact.

Annex IV specifies 11 required documentation elements including: intended purpose, system architecture, training methodology, performance metrics on representative test datasets, known limitations, and the post-market monitoring plan. Most teams have partial documentation — architectures are current but performance baselines and limitation disclosures are missing.

Fix: Use the Annex IV checklist as a literal template. Create a documentation artefact for each of the 11 elements. Store in version control alongside the model. Treat it as a living document: update on every significant model change.

Article 14 requires that high-risk AI systems be designed to allow effective human oversight including the ability to intervene, override, or stop the system. Many systems are deployed with no accessible override path — the AI decision simply executes without a human review step or stop mechanism.

Fix: Implement a human-in-the-loop review queue for high-stakes decisions (rejections, sanctions, eligibility decisions). Add an accessible kill switch accessible to a named human operator. Document the override procedure in your technical documentation and test it quarterly.

Any AI system that interacts with natural persons must disclose that it is an AI — unless this is obvious from context. This is not limited to high-risk systems; it applies to all chatbots, virtual assistants, and customer service AI at the moment of interaction. Many products display the disclosure only in their terms of service or FAQ, which does not satisfy the requirement.

Fix: Add a persistent, visible disclosure at the start of every conversation session. Example: 'This response is generated by an AI assistant. You are not speaking with a human.' The disclosure must appear proactively, not only when requested.

Article 9 requires an establishable, documented, iterative risk management process covering risk identification, estimation across intended and foreseeable misuse, and the adoption of risk mitigations. The most common gap: teams have a penetration testing report but no structured risk register covering AI-specific risks (bias, robustness, drift).

Fix: Implement a risk register in a document or risk management tool. Create an entry for each identified risk with: description, severity, likelihood, current controls, residual risk, and owner. Review and update quarterly. This document will be the first thing market surveillance authorities request.

Article 10 requires that training, validation, and testing datasets be subject to data governance practices, including documentation of data collection methodology, labelling processes, potential biases, and known limitations. Most teams have model cards but not dataset cards, and those that have dataset cards often omit bias documentation.

Fix: Create a dataset card for each dataset used in training, validation, and testing. At minimum document: source, collection method, demographic representation, known biases, preprocessing steps applied, and any exclusions. Reference Hugging Face's Dataset Card template as a practical starting point.

Providers of high-risk AI systems must supply deployers with instructions for use that include: system capabilities and limitations, expected performance across demographic groups, circumstances under which the system may fail or produce inaccurate outputs, and human oversight recommendations. Many providers include this information in engineering documentation but do not provide it in an accessible format to deployers.

Fix: Create a standalone 'Instructions for Use' document (not a README; a user-facing document) that covers all Article 13(3) requirements. Include it in your product onboarding flow and ensure deployers sign acknowledgment of receipt.

Article 15 requires high-risk AI systems to achieve appropriate levels of accuracy, robustness, and cybersecurity, and for accuracy levels to be declared. The failure mode here is not low accuracy — it is undocumented accuracy. Systems go to production without baseline performance metrics that could be referenced in post-market monitoring.

Fix: Before each production deployment, run your test suite, record metrics (precision, recall, F1 or equivalent for your task type), and store the results alongside the model version. Include disaggregated metrics by demographic subgroup where the application affects people. Report these metrics in your Annex IV documentation.

Post-market monitoring is not optional for high-risk AI systems — it is a mandatory, documented, continuous activity. The most common gap: organisations perform informal monitoring (engineers check dashboards) but have no written plan specifying what is monitored, at what frequency, what triggers a review, and who is responsible.

Fix: Document a post-market monitoring plan covering: performance KPIs tracked in production, drift detection methodology, data collection from deployers, review frequency, escalation triggers, and incident notification procedure. The plan must reference the serious incident reporting timeline of 15 days to the national authority.

Providers of high-risk AI systems in categories listed in Annex III must register their systems in the EU AI Act database maintained by the European AI Office before placing the system on the market. As of 2026, many providers are unaware this requirement exists or have deferred registration.

Fix: Register your system at the EU AI Act database portal. You will need your technical documentation, declaration of conformity, and CE marking details. Assign a person responsible for keeping the registration current and for filing serious incident reports.