Compliance positioning · EU AI Act

Does Runtime Governance make me EU AI Act compliant?

No.Runtime Governance is not a legal certification, and the EU AI Act does not certify a company, website, or tool as “compliant.” What Runtime Governance does provide is a set of technical controls, enforcement mechanisms, and audit evidence that help organisations meet key obligations for agentic AI systems.

Built for AI deployers, not just AI providers. Most AI-Act tooling targets provider obligations; Runtime Governance also provides the enforcement and evidence controls that support deployer obligations (Article 26) — where most enterprises actually sit.

Primary alignment

  • Article 9Risk Management
  • Article 12Record-Keeping, Logging & Traceability
  • Article 14Human Oversight
  • Article 15Accuracy, Robustness & Cybersecurity

Strong additional alignment

  • Article 26Deployer Obligations
  • Article 19Automatically Generated Logs

How Runtime Governance supports Article 26 (Deployer Obligations)

Article 26 places operational duties on the organisations that deploy high-risk AI systems — human oversight, monitoring, acting on risk, and keeping logs. Runtime Governance provides enforcement and evidence controls that support those duties:

Pre-execution controlsUnsafe agent actions are blocked before they run — operationalising the duty to operate the system safely and under oversight (Art 26(1)–(2)).
Human review visibilityBorderline trajectories are surfaced and escalated for human review, supporting oversight by assigned, competent persons (Art 26(2)).
Replayable audit evidenceEvery decision is reproducible with an attestation, supporting the duty to keep the system's automatically generated logs (Art 26(6)).
Deterministic decision recordsEach ALLOW / BLOCK is a deterministic, attributable record — traceable evidence of how the system was operated.
Risk exposure mappingContinuous mapping of which trajectories can reach forbidden states, supporting the duty to monitor operation and act on risk (Art 26(5)).
Runtime monitoring evidenceOngoing runtime logs and metrics, supporting the duty to monitor operation and inform the provider of any risk (Art 26(5)).

Supporting alignment

  • Article 72Post-Market Monitoring
  • Article 13Transparency
  • Article 21Cooperation with Authorities
  • Article 17Quality Management (support)

Runtime Governance provides

  • Pre-execution risk controls
  • Deterministic ALLOW / BLOCK enforcement
  • Replayable audit trails
  • Trajectory-level traceability
  • Human-review visibility
  • Verifiable governance evidence

What it does not provide

  • Legal classification of your AI system
  • Conformity assessments
  • Quality management systems (QMS)
  • Regulatory registration
  • Legal advice
“Runtime Governance provides the enforcement and audit-trail controls that help organisations demonstrate compliance with EU AI Act Articles 9, 12, 14 and 15 for agentic AI systems — with replayable evidence for every governed decision.”

Compliance is ultimately a legal determination based on a specific AI system and deployment context. Runtime Governance acts as a technical control and evidence layer within a broader compliance programme.

At a glance

CapabilityRuntime Governance
Pre-execution controls
Audit evidence
Traceability
Human oversight support
Risk management support
Legal certification
Conformity assessment
Legal advice

Related Governance & Risk Framework Alignment

Runtime Governance provides enforcement, evidence, traceability and audit-trail controls that may support organisations operating under broader governance, risk and compliance frameworks. Runtime Governance is not a certification and does not claim compliance with any of these frameworks.

Governance & compliance frameworks

For risk, audit & compliance teams

Strong alignment

NIST AI RMFSupports
NIST AI Risk Management Framework
Risk identificationMonitoringOversightOperational controlsTraceability
ISO/IEC 42001Supports
AI management system
MonitoringRisk controlsEvidence generationAuditability

Supporting alignment

ISO/IEC 23894Supports
AI risk management guidance
Risk identificationRisk-treatment controlsMonitoring evidence
SOC 2Supports
Trust Services Criteria
SecurityProcessing integrityAudit evidence
NIS2Supports
EU network & information security directive
Operational resilienceMonitoringGovernance visibility
DORASupports
Digital Operational Resilience Act
Risk managementOperational resilienceMonitoring evidence
GDPRSupports
General Data Protection Regulation (supporting only)
AccountabilityTraceabilityAudit evidence

Threat & security frameworks

For security & AI red-team teams

Supporting alignment

MITRE ATLASSupports
Adversarial threat landscape for AI systems
Adversarial-behaviour controlsPre-execution mitigationEvidence of testing
OWASP — LLM & Agentic AISupports
Top-10 threats for LLM / agentic applications
Excessive-agency controlSensitive-data egress controlPre-execution enforcement evidence

Not claimed

  • Certification or conformity assessment under any framework (e.g. ISO 42001 / ISO 27001 certificates, SOC 2 report issuance, CE marking)
  • Training-data governance, dataset bias, or model-provider obligations
  • Regulatory registration or legal classification of your AI system
  • Domain certifications we do not hold (e.g. HIPAA, PCI-DSS, FedRAMP)

Runtime Governance is a technical control and evidence layer. Regulatory compliance remains dependent on the organisation, deployment context, legal obligations, and broader governance programme.

Want to see which obligations apply to your agent? Run the free assessment — it maps your tools to the live Ω catalog and shows the trajectories Runtime Governance would block before execution, with replayable evidence.