Show HN: Open-source EU AI Act compliance layer for AI agents (8/2026 deadline)
Trust layers for LangChain, CrewAI, AutoGen, OpenAI Agents SDK, and RAG pipelines — each is a pip install that hooks into your existing agent code with ~3 lines of setup HMAC-SHA256 tamper-evident audit chains — every agent decision, tool call, and LLM interaction gets logged to a chain that regulators can verify ConsentGate — risk-classifies tool calls and blocks critical operations until approved InjectionDetector — 15+ weighted patterns scanning prompts before they reach the model WriteGate + DriftDetector (for RAG) — prevents knowledge base poisoning and detects retrieval anomalies Compliance scanner — pip install air-compliance && air-compliance scan ./my-project tells you exactly which articles you're missing
Everything maps to specific EU AI Act articles (9, 10, 11, 12, 14, 15). Zero vendor lock-in, Apache 2.0, zero core dependencies on the trust layers. The scanner is probably the fastest way to understand where your gaps are. It takes about 3 seconds to run on a typical project. GitHub: https://github.com/airblackbox PyPI: pip install air-compliance Happy to answer questions about what the EU AI Act actually requires for AI agent deployments — we've read the full regulation and mapped it to specific technical controls.
5 comments
[ 2.4 ms ] story [ 17.8 ms ] threadOne thing worth flagging: for high-risk systems under Annex III, audit logging is just one of ~25 compliance items. The August 2026 deadline also requires complete technical documentation (Annex IV), a risk management system (Article 9), data governance practices (Article 10), human oversight mechanisms (Article 14), and a post-market monitoring plan (Article 72). The documentation requirement alone covers 7 sections.
The tooling space is evolving fast, EuConform does offline-first risk classification, Holistic AI offers readiness assessments for enterprises, and Annexa (I'm building this) goes from risk classification to generating the full Annex IV technical documentation dossier by analyzing your actual codebase. Different tools cover different slices of compliance.
Worth noting: the Commission missed the Feb 2 deadline for Article 6 high-risk classification guidelines, and the Digital Omnibus proposal could push the Annex III deadline to December 2027. But smart money is still on preparing now, the proposal hasn't passed Parliament yet.
Deployment Link: https://www.tradeapollo.co/demo
The part teams consistently underestimate is the human oversight requirement under Article 14. It's not just logging that a human was in the loop, you have to demonstrate the human had meaningful ability to override, and that the system was designed to make that possible. That's an architecture decision, not a documentation task, and you can't bolt it on after.
What's the actual deployment context here — are you shipping this to customers who then run agents against EU data subjects, or is this internal tooling?