Aira

EU AI Act — Article 9 (risk management)

Article 9 risk register — how Aira classifies your actions into Annex III categories, renders the register, and persists per-agent risk observations for later queries.

Article 9 of Regulation (EU) 2024/1689 requires a risk management system that identifies, estimates, evaluates, and mitigates risks that a high-risk AI system may pose. Operators must document the controls they have in place for each relevant Annex III category.

Aira's eu_ai_act_art9 report inspects every action in the period, classifies it into one of the Annex III categories, and renders a register with per-category counts, sample actions, and the control statements Aira's policy engine enforces.

Categories

The classifier covers each Annex III high-risk use:

| Category | Annex III § | Risk level |
|---|---|---|
| biometric_identification | 1 | high |
| critical_infrastructure | 2 | high |
| education_vocational | 3 | high |
| employment_hr | 4 | high |
| essential_services | 5 | high |
| law_enforcement | 6 | high |
| migration_asylum | 7 | high |
| justice_democracy | 8 | high |
| other | | low |

Classification is keyword-based on action_type and deterministic — the same inputs always produce the same category. To override, set metadata.art9_category on the AgentAction when you log it; the mapper honors the override.

Output formats

The report produces three artifacts:

  1. PDF risk register — per-category sections with counts, sample action IDs, and the control statements Aira enforces for that category. Signed with Ed25519, optionally timestamped (RFC 3161).
  2. CSV export — one row per action (columns: action_uuid, action_type, agent_id, category, risk_level, receipt_hash, signature, created_at). Spreadsheet-friendly for auditor review.
  3. Structured metadata: report_metadata.categories on the report row, keyed by category, with counts and sample IDs.

Persisted per-agent observations

When the report generates, Aira also inserts one article9_risk_categories row per (agent_id, category) pair observed. That table is the queryable audit trail — callers can ask "what was agent X's risk profile in Q1 2026?" without regenerating the PDF:

GET /api/v1/compliance/reports/article9/categories?agent_id=bot-a&period_start=2026-01-01T00:00:00Z&period_end=2026-03-31T23:59:59Z

Response:

{
  "items": [
    {
      "id": "...",
      "compliance_report_id": "...",
      "agent_id": "bot-a",
      "category": "employment_hr",
      "risk_level": "high",
      "period_start": "2026-01-01T00:00:00Z",
      "period_end": "2026-03-31T23:59:59Z",
      "action_count": 412,
      "sample_action_ids": ["...", "...", "..."],
      "distinct_action_types": ["hr_review_candidate", "performance_review"],
      "created_at": "..."
    }
  ],
  "total": 1,
  "request_id": "req_..."
}

Filters: agent_id, category, period_start, period_end. Period filters match any row whose window overlaps the requested range, so a Q1 search finds every report that covered any part of Q1 — not just reports whose own period was exactly Q1.
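The overlap matching described above, reproduced client-side as an added example (not Aira's own code). The rows are constructed, the field names come from the response shown earlier, and inclusive window bounds are an assumption. It separates counts from reports that sit inside the requested range from counts of reports that spill past it.

```python
from datetime import datetime

def ts(value):
    # Parse the timestamp style used on this page, e.g. "2026-01-01T00:00:00Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def overlaps(r, start, end):
    # Windows overlap when each one starts no later than the other ends.
    # Inclusive bounds are an assumption; the page does not define edge handling.
    return ts(r["period_start"]) <= ts(end) and ts(r["period_end"]) >= ts(start)

def contained(r, start, end):
    # True when the report window lies entirely inside the requested range.
    return ts(r["period_start"]) >= ts(start) and ts(r["period_end"]) <= ts(end)

def risk_profile(rows, agent_id, start, end):
    """Per-category summary of the rows an overlap query would match for one agent."""
    profile = {}
    for r in rows:
        if r["agent_id"] != agent_id or not overlaps(r, start, end):
            continue
        entry = profile.setdefault(r["category"], {
            "risk_level": r["risk_level"], "reports": 0,
            "count_in_range": 0, "count_spilling": 0,
        })
        entry["reports"] += 1
        # Counts from windows that extend past the range include out-of-range actions.
        bucket = "count_in_range" if contained(r, start, end) else "count_spilling"
        entry[bucket] += r["action_count"]
    return profile

def sample_row(agent_id, category, risk_level, start, end, count):
    # Constructed sample row using field names from the response shown above.
    return {"agent_id": agent_id, "category": category, "risk_level": risk_level,
            "period_start": start, "period_end": end, "action_count": count}

Q1 = ("2026-01-01T00:00:00Z", "2026-03-31T23:59:59Z")
ROWS = [  # constructed data, not real Aira output
    sample_row("bot-a", "employment_hr", "high", *Q1, 412),
    sample_row("bot-a", "employment_hr", "high", "2025-12-01T00:00:00Z", "2026-01-31T23:59:59Z", 90),
    sample_row("bot-a", "other", "low", "2026-04-01T00:00:00Z", "2026-06-30T23:59:59Z", 7),
    sample_row("bot-b", "law_enforcement", "high", *Q1, 3),
]

if __name__ == "__main__":
    for category, entry in risk_profile(ROWS, "bot-a", *Q1).items():
        print(category, entry)
```

Because each row's action_count covers that report's whole window, a sum over overlap-matched rows can include actions outside the requested range, and reports whose windows overlap each other can count the same actions twice. Treat a summed action_count as an upper bound unless every matched window is contained and disjoint.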

Generate

Python:

from aira import Aira, FRAMEWORK_ART9

client = Aira(api_key="aira_live_...")

report = client.create_compliance_report(
    framework=FRAMEWORK_ART9,
    period_start="2026-01-01T00:00:00Z",
    period_end="2026-03-31T23:59:59Z",
)
pdf = client.download_compliance_report(report.id)

JavaScript:

import { Aira, FRAMEWORK_ART9 } from "aira-sdk";

const aira = new Aira({ apiKey: "aira_live_..." });

const report = await aira.createComplianceReport({
  framework: FRAMEWORK_ART9,
  periodStart: "2026-01-01T00:00:00Z",
  periodEnd: "2026-03-31T23:59:59Z",
});

curl:

curl -X POST https://api.airaproof.com/api/v1/compliance/reports \
  -H "Authorization: Bearer $AIRA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "framework": "eu_ai_act_art9",
    "period_start": "2026-01-01T00:00:00Z",
    "period_end": "2026-03-31T23:59:59Z"
  }'

Verify

Same verify endpoint and flow as every other compliance report:

curl https://api.airaproof.com/api/v1/compliance/reports/{id}/verify \
  -H "Authorization: Bearer $AIRA_API_KEY"

Pairing

Annex IV §4 (the technical documentation file) references Article 9 rather than duplicating its content. Generate both over the same reporting period so an auditor can cross-read them.
