EU AI Act · Article 26 · Deployer Obligations

Article 26 Walkthrough

Article 26 of Regulation (EU) 2024/1689 sets out the obligations of deployers of high-risk AI systems. AiEGIS Eye is the provider of the monitoring system; the customer is the deployer. This page maps each sub-paragraph (1 through 12) to the AiEGIS code path that satisfies it, or explicitly flags it as out of provider scope.

Scope split

Provider vs. deployer.

Article 26 binds the deployer — the natural or legal person using the AI system under their own authority. AiEGIS Eye is not the deployer of the customer's high-risk AI; the customer's organisation is. AiEGIS Eye is the provider of the governance system that lets the deployer discharge those obligations with technical evidence rather than paperwork.

The split below distinguishes obligations the AiEGIS code path directly enforces or evidences (sub-paragraphs 1, 2, 5, 6) from obligations that AiEGIS provides infrastructure or templates for but only the deployer can complete (3, 4, 7, 8, 9, 10, 11, 12).

The authoritative regulation text is at artificialintelligenceact.eu/article/26. Quoted excerpts on this page are reproduced verbatim from that source.

At a glance: 12 sub-paragraphs; 4 directly enforced or evidenced; 5 infrastructure + template; 3 deployer-only.

Sub-paragraph by sub-paragraph

The mapping.

Art. 26 §1 · Enforced
"Deployers of high-risk AI systems shall take appropriate technical and organisational measures to ensure they use such systems in accordance with the instructions for use accompanying the systems…"
Every request flowing through POST /api/protect is evaluated against the org's policy bundle across 15 enforcement layers (L1 Identity through L15 Correlation). Decisions are emitted as {"decision":"ALLOW|WARN|BLOCK|DENY","reason":"…","layer":"L…"} and persisted to agent_logs. The auto-generated checklist at /api/admin/compliance/eu-ai-act-checklist reports the live count of scanned requests as the Art. 26 §1 evidence field.
Art. 26 §2 · Enforced
"Deployers shall assign human oversight to natural persons who have the necessary competence, training and authority, as well as the necessary support."
The IT Violation Centre at /it/violations queues every BLOCK / WARN decision for review by a named human reviewer. Reviewer actions are written to the violation_actions table with action_type='mark_reviewed'; the checklist reports human_reviews_completed as the live evidence field. Deployer must complete: formally assign named personnel to the IT oversight role and document in the risk register.
Art. 26 §3 · Legal qualifier
"The obligations set out in paragraphs 1 and 2 are without prejudice to other deployer obligations under Union or national law and to the deployer's freedom to organise its own resources and activities…"
No technical obligation. AiEGIS Eye does not constrain or override the deployer's organisational autonomy.
Art. 26 §4 · Deployer responsibility
"Without prejudice to paragraphs 1 and 2, to the extent the deployer exercises control over the input data, that deployer shall ensure that input data is relevant and sufficiently representative in view of the intended purpose of the high-risk AI system."
Infrastructure provided: L3 Data Sentinel + L6 Input Sanitizer flag PII, prompt-injection and supply-chain patterns on the wire; counts surface in the checklist as the relevance/representativeness audit trail. Deployer must complete: training-data curation for the underlying AI model is the deployer's own data-governance process — AiEGIS does not see model training data.
Art. 26 §5 · Enforced
"Deployers shall monitor the operation of the high-risk AI system on the basis of the instructions for use… Where deployers have reason to consider that the use… may result in a risk … they shall, without undue delay, inform the provider or distributor and the relevant market surveillance authority, and shall suspend the use of that system."
Continuous monitoring is the platform's primary function. /api/admin/compliance/audit-export?days=30&format=json returns the full record set for the period with "framework":"EU AI Act Article 26" in the header. Serious-incident webhook alerting is wired in the dispatcher; the deployer configures the destination (SIEM or incident-response platform) per their own reporting chain.
Art. 26 §6 · Enforced
"Deployers shall keep the logs automatically generated by that high-risk AI system to the extent such logs are under their control, for a period appropriate to the intended purpose of the high-risk AI system, of at least six months, unless provided otherwise in applicable Union or national law…"
Every decision is appended to agent_logs with agent_id, action, target, decision, threats, timestamp, decision_ms. Retention floor is 5 years (audit-pack target), well in excess of the Art. 26 §6 six-month minimum. Signed evidence manifests for any period are produced by GET /api/policy/evidence?org_id=…&from=…&to=…, signed against the public key published at /.well-known/aegis-evidence-pubkey.pem.
Art. 26 §7 · Deployer-only
"Before putting into service or using a high-risk AI system at the workplace, deployers who are employers shall inform workers' representatives and the affected workers that they will be subject to the use of the high-risk AI system."
Template provided: a worker transparency notice template is served by GET /compliance/worker-notice-template. The template covers what is monitored, why, who sees the data, and the employee's rights of access. Deployer must complete: issue the notice to workers and their representatives before AiEGIS is enabled.
Art. 26 §8 · Deployer-only
"Deployers of high-risk AI systems that are public authorities, or Union institutions, bodies, offices or agencies shall comply with the registration obligations referred to in Article 49."
Public-authority registration in the EU AI Office database is a deployer act that cannot be delegated to a provider. AiEGIS provides the exportable evidence pack referenced by /api/policy/evidence to support the registration submission, but does not file on the deployer's behalf.
Art. 26 §9 · Deployer responsibility
"…deployers shall use the information provided under Article 13 to comply, where applicable, with their obligation to carry out a data protection impact assessment under Article 35 of Regulation (EU) 2016/679 or Article 27 of Directive (EU) 2016/680."
DPIA authoring is the deployer's GDPR obligation. AiEGIS publishes its provider-side DPIA inputs at /dpia so the deployer's DPO can incorporate the data-flow, retention and lawful-basis sections without re-deriving them.
Art. 26 §10 · Deployer-only
"…deployers of a high-risk AI system referred to in Annex III that makes decisions or assists in making decisions related to natural persons shall inform the natural persons that they are subject to the use of the high-risk AI system."
Notice to data subjects in the deployer's customer-facing flow is the deployer's act. AiEGIS Eye monitors the agent-to-tool boundary inside the deployer's organisation, not the deployer's customer-facing UI.
Art. 26 §11 · Partial
"Deployers shall cooperate with the relevant competent authorities on any action those authorities take in relation to the high-risk AI system to implement this Regulation."
The signed evidence manifest at /api/policy/evidence is the cooperation artefact: it carries an SHA-256 audit digest of the rule set and event stream over the requested period, signed in-process before return, with the verification public key at /.well-known/aegis-evidence-pubkey.pem. Deployer must complete: respond to authority requests using the manifest as evidence; AiEGIS does not communicate with authorities on the deployer's behalf.
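The following Go program is an added example, not AiEGIS code, of the check a deployer's own tooling can run on the manifest described under §6 and §11: recompute the SHA-256 audit digest over the rule set and the agent_logs rows for the requested period, then verify the signature under the published key. Ed25519, the Manifest field names, and the sample rules and rows are assumptions made here; the page names the key endpoint but not the signature scheme or the payload layout.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// LogRow mirrors the agent_logs columns the page lists for every decision.
type LogRow struct {
	AgentID    string   `json:"agent_id"`
	Action     string   `json:"action"`
	Target     string   `json:"target"`
	Decision   string   `json:"decision"`
	Threats    []string `json:"threats"`
	Timestamp  string   `json:"timestamp"` // RFC 3339 UTC, a constructed assumption
	DecisionMs int      `json:"decision_ms"`
}

// Manifest is a hypothetical stand-in for the /api/policy/evidence payload.
type Manifest struct {
	Framework string `json:"framework"`
	OrgID     string `json:"org_id"`
	From      string `json:"from"`
	To        string `json:"to"`
	Digest    string `json:"sha256"` // hex SHA-256 over rule set + event stream for [From, To]
}

type SignedManifest struct{ Payload, Signature []byte } // payload plus detached signature

// AuditDigest hashes the rule set, then every row with from <= timestamp <= to in timestamp order.
func AuditDigest(rules []string, rows []LogRow, from, to string) (string, int) {
	h := sha256.New()
	h.Write([]byte(strings.Join(rules, "\n") + "\n"))
	var window []LogRow
	for _, r := range rows {
		if r.Timestamp >= from && r.Timestamp <= to { // RFC 3339 strings sort chronologically
			window = append(window, r)
		}
	}
	sort.Slice(window, func(i, j int) bool { return window[i].Timestamp < window[j].Timestamp })
	for _, r := range window {
		line, _ := json.Marshal(r) // fixed struct field order keeps the encoding canonical
		h.Write(append(line, '\n'))
	}
	return fmt.Sprintf("%x", h.Sum(nil)), len(window)
}

// SignManifest serialises and signs in-process. Ed25519 is an assumption; the page names no scheme.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	payload, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// VerifyManifest: signature must verify under the published key AND the digest must match a
// recomputation over the deployer's own copy of rules and logs (catches a swapped record set).
func VerifyManifest(pub ed25519.PublicKey, sm SignedManifest, rules []string, rows []LogRow) (bool, error) {
	if !ed25519.Verify(pub, sm.Payload, sm.Signature) {
		return false, fmt.Errorf("signature does not verify under the published key")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Payload, &m); err != nil {
		return false, err
	}
	if digest, _ := AuditDigest(rules, rows, m.From, m.To); digest != m.Digest {
		return false, fmt.Errorf("digest does not match local records for %s..%s", m.From, m.To)
	}
	return true, nil
}

// NewDemoKeys stands in for the provider's signing key and the key served at /.well-known/aegis-evidence-pubkey.pem.
func NewDemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}

// Constructed sample inputs: one row inside January 2025, one outside it.
func SampleRules() []string { return []string{"L3:block-pii-egress", "L6:sanitize-prompt-injection"} }
func SampleRows() []LogRow {
	return []LogRow{
		{"agent-7", "ai_prompt", "chatgpt", "BLOCK", []string{"pii"}, "2025-01-03T10:00:00Z", 4},
		{"agent-9", "tool_call", "crm", "ALLOW", nil, "2025-02-02T12:00:00Z", 2},
	}
}

func main() {
	pub, priv := NewDemoKeys()
	from, to := "2025-01-01T00:00:00Z", "2025-01-31T23:59:59Z"
	digest, n := AuditDigest(SampleRules(), SampleRows(), from, to)
	sm, _ := SignManifest(priv, Manifest{"EU AI Act Article 26", "org_demo", from, to, digest})
	ok, err := VerifyManifest(pub, sm, SampleRules(), SampleRows())
	fmt.Println("events in period:", n, "verified:", ok, err)
}
```

Verifying both halves matters: a valid signature shows the manifest came from the provider, and the digest recomputation shows it covers the records the deployer actually holds for the period it claims, which is what an authority request under §11 will turn on.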
Art. 26 §12 · Deployer-only
"Deployers shall be able to implement human oversight, where applicable, on the basis of the measures referred to in Article 14…"
Cross-references the Art. 14 human-oversight measures (those bind the provider of the underlying high-risk AI, not AiEGIS as the governance-system provider). The AiEGIS evidence for the human-oversight loop is the L14 / IT Violation Centre wiring described under §2 and the live example below.
Live evidence

A signed reason code from /api/protect.

The block below is a real response from production. The L1 Identity layer rejected an unauthenticated request; the response carries the layer name, the human-readable reason, an error code, and the decision latency in milliseconds. The same envelope shape carries higher-layer reasons (L4 Scope, L6 Input Sanitizer, L7 Memory Integrity, L9 Meta Security, L13 MCP Registry, L14 Confidence Scoring, L15 Correlation).

The requires_human_review field on the L14 Confidence Scoring response is the §6 / §2 human-oversight gate signal: when an action's computed confidence falls into the review band, L14 emits a review_id and the decision is queued in the IT Violation Centre for the deployer's named reviewer.

Reproduce locally:

# L1 Identity reject — verbatim production response (any invalid X-API-Key triggers this path):
$ curl -sS -X POST https://aiegis.ie/api/protect \
    -H 'Content-Type: application/json' \
    -H 'X-API-Key: invalid_demo_key_for_walkthrough' \
    -d '{"action":"ai_prompt","target":"chatgpt","input":"hello"}'
{"decision":"DENY","reason":"Invalid API key","layer":"L1-Identity","error":"auth_failed","decision_ms":1}

# An authenticated, L14-flagged action additionally carries the human-review gate signal:
# result["confidence_scoring"] = {
#   "score": 0.45, "level": "LOW",
#   "requires_human_review": true,
#   "review_id": "<uuid>", "calibration_score": 0.91
# }
# review_id is the join key against /it/violations + violation_actions.
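The following Go program is an added example, not AiEGIS code, of the deployer-side consumer for the envelope above: it parses the verbatim L1 response and a constructed L14 response, rejects any reply whose decision is outside ALLOW / WARN / BLOCK / DENY so a malformed reply is never treated as an allow, and routes BLOCK / WARN and review-flagged actions to the reviewer queue keyed by review_id. The L14 layer string, the review_id value, and the choice to hold a review-flagged ALLOW until the reviewer acts are assumptions made here.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ConfidenceScoring mirrors result["confidence_scoring"] as shown on the page.
type ConfidenceScoring struct {
	Score               float64 `json:"score"`
	Level               string  `json:"level"`
	RequiresHumanReview bool    `json:"requires_human_review"`
	ReviewID            string  `json:"review_id"`
	CalibrationScore    float64 `json:"calibration_score"`
}

// Envelope is the /api/protect response shape; confidence_scoring is only present on L14 results.
type Envelope struct {
	Decision          string             `json:"decision"`
	Reason            string             `json:"reason"`
	Layer             string             `json:"layer"`
	Error             string             `json:"error,omitempty"`
	DecisionMs        int                `json:"decision_ms"`
	ConfidenceScoring *ConfidenceScoring `json:"confidence_scoring,omitempty"`
}

// Outcome is what the deployer-side caller does next.
type Outcome struct {
	Proceed     bool   // let the agent action continue
	QueueReview bool   // hand to the IT Violation Centre queue for a named reviewer
	ReviewID    string // join key against /it/violations and violation_actions when L14 set one
}

var knownDecisions = map[string]bool{"ALLOW": true, "WARN": true, "BLOCK": true, "DENY": true}

// ParseEnvelope fails closed: an unknown decision or a missing layer is an error, never an implicit ALLOW.
func ParseEnvelope(raw []byte) (Envelope, error) {
	var e Envelope
	if err := json.Unmarshal(raw, &e); err != nil {
		return Envelope{}, fmt.Errorf("malformed envelope: %w", err)
	}
	if !knownDecisions[e.Decision] {
		return Envelope{}, fmt.Errorf("unknown decision %q", e.Decision)
	}
	if e.Layer == "" {
		return Envelope{}, fmt.Errorf("envelope has no layer")
	}
	return e, nil
}

// Route applies the page's queueing rule (every BLOCK / WARN goes to review) plus the L14 gate.
// Holding a review-flagged ALLOW until the reviewer acts is a fail-closed choice made here,
// not something the page specifies.
func Route(e Envelope) Outcome {
	if cs := e.ConfidenceScoring; cs != nil && cs.RequiresHumanReview {
		return Outcome{Proceed: false, QueueReview: true, ReviewID: cs.ReviewID}
	}
	switch e.Decision {
	case "ALLOW":
		return Outcome{Proceed: true}
	case "WARN":
		return Outcome{Proceed: true, QueueReview: true} // WARN proceeds but is still reviewed
	case "BLOCK":
		return Outcome{QueueReview: true}
	default: // DENY: rejected before policy evaluation (e.g. L1 auth failure), nothing to review
		return Outcome{}
	}
}

// SampleL1Deny is the verbatim production response quoted on the page.
func SampleL1Deny() []byte {
	return []byte(`{"decision":"DENY","reason":"Invalid API key","layer":"L1-Identity","error":"auth_failed","decision_ms":1}`)
}

// SampleL14Review is a constructed envelope carrying the human-review gate signal (layer name and review_id assumed).
func SampleL14Review() []byte {
	return []byte(`{"decision":"ALLOW","reason":"confidence in review band","layer":"L14-Confidence-Scoring","decision_ms":7,
	 "confidence_scoring":{"score":0.45,"level":"LOW","requires_human_review":true,"review_id":"rev-0001-demo","calibration_score":0.91}}`)
}

func main() {
	for _, raw := range [][]byte{SampleL1Deny(), SampleL14Review(), []byte(`{"decision":"MAYBE","layer":"L4"}`)} {
		e, err := ParseEnvelope(raw)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("%s from %s -> %+v\n", e.Decision, e.Layer, Route(e))
	}
}
```

The point of the strict parse is the §2 evidence chain: only envelopes with a recognised decision and layer reach the queue, so every row later written to violation_actions traces back to a well-formed decision, and a reply the consumer does not understand is surfaced as an error rather than silently allowed.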

The auto-generated Article 26 checklist (admin-scoped) compiles these signals into a per-sub-paragraph status report sourced entirely from live data — no manual attestation. The signed evidence manifest at /api/policy/evidence packages the same data for authority cooperation under §11.