The regulation requires documented evidence your AI agents were tested. Most companies don't have it.
EU AI Act Article 9 mandates that high-risk AI systems implement a risk management system including systematic adversarial testing. A documented, repeatable scan process is the evidence you need.
Where most AI teams are today.
Article 9 compliance is not a checkbox. It requires a documented, repeatable, evidence-generating process.
Which articles Orithos
covers — and how.
The EU AI Act does not describe a testing methodology. It describes requirements. Orithos translates each requirement into testable probes and generates the evidence your legal team needs.
What a notified body
actually wants to see.
The EU AI Act requires evidence packages, not reports. Every Orithos scan generates a structured evidence pack with control citations a notified body or internal legal team can act on.
| Article | Regulatory requirement | Evidence Orithos generates | Status |
|---|---|---|---|
| Art. 9(4)(b) | Identification and analysis of known and foreseeable risks | Threat taxonomy mapped to your agent configuration | ✓ Automated |
| Art. 9(4)(c) | Testing to identify appropriate risk management measures | Probe sets, 3-tier judge confirmation, risk score with methodology | ✓ Automated |
| Art. 9(5) | Risk management system reviewed throughout lifecycle | Scheduled re-testing with risk score trend over time | ✓ Automated |
| Art. 9(7) | Testing against groups for which the system is intended | Domain-specific probe packs (FS, Health, Legal) | ✓ Automated |
| Art. 13(1) | Transparency of design and functionality | Attack surface documentation per agent configuration | ✓ Automated |
| Art. 13(3)(b)(v) | Performance metrics including known limitations | Residual risk section with unaddressed finding documentation | ~ Partial |
| Art. 14(4)(a) | Ability to detect anomalies and unexpected performance | Scheduled scans with regression alerts on risk score change | ✓ Automated |
| Art. 15(1) | Appropriate levels of accuracy and robustness | Adversarial robustness findings with severity and exploit path | ✓ Automated |
| Art. 15(3) | Resilience against attempts to alter behaviour | Prompt injection, RAG poisoning, jailbreak detection evidence | ✓ Automated |
This is what the
evidence pack looks like.
Every Business tier scan produces an EU AI Act audit-ready export. Below is a representative extract showing the structure your legal team and notified body receive.
From deployment to
audit-ready in one workflow.
Most companies treat EU AI Act compliance as a documentation exercise. Orithos treats it as a security programme — the documentation is a by-product of the testing.
Request access before
your competitors do.
The August 2026 deadline is firm. Security teams who establish their testing programme before Q2 2026 have time to remediate findings before enforcement begins.