High-risk AI obligations under the EU AI Act

The obligations in Articles 9–15 apply primarily to providers— organisations that develop, place on the market, or put into service high-risk AI systems in the EU. A provider is the organisation responsible for the system's design, training, and placement on the market.

Deployers — organisations that use high-risk AI systems in their own operations — have separate obligations under Article 26. These are narrower: ensuring the system is used as intended, implementing technical and organisational measures, monitoring for adverse effects, and reporting serious incidents.

The boundary between provider and deployer can shift. An organisation that makes a substantial modification to a high-risk AI system — retraining it, changing its intended purpose, or integrating it into a new pipeline in a way that changes its risk profile — becomes a provider for that modification and takes on full provider obligations. This is the most commonly overlooked provider scenario in enterprise deployments.

Article 9 requires providers to establish, implement, document, and maintain a risk management system. The system must be a continuous iterative process covering the full lifecycle of the high-risk AI system.

The six substantive requirements of Article 9 — risk identification, risk evaluation, risk treatment, residual risk acceptance, testing, and post-market monitoring — are described in detail in our Article 9 deep-dive. In summary, Article 9 requires documented evidence at each stage: a risk register, a control list linked to identified risks, a residual risk acceptance statement with a named acceptor, and a testing record covering both intended use and foreseeable misuse scenarios.

Annex IV defines the technical documentation that must exist before a high-risk AI system is placed on the market. This documentation must be prepared by the provider and kept up to date throughout the system's lifecycle.

Annex IV covers eight areas: general description of the system, description of the design and development process (including training methodology), system architecture, data governance documentation, performance metrics and validation results, known limitations, and expected lifetime and maintenance requirements.

For a detailed breakdown of each Annex IV requirement and the documentation gaps that appear most often, see our Annex IV technical documentation guide.

Article 10 sets requirements for the training, validation, and testing data used in high-risk AI systems. It requires that data management practices ensure data is relevant, representative, free of errors to the extent possible, and complete for the intended purpose.

Article 10 is structured around five requirements for training data practices:

• Relevant, representative, free of errors, and complete for the intended purpose
• Appropriate statistical properties, including for the persons or groups of persons on which the system will be used
• Examination for possible biases that could lead to risks to health, safety, fundamental rights, or discrimination
• Relevant data protection measures for personal data used in training
• Documentation of the origin, scope, and characteristics of the training dataset

For providers of foundation model-based systems — systems built on top of large pre-trained models — Article 10 data governance documentation requires disclosure from the upstream model provider. This is an area where many organisations have gaps: the foundation model provider's training data disclosure is limited, and the deployer-side documentation cannot fill what the provider has not disclosed.

Article 10 data governance is hardest to satisfy when you are building on top of a model you did not train. The obligation exists regardless of whether the model provider discloses sufficient information — the documentation gap is a control gap.

Article 13 requires providers to ensure that high-risk AI systems are sufficiently transparent to enable deployers to interpret the system's output and use it appropriately. This is achieved through instructions for use — a document that accompanies the system and provides deployers with the information they need.

The instructions for use must cover: the provider's identity and contact details; the system's capabilities and limitations; the level of accuracy and performance metrics; the intended purpose and conditions for use; the data required as input; and any known risks or foreseeable misuse scenarios.

Article 14 requires that high-risk AI systems are designed and developed to allow effective human oversight during the period in which the system is in use. Oversight measures must enable those responsible for the system to understand its capabilities and limitations, monitor its operation, and intervene when necessary.

Article 14(4) specifies that natural persons assigned to human oversight must be able to: interpret the system's output; remain aware of the tendency to over-rely on AI output (automation bias); correctly interpret the system in the specific deployment context; and decide not to use the system or to disregard its output in any particular situation.

The critical evidence requirement for Article 14 is that the override capability exists technically, not just procedurally. A policy that says “humans can override the AI” is not sufficient if the system architecture makes override impractical. The human oversight measures must be built into the system design, and the evidence must demonstrate that the override pathway works.

Article 15 requires that high-risk AI systems achieve an appropriate level of accuracy, robustness, and cybersecurity throughout their lifecycle. The regulation does not specify minimum accuracy thresholds — the requirement is that performance levels are documented, proportionate to the intended purpose, and consistent across the system's deployment context.

Robustness requirements address the system's resilience to errors, faults, and inconsistencies. Article 15(3) specifically addresses resilience against attempts to alter the system's behaviour through adversarial inputs — prompt injection, data poisoning, and similar attack vectors relevant to AI systems.

The cybersecurity requirements in Article 15(5) require that high-risk AI systems are resilient to attempts to exploit vulnerabilities that could result in harmful or unexpected behaviour. This requirement maps directly to the adversarial testing phase of an AI security review.

An AI security review conducted at design time produces a defined set of artefacts. Many of those artefacts directly support EU AI Act high-risk obligations. The mapping is not perfect — some obligation areas require documentation that only the system provider can produce — but the overlap is substantial.

The value of systematic evidence mapping is that it identifies which obligations have documentation and which have gaps. An organisation that has completed AI security reviews on its high-risk systems has a head start on EU AI Act documentation — the question is whether the review evidence has been structured to be reusable for regulatory purposes.

For a detailed gap analysis methodology — identifying which EU AI Act obligations are not yet covered by existing review evidence — see the evidence mapping guide.