FREE READINESS KIT FOR ENGINEERING LEADERS

The EU AI Act Engineering Readiness Kit

What your codebase must prove by 2 August 2026 — a CTO's evidence checklist for Articles 11, 12 and 14, mapped to ISO 42001 and NIST AI RMF.

The one Article you cannot retrofit — and why every day before your logging is live is evidence permanently lost.
The scope test: whether standard coding-assistant use even falls inside the Act's high-risk net — and the day that flips.
Three fill-in templates that turn Articles 11, 12 and 14 into evidence you can hand an auditor.
An engineering-readiness kit, not legal advice — consult qualified counsel for legal interpretation and your specific scope.
The EU AI Act Engineering Readiness Kit
PDF · ~14 PAGES · 3 FILL-IN TEMPLATES
Get the kit.

What your codebase must prove by 2 August 2026 — the checklist, the evidence map, and three fill-in templates. Free, engineering-readiness, every claim sourced.

Your role
Country
WHY THIS KIT EXISTS

Article 12 logging is architectural. You cannot retrofit it after the deadline.

On 2 August 2026 the EU AI Act's high-risk obligations become enforceable — and with them, Article 12 automatic logging. Logging is architectural: it records events as they happen and cannot be reconstructed after the fact. The evidence for every AI-assisted change you ship before logging is live does not exist, and never will. This is the one compliance clock you cannot back-fill.

2 AUG 2026

EU AI Act high-risk obligations become enforceable

EU AI Act / Evidence Pack §3
€35M / 7%

maximum fine — €35M or 7% of global turnover, whichever is higher

EU AI Act / Evidence Pack §3
45%

of AI-generated code fails security tests — the risk auditors and insurers now ask about

Veracode 2025
WHAT'S INSIDE

Eight sections. One evidence chain.

01

Are you in scope?

A decision tree for engineering planning — why standard coding-assistant use is not Annex III high-risk by default, and the three moves that flip it (confirm classification with counsel).

02

Article 11 — Technical documentation

The 'show your work' article: the 10-year documentation index an auditor can request, and why it is something you keep, not something you write in July 2026.

03

Article 12 — Automatic logging

The one you cannot retrofit. What each log entry must capture — invoking user, model version, inputs, outputs, reviewer, disposition — plus the fillable schema.

04

Article 14 — Human oversight

The regulatory form of 'AI does not merge itself.' A named human, an override path, and a decision captured as evidence.

05

Article 53 — GPAI & the training-data summary

If you train, fine-tune, or place a general-purpose model on the market: the Model Documentation Form and the regulator-mandated AIBOM-lite data summary.

06

The evidence map — CRAFT practice × regulation

Which practice produces the evidence each regulation asks for. Read a row to see what one practice proves; read a column to see everything one regulation demands.

07

The adjacent clocks

ISO 42001, NIST AI RMF, insurance exclusions live since 1 Jan 2026, CA AB 489, TX TRAIGA, SR 26-2, CMMC — each asking for a subset of the same evidence.

08

The 90-day readiness plan

Stand up the non-retrofittable evidence first. Logging and provenance in days 0–30, provable human decision next, standing documentation last.

THE CLOCK

The deadline is already on the calendar.

1 Aug 2024
Act in force
Live
2 Feb 2025
Prohibited-practices ban + AI-literacy duty
Live
2 Aug 2025
GPAI obligations
Live
2 Aug 2026
High-risk obligations + Article 50 transparency enforceable
The deadline
2 Aug 2027
Embedded high-risk products
Extended

Two of these — Article 12 logging and Article 11 documentation — accumulate evidence continuously. They cannot be reconstructed the week before an audit.

THE EVIDENCE MAP — CRAFT PRACTICE × REGULATION
C

Curate

EU AI Act — Art. 53 (training-data summary). Also — ISO 42001 A.6 · NIST Map. Evidence — context provenance, data lineage, AIBOM core.

R

Refine

EU AI Act — Art. 17 (QMS). Also — ISO 42001 A.5 · NIST Manage. Evidence — specs, requirement-to-code traceability.

A

Architect

EU AI Act — Art. 12 (logs). Also — ISO 42001 A.5/A.7 · NIST Map. Evidence — machine-readable ADRs, pipeline logging.

F

Fortify

EU AI Act — Art. 9 & 11 (risk, docs). Also — ISO 42001 A.3/A.9 · NIST Govern · insurers. Evidence — immutable audit trails, policy-as-code, provenance.

T

Test

EU AI Act — Art. 15 (accuracy). Also — ISO 42001 A.5 · NIST Measure. Evidence — AI-calibrated quality gates, validation evidence.

An organisation with the method already produces the evidence. The audit is not a project — it is a query against artifacts the practices keep. Article assignments per the Evidence Pack's engineering reading; confirm classification with counsel.

THE THREE FILL-IN TEMPLATES
A

Article 11 Technical-Documentation Index

A standing index of what an auditor can request, who owns it, where it lives, and how long it is kept. Each empty location is an audit finding waiting to happen.

B

Article 12 Automatic-Logging Schema

The field spec every AI-assisted action should emit automatically — invoking user, model version, inputs, outputs, reviewer, disposition, retained ≥ 6 months. A log that depends on someone remembering is not automatic.

C

Article 14 Human-Oversight Sign-Off

A repeatable, signable record that a human understood an AI-affecting change, decided on it, and could have stopped it. Its disposition flows into the Artifact B log.

These three artifacts are one evidence chain: the index (A) points to the logs (B), and each log entry's disposition points back to a sign-off (C).

THE ONE MOVE

If you do one thing before the deadline, stand up logging and provenance first. Documentation and sign-off you can back-fill from a point in time; logs you cannot back-fill at all. Every day before Article 12 logging is live is a day of evidence that will never exist.

WHO IT'S FOR

Read this if you're an engineering leader who…

…has an ISO 42001 or SOC-style auditor asking how you govern AI-generated code — and no evidence to hand them.

…is feeling D&O and cyber-insurance renewal pressure now that standard policies exclude many generative-AI claims (live since 1 Jan 2026).

…needs to know whether Article 12 logging is already too late to retrofit for the changes you have shipped this year.

…wants to walk into the compliance conversation with your engineering evidence already mapped — not to replace counsel, but to arrive prepared.

This kit is pitched at The Structured Org (61–80) — the organisation that already has a method and now has to prove it produces audit evidence. If you are earlier than that, the Free Curate Scorecard tells you where you stand first.

THE AUTHOR

CRAFT Method wasn't designed in a boardroom. It was forged in production.

It was forged by building production software with AI, every day, for months. FIKR Space — eleven integrated products, built solo plus AI — is the live proof point.

LUIS GONÇALVESCREATOR OF CRAFT METHOD
THE WINDOW

EU AI Act high-risk obligations enforceable

2 AUG 2026

Article 12 logging is architectural, not retrofittable. If it isn't built in, it isn't there when the audit arrives.

Insurance exclusions for generative-AI claims live

1 JAN 2026

The financial backstop for AI-introduced defects is narrowing. The liability is moving onto the balance sheet.

The decision is yours. The clock is not.

QUESTIONS, ANSWERED

Before you ask.

Does the EU AI Act even apply to us if we just use Copilot, Cursor, or Claude Code?

Probably not by default. Standard coding-assistant use to write application code is not Annex III high-risk on that basis alone. It can flip — when AI is used to evaluate developers as workers, acts as a safety component in a regulated product, or you fine-tune or rebrand a model and become its provider. Scope is a legal determination: the kit gives you the decision tree; your counsel confirms the outcome.

Is this legal advice?

No. This is an engineering-readiness kit, not legal advice. It translates Articles 11, 12, 14 and 53 into the artifacts your engineering org must be able to produce — logs, documentation, sign-offs, provenance. It does not tell you whether a system is in scope, whether you are a provider or a deployer, or how a regulator will interpret an Article. Consult qualified counsel and your compliance function for legal interpretation and your specific scope.

Is this really free?

Yes. The kit is a free download in exchange for your email — ~14 pages plus three fill-in templates — and the occasional field note. Unsubscribe anytime, and we never share your email. Every regulatory claim is sourced to the CRAFT Method Evidence Pack, April 2026.

What's the Enterprise Diagnostic?

The Full Assessment scores all five CRAFT practices and produces the evidence map for your org, plus a 30-minute live debrief with Luis Gonçalves where you map your Article 11/12/14 evidence against 2 August 2026 in your context. Listed at €1,500–2,000; free during the 2026 launch period, limited capacity.