EU AI Act evidence report
contract_version: 5 · report_id: ragpi-selfhost-openai-full-initial · surface: eu-ai-act
toolkit: 1.4.0 · spec: aepf-v1 · generated: 2026-04-30T09:35:06.840Z
transfer: internal_only · redaction: none · execution: healthy
baseline_dir: _source_inputs/baseline · new_dir: _source_inputs/new · cases: _source_inputs/cases.json
Suites
Only one suite present in this report.
Outcome
execution: healthy (runtime status)
executed cases: 1
evidence items: 1
benchmark issues: 0
Runtime health and retained evidence drive the product-facing outcome. Internal benchmark checks are shown separately below.
suites: ragpi_selfhost
Environment
agent: ragpi · agent_version: selfhost-openai-cloud-v1
model: gpt-4o-mini · model_version: openai-api
prompt: ragpi-selfhost-default · tools: ragpi-selfhost-wrapper · config_hash: cfg-ragpi-selfhost-openai-gpt-4o-mini
Run Provenance
baseline agent_version=selfhost-openai-cloud-v1 · model=gpt-4o-mini · model_version=openai-api
baseline prompt=ragpi-selfhost-default · tools=ragpi-selfhost-wrapper · config_hash=cfg-ragpi-selfhost-openai-gpt-4o-mini
new agent_version=selfhost-openai-cloud-v1 · model=gpt-4o-mini · model_version=openai-api
new prompt=ragpi-selfhost-default · tools=ragpi-selfhost-wrapper · config_hash=cfg-ragpi-selfhost-openai-gpt-4o-mini
changed_fields: none
Bundle Controls
Compliance
Toolkit status describes evidence coverage, not legal completion.
framework clause status evidence gaps
EU_AI_ACT Art_9
Risk management system
evidence covered
completion tier: technical evidence collected
required present 4
compare-report.json.summary.risk_summary
compare-report.json.items[].gate_recommendation
compare-report.json.items[].security
compare-report.json.summary.execution_quality.admissibility_kpi
supporting present 1
artifacts/manifest.json
residual gaps
Operator-owned risk governance still sits outside the evaluator.
Annex III classification and legal interpretation still require counsel.
notes
This clause is scored as runtime evidence coverage, not full legal conformity.
EU_AI_ACT Art_10
Data governance and data quality
evidence covered
completion tier: technical evidence collected
required present 6
builder-draft.json.article_10.mode
builder-draft.json.article_10.provider_non_training_statement_ref
builder-draft.json.article_10.testing_data_provenance_ref
builder-draft.json.article_10.evaluation_scope_record_ref
builder-draft.json.article_10.data_preparation_record_ref
builder-draft.json.article_10.bias_review_record_ref
supporting present 3
compare-report.json.summary.data_coverage
compare-report.json.quality_flags
builder-draft.json.sections[]
residual gaps
Dataset provenance, representativeness review, bias review, and preparation records remain provider-authored legal inputs.
notes
Article 10(6) path: the package declares that the provider does not train or fine-tune the model, so Article 10(2) to 10(5) are evidenced through testing datasets and evaluation inputs.
EU_AI_ACT Art_11
Technical documentation
evidence covered
completion tier: technical evidence collected
required present 3
compare-report.json.summary
compare-report.json.environment
artifacts/manifest.json
supporting present 1
compare-report.json.items[]
residual gaps
The evaluator emits evidence inputs, not the full Article 11 technical file.
notes
Use this output as an annex to a broader technical documentation package.
EU_AI_ACT Annex_IV
Technical documentation dossier structure
evidence covered
completion tier: technical evidence collected
required present 3
compare-report.json.summary
compare-report.json.items[]
artifacts/manifest.json
residual gaps
The generated dossier still requires operator-authored intended-use, system-boundary, and deployment-context inputs.
EU_AI_ACT Art_12
Record-keeping and logging
evidence covered
completion tier: technical evidence collected
required present 3
compare-report.json.items[].trace_integrity
compare-report.json.items[].artifacts
artifacts/manifest.json
residual gaps
Provider logging-retention periods, production log controls, and system-specific logging scope remain provider-owned.
notes
This clause is scored as a logging and record-keeping evidence scaffold, not as a complete provider logging program.
EU_AI_ACT Art_13
Transparency and instructions for use
evidence covered
completion tier: technical evidence collected
required present 3
compare-report.json.summary.execution_quality
compare-report.json.summary.cases_requiring_approval
compare-report.json.quality_flags
supporting present 3
compare-report.json.environment
compare-report.json.items[].gate_recommendation
report.html
residual gaps
Operator-authored intended-use, deployer-facing instructions, and operating constraints remain required.
Human oversight procedures for deployers still require operator-authored narrative.
notes
This clause is scored as a technical instructions scaffold, not a finished instructions-for-use document.
EU_AI_ACT Art_17
Quality management system
evidence covered
completion tier: technical evidence collected
required present 4
compare-report.json.summary.execution_quality
compare-report.json.summary.cases_requiring_approval
compare-report.json.summary.cases_block_recommended
compare-report.json.quality_flags
supporting present 2
compare-report.json.summary_by_suite
report.html
residual gaps
Written QMS procedures, training, document control, supplier management, and authority communication remain operator responsibilities.
notes
This clause is scored as a technical QMS scaffold, not a complete quality management system.
EU_AI_ACT Art_14
Human oversight
evidence covered
completion tier: technical evidence collected
required present 3
compare-report.json.summary.cases_requiring_approval
compare-report.json.items[].gate_recommendation
compare-report.json.items[].policy_evaluation
residual gaps
Deployer-facing oversight procedures, staffing, escalation rules, and operating playbooks remain operator-authored.
notes
This clause is scored as a technical oversight scaffold, not as a finished human-oversight operating model.
EU_AI_ACT Art_15
Accuracy, robustness, and cybersecurity
evidence covered
completion tier: technical evidence collected
required present 4
compare-report.json.summary.execution_quality
compare-report.json.summary.security
compare-report.json.items[].risk_level
compare-report.json.items[].security
supporting present 1
artifacts/manifest.json
residual gaps
Sector-specific validation thresholds, production robustness targets, cybersecurity controls, and acceptance criteria remain provider-owned.
notes
This clause is scored as an evidence scaffold for robustness and cybersecurity, not as a completed assurance program.
EU_AI_ACT Art_72
Post-market monitoring
evidence covered
completion tier: technical evidence collected
required present 2
compare-report.json.summary.execution_quality
compare-report.json.summary_by_suite
supporting present 1
report.html
residual gaps
Recurring monitoring cadence, escalation workflow, and regulator-facing reporting remain operator responsibilities.
EU_AI_ACT Art_73
Serious incident reporting
evidence covered
completion tier: awaiting operator
required present 2
compare-report.json.summary.execution_quality
artifacts/manifest.json
supporting present 2
compare-report.json.summary_by_suite
report.html
residual gaps
Provider-owned incident classification, authority notification timing, and production escalation records remain required.
notes
This clause is scored as a serious-incident reporting scaffold, not a completed Article 73 authority filing.
EU_AI_ACT Art_16
Provider obligations
evidence covered
completion tier: awaiting operator
required present 3
compare-report.json.environment
compare-report.json.summary.execution_quality
compare-report.json.quality_flags
supporting present 1
report.html
residual gaps
Provider-owned records for Section 2 compliance, declaration, marking, registration, and authority-facing obligations remain required.
notes
This clause is scored as a provider-obligations scaffold, not a finished provider obligations record.
EU_AI_ACT Art_18
Documentation keeping
evidence covered
completion tier: awaiting operator
required present 3
compare-report.json.environment
compare-report.json.meta
artifacts/manifest.json
supporting present 1
compare-report.json.quality_flags
residual gaps
The 10-year documentation-keeping record for Article 11, Article 17, notified-body records where applicable, and Article 47 remains provider-owned.
notes
This clause is scored as a documentation-keeping scaffold, not a completed retention and authority-availability record.
EU_AI_ACT Art_19
Automatically generated logs
evidence covered
completion tier: awaiting operator
required present 3
compare-report.json.items[].trace_integrity
compare-report.json.items[].artifacts
artifacts/manifest.json
residual gaps
Provider-controlled log retention, six-month minimum retention, and retrieval path still require provider-authored records.
notes
This clause is scored as a logging scaffold, not a full provider log-retention record.
EU_AI_ACT Art_20
Corrective actions and duty of information
evidence covered
completion tier: awaiting operator
required present 3
compare-report.json.summary.execution_quality
compare-report.json.summary.cases_block_recommended
compare-report.json.items[].gate_recommendation
supporting present 1
report.html
residual gaps
The provider-owned corrective-action, withdrawal or disabling, recall, and notification workflow remains required.
notes
This clause is scored as a corrective-action scaffold, not a finished Article 20 response record.
EU_AI_ACT Art_21
Cooperation with competent authorities
evidence covered
completion tier: awaiting operator
required present 2
compare-report.json.environment
artifacts/manifest.json
supporting present 2
compare-report.json.quality_flags
report.html
residual gaps
The provider-owned authority cooperation path, documentation response process, and log-access process remain required.
notes
This clause is scored as an authority-cooperation scaffold, not a finished Article 21 cooperation record.
EU_AI_ACT Art_22
Authorised representatives
evidence covered
completion tier: awaiting operator
required present 2
compare-report.json.environment
compare-report.json.meta
supporting present 1
report.html
residual gaps
For providers established outside the Union, the written mandate and named authorised representative record remain required.
notes
This clause is scored as an authorised-representative scaffold, not a completed Article 22 mandate record.
EU_AI_ACT Art_26
Obligations of deployers of high-risk AI systems
evidence covered
completion tier: awaiting operator
required present 3
compare-report.json.summary.execution_quality
compare-report.json.summary.cases_requiring_approval
compare-report.json.items[].gate_recommendation
supporting present 1
report.html
residual gaps
The deployer-owned operating record, instructions-of-use alignment, oversight assignment, log handling, and authority or provider notifications remain required where Article 26 applies.
notes
This clause is scored as a deployer-obligations scaffold, not a completed Article 26 operating record.
EU_AI_ACT Art_27
Fundamental rights impact assessment for deployers
evidence covered
completion tier: awaiting operator
required present 2
compare-report.json.summary.execution_quality
compare-report.json.summary.cases_requiring_approval
supporting present 1
report.html
residual gaps
The deployer-owned FRIA, updates, consultation path, and any linked impact-assessment records remain required where Article 27 applies.
notes
This clause is scored as a FRIA scaffold, not a completed Article 27 assessment record.
EU_AI_ACT Art_43
Conformity assessment
evidence covered
completion tier: outside toolkit scope
required present 3
compare-report.json.environment
compare-report.json.summary.execution_quality
compare-report.json.quality_flags
supporting present 1
report.html
residual gaps
The provider-owned conformity assessment route and any notified-body records remain required.
notes
This clause is scored as a conformity-assessment scaffold, not a completed Article 43 record.
EU_AI_ACT Art_47
EU declaration of conformity
evidence covered
completion tier: outside toolkit scope
required present 2
compare-report.json.environment
compare-report.json.meta
supporting present 1
report.html
residual gaps
The provider-signed EU declaration of conformity remains required before placing on the market or putting into service.
notes
This clause is scored as a declaration scaffold, not a completed Article 47 declaration.
EU_AI_ACT Art_48
CE marking
evidence covered
completion tier: outside toolkit scope
required present 2
compare-report.json.environment
compare-report.json.meta
supporting present 1
report.html
residual gaps
The provider-owned CE marking record, including digital or physical placement and notified-body identification where applicable, remains required.
notes
This clause is scored as a CE-marking scaffold, not a completed Article 48 record.
EU_AI_ACT Art_49
Registration
evidence covered
completion tier: outside toolkit scope
required present 2
compare-report.json.environment
compare-report.json.meta
supporting present 1
report.html
residual gaps
The provider-owned EU database or national registration record remains required where Article 49 applies.
notes
This clause is scored as a registration scaffold, not a completed Article 49 record.
EU_AI_ACT Annex_V
Declaration content
evidence covered
completion tier: outside toolkit scope
required present 2
compare-report.json.environment
compare-report.json.meta
supporting present 1
report.html
residual gaps
Provider identification, system identification, legal references, and signatory details for the declaration remain provider-authored.
notes
This clause is scored as an Annex V content scaffold, not a completed declaration content record.
Risk
risk low: 1
risk medium: 0
risk high: 0
require approval: 0
block recommended: 0
Data coverage
total_cases: 1
evidence items: 1
missing baseline: 0
missing new: 0
broken baseline: 0
broken new: 0
Execution quality
execution: healthy (status)
baseline transport success: 100.0%
new transport success: 100.0%
baseline runner failures: 0
new runner failures: 0
weak expected rate: 0.0%
thresholds: min transport success 95.0% · max weak expected 20.0% · min pre-action entropy removed 0.0% · min recon min saved/block 0
failure kinds: baseline none · new none
reasons: none
Admissibility KPI
risk mass before: 1
risk mass after: 1
pre-action entropy removed: 0.0%
reconstruction min saved/block: 0
blocked cases: 0 · reconstruction min saved total: 0
OTel anchors
cases with baseline anchor: 0
cases with new anchor: 0
Quality flags
self_contained: true
portable_paths: true
missing_assets_count: 0
path_violations_count: 0
large_payloads: 0
missing_assets: —
path_violations: —
large_payloads: —
Suite: ragpi_selfhost
baseline checks passed: 1
new checks passed: 1
regressions: 0
improvements: 0
risk low: 1
risk medium: 0
risk high: 0
require approval: 0
block recommended: 0
missing baseline: 0
missing new: 0
broken baseline: 0
broken new: 0
Security summary
total_cases: 1
cases_with_signals_baseline: 0
cases_with_signals_new: 0
baseline severity counts: low=0, medium=0, high=0, critical=0
new severity counts: low=0, medium=0, high=0, critical=0
top_signal_kinds_baseline: —
top_signal_kinds_new: —
Cases
Baseline/new columns reflect internal benchmark checks, not runtime completion.
case baseline checks new checks baseline_root new_root preventable policy_rules trace security assets
Benchmark diagnostics
baseline checks passed: 1
new checks passed: 1
regressions: 0
improvements: 0
These checks help compare agent behavior and artifact quality. They are internal diagnostics, not the runtime completion verdict.
No failures / no breakdown
This report directory is self-contained (assets are copied into assets/).