MLOps

EU AI Act and MLOps: Building Compliant ML Systems

DeviDevs Team
6 min read
#EU AI Act#MLOps#compliance#AI regulation#model governance#risk classification

EU AI Act and MLOps: Building Compliant ML Systems

The EU AI Act (Regulation 2024/1689) is the world's first comprehensive AI regulation. For organizations deploying ML systems in Europe, compliance isn't optional — and the good news is that solid MLOps practices cover most of the technical requirements.

This guide maps EU AI Act articles to specific MLOps implementations.

EU AI Act Quick Summary

The Act classifies AI systems into risk tiers:

| Risk Level | Requirements | Examples | |-----------|-------------|---------| | Unacceptable | Banned | Social scoring, real-time biometric surveillance | | High-risk | Full compliance (Articles 9-15) | Credit scoring, hiring, medical devices | | Limited | Transparency obligations | Chatbots, deepfakes | | Minimal | No specific requirements | Spam filters, game AI |

Most enterprise ML systems fall into high-risk or limited risk categories.

MLOps ↔ EU AI Act Mapping

Article 9: Risk Management System

Requirement: Establish and maintain a risk management system throughout the AI system's lifecycle.

MLOps Implementation:

from dataclasses import dataclass, field
from datetime import datetime
from enum import Enum
 
class RiskCategory(Enum):
    DATA_QUALITY = "data_quality"
    MODEL_PERFORMANCE = "model_performance"
    BIAS_FAIRNESS = "bias_and_fairness"
    SECURITY = "security"
    OPERATIONAL = "operational"
 
@dataclass
class RiskAssessment:
    """EU AI Act Article 9 — Risk management documentation."""
    system_name: str
    assessment_date: datetime
    assessor: str
    risk_classification: str  # "high-risk" | "limited" | "minimal"
 
    identified_risks: list[dict] = field(default_factory=list)
    mitigation_measures: list[dict] = field(default_factory=list)
    residual_risks: list[dict] = field(default_factory=list)
    monitoring_plan: dict = field(default_factory=dict)
 
    def add_risk(self, category: RiskCategory, description: str,
                 likelihood: str, impact: str, mitigation: str):
        self.identified_risks.append({
            "category": category.value,
            "description": description,
            "likelihood": likelihood,
            "impact": impact,
            "risk_score": self._calculate_score(likelihood, impact),
        })
        self.mitigation_measures.append({
            "risk": description,
            "mitigation": mitigation,
            "status": "implemented",
        })
 
    def _calculate_score(self, likelihood: str, impact: str) -> int:
        scores = {"low": 1, "medium": 2, "high": 3, "critical": 4}
        return scores.get(likelihood, 2) * scores.get(impact, 2)

Article 10: Data and Data Governance

Requirement: Training, validation, and testing datasets must be relevant, representative, free of errors, and complete.

MLOps Implementation: Data versioning + validation pipelines

class Article10Compliance:
    """EU AI Act Article 10 — Data governance documentation."""
 
    def generate_data_governance_report(self, dataset_metadata: dict) -> dict:
        return {
            "article": "Article 10 - Data and Data Governance",
            "dataset": {
                "name": dataset_metadata["name"],
                "version": dataset_metadata["version"],  # DVC/lakeFS version
                "size": dataset_metadata["row_count"],
                "collection_period": dataset_metadata["date_range"],
                "geographic_scope": dataset_metadata["regions"],
            },
            "relevance_assessment": {
                "target_population": dataset_metadata["target_population"],
                "representativeness": dataset_metadata["demographic_distribution"],
                "known_gaps": dataset_metadata.get("known_gaps", []),
            },
            "quality_measures": {
                "validation_pipeline": dataset_metadata["validation_pipeline_id"],
                "null_rate": dataset_metadata["null_percentage"],
                "duplicate_rate": dataset_metadata["duplicate_percentage"],
                "schema_validated": True,
                "statistical_tests_passed": dataset_metadata["validation_passed"],
            },
            "bias_assessment": {
                "protected_attributes_checked": dataset_metadata.get("protected_attributes", []),
                "distribution_analysis": dataset_metadata.get("demographic_analysis", {}),
                "mitigation_applied": dataset_metadata.get("bias_mitigation", "none"),
            },
        }

Article 11: Technical Documentation

Requirement: Maintain technical documentation demonstrating compliance before the system is placed on the market.

MLOps Implementation: Model cards + experiment tracking + audit logs

class Article11Documentation:
    """Generate EU AI Act Article 11 compliant technical documentation."""
 
    def generate(self, model_card, training_logs, monitoring_data) -> dict:
        return {
            "article": "Article 11 - Technical Documentation",
            "system_description": {
                "name": model_card.model_name,
                "version": model_card.model_version,
                "intended_purpose": model_card.intended_use,
                "out_of_scope_uses": model_card.out_of_scope_uses,
            },
            "development_process": {
                "training_pipeline": model_card.training_pipeline,
                "data_version": model_card.training_data_version,
                "hyperparameters": model_card.hyperparameters,
                "training_date": model_card.training_date.isoformat(),
                "mlflow_experiment_id": training_logs.get("experiment_id"),
                "mlflow_run_id": training_logs.get("run_id"),
            },
            "performance_metrics": {
                "evaluation_dataset": training_logs.get("eval_dataset_version"),
                "metrics": model_card.evaluation_metrics,
                "performance_by_subgroup": model_card.performance_by_group,
            },
            "risk_management": {
                "risk_level": model_card.risk_level.value,
                "known_limitations": model_card.known_limitations,
                "residual_risks": model_card.ethical_considerations,
            },
            "monitoring_measures": {
                "drift_detection": monitoring_data.get("drift_config"),
                "performance_monitoring": monitoring_data.get("monitoring_config"),
                "retraining_policy": monitoring_data.get("retraining_triggers"),
            },
        }

Article 12: Record-Keeping

Requirement: AI systems shall be designed to enable automatic recording of events (logs) throughout their lifetime.

MLOps Implementation: This is the audit trail — MLflow experiment tracking + prediction logging + governance events.

# All these MLOps practices directly satisfy Article 12:
 
# 1. Training logs (MLflow)
mlflow.log_params(hyperparameters)
mlflow.log_metrics(evaluation_metrics)
mlflow.log_artifact("training_data_profile.html")
 
# 2. Prediction logs (serving)
prediction_log.append({
    "timestamp": datetime.utcnow().isoformat(),
    "model_version": model.version,
    "input_hash": hash(str(features)),
    "prediction": result,
    "latency_ms": latency,
})
 
# 3. Governance events (audit trail)
audit.log_event("model.deployed", model_name, version, deployer, {
    "environment": "production",
    "traffic_percentage": 100,
    "approval_id": approval.id,
})

Article 13: Transparency and Provision of Information

Requirement: High-risk AI systems shall be designed to ensure their operation is sufficiently transparent.

MLOps Implementation: Model cards + explainability tools

import shap
 
class TransparencyReport:
    """Article 13 — Generate transparency documentation."""
 
    def generate_explainability_report(self, model, test_data, feature_names):
        """Generate SHAP-based model explanations."""
        explainer = shap.TreeExplainer(model)
        shap_values = explainer.shap_values(test_data)
 
        return {
            "article": "Article 13 - Transparency",
            "model_type": type(model).__name__,
            "explainability_method": "SHAP (SHapley Additive exPlanations)",
            "global_feature_importance": dict(zip(
                feature_names,
                [float(v) for v in np.abs(shap_values).mean(axis=0)]
            )),
            "interpretation": "Features ranked by average impact on predictions",
        }

Article 14: Human Oversight

Requirement: High-risk AI systems shall be designed to allow effective human oversight.

MLOps Implementation: Approval workflows + monitoring dashboards + kill switches

class HumanOversightControls:
    """Article 14 — Human oversight implementation."""
 
    def __init__(self):
        self.override_log = []
 
    def request_human_review(self, prediction, confidence, threshold=0.6):
        """Route low-confidence predictions to human review."""
        if confidence < threshold:
            return {
                "action": "human_review_required",
                "prediction": prediction,
                "confidence": confidence,
                "reason": f"Confidence {confidence:.2f} below threshold {threshold}",
            }
        return {"action": "auto_approve", "prediction": prediction}
 
    def emergency_stop(self, model_name: str, reason: str, actor: str):
        """Kill switch — immediately disable a model."""
        # Route all traffic to fallback
        self.override_log.append({
            "action": "emergency_stop",
            "model": model_name,
            "reason": reason,
            "actor": actor,
            "timestamp": datetime.utcnow().isoformat(),
        })
        return {"status": "model_disabled", "fallback": "rule_based_system"}

Article 15: Accuracy, Robustness, and Cybersecurity

Requirement: High-risk AI systems shall achieve an appropriate level of accuracy, robustness, and cybersecurity.

MLOps Implementation: Comprehensive testing + security controls + model monitoring

This article is satisfied by the combination of:

Compliance Checklist

| Article | Requirement | MLOps Tool | Status | |---------|------------|------------|--------| | Art. 9 | Risk management | Model cards + risk assessment | | | Art. 10 | Data governance | DVC + data validation | | | Art. 11 | Technical documentation | MLflow + model cards | | | Art. 12 | Record-keeping | Audit trail + prediction logs | | | Art. 13 | Transparency | SHAP + model cards | | | Art. 14 | Human oversight | Approval workflows + dashboards | | | Art. 15 | Accuracy & security | Testing + monitoring + security | |

Need EU AI Act compliance for your ML systems? DeviDevs provides compliance consulting and MLOps implementation that satisfies Articles 9-15. Get a free assessment →

Weekly AI Security & Automation Digest

Get the latest on AI Security, workflow automation, secure integrations, and custom platform development delivered weekly.

No spam. Unsubscribe anytime.

Related Articles

MLOps

Model Governance: Managing ML Models from Development to Retirement

Implement model governance frameworks for production ML systems. Covers model cards, approval workflows, audit trails, risk assessment, and lifecycle management for enterprise compliance.

7 min read
MLOps

MLOps for Small Teams: Building ML Infrastructure Without the Complexity

Build effective MLOps infrastructure with a small team. Covers the minimal viable MLOps stack, tool selection, automation priorities, and scaling strategies for teams with 1-5 ML engineers.

6 min read
MLOps

From Jupyter Notebook to Production: A Practical MLOps Migration Guide

Step-by-step guide to migrating ML code from Jupyter notebooks to production-ready pipelines. Covers refactoring patterns, testing, CI/CD integration, and deployment with real before/after examples.

5 min read
← Back to Blog