Field notes, by the heygrc team

The EU AI Act is a code review, whether you like it or not

For high-risk AI systems, the Act's obligations are not policy. They are properties of the running system, decided in a diff.

It is tempting to treat the EU AI Act as a documentation exercise: a risk classification, a conformity file, a folder of policies. For the systems it classes as high-risk, a real part of it is not documentation at all. It is whether the running system logs its events, keeps a human in the loop, and holds its accuracy and robustness, and all three of those are decided in code.

Which means a normal pull request can move you out of conformity, and the policy PDF will not catch it.

Which obligations live in the diff

Several of the high-risk obligations are properties of the build, not the binder. Article 12 (record-keeping) requires automatic logging of the system's events over its lifetime. Article 14 (human oversight) requires an effective way for a person to intervene. Article 10 (data and data governance) covers the quality and governance of training, validation, and test data. Article 15 (accuracy, robustness, and cybersecurity) covers the safeguards the system ships with. Each of those can be strengthened or weakened by a single change, and the page on how each shows up is in the framework breakdown.

The change that removes oversight

Consider a high-risk eligibility decision that used to queue for human review. A change speeds it up by auto-confirming the model's output above a confidence score. It is a reasonable performance optimisation. It also removes the step where a person could intervene before the decision takes effect.

decisions/eligibility.ts (+1 -1)
const result = await model.score(application)-  return queueForHumanReview(result)+  if (result.confidence > 0.8) return autoDecide(result)  return queueForHumanReview(result)
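Review bot: the added `if (result.confidence > 0.8) return autoDecide(result)` returns before the `return queueForHumanReview(result)` that follows it, so above the threshold no person sees the decision before it takes effect, and nothing in the hunk shows another override path; `0.8` is also a bare literal in a condition rather than a configured, documented control. Suggest keeping a human override reachable for auto-decided applications (or queueing them for after-the-fact review) and moving the threshold into a named, reviewed configuration value so that a change to the oversight measure is itself visible and recorded.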
heygrc: EU AI Act Art. 14

For a high-risk decision, a confidence threshold on its own is not the effective human oversight Article 14 calls for. Removing the configured human-review path can defeat the oversight measure unless another effective way to intervene or override remains. Keep a real path for a person to step in, or gate the auto-decision behind a reviewable, documented control.
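A hardened version of that decision path, as an added example that is not the page's diff or heygrc's own code: the auto-decision gate becomes a named, documented policy that is off unless explicitly enabled, every decision on every path is appended to an event log with the policy reference that authorised it, and a reviewer can override any decision afterwards. Type names, function names and the policy values are assumptions.

```typescript
// Added example, not the page's diff or heygrc's own code. Names, types
// and policy values are assumed; nothing here comes from a real system.
type Outcome = "approve" | "deny";
type Scored = { applicationId: string; outcome: Outcome; confidence: number };
// Art. 14: the auto-decision gate is an explicit, documented control with a
// policy reference, not a bare literal in an `if`. Off unless turned on.
interface OversightPolicy {
  autoDecideEnabled: boolean;
  autoDecideThreshold: number;
  policyRef: string; // the control or change record that authorised the gate
}
// Art. 12: one event per decision, on every path, including overrides.
type DecisionEvent = {
  applicationId: string;
  outcome: Outcome;
  confidence: number;
  path: "auto" | "human-review" | "human-override";
  policyRef: string;
  actor: string; // "system" or the reviewer's identifier
  at: string;
};
const eventLog: DecisionEvent[] = [];
function record(ev: Omit<DecisionEvent, "at">): DecisionEvent {
  const full = { ...ev, at: new Date().toISOString() };
  eventLog.push(full);
  return full;
}
function decide(result: Scored, policy: OversightPolicy): DecisionEvent {
  const auto = policy.autoDecideEnabled && result.confidence >= policy.autoDecideThreshold;
  return record({
    applicationId: result.applicationId, outcome: result.outcome,
    confidence: result.confidence, path: auto ? "auto" : "human-review",
    policyRef: policy.policyRef, actor: "system",
  });
}
// Art. 14: a reviewer can override any decision, auto or queued; the override is logged too.
function overrideDecision(applicationId: string, outcome: Outcome, reviewerId: string, policy: OversightPolicy): DecisionEvent {
  const latest = [...eventLog].reverse().find(e => e.applicationId === applicationId);
  if (!latest) throw new Error(`no decision on record for ${applicationId}`);
  return record({ applicationId, outcome, confidence: latest.confidence,
    path: "human-override", policyRef: policy.policyRef, actor: reviewerId });
}
// Applications whose latest event is still waiting for a person: the review path must not be empty.
function pendingHumanReview(): string[] {
  const latestById = new Map<string, DecisionEvent>();
  for (const e of eventLog) latestById.set(e.applicationId, e);
  return Array.from(latestById.values()).filter(e => e.path === "human-review").map(e => e.applicationId);
}
```

Enabling `autoDecideEnabled` is now a reviewable configuration change carrying a `policyRef`, and the event log shows which path every decision took.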

The policy PDF won't save you

Conformity is assessed against the system, not the document describing it. A change that removes the logging Article 12 requires, or the oversight Article 14 requires, puts the running system out of line with the file you assembled, and the file does not know the change happened.

Whether a given system is high-risk and in scope is a determination for your own assessment; heygrc does not classify your system for you. But once you know an obligation applies, it is enforced at the commit, not in the policy PDF, and that is where heygrc is built to read the change against the article it touches. heygrc is in early access.

Tags: eu-ai-act, ai-systems, code-review, regulation