EU AI Act readiness in your CLI

The EU AI Act is the first major AI regulation with criminal teeth. It applies to providers, deployers, and importers — and if you operate in the EU at all, you are one of those. Banks, recruiters, healthcare providers, education platforms, and law-enforcement vendors get the most scrutiny.

How the classifier works

Reframe Harness runs a small policy-driven classifier on every prompt and tool call:

  • Annex II (prohibited) — social scoring, untargeted scraping of facial images, exploitative manipulation. Blocked outright.
  • Annex III (high-risk) — employment, education, essential services, law enforcement, migration, justice. Blocked unless a human-oversight token is attached, with a conformity-assessment record on file.
  • GPAI — general-purpose AI obligations (technical documentation, transparency, model cards). Logged and surfaced.

The classifier is part of the signed policy bundle. Your legal and compliance teams own the policy; engineers cannot bypass it.

The "approval id" pattern

For legitimate high-risk uses (e.g. employment screening with a documented human oversight process), the harness accepts an `--approval-id` token tied to a signed conformity-assessment record. The audit log captures the approval id, the human reviewer, the timestamp, and the policy version in force.
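The gate described above, as an added example that is not Reframe Harness code: it takes the classifier's tier, checks the approval record's signature, and returns the audit entry with the four fields the log captures. The tier strings, record fields, function names, and the shared-key HMAC are assumptions made for illustration, since the page does not say how records are signed.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo values. A shared HMAC key stands in for whatever signature
# scheme the real policy bundle uses; the page does not specify one.
SIGNING_KEY = b"constructed-demo-key"
POLICY_VERSION = "demo-policy-1"

def sign_record(record):
    """HMAC-SHA256 over the canonical JSON form of an approval record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()

def gate(tier, approval=None, signature=""):
    """Decide one classified request and return its audit-log entry.

    tier is the classifier output: 'prohibited', 'high-risk' or 'gpai'.
    """
    entry = {
        "tier": tier,
        "decision": "block",  # fail closed, including for unknown tiers
        "approval_id": None,
        "reviewer": None,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "policy_version": POLICY_VERSION,
    }
    if tier == "gpai":
        entry["decision"] = "allow-logged"
    elif tier == "high-risk" and approval is not None:
        expected = sign_record(approval).encode()
        # Constant-time compare; a record edited after signing will not match.
        if hmac.compare_digest(expected, signature.encode()):
            entry.update(
                decision="allow",
                approval_id=approval["approval_id"],
                reviewer=approval["reviewer"],
            )
    # 'prohibited' never reaches an allow branch: no token unlocks it.
    return entry

# Constructed approval record and its signature.
APPROVAL = {"approval_id": "APP-0001", "reviewer": "reviewer@example.com"}
APPROVAL_SIG = sign_record(APPROVAL)
```
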

What happens at audit time

Run `reframe audit export --frameworks eu-ai-act` and you get the technical-documentation bundle (Article 11), the conformity-assessment evidence (Article 43), the post-market monitoring records (Article 72), and the incident-reporting log (Article 73). All cross-linked, all signed.


See Reframe Harness in your environment

Bring your policy, your model, your data. We'll show the harness running inside your tenant in under a week.
