The EU AI Act, reviewed in the pull request.
For systems the Act classes as high-risk, some of its obligations are not paperwork: they are properties of the running system and its pipeline. Whether events are logged, whether a human can intervene, whether the data governance still held after someone swapped a dataset. Each of those can be undone by a single change in a repository, and each has an article behind it.
For high-risk systems, the obligation is in the build.
The AI Act draws most of its hard engineering duties around high-risk systems, and for those, compliance is continuous: the logging has to keep running, the human-oversight step has to stay in the path, the data-governance checks have to survive the next refactor of the pipeline. A pull request that quietly removes one of those is exactly the kind of regression the conformity process is meant to prevent. heygrc reads the change against the relevant article and names it, so the regression is caught at the diff rather than at conformity assessment. Whether a given system is in scope and at what risk tier is a determination for your own assessment; heygrc flags the control-relevant change, it does not classify your system for you.
The high-risk duties a review can actually catch.
Each row is a real article reference and the kind of change that trips it. heygrc cites the article on the finding, not a vague AI-governance note.
- Art. 9: risk management system
  A mitigation that the risk management process put in place (a guardrail, a filter, a constraint on the model's outputs) is removed or weakened in a change.
- Art. 10: data and data governance
  A training, validation, or test dataset is swapped or filtered in a way that drops the quality, representativeness, or bias checks the system relied on.
- Art. 12: record-keeping and logging
  Automatic logging of the system's events over its lifetime is removed or narrowed, so the traceability the article requires no longer holds.
- Art. 13: transparency to deployers
  Information the system is supposed to surface to the people operating it (capabilities, limitations, intended use) is dropped from an output or an interface.
- Art. 14: human oversight
  A human-in-the-loop checkpoint on a high-risk automated decision is removed or auto-confirmed, so a person can no longer intervene before it takes effect.
- Art. 15: accuracy, robustness, cybersecurity
  An accuracy threshold, a robustness safeguard, or an adversarial-input defense the system shipped with is lowered or deleted.
An auto-approve that removes Art. 14 oversight.
A pull request speeds up a high-risk eligibility decision by auto-confirming the model's output above a confidence score, removing the step where a person reviewed it before it took effect.
```diff
  const result = await model.score(application)
- return queueForHumanReview(result)
+ if (result.confidence > 0.8) return autoDecide(result)
  return queueForHumanReview(result)
```

For a high-risk decision this lets a high-confidence model output take effect with no person able to review it first. Art. 14 (human oversight) expects an effective way for a human to intervene on this kind of decision. A confidence score is not the oversight the article means. Keep the human-review path, or gate the auto-decision behind a reviewable, documented control rather than a threshold.
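Review bot: the `+` line makes `result.confidence > 0.8` the only thing standing between the model's output and an effective decision, and nothing in the hunk records that the human-review step was skipped, so the bypass is neither reviewable nor logged (the Art. 12 row above says the automatic logging has to keep holding). The `0.8` is also a bare literal with no owner or rationale in the change. Keep `return queueForHumanReview(result)` as the only exit for this decision, or, if an auto path is wanted, move the threshold into a documented control with a named approver and write a record for every `autoDecide(result)` call so a person can still see and reverse it before it takes effect.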
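One way to build the reviewable, documented control the paragraph above asks for, as an added example in JavaScript that is not heygrc code and not from the original page: the auto-decision becomes provisional, sits in a hold window during which a named reviewer can override it, and every step is written to an audit record, so a person can still intervene before anything takes effect. The policy object, the hold window, the audit log and every identifier below are assumptions for illustration, not anything the page or the Act prescribes.

```javascript
// Added example (not heygrc code). Hypothetical names throughout.

// Documented control instead of a bare literal: the threshold lives in a
// reviewable record with an owner and a rationale, and a kill switch.
const AUTO_DECISION_POLICY = {
  id: "eligibility-auto-confirm-v1",        // hypothetical policy identifier
  enabled: true,                            // false forces every case to a human
  minConfidence: 0.8,
  holdMs: 24 * 60 * 60 * 1000,              // window in which a human can override
  approvedBy: "oversight-board",            // hypothetical approver of this control
  rationale: "hypothetical: validated on holdout set, see risk file",
};

// Append-only audit trail: every decision, automated or not, leaves a record.
const auditLog = [];
// Provisional auto decisions that are not yet in effect, keyed by application.
const pendingDecisions = new Map();

function record(event, now) {
  auditLog.push({ at: now, ...event });
}

// The decision step. Below the threshold (or with the policy disabled) the
// case goes to a person. Above it, the outcome is only provisional: it is
// recorded, held, and can be replaced by a reviewer until the hold expires.
function decide(result, policy = AUTO_DECISION_POLICY, now = Date.now()) {
  const auto = policy.enabled && result.confidence >= policy.minConfidence;
  if (!auto) {
    record({ type: "queued_for_human_review", applicationId: result.applicationId }, now);
    return { status: "human_review", outcome: null };
  }
  const pending = {
    applicationId: result.applicationId,
    outcome: result.outcome,
    policyId: policy.id,
    confidence: result.confidence,
    effectiveAt: now + policy.holdMs,
    overriddenBy: null,
  };
  pendingDecisions.set(result.applicationId, pending);
  record({ type: "auto_decision_pending", ...pending }, now);
  return { status: "pending", outcome: result.outcome, effectiveAt: pending.effectiveAt };
}

// The intervention path: a named reviewer replaces the provisional outcome
// before it takes effect. After the hold window the call is refused and
// logged, so a late override is visible rather than silently ignored.
function intervene(applicationId, reviewer, newOutcome, now = Date.now()) {
  const pending = pendingDecisions.get(applicationId);
  if (!pending) return { ok: false, reason: "no pending decision" };
  if (now >= pending.effectiveAt) {
    record({ type: "override_refused_after_effect", applicationId, reviewer }, now);
    return { ok: false, reason: "already effective" };
  }
  pending.overriddenBy = reviewer;
  pending.outcome = newOutcome;
  record({ type: "human_override", applicationId, reviewer, newOutcome }, now);
  return { ok: true };
}

// What actually stands for a case at time `now`: the reviewer's outcome if
// there was one, the automated outcome once its hold has elapsed, else null.
function finalOutcome(applicationId, now = Date.now()) {
  const pending = pendingDecisions.get(applicationId);
  if (!pending) return null;
  if (pending.overriddenBy) return pending.outcome;
  return now >= pending.effectiveAt ? pending.outcome : null;
}

// Constructed sample run: a high-confidence score does not take effect on its own.
const t0 = 1_700_000_000_000;
decide({ applicationId: "demo-1", confidence: 0.95, outcome: "approve" }, AUTO_DECISION_POLICY, t0);
console.log("in effect immediately?", finalOutcome("demo-1", t0));                 // null
console.log("override:", intervene("demo-1", "reviewer-7", "deny", t0 + 60_000));  // { ok: true }
console.log("after hold:", finalOutcome("demo-1", t0 + AUTO_DECISION_POLICY.holdMs + 1)); // "deny"
```

The point of the hold window is that the control is something a reviewer can act on and an auditor can inspect: the threshold has a name and an owner, the bypass is logged, and a human has a real path to stop the outcome. A one-line `if` on a confidence score gives none of that.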
A review, not a conformity assessment.
heygrc flags changes that touch an AI Act obligation and cites the article so the fix happens in the pull request. It does not classify your system's risk tier, run your conformity assessment, or stand in for the technical documentation and post-market monitoring the Act requires. It catches the change early so a high-risk safeguard holds in code review instead of failing at assessment. heygrc is in early access.