The EU AI Act enforcement date for high-risk AI systems is August 2, 2026 - 116 days from today. This roadmap breaks down exactly what Python teams need to implement, month by month, to reach compliance before the deadline. If your team runs autonomous agents (LangChain, CrewAI, AutoGen, or custom), this is your playbook.
I've run compliance scans on 50+ Python AI projects in the past three months. The baseline is grim: most score 1 out of 6 on the compliance checklist. A typical LangChain agent ships with zero audit trails, no human oversight controls, no technical documentation, and no record-keeping infrastructure. The frameworks are excellent at orchestration. They're not built for compliance.
Here's what we see in raw numbers:
The good news: none of this is hard to fix. It just takes planning and four months of methodical implementation. Let's walk through it.
Before we map the timeline, here are the six technical requirements from Articles 9-15. Each one has a specific June-level deadline.
| Article | Requirement | By When |
|---|---|---|
| Article 9 | Risk management plan - identify failure modes, mitigations, monitoring | June 1 |
| Article 10 | Data governance - input validation, PII detection, data retention policy | June 1 |
| Article 11 | Technical documentation - model cards, system architecture, known limitations | June 15 |
| Article 12 | Automatic recording - HMAC-SHA256 audit trails, tamper-evident logging | May 15 |
| Article 13 | Transparency information - explain to users how the AI system works | June 30 |
| Article 14 | Human oversight - approval workflows, override capability, user identity binding | July 15 |
Notice the clustering: Articles 9-10 are risk + data (May), Articles 11-13 are docs + transparency (June), Article 14 is oversight (July). That's exactly how we'll sequence the roadmap.
Spend this month answering: where do we stand? What's the scope? How much work are we actually looking at?
Week 1-2: Run your baseline compliance scan.
Install air-compliance and scan every Python agent file in your codebase:
pip install air-compliance
python -m air_compliance scan --path . --output report.json
This reads your LangChain, CrewAI, AutoGen, or custom agent code and scores you against all six articles. The output JSON shows exactly which articles are failing and why. Most teams will see something like:
{
"Article 9 (Risk Management)": "FAIL",
"Article 10 (Data Governance)": "FAIL",
"Article 11 (Technical Docs)": "FAIL",
"Article 12 (Audit Trails)": "FAIL",
"Article 13 (Transparency)": "FAIL",
"Article 14 (Human Oversight)": "FAIL",
"overall_score": "1/6"
}
Expected result: you'll fail everything. That's normal. This is your baseline.
Week 2-3: Document your AI systems.
For every Python agent you run in production, create a simple one-page summary:
This becomes your system inventory. You can't build a compliance roadmap without knowing what you're complying with.
Week 3-4: Set up audit infrastructure.
Create a compliance/ directory in your repo:
compliance/
risk_management.md
data_governance.md
technical_docs.md
audit_trails.md
transparency.md
human_oversight.md
These six files will hold all your compliance documentation by August. Start each with a stub outline. End of April deliverable: one-pager per agent system + six empty compliance markdown files.
Articles 9 (risk management) and 10 (data governance) are the foundation. Everything else builds on them. Spend May filling these out.
Article 9: Risk Management Plan.
Write a one-page risk management plan per agent. Answer:
Use a simple table. Here's a real example for a resume-screening agent:
| Failure Mode | Likelihood | Impact | Mitigation |
|---|---|---|---|
| Rejects qualified candidates due to protected attribute bias | Medium | High (discrimination risk) | Monthly audit of rejections vs. hires by demographic; human review of top-20 rejections weekly |
| Hallucinates interview feedback that wasn't said | Low | High (liability) | System prompt constraints; human HR review of all screening notes before candidate contact |
| Processes PII without retention policy | High | High (GDPR + Art 10) | Auto-delete resume data after 90 days; no PII in system prompts |
| Runs out of API budget mid-recruitment cycle | Medium | Medium (operational) | Set monthly spend alerts at 70% threshold; have CPU-based fallback model |
This goes in compliance/risk_management.md. Total time: 4-6 hours per agent.
Article 10: Data Governance.
Write your data governance policy:
Example data governance policy for a legal document analyzer:
INPUT VALIDATION:
- Accepts: PDF, DOCX, TXT files, max 50 MB
- Rejects: executable files, images without OCR, files with binary content
- Schema validation: all files must be readable text-like
PII DETECTION:
- Scans inputs for: name, SSN, email, phone, DOB, credit card
- Scans outputs for: same + legal case numbers + medical record IDs
- Action on detection: redact from logs, alert compliance team, do not send to external API
DATA RETENTION:
- Logs: 90 days
- Audit trails: 5 years (legal requirement)
- Training data: deleted immediately after processing
- User consent: logged and retained for audit trail lifetime
DATA ACCESS:
- Operators: read-only access to audit logs
- Compliance team: full access to audit export
- Researchers: anonymized data only
- Export: signed audit trail with HMAC verification
Put this in compliance/data_governance.md. Total time: 4-6 hours per agent.
May Deliverable: Completed risk management plans and data governance policies for all production agents. Second air-compliance scan should show improvement in Articles 9 and 10.
Articles 11 (technical docs) and 13 (transparency) are heavy on paperwork. Your June is documentation month.
Article 11: Technical Documentation.
Create a model card for every agent. This is an open standard that regulators recognize. It answers:
Example model card for a hiring assessment agent (shortened):
MODEL CARD: HiringAssess v2
MODEL OVERVIEW
- Base model: GPT-4-turbo (OpenAI)
- Fine-tuning: 500 examples of real candidate assessments
- Deployment: LangChain Agent with CrewAI orchestration
- Framework version: LangChain 0.1.4, CrewAI 0.2.1
INTENDED USE
- Support recruitment teams in evaluating technical candidates
- NOT for final hiring decisions; humans make those
- Intended for initial resume screening and interview assessment
LIMITATIONS
- Does not evaluate soft skills well (leadership, communication)
- Struggles with non-English resumes
- Biased toward common university names and traditional backgrounds
EVALUATION
- Precision on "recommend interview": 82%
- Recall on "recommend interview": 78%
- Tested on 200 real candidates with known outcomes
KNOWN ISSUES
- Underestimates candidates from non-traditional backgrounds (13% lower score)
- Overweights company name in resume (needs prompt injection hardening)
- Hallucinates job titles 2% of the time
PERFORMANCE BY GROUP
- Women: 79% precision, 76% recall (slight negative disparity)
- Men: 84% precision, 80% recall
- White candidates: 82% precision
- BIPOC candidates: 74% precision (8pt gap - being addressed in v3)
This goes in compliance/technical_docs.md. You'll need one per agent. Total time: 6-8 hours per agent.
Article 13: Transparency Information.
Write the text that appears to end users explaining how your agent works. This should be clear to a non-technical person. Example for a customer service chatbot:
How This Support Agent Works
When you ask a question, this agent uses artificial intelligence (a large language model from OpenAI) to understand your question and draft a response. A human support specialist always reviews and approves the response before it reaches you.
The agent cannot:
- Process payment information
- Make refund decisions (humans do)
- Access your personal account data
The agent can:
- Answer common questions about product features
- Escalate complex issues to a human specialist
- Learn from feedback to improve future responses
If you want to speak to a human, type "human agent" at any time. If you think the AI made a mistake, let us know and we'll improve it.
Put this in compliance/transparency.md. Total time: 1-2 hours per agent.
June Deliverable: Model cards + transparency statements for all agents. Third compliance scan should show significant improvement in Articles 11 and 13. You're now at 3/6 minimum.
Article 14 is the operational requirement: humans have to be in the loop. This is where code meets process. July is implementation month.
Article 14: Human Oversight.
For every high-risk agent, implement one of three oversight patterns:
Pattern 1: Full approval before action (safest). Agent makes recommendation, human approves or rejects before any action. Example: resume screening. Use this for high-stakes decisions.
Agent → generates recommendation (hire/reject)
Compliance system → agent waits
Human reviewer → approves recommendation
System → executes decision (email sent, record created)
Pattern 2: Execute then monitor (faster). Agent acts immediately, human reviews within N hours. Example: content moderation on social media. Use this for time-sensitive decisions with reversible actions.
Agent → takes action (flags post as spam)
Compliance system → records action in audit trail
Human reviewer → audits flagged decisions daily
System → reverses mistaken actions within 24h
Pattern 3: Escalation for high-uncertainty (hybrid). Agent decides when confident, escalates low-confidence cases to human. Example: fraud detection. Use this for high-volume, varying-risk scenarios.
Agent → analyzes transaction
If confidence > 95% → auto-allow or auto-block
If confidence 60-95% → escalate to human analyst
If confidence < 60% → always escalate
Pick one pattern per agent and document it. Then implement the approval workflow. If you use Slack, email, or a web dashboard, integrate the agent's output there so humans can actually review it in their workflow.
Add audit trails with air-trust:
pip install air-trust
import air_trust
from crewai import Crew
crew = Crew(agents=[...], tasks=[...])
crew = air_trust.trust(crew) # Adds audit logging
result = crew.kickoff()
That single line adds HMAC-SHA256 signed audit logging to every agent action. Article 12 compliance (audit trails) happens here.
Integration testing (end-to-end).
Run a full compliance test of your agent system:
Do this with 10-20 representative test cases per agent. Make sure the whole flow actually works before August.
July Deliverable: Oversight workflows implemented for all agents. Audit trails running in production. Full integration testing complete. Fourth compliance scan should show 5/6 or 6/6.
One week before the deadline, do final verification:
python -m air_compliance scan --strict. Must pass 6/6.python -m air_trust verify. Chain must be unbroken.python -m air_trust export --format json > audit_export.jsonIf all checks pass, you're done. You have 116 days from today to get here.
Right now, this minute, run air-compliance and see where you stand:
pip install air-compliance
python -m air_compliance scan --path /path/to/agents --output report.json
cat report.json
You'll get a JSON report like this:
{
"codebase": "/path/to/agents",
"timestamp": "2026-04-08T14:32:00Z",
"frameworks_detected": ["langchain", "crewai"],
"agents_found": 3,
"articles": {
"article_9_risk_management": {
"status": "FAIL",
"score": 0,
"findings": ["No risk management documentation found"]
},
"article_10_data_governance": {
"status": "FAIL",
"score": 0,
"findings": ["No PII detection", "No data retention policy"]
},
"article_11_technical_docs": {
"status": "FAIL",
"score": 0,
"findings": ["No model card", "No technical documentation"]
},
"article_12_audit_trails": {
"status": "FAIL",
"score": 0,
"findings": ["No audit trail infrastructure", "No HMAC signing"]
},
"article_13_transparency": {
"status": "FAIL",
"score": 0,
"findings": ["No user-facing documentation", "No system explanation"]
},
"article_14_human_oversight": {
"status": "FAIL",
"score": 0,
"findings": ["Agent is fully autonomous", "No approval workflow"]
}
},
"overall_score": "0/6",
"compliance_percentage": 0,
"estimated_work_hours": 240,
"recommended_start_date": "2026-04-08"
}
The estimated_work_hours field tells you rough effort. For most teams: 240-280 hours over 4 months. That's roughly 15-17 hours per week, or one person's part-time effort, or a small team's portion of capacity.
To add audit trails immediately:
pip install air-trust
# For LangChain
from langchain_openai import ChatOpenAI
import air_trust
llm = ChatOpenAI(model="gpt-4")
llm = air_trust.trust(llm)
# For CrewAI
from crewai import Crew
import air_trust
crew = Crew(agents=[agent1, agent2], tasks=[task1])
crew = air_trust.trust(crew)
# Then run as normal - audit trails happen automatically
That's Article 12 done. Takes 10 minutes to add to an existing agent.
LangChain agents: LangChain is agent-ready but compliance-empty. Add air-trust, write a model card focusing on the LLM version and chain structure, implement a tool approval layer (only approved tools can run), and add PII detection to the input validator. Most work goes to the approval UI. Estimated effort: 180 hours for a 3-agent system.
CrewAI agents: CrewAI's agent abstraction is cleaner but still lacks oversight. Add air-trust, write risk management and data governance docs focusing on role-based access control, implement a task approval workflow (tasks are the unit of approval), add human review of tool outputs before they're used in subsequent tasks. Estimated effort: 160 hours for a 3-agent system.
AutoGen agents: AutoGen's human-in-the-loop is already built-in (agents can request human feedback). Leverage that. Add air-trust, implement the approval code path, document the conversation context, audit all data flowing between agents. Estimated effort: 140 hours for a 3-agent system.
Custom Python agents: You have full control. Add air-trust at the LLM client level (OpenAI SDK, Anthropic SDK, etc.), write all six compliance docs from scratch, implement approval workflows in your orchestration layer. Estimated effort: 220 hours for a 3-agent system.
August 2, 2026 is hard enforcement. After that, the EU AI Act applies. High-risk systems deployed without compliance documentation face:
The fine is real. The EU has fined Meta €400M+ for GDPR violations. The precedent is set. For AI systems post-August 2, they will fine at the scale they've threatened.
If you're in the EU market (customer data is in EU or customers use your system in EU), you must comply. If you're only in US/APAC, you can skip this. But if you want EU revenue, do it.
August 2, 2026. That's 116 days from today (April 8, 2026). The EU AI Act Articles 9-15 apply to all high-risk AI systems deployed in the EU starting that date. If your agent is deployed before that date with compliance documentation, you're grandfathered in with a brief transition period. If you deploy after without documentation, you're in violation immediately.
Autonomous AI agents used for real-world decision-making in specific use cases listed in Annex III of the EU AI Act. That includes recruitment, criminal justice, benefits/entitlements, critical infrastructure, education, and content moderation. If your Python agent can take action without human approval at each step, it's almost certainly high-risk.
4-6 months for a typical team starting from zero. The roadmap breaks it into four one-month chunks: April (assessment), May (risk + data), June (docs + transparency), July (oversight + testing). The critical path is documentation and human oversight workflows, not code. Most LangChain/CrewAI teams spend 70% of effort on paperwork, 30% on code changes.
Administrative fines of 6% of global annual revenue or €30 million (whichever is higher). Market access suspension. Mandatory third-party audit at your expense. Corrective action orders from regulators. The EU has already established precedent fining tech companies at this scale for other regulations (GDPR, Digital Markets Act).
Not without modification. Most frameworks score 1/6 on baseline compliance. They lack audit trails, human oversight, technical documentation, and risk management infrastructure. You must add air-trust for audit logging, build approval workflows, and generate all six documentation packages. This is 60% of your total compliance effort.
Run python -m air_compliance scan --strict. If you score 6/6 on all six articles, you're done. Verify your audit trail is unbroken (python -m air_trust verify). Export your audit trail for regulators. Compile all documentation into a single compliance package. You should be able to hand this package to a regulator and prove full compliance.
Start your compliance roadmap today:
pip install air-compliance air-trust
Get Started · 6 Technical Checks · Compliance Mapping · Add Audit Trails