EU AI Act
How Nexus maps to Articles 5, 10, 12, 15, 26, 43, and 73
Nexus provides infrastructure controls that map to high-risk AI system obligations under the EU AI Act. This page summarizes the mapping for compliance officers and legal teams.
This mapping is product documentation, not legal advice. Engage qualified counsel for conformity assessments.
Summary matrix
| Article | Requirement | Nexus control |
|---|---|---|
| Art. 5 | Prohibited practices | NPL rules block prohibited tool classes (e.g. social scoring patterns, covert manipulation payloads) |
| Art. 10 | Data governance | Tenant RLS, data classification on tool metadata, connector sandboxing |
| Art. 12 | Record-keeping | Hash-chained audit trail, 7-year retention |
| Art. 15 | Accuracy, robustness, cybersecurity | Fail-closed policy gate, Kill Switch v2, MFA on operator console |
| Art. 26 | Deployer obligations | Shadow mode for pre-deployment validation, human takeover hooks |
| Art. 43 | Conformity assessment | Conformity bundle export with manifest hash |
| Art. 73 | Reporting serious incidents | DORA-aligned incident classification, audit export for regulator notification |
Prohibited practices (Article 5)
NPL policy packs can encode deny rules for tool patterns associated with prohibited AI practices. The MCP Gateway inspects execution payloads, not prompts, so blocked actions are evidence-backed with stable rule IDs.
Example policy pin:
hardalion://nato-prou-strict-financial@1.0.0
Record-keeping (Article 12)
Every agent tool call through Nexus produces an append-only audit entry with:
- Timestamp (UTC)
- Agent ID and AgentIAM credential reference
- Tool name, input parameters (masked where sensitive)
- Policy decision and matched rule IDs
- Confidence score and human override flag
To verify the integrity of these entries, see Immutable audit trail.
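To make the hash-chained, append-only property concrete, here is an added example (not Nexus code) that chains audit entries carrying the fields listed above and verifies the chain; the SHA-256-over-previous-hash scheme, the field names and the sample entries are constructed assumptions for illustration only.

```python
import hashlib
import json

# Constructed sample entries with the Article 12 fields listed above.
# Field names are assumptions for this example, not the Nexus wire format.
SAMPLE_ENTRIES = [
    {"ts": "2024-05-01T10:00:00Z", "agent_id": "agent-17", "agent_iam_ref": "aiam://tenant-a/agent-17",
     "tool": "payments.transfer", "params": {"amount": 120.0, "iban": "***masked***"},
     "decision": "deny", "rule_ids": ["NPL-FIN-004"], "confidence": 0.97, "human_override": False},
    {"ts": "2024-05-01T10:00:05Z", "agent_id": "agent-17", "agent_iam_ref": "aiam://tenant-a/agent-17",
     "tool": "crm.lookup", "params": {"customer_id": "c-88"},
     "decision": "allow", "rule_ids": [], "confidence": 0.99, "human_override": False},
    {"ts": "2024-05-01T10:01:00Z", "agent_id": "agent-22", "agent_iam_ref": "aiam://tenant-a/agent-22",
     "tool": "payments.transfer", "params": {"amount": 15.0, "iban": "***masked***"},
     "decision": "allow", "rule_ids": ["NPL-FIN-001"], "confidence": 0.61, "human_override": True},
]

GENESIS = "0" * 64  # assumed anchor for the first record's prev_hash

def canonical(entry: dict) -> bytes:
    # Canonical JSON so the same record always hashes identically.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()

def build_chain(entries: list) -> list:
    """Append each entry with prev_hash and its own hash over (prev_hash || canonical body)."""
    chain, prev = [], GENESIS
    for body in entries:
        h = hashlib.sha256(prev.encode() + canonical(body)).hexdigest()
        chain.append({"body": body, "prev_hash": prev, "hash": h})
        prev = h
    return chain

def verify_chain(chain: list) -> tuple:
    """Return (ok, index); ok is False at the first record whose link or hash fails."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev_hash"] != prev:
            return False, i  # a record was removed or reordered
        if rec["hash"] != hashlib.sha256(prev.encode() + canonical(rec["body"])).hexdigest():
            return False, i  # a past record was edited in place
        prev = rec["hash"]
    return True, len(chain)

if __name__ == "__main__":
    chain = build_chain(SAMPLE_ENTRIES)
    print(verify_chain(chain))                  # (True, 3)
    chain[1]["body"]["human_override"] = True   # silent edit of a past record
    print(verify_chain(chain))                  # (False, 1)
```

Editing, deleting or reordering any past record breaks every later link, which is what lets an auditor trust the export without trusting the storage.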
Deployer workflow (Article 26)
Recommended deployer sequence:
- Register the AI system in the Nexus inventory (/api/v1/compliance/ai-system-inventory)
- Run shadow mode on production-like traffic
- Complete a FRIA where required (POST /api/v1/compliance/fria)
- Export the conformity bundle before go-live
- Enable enforce mode with a pinned policy version
Conformity evidence
Generate a conformity bundle for auditors:
curl -X POST "https://nexus.hardalion.com/api/v1/compliance/export/conformity-bundle" \
-H "Authorization: Bearer $TENANT_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"ai_system_id": "ais_trading_agent_v2",
"include_audit_sample": true
}'
See Compliance exports for Annex IV and deployer pack formats.
Fundamental Rights Impact Assessment
Nexus supports FRIA lifecycle management:
- Create: POST /api/v1/compliance/fria
- Update: PATCH /api/v1/compliance/fria/{id}
- Link to agent executions and audit samples