The standard framing for EU AI Act compliance in Agile organisations goes like this: the regulation imposes a set of obligations, and the delivery team must find somewhere to absorb them. Committees are formed. A compliance workstream is chartered. A mapping exercise is commissioned that takes six weeks and produces a spreadsheet nobody reads.

This framing is not just inefficient. It is technically incorrect — and the incorrectness matters because it leads organisations to build the wrong infrastructure. The EU AI Act and a well-structured Agile or SAFe delivery model are not two independent systems that need bridging. They are descriptions of the same engineering lifecycle, written by different authors for different audiences, using different vocabulary for identical concepts.

This piece makes that case at the level of technical artefacts — the actual objects that teams produce. Not as a loose analogy. As a structural claim.

"The EU AI Act is not a compliance overlay on top of engineering. It is a specification of what rigorous AI engineering looks like. If your Agile delivery is producing the right artefacts, you are already building the evidence base. The question is whether you know it."

Two Descriptions of One Lifecycle

Start with what the EU AI Act is actually doing structurally. For high-risk AI systems under Annex III, the Act defines obligations at five stages: design intent, data preparation, development and testing, deployment, and post-market operation. It specifies what must be documented, tested, monitored, and revisable at each stage — and crucially, it requires that the evidence of these activities be generated during the stage, not reconstructed afterward.

Now look at what a two-week sprint in a mature Agile team actually produces. Sprint planning produces a committed backlog with acceptance criteria. Development produces tested, reviewed code with associated data artefacts. The sprint review produces a demonstrated increment with stakeholder sign-off. The retrospective produces a record of process decisions. Across PIs, the system demo, I&A workshop, and inspect-and-adapt cycle produce programme-level documentation of architectural decisions, risk evolution, and quality trends.

Lay these two structures side by side:

EU AI Act — Lifecycle Stage
  • Design intent & intended purpose definitionAnnex IV §1 — documented before development begins
  • Training data governance & quality validationArticle 10 — prior to model training
  • Risk identification & mitigation across developmentArticle 9 — continuous, not point-in-time
  • Accuracy, robustness & bias testingArticle 15 — against pre-defined metrics
  • Human oversight mechanism — built & verifiedArticle 14 — technically implemented
  • Technical documentation — versioned & currentAnnex IV — updated at each change
  • Post-market performance monitoringArticle 72 — active, not passive
Agile / SAFe — Delivery Artefact
  • Feature vision + PI objectives + system intentPI Planning — sprint zero for new systems
  • Dataset card + data lineage record + quality gateDefinition of Done on data-touching stories
  • Risk register — story-level, version-controlledUpdated per sprint as acceptance criterion
  • Test results + model evaluation report + fairness metricsCI/CD pipeline output, gated per build
  • Override mechanism + review queue + escalation specAcceptance-tested story, not a policy doc
  • Architecture Decision Records + Annex IV technical fileSystem Architect ownership, release-bumped
  • Observability dashboard + drift alerts + incident logMLOps pipeline output, sprint-maintained

The rows align not because someone cleverly mapped one to the other. They align because both the Act and Agile are describing the same underlying engineering discipline: build with intent, validate your data, track your risks, test against defined criteria, make oversight technically real, keep your documentation current, watch your system in production. The regulation codifies what good engineering practice already requires.

The Artefact Gap Is Narrower Than You Think

The practical implication of this alignment is that most mature Agile teams are closer to compliance than their legal counsel believes — and further than their engineers realise. The gap is rarely about missing artefacts. It is almost always about artefact quality and generation timing.

Here is what that looks like in practice across the four artefact categories that Notified Bodies scrutinise most closely:

Article 9 Risk Management System
The risk register most teams have vs. the one that satisfies Article 9
Most Agile teams maintain some form of risk log — in Jira, Confluence, or a shared spreadsheet. What Article 9 requires is that it be continuous (updated when capability changes, not quarterly), traceable (risks linked to the sprint story that introduced them), and residual-aware (mitigation status plus residual risk rating, not just "risk identified"). The artefact already exists. The specification needs tightening — typically two fields added to a Jira issue type and a DoD line item.
Extend existing artefact
Article 10 Data Governance
Dataset cards are not optional documentation — they are the compliance evidence
Article 10 requires that training, validation, and test datasets be accompanied by documentation of their provenance, preprocessing decisions, known limitations, and demographic representativeness where relevant. Teams that treat dataset documentation as a nice-to-have are not just producing poor engineering — they are missing the primary evidence artefact for one of the Act's most scrutinised obligations. A dataset card, authored at the point of dataset creation or modification and version-controlled alongside the model, is what compliance looks like here.
Most teams have a genuine gap here
Article 14 Human Oversight
The distinction between a described oversight mechanism and a tested one
This is the single most common compliance failure mode in systems built under Agile. Teams write a policy describing how human reviewers can intervene in automated decisions. Article 14 requires that the technical means for such intervention be built into the system and verifiable. The override mechanism, the review queue, the SLA for review completion, the escalation pathway — these must exist as tested software features, with acceptance tests that confirm they work under realistic load. A policy document that describes a mechanism that was never implemented is not Article 14 compliance. It is Article 14 documentation of a gap.
Policy alone does not satisfy this
Annex IV Technical Documentation
Architecture Decision Records as the spine of the technical file
Annex IV requires a technical file that describes the system's design, development process, testing methodology, and risk management approach — and is kept current across the system's lifecycle. Teams that practice Architecture Decision Records have the structure for this already. The gap is typically completeness (ADRs cover major architectural choices but not the full Annex IV scope) and versioning discipline (ADRs are often written once and not revisited when the decision is later revised). Mapping the Annex IV required sections to ADR templates and making the file a living artefact — bumped at every release — closes most of this gap without new tooling.
ADR discipline closes most of this gap

How SAFe's Three Tiers Carry the Obligation Structure

Scrum at the team level handles the sprint-cadence obligations. But the EU AI Act's requirements span more than one delivery tier. Article 17's quality management system, the programme-level technical file, and the strategic risk classification decisions that determine whether a system falls under Annex III at all — these operate at programme and portfolio level. SAFe's architecture provides a natural structural match.

Figure 1 — SAFe as EU AI Act compliance backbone
SAFe's three-tier structure — Portfolio/LPM, ART, and Agile Team — each carrying a distinct tier of EU AI Act obligations. The diagram shows which articles are owned at which level, and which SAFe ceremonies are the natural delivery vehicles for each obligation.

The Portfolio level owns the decisions that no sprint team can make alone: is this system high-risk under Annex III? Does it require a Fundamental Rights Impact Assessment? What is the conformity assessment pathway — internal or Notified Body? These are strategic AI governance questions that belong in portfolio-level governance, funded through lean budget guardrails, and tracked in the portfolio Kanban alongside other compliance epics.

The ART level owns the cross-team coordination that individual squads cannot self-organise: the Annex IV technical file (authored and maintained by the System Architect role), the programme-level risk register, and the PI-cadence inspection of conformity status. PI Planning is the natural vehicle for Article 4's literacy obligations — competency gaps assessed, training epics planned, roles confirmed against the Act's requirements for qualified personnel.

The Team level executes the sprint-cadence work: risk register updates in the DoD, dataset cards on data stories, override mechanisms in acceptance criteria, observability pipeline maintenance in the definition of done for MLOps stories. Not additional work — engineering work, specified correctly.

The Obligation-to-Artefact Map

The second diagram makes the full mapping explicit — nine EU AI Act obligations, each connected to the specific Agile delivery artefact that constitutes its compliance evidence. This is not a conceptual alignment. Each connection represents a precise structural match: the obligation defines what must exist; the artefact is what existence looks like in a delivery context.

Figure 2 — EU AI Act obligations mapped to Agile delivery artefacts
Nine EU AI Act obligations — Articles 4, 9, 10, 12, 13, 14, 17, Annex IV, and post-market monitoring — each connected through a technical bridge to a corresponding Agile delivery artefact. The artefact is the compliance evidence, not a description of it.

The two artefact categories that most consistently surprise teams when they first see this mapping are Article 12 (record-keeping) and Article 13 (transparency). Article 12 is not a logging policy — it is the observability stack itself: structured event logs, audit trails on inference decisions, and the retention and access architecture that makes those logs usable for post-incident review. Teams building production AI systems should have this infrastructure anyway. The Act makes it non-optional and specifies minimum content requirements. Article 13's transparency obligation maps to model cards and API documentation — artefacts that responsible ML practice has been advocating for years. The Act converts advocacy into obligation.

Where the Coalescing Actually Breaks Down

The structural alignment is real. But three conditions cause it to fracture in practice — and they are worth naming precisely because they are not the problems most organisations spend time on.

Artefact drift. The technical file and risk register are accurate at sprint zero and progressively wrong thereafter. This is the most common failure mode in systems that have been in development for more than two PI cycles. The fix is not a quarterly review — it is making artefact currency a pipeline gate. A deployment that updates the model without a corresponding commit to the technical file fails the build. This sounds harsh until you consider that a Notified Body assessing a system whose technical file is six months behind its codebase will not treat that charitably.

The Article 14 implementation gap. Already described in the artefact section above, but worth restating as a structural point: every team that has written a human oversight policy and not shipped a working override mechanism has a compliance liability they may not have priced. The gap between "we have a process for this" and "we have a tested feature for this" is the gap between describing Article 14 and satisfying it.

Tier disconnection. Team-level governance artefacts — risk register updates, dataset cards, DoD compliance items — exist but are never aggregated upward into the programme-level technical file. The sprint team updates their risk register; nobody rolls it into the Annex IV documentation; the System Architect is maintaining a separate document that diverges from what teams are actually tracking. This is a governance architecture problem, not a compliance knowledge problem. The solution is a single source-of-truth for the technical file, with automated aggregation from team-level artefacts — not three separate documents maintained by three separate people.

◈ The Diagnostic Question

If you want a fast read on where your organisation stands: ask your System Architect or Chief Engineer to show you the current Annex IV technical file and point to the sprint story that last updated it. If those two things cannot be connected in under two minutes, you have a tier disconnection problem — and the other artefact issues are probably downstream of the same root cause.

What This Changes About How You Read the Regulation

The practical implication of the structural alignment argument is this: the EU AI Act should be read by engineering leads and delivery managers — not just by legal and compliance functions. Not because engineers need to become regulatory experts, but because the Act's technical obligations are engineering specifications. Article 15's accuracy and robustness requirements are test criteria. Article 10's data governance obligations are data quality standards. Article 9's risk management system is a risk-register specification.

Legal teams reading the Act produce policy documents. Engineering teams reading it produce artefact specifications. Both are necessary. But organisations that route the Act exclusively through legal functions and then hand requirements downstream to delivery teams are doing the translation in the wrong direction — and introducing latency and distortion at every step.

Engineering leads read the technical articles directly. Articles 9, 10, 12, 14, 15, and Annex IV are engineering specifications. The people writing acceptance criteria should have read them.
Artefact specifications precede ceremony changes. Define what each artefact must contain before changing how ceremonies work. The DoD change is the last step, not the first.
Validate Article 14 as a tested feature, not a process description. Before any other compliance work, confirm that your human oversight mechanism exists in the deployed system and has acceptance test coverage.
Establish a single technical file with automated aggregation. Team-level artefacts should flow upward automatically. If the Annex IV file requires manual curation from multiple sources, it will drift.
Do not treat dataset documentation as optional. Article 10 dataset cards are primary compliance evidence, not supplementary documentation. Teams without them have a genuine gap — not an artefact quality issue.

The EU AI Act is stringent. Its conformity assessment requirements are substantive and its enforcement trajectory is clear. But for organisations already practising disciplined Agile delivery, the distance to compliance is not a chasm — it is a set of specific, definable artefact quality improvements and two or three structural changes to how artefacts flow between delivery tiers. The coalescing is already happening. The task is to see it clearly enough to complete it.

AB
Anjish Bhondwe
Digital Transformation Lead · Enterprise Agile Coach · AI Strategist

Based in Brussels, Anjish advises European financial institutions and technology organisations on AI governance strategy, EU AI Act compliance integration, and enterprise Agile delivery. He works at the intersection of regulatory requirements and delivery practice, helping teams build compliance capability that is operationally sustainable.

LinkedIn → Earlier: Embedding AI Governance → Read: EU AI Act Deep-Dive → More Blogs →