Learn

"EU AI Act compliant" is not a thing a tool can sell you

Every few weeks a vendor slaps "EU AI Act compliant" on a landing page. It's a tell. Compliance under the AI Act is a property of your system, your deployment, and your role (provider vs deployer) — a tool can't confer it on you any more than a locksmith can make your building "insurance compliant." So we don't claim it. Here's the honest version of what a tool like Provenant can and can't do for you.

What the Act actually asks for (the parts we touch)

Two obligations are where an action-governance layer is genuinely relevant for high-risk systems:

  • Record-keeping / logging (Art. 12). High-risk AI systems must technically allow for the automatic recording of events over the system's lifetime — traceability appropriate to the system's purpose.
  • Human oversight (Art. 14). High-risk systems must be designed so humans can effectively oversee them — including the ability to intervene, interrupt, or not act on the system's output.

Note what those are: capabilities your system must have and evidence you must be able to produce. Neither is a certificate you buy. (There's more in the Act — risk management, data governance, transparency, conformity assessment — that a governance layer doesn't cover. Don't imply it does.)

What Provenant can support — stated carefully

  • For Art. 12 traceability: Provenant records every governed decision and its outcome to a tamper-evident, hash-chained ledger you can re-derive offline and anchor to a store you control. That's the kind of durable, traceable record-keeping the article is asking a system to be capable of — for the actions routed through Provenant.
  • For Art. 14 human oversight: the hold → human approval workflow (a person must approve a risky action before it executes) is a concrete intervention mechanism — a human in the loop with the ability to not act on the agent's output. Approval through the dashboard binds to an authenticated user; the signed out-of-band link is a bearer capability with no user identity, so govern it accordingly when you rely on it as oversight evidence.

The careful verb is can support. Provenant can be part of how you meet these obligations for the agent-action layer. Whether it's sufficient depends on your system, your risk classification, your deployment, and your role under the Act — which is where the Act places the judgment, not on a vendor's badge.

What Provenant does not do (say it plainly)

  • It does not make you compliant, and we won't say it does.
  • It does not classify your system, run your conformity assessment, or cover the obligations outside the action-governance layer (risk management, data/dataset governance, technical documentation, transparency notices, post-market monitoring).
  • Its ledger proves integrity and continuity of the exported chain — not that every action was recorded, that an action executed downstream, or that no separate history exists. Enforcing mode improves coverage and execution evidence for the path it controls, and external anchors expose rewrites of committed history — but neither makes the ledger prove universal completeness or downstream execution for every entry. An auditor will care about that distinction; get ahead of it.

Why refusing the badge is the point

For a governance and audit product, the fastest way to lose a serious buyer is to overclaim on the one axis they're paid to scrutinize. A compliance officer who reads "EU AI Act compliant" on a tool page knows it's not the tool's to give — and now they distrust the rest of your claims too. Saying "here's the specific evidence we help you produce, here's where our responsibility ends and yours begins" is both more accurate and more persuasive to the person who actually signs off.

If you need a one-liner for your own compliance narrative:

Provenant provides tamper-evident, traceable records of agent-action decisions and their reported/observed outcomes (relevant to Art. 12) and a human-approval workflow for risky actions (relevant to Art. 14). It supports the evidence; it does not establish compliance, which depends on our system, deployment, and role under the Act.

How the ledger and approvals work: see the documentation. You can also verify a signed ledger export yourself on the Verify page.

Not legal advice — confirm your obligations and their sufficiency with qualified counsel.

Frequently asked questions

Does Provenant make me EU AI Act compliant?

No — and no tool can. Compliance under the AI Act is a property of your system, your deployment, and your role under the Act (provider vs deployer), so it is not something a vendor can confer. Provenant can support the evidence Articles 12 and 14 call for — tamper-evident records of governed decisions and a human-approval workflow — but whether that is sufficient depends on your system, risk classification, deployment, and role.

What does Article 12 of the EU AI Act ask for?

Record-keeping and logging: high-risk AI systems must technically allow for the automatic recording of events over the system's lifetime — traceability appropriate to the system's purpose. It is a capability your system must have and evidence you must be able to produce, not a certificate you buy.

What does Article 14 of the EU AI Act ask for?

Human oversight: high-risk systems must be designed so humans can effectively oversee them — including the ability to intervene, interrupt, or not act on the system's output. Provenant's hold-for-human-approval workflow is a concrete intervention mechanism of that kind for the actions routed through it.

What does Provenant's ledger prove — and what does it not prove?

It proves integrity and continuity of the exported chain: the entries were not altered and none is missing from that chain, checkable offline with the open-source SDK. It does not by itself prove that every action was recorded, that an action executed downstream, or that no separate history exists. Enforcing mode improves coverage and execution evidence for the path it controls, and external anchors expose rewrites of committed history — but neither makes the ledger prove universal completeness or downstream execution for every entry.

Does the provider vs deployer distinction matter?

Yes. Obligations under the AI Act differ by role — providers and deployers carry different duties — and compliance judgments depend on which role you hold for a given system. A tool cannot determine your role or discharge the obligations attached to it; Provenant's records can serve as evidence within either role's narrative, subject to your own legal assessment.

How does Provenant's approval workflow relate to Article 14 oversight?

The hold → human approval workflow requires a person to approve a risky action before it executes — a human in the loop with the ability to not act on the agent's output. Approval through the dashboard binds to an authenticated user; the signed out-of-band link is a bearer capability with no user identity, so govern it accordingly when you rely on it as oversight evidence.