EU AI Act
EU AI Act readiness for teams operating high-risk AI systems
Guardian helps teams turn EU AI Act obligations into practical monitoring, incident, documentation, and audit workflows for AI systems already in production.
The product page describes the software; methodology covers the metrics and thresholds; the 4-week Readiness Sprint is a common first engagement. Educational guides: post-market monitoring and how to monitor high-risk AI systems.
What the EU AI Act means operationally
For teams operating high-risk AI systems, the EU AI Act is not just a documentation exercise. It creates an ongoing operational expectation: monitor what the system is doing, log incidents, maintain oversight records, and keep evidence ready before someone asks for it.
Most readiness gaps are not about awareness of the law. They are about execution after deployment — when monitoring, incident handling, and evidence maintenance are not yet part of day-to-day operations.
What counts as a high-risk AI system?
Annex III of the EU AI Act lists categories where systems are typically treated as high-risk. The list below is a practical scan; your counsel should confirm how the rules apply to your facts.
- Hiring, HR management, and workforce decisions
- Credit scoring, lending, and insurance underwriting
- Fraud detection and anti-money laundering
- Healthcare diagnostics and triage
- Biometrics and identity verification
- Critical infrastructure
- Public services, benefits, and eligibility decisions
- Border control and law enforcement
If your system materially affects rights, access, eligibility, safety, or legal status, it is likely to require closer review under the EU AI Act.
What teams need to maintain under the EU AI Act
- A clear record of which AI systems are in scope
- Risk management measures and control documentation
- Data governance records
- Technical documentation
- Human oversight procedures and actions
- Post-deployment monitoring records
- Incident logs, traceability, and follow-up records
The challenge is rarely knowing these categories exist. The challenge is maintaining them continuously around a live system.
Why readiness usually breaks down after deployment
Many organisations have at least some documentation from the build or approval phase. The problem begins after go-live.
Once a system is in production, evidence becomes fragmented across tools, teams, and documents. Incidents are logged inconsistently. Oversight actions are hard to reconstruct. When an audit or regulator request appears, teams scramble to rebuild the record.
Guardian is designed to make that record continuous rather than reactive. See the product overview and how a 4-week Readiness Sprint creates a first baseline. For the measurement layer, the methodology page describes defensible monitoring inputs.
What becomes easier with the right monitoring baseline
- Explaining the status of one system to compliance, legal, and leadership
- Showing what monitoring and evidence already exist versus what is missing
- Maintaining incident and oversight records in a more structured way
- Responding faster to audit or regulator questions
- Expanding from one system to a broader readiness model over time
Where Guardian fits in your AI Act readiness programme
Guardian supports the monitoring and evidence layer of AI Act readiness.
It is not a legal advice tool and it does not certify compliance. It helps teams monitor one high-risk AI system in production, maintain incident and oversight records, and keep a defensible evidence trail ready for review.
It is often easiest to start with one real system first through the Readiness Sprint, then extend the same operating model over time. The product page describes what you run week to week; methodology explains the metrics and thresholds.
Frequently asked questions
- What is a high-risk AI system under the EU AI Act?
- High-risk AI systems are defined in Annex III of the EU AI Act. In practice, they include systems used in hiring, credit, fraud, healthcare, biometrics, public services, and other areas where decisions materially affect people.
- What documentation is required for a high-risk AI system?
- Teams typically need technical documentation, data governance records, risk management measures, human oversight procedures, and post-deployment monitoring records. These need to be maintained continuously, not assembled only when review begins.
- What does post-market monitoring mean under the EU AI Act?
- It means actively monitoring how a high-risk AI system behaves after deployment — including drift, incidents, fairness-related issues, and oversight actions — and maintaining records that can be reviewed later.
- How should teams log incidents for high-risk AI systems?
- Incident logs should capture what happened, when it happened, what system was affected, who owned follow-up, what actions were taken, and how the issue was resolved.
- Who inside a company is responsible for EU AI Act readiness?
- In practice, readiness usually spans compliance, risk, legal, and AI/ML teams. Most organisations still need one shared operating record so those teams are not working from fragmented evidence.
- When does the EU AI Act apply?
- The EU AI Act has phased application. For organisations operating systems likely to fall into high-risk categories, the practical work of monitoring, oversight, and evidence readiness should begin now.
Operational readiness, not slides alone
See how the 4-week Readiness Sprint builds a first monitoring and evidence baseline, then what Guardian does in the product. Technical depth lives under methodology.