{ "schema_version": 1, "framework": "EU_AI_ACT", "report_id": "eu-ai-act-demo", "generated_at": 1777808239944, "bundle_artifacts": { "compare_report_href": "compare-report.json", "primary_report_html_href": "report.html", "manifest_href": "artifacts/manifest.json", "annex_iv_href": "compliance/eu-ai-act-annex-iv.json", "article_10_data_governance_href": "compliance/article-10-data-governance.json", "article_13_instructions_href": "compliance/article-13-instructions.json", "article_16_provider_obligations_href": "compliance/article-16-provider-obligations.json", "article_43_conformity_assessment_href": "compliance/article-43-conformity-assessment.json", "article_47_declaration_of_conformity_href": "compliance/article-47-declaration-of-conformity.json", "article_9_risk_register_href": "compliance/article-9-risk-register.json", "article_72_monitoring_plan_href": "compliance/article-72-monitoring-plan.json", "article_17_qms_lite_href": "compliance/article-17-qms-lite.json", "annex_v_declaration_content_href": "compliance/annex-v-declaration-content.json", "human_oversight_summary_href": "compliance/human-oversight-summary.json", "post_market_monitoring_href": "compliance/post-market-monitoring.json", "article_50_transparency_marking_href": "compliance/article-50-transparency-marking.json", "release_review_href": "compliance/release-review.json", "coverage_href": "compliance/eu-ai-act-coverage.json", "report_html_href": "compliance/eu-ai-act-report.html", "reviewer_html_href": "compliance/eu-ai-act-reviewer.html", "reviewer_markdown_href": "compliance/eu-ai-act-reviewer.md", "evidence_index_href": "compliance/evidence-index.json", "article_73_serious_incident_pack_href": "compliance/article-73-serious-incident-pack.json", "package_completion_href": "compliance/package-completion.json", "section_completion_href": "compliance/section-completion.json", "legal_record_register_href": "compliance/legal-record-register.json", "legal_artifact_manifest_href": "compliance/legal-artifact-manifest.json", "sign_off_record_href": "compliance/sign-off-record.json" }, "document_scope": { "article": "Art_73", "generated_scope": "technical_serious_incident_triage_scaffold", "operator_inputs_required": [ "named serious-incident owner and escalation backup", "human determination of whether the event meets Article 73 serious-incident threshold", "authority, customer, and internal notification routing by jurisdiction", "incident impact assessment and affected-person analysis", "reporting deadline calculation and external communications approver" ] }, "current_assessment": { "machine_triage_status": "review_for_serious_incident", "trigger_count": 4, "blocking_case_count": 1, "approval_case_count": 1, "high_or_critical_signal_count": 2, "drift_detected": false, "release_decision_status": "reject", "rationale": [ "4 machine-detected trigger(s) require human incident review before concluding whether Article 73 reporting applies.", "Technical evidence status is not ready.", "High or critical security signals were observed in the packaged run." ] }, "triggers": [ { "id": "blocking-cases-present", "trigger_type": "blocking_case", "severity": "urgent", "summary": "1 blocking case(s) are present in the technical evidence review.", "case_ids": [ "c-block" ], "artifact_hrefs": [ "compliance/release-review.json", "compliance/human-oversight-summary.json", "compliance/article-9-risk-register.json" ] }, { "id": "high-critical-security-signals", "trigger_type": "high_critical_security_signal", "severity": "urgent", "summary": "2 high or critical security signal(s) were observed in the new run.", "case_ids": [ "c-approval", "c-block" ], "artifact_hrefs": [ "compare-report.json", "compliance/article-9-risk-register.json" ] }, { "id": "machine-release-reject", "trigger_type": "release_reject", "severity": "urgent", "summary": "Machine technical evidence review currently marks this bundle as not ready.", "case_ids": [ "c-block" ], "artifact_hrefs": [ "compliance/release-review.json" ] }, { "id": "approval-queue-open", "trigger_type": "approval_queue", "severity": "review", "summary": "1 approval-required case(s) remain open for human review.", "case_ids": [ "c-approval" ], "artifact_hrefs": [ "compliance/human-oversight-summary.json", "compliance/article-13-instructions.json" ] } ], "notification_preparation": { "recommended_artifacts": [ "compare-report.json", "report.html", "compliance/article-9-risk-register.json", "compliance/article-72-monitoring-plan.json", "compliance/article-17-qms-lite.json", "compliance/release-review.json", "compliance/post-market-monitoring.json" ], "reporting_fields_required": [ "incident date and detection timestamp", "affected deployment context and users", "summary of harm or potential harm", "system version, model, and deployment identifiers", "mitigation taken, rollback status, and corrective-action owner" ], "operator_inputs_required": [ "named serious-incident owner and escalation backup", "human determination of whether the event meets Article 73 serious-incident threshold", "authority, customer, and internal notification routing by jurisdiction", "incident impact assessment and affected-person analysis", "reporting deadline calculation and external communications approver" ] }, "corrective_action_linkage": { "required_human_actions": [ "Assigned reviewer must clear approval-required cases before the technical evidence bundle is treated as ready.", "Blocked cases must be remediated and rerun before the technical evidence bundle is treated as ready.", "Determine whether authority reporting is required and document the basis for the decision." ], "related_artifacts": [ "compliance/release-review.json", "compliance/post-market-monitoring.json", "compliance/article-72-monitoring-plan.json", "compliance/article-17-qms-lite.json" ], "qms_process_refs": [ "incident_and_corrective_action", "oversight_and_release_control", "monitoring_and_feedback" ] }, "residual_gaps": [ "Operator-owned risk governance still sits outside the evaluator.", "Annex III classification and legal interpretation still require counsel.", "Trend ingest disabled for this run.", "Trend ingest was disabled for this run, so the monitoring window is not refreshed with the current release.", "No matching historical runs are available for this monitoring scope.", "No prior run is available to compute change-over-time deltas.", "This register is generated from runtime evidence and still requires operator-owned likelihood, impact, and acceptance rationale.", "Recurring monitoring cadence, escalation workflow, and regulator-facing reporting remain operator responsibilities.", "Operator-authored instructions for use are still required before deployer handoff.", "This export summarizes technical evidence; it does not replace deployer-facing operating instructions.", "Operator-authored intended-use, deployer-facing instructions, and operating constraints remain required.", "Human oversight procedures for deployers still require operator-authored narrative.", "This plan is a technical scaffold and still requires operator-owned monitoring ownership, cadence, retention, and authority-reporting decisions.", "This export does not decide whether the legal threshold for a serious incident has been met.", "Authority reporting workflow, deadlines, and jurisdiction-specific notification content remain operator-authored.", "Final incident narrative, impact assessment, and external communications approval remain outside the evaluator." ], "surface": { "id": "eu-ai-act", "label": "EU AI Act evidence report", "kind": "vertical", "base_contract": "report-contract-v5", "vertical_contract": "eu-ai-act-full" }, "surface_version": "eu-ai-act-full-v1" }