Ask HN: How are you handling EU AI Act compliance as a developer?
1 pointby gibs-dev5 hours ago1 comment
  • alexgarden5 hours ago
    We're building in this space so I'll share what we've learned rather than what we sell.

    The fundamental problem with Article 50 compliance isn't knowing the obligations — it's operationalizing them continuously. You can read Article 50 once and understand you need to: (1) notify users they're interacting with AI, (2) mark AI-generated content machine-readably, (3) disclose how decisions are made, and (4) maintain audit trails.

    The hard part is proving you actually did all four, consistently, across every agent interaction, in a way a regulator can independently verify. Documentation gets stale the moment you deploy. Logs can be edited. Self-attestation is just a trust claim.

    What we've found developers actually need:

        Fail-closed defaults. If your compliance check fails or times out, the agent shouldn't silently continue. That's the gap most teams miss.
    Machine-readable marking that's actually machine-readable. Not a disclaimer in the chat window — structured metadata a regulator's tooling can parse programmatically.
    Tamper-evident audit trails. Append-only, hash-chained, so you can prove nothing was deleted or reordered after the fact. This is the difference between "we logged it" and "we can prove we logged it."
    Cross-regulation awareness. If you're in fintech, DORA and AI Act overlap. If you handle personal data, GDPR and AI Act overlap. The compliance surface is the union, not the intersection.
    The teams I've seen doing this well treat it as an engineering problem from day one — SDK presets, CI/CD integration, automated conformity checks — not a quarterly legal review.

    157 days isn't a lot of runway.

    • gibs-dev5 hours ago

        Great breakdown. The fail closed point is underappreciated.
      I've seen teams bolt on compliance checks as middleware that silently degrades to "allow" on timeout. That's worse than no check at all because you have a false paper trail.

      Are you seeing anyone actually implement hash-chaining in production, or is this still theoretical for most teams? The regulation requires record-keeping but doesn't specify the technical standard, yet.

      The cross-regulation surface is what made me build what I built. DORA Article 19 incident reporting (4 hours) + GDPR Article 33 breach notification (72 hours) + AI Act Article 14 human oversight — hitting all three during a live incident with manual lookups is not realistic. That's an API problem, not a legal review problem.

      Curious what stack you're using for the audit trail side.

      Do share if you want. Dont mind

      • guerython5 hours ago
        We’re seeing both in production, but mostly in regulated orgs where auditability is part of procurement.

        Common implementation is append-only event log + periodic Merkle root anchoring (internal TSA or external timestamp service). Not blockchain, just verifiable ordering + immutability proofs during audits.

        Agree with your API point. The practical win is prebuilt control mappings (AI Act articles -> concrete checks + evidence fields) so incident response is data retrieval, not policy interpretation under time pressure.

        • gibs-dev4 hours ago
          The control mapping point is spot on. We took that approach. Structured JSON with article-level mappings so downstream systems can consume obligations programmatically.

          The Merkle root anchoring pattern is interesting. Do you anchor per-session or batch? Curious how you handle the latency tradeoff for the 4-hour DORA window where every minute of audit lag matters.