Neo is available for sign up.Get Started
← Back to blog
engineering

Shipping the EU AI Act audit, agentically

22 April 2026 · 8 min · Kleyton Costa

The EU AI Act is the first regulation that treats AI like a regulated industrial product. Conformity assessments, technical documentation, risk-management systems, human oversight — every clause maps to an artefact the provider must produce.

We took the audit one level deeper. Each control runs as an agent task: read the linked GitHub repo, find the artefact, decide whether it satisfies the clause, produce evidence. The agent's verdict is a structured finding the platform stores against the audit.

What surprised us: agents are best when the spec is precise. Article 11 (technical documentation) is the easiest because it enumerates the contents of the doc. Article 9 (risk-management system) is the hardest because it's a process requirement — we ended up writing prompts that ask the agent to look for the existence of process artefacts (incident log, risk register, sign-off trail) rather than for textual content.

The agent gets things wrong. We mitigate by attaching every finding to a citation: file path, commit, line. A reviewer reads the cited evidence in 30 seconds and either accepts or overrides. The audit isn't the agent's conclusion; it's the agent's evidence, presented for human sign-off.