High-risk indicators detected — compliance review needed
This codebase contains 1 indicator(s) of high-risk AI functionality (Article 6). If this system is deployed in the EU in a high-risk context (e.g. credit scoring, employment, healthcare), it will be subject to mandatory obligations including risk management, data governance, human oversight, and technical documentation. A compliance review is recommended before deployment.
Scanned 1 file(s) · 0 prohibited · 1 high-risk · 0 limited-risk · 0 credential finding(s) · Generated 2026-07-09 23:35 UTC
| Article | EU AI Act | NIST AI RMF | ISO 42001 | UK ICO |
|---|---|---|---|---|
| Art. 9 | Risk Management System | GOVERN 1.1: Legal and regulatory requirements are identified, GOVERN 1.2: Trustworthy AI characteristics are integrated into organizational policies | 6.1: Actions to address risks and opportunities, A.5.3: AI risk management | DSIT Principle 1 — Safety, security and robustness: Risk management processes must identify and mitigate foreseeable harms before deployment; DSIT Principle 5 — Accountability and governance: Organisations must implement appropriate governance structures and assign clear accountability for AI risk |
| Art. 10 | Data and Data Governance | MAP 2.1: The specific tasks and methods for the AI system are defined, MAP 2.2: Information about the AI systems knowledge limits is documented | A.6.6: Data for AI systems, A.7.4: Documentation of data | ICO Data minimisation (Art. 5(1)(c) UK GDPR): Only personal data adequate, relevant and limited to what is necessary; ICO Storage limitation (Art. 5(1)(e) UK GDPR): Data not kept longer than necessary for training or evaluation |
| Art. 11 | Technical Documentation | MAP 1.1: Intended purposes, context of use, deployment are understood, MAP 1.2: Interdisciplinary AI actors, competencies, skills, and capacities for AI are documented | A.6.4: AI system documentation, 7.5: Documented information | DSIT Principle 5 — Accountability and governance: Document AI system design, data sources and intended purpose; ICO Accountability (Art. 5(2) UK GDPR): Maintain records of processing activities where AI processes personal data |
| Art. 12 | Record-Keeping | MEASURE 2.7: AI system evaluations are logged and documented, MEASURE 2.8: Measurement results are logged | A.6.10: Logging and monitoring | ICO Accountability (Art. 5(2) UK GDPR): Maintain records sufficient to demonstrate compliance with data protection principles; DSIT Principle 5 — Accountability and governance: Audit logs support post-incident review and regulatory enquiry |
| Art. 13 | Transparency and Provision of Information to Deployers | MAP 3.1: Approaches for mapping AI risks are established, MAP 3.2: AI system capabilities are documented | A.6.8: Transparency and explainability | DSIT Principle 2 — Appropriate transparency and explainability: Users should understand when AI is involved in decisions and how it works; ICO 'Explaining decisions made with AI': Meaningful information about AI-driven decisions must be provided to individuals |
| Art. 14 | Human Oversight | GOVERN 1.3: Processes for human oversight are defined, MAP 4.1: Approaches for mapping AI risks in deployment contexts are identified | A.6.3: Human oversight of AI systems | DSIT Principle 5 — Contestability and redress: Individuals should be able to challenge AI decisions; appropriate mechanisms must exist; ICO Art. 22 UK GDPR: Solely automated decisions with legal/significant effects require human review mechanism on request |
| Art. 15 | Accuracy, Robustness and Cybersecurity | MEASURE 1.1: Approaches for measurement of AI risks are documented, MEASURE 1.2: Appropriateness of AI metrics and effectiveness of measurement are evaluated | A.6.9: Performance and monitoring, A.8.1: Cybersecurity for AI | DSIT Principle 1 — Safety, security and robustness: AI systems must be technically secure and perform reliably across foreseeable contexts; ICO Accuracy (Art. 5(1)(d) UK GDPR): AI outputs used in decisions about individuals must be accurate; inaccurate outputs that lead to wrong decisions may breach UK GDPR |
| File | Risk Tier | Category | Confidence | Description | Remediation |
|---|---|---|---|---|---|
| app.py | HIGH-RISK | Annex III, Category 4 | 63 | Employment and workers management | Add human oversight before automated hiring/employment decisions Articles 9-15 (current law: Aug 2026; Omnibus agreed: Dec 2027 for Annex III) |