
arxiv: 2512.13907 · v3 · submitted 2025-12-15 · 💻 cs.CY · cs.AI

Assessing High-Risk AI Systems under the EU AI Act: From Legal Requirements to Technical Verification

Pith reviewed 2026-05-16 21:31 UTC · model grok-4.3

classification 💻 cs.CY cs.AI
keywords: EU AI Act · high-risk AI systems · compliance verification · technical assessment · AI lifecycle · regulatory mapping · standards-based verification · conformity assessment

The pith

High-level EU AI Act rules for high-risk systems can be broken down into concrete verification activities that span the full AI lifecycle.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper sets out to create a practical bridge between the broad legal duties in the EU AI Act and the day-to-day checks that developers and auditors can actually perform. Without such a bridge, different Member States and companies interpret the same rules differently, producing patchy enforcement and legal uncertainty. The authors do this by systematically splitting each legal obligation into smaller operational pieces, tying those pieces to recognised technical standards, and then tagging each resulting verification step with both the kind of check it is and the stage of the AI system it applies to. A reader would care because the result is a reusable, technology-neutral reference that lets anyone assess compliance without reinventing the wheel for every new model or application.

Core claim

By decomposing the AI Act's high-level requirements for high-risk systems into operational sub-requirements and grounding them in authoritative standards and practices, the authors produce a mapping that characterises verification activities along two axes: the type of verification performed and the lifecycle phase to which it applies. This explicit linkage between regulatory intent and assurance practices reduces interpretive uncertainty and supplies a consistent reference for compliance verification.

What carries the argument

A structured mapping that decomposes legal requirements into operational sub-requirements, anchors them in standards, and assigns each resulting verification activity a type and a lifecycle target.

If this is right

  • Providers gain a concrete checklist of verification steps they can integrate into existing quality-management processes.
  • Authorities obtain a common reference that supports more uniform conformity assessments across Member States.
  • The same mapping can be reused for different high-risk AI applications without requiring technology-specific rework.
  • Verification activities are explicitly linked to particular lifecycle stages, allowing earlier detection of compliance gaps.
  • The approach remains technology-agnostic, so updates to standards can be incorporated without rewriting the mapping.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The mapping could be tested on real-world high-risk systems to measure how often it surfaces previously overlooked compliance gaps.
  • Regulators in other jurisdictions might adapt the same decomposition method when drafting their own AI oversight rules.
  • Automated tools could be built that read an AI system's documentation and flag which verification activities from the mapping still need to be performed.
  • The two-axis characterisation (verification type plus lifecycle stage) offers a template that could be extended to track ongoing monitoring obligations after deployment.

Load-bearing premise

High-level legal requirements can be split into operational sub-requirements and matched to existing standards without losing regulatory meaning or creating fresh ambiguities.

What would settle it

Apply the mapping to a concrete high-risk AI system already under regulatory review and check whether the resulting verification activities leave any core legal obligation unaddressed or produce contradictory interpretations of the same rule.
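The two-axis verification space from the core claim and the coverage check proposed above can be made concrete in code. The following is an added example, not the paper's mapping or any code from the authors: it models requirements decomposed into sub-requirements, each verification activity tagged with a verification type and a lifecycle target and anchored in a standard, and then reports the cells of the (sub-requirement × lifecycle phase) space that no activity verifies, activities with no anchoring standard, and activities tagged with a phase their sub-requirement does not apply to. The verification-type categories, the lifecycle phases, and the Article 9 sub-requirement wording are constructed for illustration and are not the Act's text or the paper's decomposition.

```python
"""Toy model of a two-axis verification space (verification type x lifecycle
target) with a coverage check over a decomposed requirement.

All categories, phases, sub-requirement texts and activity IDs below are
CONSTRUCTED for illustration; they are not the paper's mapping and not the
AI Act's wording."""
from dataclasses import dataclass, field
from enum import Enum


class VType(Enum):
    """Verification type axis (assumed categories)."""
    DOCUMENT_REVIEW = "document review"
    TECHNICAL_TEST = "technical test"
    PROCESS_AUDIT = "process audit"


class Phase(Enum):
    """Lifecycle target axis (assumed phases)."""
    DESIGN = "design"
    DATA = "data preparation"
    VALIDATION = "validation"
    DEPLOYMENT = "deployment"
    MONITORING = "post-market monitoring"


@dataclass(frozen=True)
class Activity:
    act_id: str
    description: str
    vtype: VType
    phase: Phase
    standard: str  # anchoring standard or practice; "" means not anchored


@dataclass
class SubRequirement:
    sub_id: str
    text: str
    phases: frozenset  # lifecycle phases this sub-requirement applies to
    activities: list = field(default_factory=list)


@dataclass
class Requirement:
    article: str
    title: str
    subs: list


def coverage(req):
    """Map (sub_id, phase) -> activities covering that cell of the verification space."""
    cells = {}
    for sub in req.subs:
        for phase in sub.phases:
            cells[(sub.sub_id, phase)] = [a for a in sub.activities if a.phase == phase]
    return cells


def gaps(req):
    """Cells a sub-requirement applies to but no activity verifies."""
    empty = [cell for cell, acts in coverage(req).items() if not acts]
    return sorted(empty, key=lambda c: (c[0], c[1].value))


def unanchored(req):
    """Activities not grounded in any standard or recognised practice."""
    return [a.act_id for sub in req.subs for a in sub.activities if not a.standard]


def misplaced(req):
    """Activities tagged with a phase the parent sub-requirement does not apply to."""
    return [a.act_id for sub in req.subs for a in sub.activities if a.phase not in sub.phases]


def plan_for_phase(req, phase):
    """Activities an assessor runs at one lifecycle phase, grouped by verification type."""
    out = {}
    for sub in req.subs:
        for a in sub.activities:
            if a.phase == phase:
                out.setdefault(a.vtype, []).append(a.act_id)
    return out


# Constructed example: Article 9 (risk management system) split into three
# illustrative sub-requirements. Wording and phase assignments are assumptions.
ART9 = Requirement(
    article="Art. 9",
    title="Risk management system",
    subs=[
        SubRequirement("9-a", "Identify and analyse known and reasonably foreseeable risks",
                       frozenset({Phase.DESIGN, Phase.MONITORING}),
                       [Activity("A1", "Review risk register against hazard list",
                                 VType.DOCUMENT_REVIEW, Phase.DESIGN, "ISO 31000:2018")]),
        SubRequirement("9-b", "Adopt targeted risk mitigation measures",
                       frozenset({Phase.DESIGN, Phase.VALIDATION}),
                       [Activity("A2", "Trace each identified risk to a mitigation",
                                 VType.DOCUMENT_REVIEW, Phase.DESIGN, "ISO/IEC 42001:2023"),
                        Activity("A3", "Re-run failure scenarios after mitigation",
                                 VType.TECHNICAL_TEST, Phase.VALIDATION, "")]),
        SubRequirement("9-c", "Test the system to confirm residual risk is acceptable",
                       frozenset({Phase.VALIDATION}),
                       [Activity("A4", "Robustness test campaign with acceptance thresholds",
                                 VType.TECHNICAL_TEST, Phase.VALIDATION, "IEC 31010:2019"),
                        Activity("A5", "Audit that test results were signed off",
                                 VType.PROCESS_AUDIT, Phase.DEPLOYMENT, "ISO 9001:2015")]),
    ],
)

if __name__ == "__main__":
    for sub_id, phase in gaps(ART9):
        print(f"GAP: {sub_id} has no verification activity at {phase.value}")
    print("unanchored:", unanchored(ART9))
    print("misplaced:", misplaced(ART9))
    print("validation plan:", plan_for_phase(ART9, Phase.VALIDATION))
```

Run as a script, the constructed data reports one gap (sub-requirement 9-a has nothing verifying it at post-market monitoring), one activity with no anchoring standard (A3), and one activity whose phase does not belong to its sub-requirement (A5). These are exactly the three ways a mapping can silently lose regulatory meaning: an obligation with no check at a phase where it applies, a check with no authoritative grounding, and a check filed under a phase the obligation never reaches.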

Figures

Figures reproduced from arXiv: 2512.13907 by Alessio Buscemi, Fahria Kabir, Kateryna Mishchenko, Nishat Mowla, Tom Deckenbrunnen.

Figure 1: Overview of the methodology.

From §2.1 (Normative inputs and requirement structuring), as extracted with the figure: The starting point of the methodology consists in identifying and structuring a set of high-level requirements derived from the obligations established by the AI Act. Given the heterogeneity and dispersion of these obligations across the regulation, an explicit structuring step is required to organise them into a coherent form su…

Figure 2: Verification space defined by verification type and verification target.

Original abstract

The implementation of the AI Act requires practical mechanisms to verify compliance with legal obligations, yet concrete and operational mappings from high-level requirements to verifiable assessment activities remain limited, contributing to uneven readiness across Member States. This paper presents a structured mapping that translates high-level AI Act requirements into concrete, implementable verification activities applicable across the AI lifecycle. The mapping is derived through a systematic process in which legal requirements are decomposed into operational sub-requirements and grounded in authoritative standards and recognised practices. From this basis, verification activities are identified and characterised along two dimensions: the type of verification performed and the lifecycle target to which it applies. By making explicit the link between regulatory intent and technical and organisational assurance practices, the proposed mapping reduces interpretive uncertainty and provides a reusable reference for consistent, technology-agnostic compliance verification under the AI Act.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 2 minor

Summary. The paper presents a structured mapping that translates high-level EU AI Act requirements for high-risk AI systems into concrete, implementable verification activities applicable across the AI lifecycle. Legal requirements are decomposed into operational sub-requirements and grounded in authoritative standards (e.g., ISO/IEC 42001); verification activities are then characterised by verification type and lifecycle phase to reduce interpretive uncertainty and support consistent compliance.

Significance. If the mapping is shown to faithfully preserve regulatory scope, the work would provide a reusable, technology-agnostic reference that bridges legal obligations and technical assurance practices. This directly addresses a documented gap in operationalising the AI Act, potentially supporting more uniform readiness among developers, auditors, and Member State authorities.

major comments (1)
  1. [§3] The systematic decomposition of obligations (e.g., risk management under Article 9) into operational sub-requirements is presented without documented cross-validation against the AI Act recitals, Commission guidance, or EDPB interpretations. This validation step is load-bearing for the central claim that the mapping reduces uncertainty without introducing new ambiguities or narrowing regulatory intent.
minor comments (2)
  1. [§4] The two-dimensional characterisation of verification activities (type and lifecycle phase) would be clearer with a small number of concrete, worked examples for at least one high-risk use case.
  2. [Abstract and §2] The phrase 'recognised practices' is used without an explicit list or selection criteria; adding a short table or appendix of referenced standards would improve traceability.

Simulated Author's Rebuttal

1 response · 0 unresolved

We thank the referee for their constructive assessment of the paper and for highlighting the importance of explicit validation of the decomposition process. We address the single major comment below and will incorporate revisions to strengthen the manuscript.

Point-by-point responses
  1. Referee: [§3] The systematic decomposition of obligations (e.g., risk management under Article 9) into operational sub-requirements is presented without documented cross-validation against the AI Act recitals, Commission guidance, or EDPB interpretations. This validation step is load-bearing for the central claim that the mapping reduces uncertainty without introducing new ambiguities or narrowing regulatory intent.

    Authors: We agree that the absence of an explicit cross-validation step against recitals, Commission guidance, and EDPB interpretations weakens the transparency of the mapping and leaves the central claim open to the concern raised. In the revised version we will insert a new subsection (3.3) that systematically traces each operational sub-requirement back to its source provisions. For every sub-requirement we will cite the corresponding recital(s), relevant Commission guidance documents, and EDPB opinions (where they exist), together with a short justification showing that the operationalisation neither narrows nor expands the original regulatory scope. A summary table will be added to make the traceability immediately visible. This addition directly addresses the load-bearing validation step without altering the existing mapping structure. revision: yes

Circularity Check

0 steps flagged

No circularity: mapping derived from external legal requirements and standards

Full rationale

The paper's derivation consists of decomposing high-level EU AI Act obligations (e.g., Article 9 risk management) into operational sub-requirements and grounding them in external authoritative standards such as ISO/IEC 42001, then identifying verification activities by type and lifecycle phase. No equations, fitted parameters, or self-citations are shown that reduce any step to the paper's own inputs by construction; the mapping is presented as an independent translation from external sources rather than a self-referential fit or renaming. This leaves the central claim self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 0 invented entities

The central claim rests on the domain assumption that legal requirements can be systematically decomposed into operational sub-requirements grounded in standards without loss of intent.

axioms (1)
  • Domain assumption: High-level legal requirements can be systematically decomposed into operational sub-requirements without loss of regulatory intent.
    Invoked when translating AI Act obligations into verifiable activities.

pith-pipeline@v0.9.0 · 5456 in / 1067 out tokens · 31113 ms · 2026-05-16T21:31:54.696213+00:00 · methodology


Reference graph

Works this paper leans on

52 extracted references

  1. ISO 8000-8:2015. 2015. Data quality — Part 8: Information and data quality: Concepts and measuring.
  2. ISO 9001:2015. 2015. Quality management systems — Requirements. https://www.iso.org/standard/62085.html
  3. ISO 31000:2018. 2018. Risk management — Guidelines.
  4. IEC 31010:2019. 2019. Risk management — Risk assessment techniques.
  5. ISO/IEC TR 24027:2021. 2021. Information technology — Artificial intelligence (AI) — Bias in AI systems and AI-aided decision making.
  6. ISO/IEC 27001:2022. 2022. Information security, cybersecurity and privacy protection — Information security management systems — Requirements.
  7. ISO/IEC 27005:2022. 2022. Information security, cybersecurity and privacy protection — Information security risk management.
  8. ISO/IEC 22989:2022. 2022. Information technology — Artificial intelligence — Artificial intelligence concepts and terminology.
  9. ISO/IEC 24029-2:2023. 2023. Artificial intelligence (AI) — Assessment of the robustness of neural networks — Part 2: Methodology for the use of formal methods.
  10. ISO/IEC 27035-1:2023. 2023. Information security, cybersecurity and privacy protection — Information security incident management — Part 1: Principles of incident management.
  11. ISO/IEC. 2023. Information technology — Artificial intelligence — Guidance on risk management. https://www.iso.org/standard/77304.html
  12. ISO/IEC 5259-1:2024. 2024. Artificial intelligence — Data quality for analytics and machine learning (ML) — Part 1: Overview, terminology and examples.
  13. European Union. 2024. Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) and amending certain Union legislative acts. OJ L 2024/1689, 12 July 2024. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689
  14. 2025. Artificial intelligence — AI System Logging.
  15. 2025. Sectorial AI Testing and Experimentation Facilities under the Digital Europe Programme. https://digital-strategy.ec.europa.eu/en/policies/testing-and-experimentation-facilities
  16. Adam J. Andreotta, Nin Kirkham, and Marco Rizzi. 2022. AI, big data, and the future of consent. AI & Society 37(4), 1715–1728.
  17. Julien Arnal. 2024. AI at Risk in the EU: It's Not Regulation, It's Implementation. European Journal of Risk Regulation. https://www.cambridge.org/core/journals/european-journal-of-risk-regulation/article/ai-at-risk-in-the-eu-its-not-regulation-its-implementation/A9FD120F3EACE2C083048ABCBF96C0F6
  18. Ali Basiri, Casey Rosenthal, Nora Jones, Andrew Hodges, and Cole Mickens. 2016. Chaos Engineering. IEEE Software 33(3), 35–41.
  19. Yoshua Bengio, Geoffrey Hinton, Andrew Yao, Dawn Song, Pieter Abbeel, Trevor Darrell, Yuval Noah Harari, Ya-Qin Zhang, Lan Xue, Shai Shalev-Shwartz, et al. 2024. Managing extreme AI risks amid rapid progress. Science 384(6698), 842–845.
  20. Miles Brundage et al. 2020. Toward Trustworthy AI Development: Mechanisms for Supporting Verifiable Claims. arXiv preprint arXiv:2004.07213.
  21. CEN-CENELEC Joint Technical Committee 21. 2025. European AI Standardization | CEN-CENELEC JTC 21. https://jtc21.eu
  22. Chairs and Vice-Chairs of the General-Purpose AI Code of Practice. 2025. General-Purpose AI Code of Practice, Third Draft. European AI Office / European Commission, Brussels, Belgium. https://digital-strategy.ec.europa.eu/en/library/third-draft-general-purpose-ai-code-practice-published-written-independent-experts Third draft publ…
  23. Daswin De Silva and Damminda Alahakoon. 2022. An artificial intelligence life cycle: From conception to production. Patterns 3(6).
  24. Deloitte. 2024. EU AI Act Survey: Uncertainty in Implementation. Deloitte Legal Research. https://www.deloitte.com/dl/en/services/legal/research/umfrage-eu-ai-act-2024.html
  25. Mario Draghi. 2024. EU Competitiveness Report (Draghi Report). https://sciencebusiness.net/news/ai/eu-losing-narrative-battle-over-ai-act-says-un-adviser
  26. European Commission. 2025. AI Factories - Shaping Europe's Digital Future. https://digital-strategy.ec.europa.eu/en/policies/ai-factories
  27. European Commission. 2025. Draft - Implementing Act on AI regulatory sandboxes under the Artificial Intelligence Act.
  28. European Union. 2016. Regulation (EU) 2016/679 (General Data Protection Regulation). Official Journal of the EU, L 119.
  29. Luciano Floridi, Josh Cowls, et al. 2018. AI4People: An Ethical Framework for a Good AI Society. Minds and Machines 28(4), 689–707.
  30. Julio Hernandez, Delaram Golpayegani, and Dave Lewis. 2025. An open knowledge graph-based approach for mapping concepts and requirements between the EU AI Act and international standards. AI and Ethics, 1–12.
  31. High-Level Expert Group on Artificial Intelligence. 2019. Ethics Guidelines for Trustworthy AI. https://digital-strategy.ec.europa.eu/en/library/ethics-guidelines-trustworthy-ai (accessed 2025-05-25).
  32. Ari Holtzman, Peter West, and Luke Zettlemoyer. 2025. Generative Models as a Complex Systems Science: How Can We Make Sense of Large Language Model Behavior? Journal of Social Computing 6(2), 75–94. doi:10.23919/JSC.2025.0009
  33. Ken Huang, Aditi Joshi, Sandy Dun, and Nick Hamilton. 2024. AI regulations. 61–98.
  34. International Organization for Standardization and International Electrotechnical Commission. 2023. ISO/IEC 42001:2023 – Artificial intelligence — Management system. https://www.iso.org/standard/81230.html
  35. ISACA. 2025. AAIA Official Review Manual. ISACA, Rolling Meadows, IL. Print version, 182 pages; first released May 19, 2025.
  36. Noam Kolt, Michal Shur-Ofry, and Reuven Cohen. 2025. Lessons from Complex Systems Science for AI Governance. Patterns 6(8), 101341. doi:10.1016/j.patter.2025.101341
  37. David Leslie, Christopher Burr, Mhairi Aitken, Josh Cowls, Michael Katell, and Morgan Briggs. 2020. Human Rights, Democracy and the Rule of Law in the Age of Artificial Intelligence. https://search.coe.int/cm/Pages/result_details.aspx?ObjectID=09000016809c4bd1
  38. Dave Lewis, Maria Lasek-Markey, Donya Golpayegani, and Harshvardhan J. Pandit. 2025. Mapping the Regulatory Learning Space for the EU AI Act. arXiv preprint arXiv:2503.05787. https://arxiv.org/abs/2503.05787
  39. T. Nathan Mundhenk, Barry Y. Chen, and Gerald Friedland. 2020. Efficient Saliency Maps for Explainable AI. arXiv:1911.11293 [cs.CV]. https://arxiv.org/abs/1911.11293
  40. National Institute of Standards and Technology (NIST). 2025. AI Risk Management Framework (AI RMF). https://www.nist.gov/itl/ai-risk-management-framework
  41. Claudio Novelli, Federico Casolari, Antonino Rotolo, Mariarosaria Taddeo, and Luciano Floridi. 2024. Taking AI risks seriously: a new assessment model for the AI Act. AI & Society 39(5), 2493–2497.
  42. DLA Piper. 2025. The European Commission Considers Pause on AI Act's Entry into Application. AI Outlook Report. https://www.dlapiper.com/en/insights/publications/ai-outlook/2025/the-european-commission-considers-pause-on-ai-act-entry-into-application
  43. Thibault Schrepel. 2025. Adaptive Regulation. SSRN 5416454. doi:10.2139/ssrn.5416454
  44. Douglas Schuler and Aki Namioka. 1993. Participatory design: Principles and practices. CRC Press.
  45. Thomas B. Sheridan. 1992. Telerobotics, automation, and human supervisory control. MIT Press.
  46. Nathalie A. Smuha. 2021. From a 'race to AI' to a 'race to AI regulation': regulatory competition for artificial intelligence. Law, Innovation and Technology 13(1), 57–84.
  47. UNESCO. 2021. Recommendation on the Ethics of Artificial Intelligence. Adopted on 23 November 2021 by the General Conference of UNESCO at its 41st session. https://unesdoc.unesco.org/ark:/48223/pf0000381137
  48. unknown. 2025. Regulating Uncertainty: Governing General-Purpose AI Models and Systemic Risk. European Journal of Risk Regulation. https://resolve.cambridge.org/core/journals/european-journal-of-risk-regulation/article/regulating-uncertainty-governing-generalpurpose-ai-models-and-systemic-risk/7EEFE1D8421A43A98CE91F7C697DE538
  49. Lei Wang, Zhengchao Liu, Ang Liu, and Fei Tao. 2021. Artificial intelligence in product lifecycle management. The International Journal of Advanced Manufacturing Technology 114(3), 771–796.
  50. Yue Wang and Sai Ho Chung. 2022. Artificial intelligence in safety-critical systems: a systematic review. Industrial Management & Data Systems 122(2), 442–470.
  51. World Wide Web Consortium (W3C). 2023. Web Content Accessibility Guidelines (WCAG) 2.2. W3C Recommendation. https://www.w3.org/TR/WCAG22/
  52. Bishoy Zaki. 2025. Conceptualising Organisational Policy Learning: Triggers, Processes, Outcomes, and Implications for Policy and Governance Change. Australian Journal of Public Administration (Nov. 2025). doi:10.1111/1467-8500.70031