{
  "schema_version": "v1.0",
  "generated_at": "2026-05-24T07:45:00+00:00",
  "framework": "EU AI Act — Regulation (EU) 2024/1689 Article 26 (Deployer Obligations)",
  "primary_source": "https://artificialintelligenceact.eu/article/26/",
  "scope_split": {
    "total_sub_paragraphs": 12,
    "enforced_or_evidenced": 4,
    "infrastructure_and_template": 5,
    "deployer_only_or_legal_qualifier": 3
  },
  "mapping": [
    {
      "sub": 1,
      "tag": "enforced",
      "title": "Use system per instructions, with technical + organisational measures",
      "regulation_excerpt": "Deployers of high-risk AI systems shall take appropriate technical and organisational measures to ensure they use such systems in accordance with the instructions for use accompanying the systems...",
      "aiegis_evidence": "Every request flowing through POST /api/protect is evaluated across 15 enforcement layers (L1 Identity through L15 Correlation). Decisions are persisted to agent_logs with structured reason codes.",
      "code_path": "core/api_v2.py:api_protect",
      "checklist_field": "scanned_requests_count"
    },
    {
      "sub": 2,
      "tag": "enforced",
      "title": "Human oversight by competent + trained personnel",
      "regulation_excerpt": "Deployers shall assign human oversight to natural persons who have the necessary competence, training and authority, as well as the necessary support.",
      "aiegis_evidence": "IT Violation Centre at /it/violations queues every BLOCK/WARN decision for a named human reviewer. Reviewer actions are persisted to the violation_actions table with action_type='mark_reviewed'.",
      "code_path": "core/api_v2.py:it_violations",
      "checklist_field": "human_reviews_completed",
      "deployer_responsibility": "Formally assign named personnel to IT oversight role and document in risk register."
    },
    {
      "sub": 3,
      "tag": "legal_qualifier",
      "title": "Without prejudice to other deployer obligations + organisational autonomy",
      "regulation_excerpt": "The obligations set out in paragraphs 1 and 2 are without prejudice to other deployer obligations under Union or national law and to the deployer's freedom to organise its own resources and activities...",
      "aiegis_evidence": "No technical obligation. AiEGIS does not constrain or override the deployer's organisational autonomy."
    },
    {
      "sub": 4,
      "tag": "deployer_only",
      "title": "Input-data relevance and representativeness",
      "regulation_excerpt": "Without prejudice to paragraphs 1 and 2, to the extent the deployer exercises control over the input data, that deployer shall ensure that input data is relevant and sufficiently representative in view of the intended purpose of the high-risk AI system.",
      "aiegis_infrastructure": "L3 Data Sentinel + L6 Input Sanitizer flag PII, prompt-injection and supply-chain patterns on the wire. Counts surface in the checklist as a relevance audit trail.",
      "deployer_responsibility": "Training-data curation for the underlying AI model is the deployer's own data-governance process — AiEGIS does not see model training data."
    },
    {
      "sub": 5,
      "tag": "enforced",
      "title": "Monitor operation + report serious incidents",
      "regulation_excerpt": "Deployers shall monitor the operation of the high-risk AI system on the basis of the instructions for use... Where deployers have reason to consider that the use... may result in a risk... they shall, without undue delay, inform the provider or distributor and the relevant market surveillance authority, and shall suspend the use of that system.",
      "aiegis_evidence": "/api/admin/compliance/audit-export?days=30&format=json returns the full record set with a 'framework':'EU AI Act Article 26' header. Serious-incident webhook alerting is wired; the deployer configures the destination per their reporting chain.",
      "code_path": "core/api_v2.py:audit_export",
      "checklist_field": "monitoring_active"
    },
    {
      "sub": 6,
      "tag": "enforced",
      "title": "Keep logs for at least six months",
      "regulation_excerpt": "Deployers shall keep the logs automatically generated by that high-risk AI system to the extent such logs are under their control, for a period appropriate to the intended purpose of the high-risk AI system, of at least six months, unless provided otherwise in applicable Union or national law...",
      "aiegis_evidence": "Every decision is appended to agent_logs with agent_id, action, target, decision, threats, timestamp, decision_ms. Retention floor: 5 years (audit-pack target), well in excess of the Art. 26(6) six-month minimum. Enforced in SQL via BEFORE DELETE / BEFORE UPDATE triggers on grid_ledger.",
      "code_path": "grid_platform/grid_ledger.sql",
      "verifier_endpoint": "https://aiegis.ie/grid/ledger/retention",
      "signed_evidence_endpoint": "https://aiegis.ie/api/policy/evidence",
      "public_key": "https://aiegis.ie/.well-known/aegis-evidence-pubkey.pem"
    },
    {
      "sub": 7,
      "tag": "deployer_only",
      "title": "Workplace AI: inform workers + representatives",
      "regulation_excerpt": "Before putting into service or using a high-risk AI system at the workplace, deployers who are employers shall inform workers' representatives and the affected workers that they will be subject to the use of the high-risk AI system.",
      "aiegis_template_endpoint": "/compliance/worker-notice-template",
      "deployer_responsibility": "Issue the notice to workers and their representatives before AiEGIS is enabled."
    },
    {
      "sub": 8,
      "tag": "deployer_only",
      "title": "Public-authority registration in EU AI Office DB",
      "regulation_excerpt": "Deployers of high-risk AI systems that are public authorities, or Union institutions, bodies, offices or agencies shall comply with the registration obligations referred to in Article 49.",
      "aiegis_infrastructure": "Exportable evidence pack from /api/policy/evidence supports the registration submission.",
      "deployer_responsibility": "Public-authority registration in EU AI Office database is a deployer act that cannot be delegated to a provider."
    },
    {
      "sub": 9,
      "tag": "deployer_only",
      "title": "Use Art 13 info for GDPR DPIA",
      "regulation_excerpt": "...deployers shall use the information provided under Article 13 to comply, where applicable, with their obligation to carry out a data protection impact assessment under Article 35 of Regulation (EU) 2016/679 or Article 27 of Directive (EU) 2016/680.",
      "aiegis_infrastructure": "Provider-side DPIA inputs published at https://aiegis.ie/dpia for deployer DPO to incorporate.",
      "deployer_responsibility": "DPIA authoring is the deployer's GDPR obligation."
    },
    {
      "sub": 10,
      "tag": "deployer_only",
      "title": "Biometric judicial-auth requirements",
      "regulation_excerpt": "...real-time remote biometric identification systems in publicly accessible spaces for the purposes of law enforcement... shall request prior authorisation for use from a judicial authority or independent administrative authority...",
      "aiegis_infrastructure": "Not applicable to AiEGIS deployments; biometric judicial-auth is law-enforcement-specific and outside the AiEGIS Eye / Identity / Grid / Governance scope."
    },
    {
      "sub": 11,
      "tag": "partial",
      "title": "Inform affected persons subject to AI decisions",
      "regulation_excerpt": "Deployers of high-risk AI systems referred to in Annex III... shall inform natural persons who are subject to the use of the high-risk AI system. For high-risk AI systems used for law-enforcement purposes Article 13 of Directive (EU) 2016/680 shall apply.",
      "aiegis_infrastructure": "decision_id is surfaced in /api/protect responses for downstream notice systems to reference.",
      "deployer_responsibility": "Affected-person notification UI is the deployer's customer-facing system, not AiEGIS."
    },
    {
      "sub": 12,
      "tag": "deployer_only",
      "title": "Cooperate with competent authorities",
      "regulation_excerpt": "Deployers shall cooperate with the competent authorities on any action those authorities take in relation to the high-risk AI system to implement this Regulation.",
      "aiegis_infrastructure": "Signed evidence manifests at /api/policy/evidence package live decision data for authority requests.",
      "deployer_responsibility": "Cooperation with competent authorities is deployer-direct; AiEGIS provides the evidence chain."
    }
  ],
  "live_endpoints": {
    "walkthrough_page": "https://aiegis.ie/article-26-walkthrough",
    "checklist_generator": "https://aiegis.ie/api/admin/compliance/eu-ai-act-checklist",
    "audit_export": "https://aiegis.ie/api/admin/compliance/audit-export",
    "signed_evidence_pubkey": "https://aiegis.ie/.well-known/aegis-evidence-pubkey.pem",
    "policy_evidence_endpoint": "https://aiegis.ie/api/policy/evidence",
    "retention_floor_verifier": "https://aiegis.ie/grid/ledger/retention",
    "worker_notice_template": "https://aiegis.ie/compliance/worker-notice-template"
  }
}
