EU AI Act Compliance

The compliance engine maps Curate-Me platform features to EU AI Act requirements and scores your organization’s compliance across 8 articles. It identifies gaps and offers one-click fixes to bring you into compliance.

Articles Covered

The engine evaluates requirements for high-risk AI systems under the EU AI Act:

| Article | Title | What We Check |
|---|---|---|
| Art. 9 | Risk Management System | Governance chain: rate limits, daily budgets, PII scanning, model allowlists |
| Art. 11 | Technical Documentation | Immutable audit trail (100+ events = compliant) |
| Art. 12 | Record-Keeping | Time-travel debugging and session output recording |
| Art. 13 | Transparency | Desktop streaming and OpenTelemetry telemetry |
| Art. 14 | Human Oversight | HITL approval queues (cost, confidence, content gates) |
| Art. 15 | Accuracy & Robustness | PII scanning + model allowlists in governance policy |
| Art. 26 | Deployer Obligations | Cost governance: daily budgets and per-request limits |
| Art. 96 | Record-Keeping Obligations | Audit trail with 6-month minimum retention |

Compliance Statuses

Each article receives a score from 0 to 100:

| Status | Score Range | Meaning |
|---|---|---|
| compliant | 100 | All requirements met |
| partial | 40-70 | Some requirements met, remediation available |
| non_compliant | 0-20 | Requirements not met |

The overall score is the average of all 8 article scores.

Getting Your Score

```bash
# Quick summary
curl https://api.curate-me.ai/gateway/admin/compliance/score \
  -H "X-CM-API-Key: cm_sk_xxx"
```

```json
{
  "overall_score": 72.5,
  "total_articles": 8,
  "compliant_count": 4,
  "partial_count": 3,
  "non_compliant_count": 1,
  "fixes_available": 3
}
```

```bash
# Full report with per-article details and remediation steps
curl https://api.curate-me.ai/gateway/admin/compliance/report \
  -H "X-CM-API-Key: cm_sk_xxx"
```
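The following Python check is an added example, not part of Curate-Me's own code. It validates a score summary before it is used as a deployment gate: the status counts must add up to total_articles, overall_score must be achievable given the score bands in the Compliance Statuses table, and a local policy is applied. The thresholds min_overall and max_non_compliant are hypothetical policy values, and the check assumes every article score lies inside the band for its status.

```python
import json

# Score bands from the "Compliance Statuses" table: status -> (min, max).
BANDS = {"compliant": (100, 100), "partial": (40, 70), "non_compliant": (0, 20)}
FIELDS = ["overall_score", "total_articles"] + [f"{s}_count" for s in BANDS]

# Constructed sample: the summary response shown on this page.
SAMPLE = json.loads("""{"overall_score": 72.5, "total_articles": 8,
  "compliant_count": 4, "partial_count": 3, "non_compliant_count": 1,
  "fixes_available": 3}""")


def feasible_range(summary):
    """Lowest and highest average the per-status counts allow."""
    n = summary["total_articles"]
    lo = sum(summary[f"{s}_count"] * band[0] for s, band in BANDS.items()) / n
    hi = sum(summary[f"{s}_count"] * band[1] for s, band in BANDS.items()) / n
    return lo, hi


def check_summary(summary, min_overall=80.0, max_non_compliant=0):
    """Return findings; an empty list means the gate passes.

    min_overall and max_non_compliant are hypothetical local policy values.
    """
    missing = [f for f in FIELDS if f not in summary]
    if missing:
        return [f"missing fields: {missing}"]
    if summary["total_articles"] <= 0:
        return ["total_articles must be positive"]
    findings = []
    counted = sum(summary[f"{s}_count"] for s in BANDS)
    if counted != summary["total_articles"]:
        findings.append(f"status counts sum to {counted}, not total_articles")
    else:
        lo, hi = feasible_range(summary)
        if not lo <= summary["overall_score"] <= hi:
            findings.append(f"overall_score outside feasible range {lo}-{hi}")
    if summary["overall_score"] < min_overall:
        findings.append(f"overall_score below policy minimum {min_overall}")
    if summary["non_compliant_count"] > max_non_compliant:
        findings.append("non_compliant articles exceed policy maximum")
    return findings


if __name__ == "__main__":
    for finding in check_summary(SAMPLE):
        print("FAIL:", finding)
```

For the sample response, 4 compliant, 3 partial and 1 non_compliant article bound the average between 65.0 and 78.75, so the reported 72.5 is consistent with the counts.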

One-Click Remediation

When an article is partial or non_compliant, the report includes a one_click_fix identifier. Apply it with a single API call:

```bash
curl -X POST https://api.curate-me.ai/gateway/admin/compliance/remediate/art_9 \
  -H "X-CM-API-Key: cm_sk_xxx"
```

Available one-click fixes:

| Fix ID | What It Does |
|---|---|
| enable_governance_policy | Creates a governance policy with all safeguards enabled |
| enable_pii_scanning | Enables PII scanning with block action |
| enable_hitl | Sets HITL cost threshold to $5.00 |
| enable_daily_budget | Sets daily budget to $50 and per-request limit to $1.00 |
| enable_desktop_streaming | Enables desktop streaming feature flag |

After applying a fix, the API returns the new score for that article.

Dashboard

The compliance dashboard, found under Compliance in the sidebar, shows:

  • Overall compliance score with visual indicator
  • Per-article breakdown with status badges
  • Remediation steps sorted by priority
  • One-click fix buttons for each actionable item

Audit Trail Export

Export your audit trail for regulators or internal review:

```bash
# Export as JSON
curl "https://api.curate-me.ai/gateway/admin/compliance/export?format=json&start_date=2026-01-01&end_date=2026-03-14" \
  -H "X-CM-API-Key: cm_sk_xxx"

# Export as CSV
curl "https://api.curate-me.ai/gateway/admin/compliance/export?format=csv" \
  -H "X-CM-API-Key: cm_sk_xxx"
```

Export with a reason for chain-of-custody:

```bash
curl -X POST https://api.curate-me.ai/gateway/admin/compliance/export \
  -H "X-CM-API-Key: cm_sk_xxx" \
  -H "Content-Type: application/json" \
  -d '{
    "format": "json",
    "reason": "Q1 2026 regulatory review",
    "include_runner_events": true,
    "include_gateway_events": true
  }'
```

All exports are logged to the audit trail with the accessor, timestamp, and reason.

Feature Flag

The compliance engine is gated behind FF_COMPLIANCE_DASHBOARD. When disabled, all compliance endpoints return 404.

Backend Implementation

| File | Purpose |
|---|---|
| src/services/runner_control_plane/compliance_engine.py | Compliance scoring, article checks, remediation handlers |
| src/gateway/gateway_compliance.py | Admin API routes (score, report, articles, remediate) |
| src/gateway/gateway_compliance_export.py | Audit export routes (JSON/CSV, chain-of-custody) |
| apps/dashboard/app/(dashboard)/compliance/page.tsx | Dashboard compliance page |