Compliance Matrix
Disclaimer: This matrix describes what Fuze supports today. Claims labelled "Partial" or "Not implemented" are on the roadmap. Labels updated: 2026-04-19.
Article-by-article mapping of EU AI Act requirements to Fuze features.
Coverage legend: Covered = Fuze directly satisfies the requirement | Partial = Fuze addresses part of the requirement; gaps noted | Not implemented = not yet available | Outside scope = provider/deployer responsibility, no runtime tool can address it
High-Risk System Requirements (Art. 8-15)
| Article | Description | Coverage | Notes |
|---|---|---|---|
| Art. 8 | Compliance with requirements | Outside scope | Organisational responsibility |
| Art. 9 | Risk Management System | Partial | Risk questionnaire + evidence upload in dashboard; no automated risk-tracking loop yet |
| Art. 10 | Data and Data Governance | Outside scope | Deployer responsibility |
| Art. 11 | Technical Documentation | Partial | Annex IV export (PDF) available; model cards not auto-generated |
| Art. 12 | Automatic Logging | Covered | Full JSONL trace per guarded call; HMAC hash chain (Python); TS hash chain on roadmap |
| Art. 13 | Transparency to Deployers | Partial | Trace replay with full decision context; model cards not auto-generated |
| Art. 14 | Human Oversight | Partial | Kill switch via dashboard and CLI; approval gates not yet implemented |
| Art. 15 | Robustness | Covered | Loop detection (iteration cap, hash dedup, stalled progress), side-effect compensation with LIFO rollback, token/step/wall-clock limits |
Provider and Deployer Obligations (Art. 16-27)
| Article | Description | Coverage | Notes |
|---|---|---|---|
| Art. 16 | Provider Obligations | Outside scope | Organisational responsibility |
| Art. 17 | Quality Management System | Outside scope | Organisational responsibility |
| Art. 18 | Documentation Keeping | Partial | Annex IV export covers technical documentation; QMS records are deployer responsibility |
| Art. 19 | Auto-Generated Logs | Covered (Python) / Partial (TS) | Python: append-only store + HMAC hash chain; TS: append-only store, no hash chain yet |
| Art. 20 | Corrective Actions | Partial | Guard events and traces surface issues; corrective workflow is deployer responsibility |
| Art. 26 | Deployer Monitoring Obligations | Partial | Dashboard provides runs list, agent health, trace replay; audit log of dashboard actions not yet implemented |
| Art. 27 | Fundamental Rights Impact Assessment | Partial | FRIA builder is on the Pro tier roadmap; not yet available |
Post-Market and Incident Reporting
| Article | Description | Coverage | Notes |
|---|---|---|---|
| Art. 72 | Post-Market Monitoring | Partial | Runtime metrics collected (tokens, steps, latency, guard-event rate); automated drift detection not implemented |
| Art. 73 | Serious Incident Reporting | Not implemented | Roadmap, no automated 72h/15d filing; manual process required |
GPAI Transparency
| Article | Description | Coverage | Notes |
|---|---|---|---|
| Art. 50 | Transparency for GPAI outputs (chatbots, deepfakes) | Not implemented | Disclosure system not yet designed or built; roadmap |
Summary
| Status | Articles |
|---|---|
| Covered | Art. 12, Art. 15, Art. 19 (Python) |
| Partial | Art. 9, Art. 11, Art. 13, Art. 14, Art. 18, Art. 19 (TS), Art. 20, Art. 26, Art. 27, Art. 72 |
| Not implemented | Art. 50, Art. 73 |
| Outside scope | Art. 8, Art. 10, Art. 16, Art. 17 |
Art. 12 in detail
What Fuze logs for every guarded function call:
| Data Point | Source |
|---|---|
| Start/end timestamps (ISO 8601) | Every @guard call |
| Agent identity | agent_id, version, model, provider |
| Tool call details | Name, args hash (raw opt-in via log_pii), result summary |
| Token counts | Tokens in/out extracted from LLM response; USD estimate where pricing table available |
| Guard decisions | proceed, loop_detected, limit_exceeded |
| Human oversight events | Who intervened, what they decided |
| Side-effect status | Real-world write flag, compensation status |
All Python records: append-only, HMAC-SHA256 hash-chained, queryable, exportable (JSON, CSV, PDF). TypeScript records: append-only; hash chain on roadmap. Configurable retention minimum 6 months.
Art. 14 in detail
| Requirement | Status | Notes |
|---|---|---|
| Understand capabilities, monitor operation | Covered | Dashboard with live runs, agent health, trace replay |
| Correctly interpret output | Covered | Trace replay with full decision context |
| Decide not to use output | Covered | Override capability via dashboard |
| Intervene or interrupt (stop button) | Covered | Kill switch: dashboard and CLI |
| Approval gates before agent proceeds | Not implemented | Roadmap |