EU AI Act · Compliance Framework
How a Helios world model maps to the obligations of the EU AI Act across risk classification, transparency, human oversight, robustness, and post-market monitoring. Auditor-ready.
Purpose
This document maps the Helios substrate to the obligations of the EU AI Act for high-risk AI systems. It is intended for compliance officers, internal audit teams, DPAs, and procurement reviewers. It is auditor-ready: every claim references a substrate property and the artefact that demonstrates it.
Risk classification
A Helios world model deployed for institutional decisions is treated as a high-risk AI system under the EU AI Act. The substrate is designed against the obligations applicable to that class: risk management, data governance, technical documentation, transparency, human oversight, accuracy and robustness, and post-market monitoring.
Risk management system
The substrate implements a continuous risk management process: known risks are catalogued with the controls that mitigate them, residual risks are documented, and emerging risks are surfaced through adversarial review (see Project Athena). The risk register is versioned with the substrate.
Data governance
Data inside the substrate is typed, versioned, and bound to provenance contracts. Training and operational data are separable. Personal data is processed under GDPR Article 22 obligations: every automated decision is traceable, explainable, and reviewable at the level the regulator and the data subject require.
Technical documentation
The substrate generates its own technical documentation as a property of the runtime. Architecture diagrams, data flow records, reasoning composition logs, and policy artefacts are produced continuously. A regulator inquiry does not require a documentation project, it requires a query.
Human oversight
The substrate is designed to be operated by humans, not in place of humans. Every recommendation can be reviewed at the level of evidence, reasoning composition, and policy enforcement. Refusal is supported as a first-class output. Critical actions require typed human sign-off, recorded with the substrate.
Accuracy and robustness
Accuracy is measured at the decision level, not the prediction level. Robustness is tested through adversarial governance (Project Athena), drift detection across nested time-scales, and provenance-aware replay of prior states. The substrate exposes its own confidence and refuses outside its support.
Post-market monitoring
The substrate monitors itself in production. Drift, anomaly, governance violation, and outcome divergence are continuously evaluated. Incidents are reported under DORA timelines for financial sector clients. The post-market monitoring is part of the runtime, not a separate compliance pipeline.
Papadopoulos, L. (2025). EU AI Act · Compliance Framework. Helios Brain · Governance Document, HB-005.
