acf.map-ai-act-obligations
Exhaustive enumeration of the AI Act obligations applicable to a qualified use case — split by lifecycle phase (pre-go-live / continuous / on-incident), with articles, deadlines (including Digital Omnibus deferrals), operational actions, and expected evidence.
!Warning
This tool produces a preliminary regulatory map, not legal advice.
requires_human_review is always true. Deadlines reflect the AI Act 2024/1689 calendar frozen in the regulatory_snapshot — a lawyer must validate fit to the concrete case before any filing or inspection.When to use
Use this tool when a system has already been qualified — typically as Annex III high-risk, Annex I, or out of scope — and you now need the exhaustive list of AI Act articles that apply, in what phase, on what applicable date, and what evidence must be ready. This is the output that feeds a compliance plan or the answer to an inspector.
The board-level question the output answers: “What are we accountable for, to whom, and by when?” The critical_path surfaces the five pre-go-live obligations not deferred by Digital Omnibus — the ones to close before any other work.
Input parameters
Five fields, four required. The annex and provider_or_deployer qualification must already be settled upstream (typically by acf.classify-agent or by a lawyer).
annex"iii" | "i" | "none"requiredAI Act risk category already qualified. iii = Annex III high-risk (HR, biometrics, critical infrastructure…); i = Annex I (toys, machinery, regulated medical devices); none = out of high-risk scope.
use_casestring (10-500)requiredUse-case description. Used to fire internal business rules (recruitment, credit scoring, etc.) that add specific ACF® cards and obligations.
provider_or_deployer"provider" | "deployer" | "both"requiredCaller’s AI Act role. deployer adds Art. 26 and Art. 27 (FRIA); provider adds the Art. 9-15 chain + Art. 43.
gpai_usedbooleanDoes the system use a GPAI (general-purpose LLM) under the hood? Activates GPAI obligations Art. 51-55 and strengthens Art. 50 (transparency).
locale"en" | "fr"default: "en"Language of the textual output (article titles, rationales).
Output schema
The output is a structured object splitting obligations by lifecycle phase, plus metadata and signed footer.
obligations{ pre_go_live: Obligation[], continuous: Obligation[], on_incident: Obligation[] }Obligations classified by phase. Each Obligation carries article, title, requirement, deadline, linked ACF® fiches, operational_actions, evidence_required, and digital_omnibus_deferred.
total_countnumberTotal number of obligations across all phases.
critical_pathstring[]Up to five pre-go-live obligations not deferred by Digital Omnibus — the list to close as top priority.
confidence"low" | "medium" | "high"Global confidence level. low if annex=none but rules fired on the use_case (contradiction).
assumptionsstring[]Explicit assumptions — for example, a detected contradiction between the declared annex and the rules that fired.
gaps_to_validatestring[]Identified gaps that the human review must close before acting on the map.
rationale_per_ruleRationaleRecord[]Per-internal-rule trace: id, version, fired (true/false), textual evidence. Feeds the signed audit trail.
requires_human_reviewtrueConstant. No call returns false.
Example call
A deployer of a CV screening agent (Annex III §4 — employment):
map-obligations.tstypescript
import { Client } from "@modelcontextprotocol/sdk/client/index.js";
import { StdioClientTransport } from "@modelcontextprotocol/sdk/client/stdio.js";
const transport = new StdioClientTransport({
command: "npx",
args: ["-y", "acf-mcp"],
});
const client = new Client({ name: "demo", version: "1.0" }, {});
await client.connect(transport);
const result = await client.callTool({
name: "acf.map-ai-act-obligations",
arguments: {
annex: "iii",
use_case:
"Automated CV screening agent that ranks candidates for a software-engineering role. Outputs a shortlist that recruiters use as a starting point.",
provider_or_deployer: "deployer",
gpai_used: true,
locale: "en",
},
});
console.log(JSON.stringify(result.content, null, 2));Response
response.jsonjson
{
"obligations": {
"pre_go_live": [
{
"article": "art-9",
"title": "Risk management system",
"requirement": "Establish, implement, document, maintain a risk management system across the lifecycle.",
"deadline": "2027-12-02",
"fiches": ["ACF-02", "ACF-09"],
"operational_actions": [
"Stand up risk register",
"Define risk methodology",
"Review quarterly"
],
"evidence_required": ["Risk register", "Methodology doc"],
"digital_omnibus_deferred": true
},
{
"article": "art-10",
"title": "Data and data governance",
"requirement": "Training/validation/testing data sets governance + quality requirements.",
"deadline": "2027-12-02",
"fiches": ["ACF-08"],
"operational_actions": [
"Document data sources",
"Run bias evaluation",
"Document data drift monitoring"
],
"evidence_required": ["Data inventory", "Bias evaluation report"],
"digital_omnibus_deferred": true
},
{
"article": "art-11",
"title": "Technical documentation",
"requirement": "Maintain technical documentation per Annex IV.",
"deadline": "2027-12-02",
"fiches": ["ACF-04"],
"operational_actions": ["Author Annex IV-aligned tech doc"],
"evidence_required": ["Technical documentation"],
"digital_omnibus_deferred": true
},
{
"article": "art-13",
"title": "Transparency to deployers",
"requirement": "Provide instructions for use that allow the deployer to interpret outputs.",
"deadline": "2027-12-02",
"fiches": ["ACF-04"],
"operational_actions": [
"Draft instructions for use",
"Translate to operating languages"
],
"evidence_required": ["Instructions for use"],
"digital_omnibus_deferred": true
},
{
"article": "art-50",
"title": "Transparency on AI/GPAI",
"requirement": "Disclose AI usage to natural persons interacting with the system.",
"deadline": "2026-08-02",
"fiches": ["ACF-04"],
"operational_actions": ["Add disclosure on every user surface"],
"evidence_required": ["Disclosure copy"],
"digital_omnibus_deferred": false
}
],
"continuous": [
{
"article": "art-15",
"title": "Accuracy, robustness, cybersecurity",
"requirement": "Maintain accuracy, robustness, cybersecurity levels appropriate to the use.",
"deadline": "continuous",
"fiches": ["ACF-06"],
"operational_actions": [
"Define accuracy KPIs",
"Run robustness tests",
"Define cybersecurity controls"
],
"evidence_required": ["KPI dashboards", "Pen test reports"],
"digital_omnibus_deferred": false
},
{
"article": "art-26",
"title": "Deployer obligations",
"requirement": "Instructions, monitoring, fundamental rights impact assessment.",
"deadline": "2027-12-02",
"fiches": ["ACF-12"],
"operational_actions": [
"Run fundamental rights IA",
"Document monitoring plan"
],
"evidence_required": ["FRIA report", "Monitoring plan"],
"digital_omnibus_deferred": true
},
{
"article": "art-27",
"title": "Fundamental rights impact assessment",
"requirement": "Mandatory FRIA for high-risk deployers in some sectors.",
"deadline": "2027-12-02",
"fiches": ["ACF-12"],
"operational_actions": ["Author FRIA"],
"evidence_required": ["FRIA"],
"digital_omnibus_deferred": true
},
{
"article": "art-72",
"title": "Post-market monitoring",
"requirement": "Establish a post-market monitoring system.",
"deadline": "continuous",
"fiches": ["ACF-06"],
"operational_actions": ["Define post-market monitoring plan"],
"evidence_required": ["Monitoring reports"],
"digital_omnibus_deferred": false
}
],
"on_incident": [
{
"article": "art-79",
"title": "Serious incident reporting",
"requirement": "Report serious incidents to authorities within 15 days.",
"deadline": "on-incident",
"fiches": ["ACF-09"],
"operational_actions": [
"Define incident classification + reporting playbook"
],
"evidence_required": ["Incident reports"],
"digital_omnibus_deferred": false
}
]
},
"total_count": 10,
"critical_path": [
"art-50: Transparency on AI/GPAI",
"art-15: Accuracy, robustness, cybersecurity"
],
"confidence": "high",
"assumptions": [],
"gaps_to_validate": [
"Confirm provider_or_deployer qualification — it changes the obligation set.",
"Confirm GPAI usage — Article 50 transparency obligation depends on it."
],
"requires_human_review": true,
"rationale_per_rule": [
{
"rule_id": "annex-iii.recruitment",
"rule_version": "2026-06",
"fired": true,
"evidence": "Use case mentions CV screening + candidate ranking — Annex III §4 (employment) triggered."
}
],
"doctrine_version": "ACF framework v1.0 / rules 2026-06",
"doctrine_hash": "sha256:bf0b6d8e4731ebdc58f6d6338702c5b74af47874cf0ad3dc958cde5c5b30b9dc",
"doctrine_signature": "ed25519:…",
"doctrine_archive_url": "https://acfstandard.io/doctrine/v1.0/archive.json",
"regulatory_snapshot": "EU AI Act 2024/1689 · GDPR 2016/679 · ISO 42001:2023 · NIST AI RMF 1.0 · COBIT 2019 — frozen 2026-06",
"generated_at": "2026-06-14T11:52:08.214Z",
"disclaimer": "Preliminary qualification only — not legal advice. Human review required."
}Common errors
InvalidEnumValue— annex receives something other than iii / i / none, or provider_or_deployer something other than provider / deployer / both. Fix to a canonical value.InputTooShort— use_case < 10 chars. A truncated description prevents business rules from firing — be specific.DoctrineSnapshotMismatch— the loaded regulatory snapshot does not match the requested doctrine_hash. Update acf-mcp or explicitly point at the archived version.
Related tools
acf.classify-agent— obtain the annex + provider_or_deployer qualification before calling this tool.acf.assign-ddao-controls— translate obligations into concrete DDAO controls with budget and estimated effort.acf.regulation.article— fetch the verified text of a specific AI Act article cited in the map.